The defence industry has traditionally focused on hardware. Tanks, aircraft and ships were defined by their physical ability to engage the enemy. However, modern warfare has changed this.
Defence requirements are updated daily, and concepts that were once only seen in computer games are becoming reality: Add-ons and upgrade packages modify existing platforms and adapt them to new challenges, equipping them with advanced defence capabilities, for example. These new capabilities will increasingly focus on improvements to the underlying technology, particularly with regard to software. The same applies to newly developed weapon systems, for which 'software-defined defence' (SDD) is becoming one of the core requirements.
SDD involves optimising and controlling defence and security capabilities to steadily improve and expand defence systems. The main advantages of the SDD concept are improved upgrade cycles, flexibility, scalability, resilience, and enhanced Multi Domain Operations capabilities.
While weapon system manufacturers have extensive experience in building excellent 'hardware', SDD requires different skills. With a software focus, the legal challenges may be different and not yet be a priority for manufacturers.
Securing your intellectual property is crucial.
SDD-driven weapon platforms promise agility and interoperability across NATO and EU member states. At the same time, companies must ensure that they avoid unclear IP ownership and violations of strict licensing – copyright litigation is not a battle worth fighting.
EU programmes such as the European Defence Fund (EDF) and Permanent Structured Cooperation (PESCO) usually target consortia of start-ups and SMEs that jointly develop technology for the defence sector. However, joint development teams require clarity on source code, modifications and exploitation rights across borders, as well as a clear IP allocation. Otherwise, the software developed cannot be licensed or sold, which has a direct impact on companies' financials and tax compliance.
In accordance with European copyright laws in the member states (e.g. § 69 of the German Copyright Act, UrhG), software developed in-house is automatically protected by copyright. Employment relationships assign rights to the employer, though moral rights remain with the developers. Open-source components, while technically free, carry obligations. Licences such as the GPL require disclosure and reciprocal sharing, a legal pitfall that is often underestimated by firms. Strict OSS regulations must be fulfilled during software development, particularly when dealing with the government, and any software produced in this context will be diligently screened for undocumented OSS components.
A robust IP strategy starts with asset mapping and proactively defining ownership and use rights, particularly within consortium agreements, but also when freelancers support in-house software development teams.
Cyber security is key.
Improving cyber security is one of the key compliance challenges with a direct impact on a company’s capacity to act. For companies active in the defence sector, the NIS2 Directive, which imposes risk-management and incident-reporting duties on essential and important entities across 18 sectors, and the Cyber Resilience Act (CRA), which incorporates “security by design” into the process of placing software and digital products on the EU market, must be taken into account.
Under NIS2, many defence suppliers fall squarely within the scope of the directive, whether as digital infrastructure providers, cloud and data centre operators, or manufacturers of critical products embedded in defence systems. The Directive mandates governance and accountability for cybersecurity risk management, imposing fines of up to EUR 10 million or 2% of global turnover for non-compliance, and setting out specific timelines for Member State transposition and enforcement. It also elevates the role of national CSIRTs and requires the rapid reporting of significant incidents, prompting companies to professionalise their detection and response capabilities.
The CRA builds on the foundations laid by NIS2. It establishes horizontal requirements for products containing 'digital elements' and demands vulnerability-handling processes, timely security updates, transparency regarding support periods and, for higher-risk categories, stricter conformity assessment before a CE mark is applied.
The risks for private companies are real. A single vulnerable library can propagate across platforms, trigger multi-country incident reporting under NIS2 and prompt market surveillance scrutiny under the CRA. This can lead to contract penalties, audit findings and loss of accreditation, as well as reputational damage. Boards face personal accountability under NIS2 and product lines can be halted if CRA conformity is in doubt.
Be aware of export control limitations.
SDD shifts the spotlight towards regulations that were previously reserved for hardware. Under EU Regulation 2021/821, software capable of military use or surveillance is treated as a 'dual-use item', requiring export authorisation. A recent Commission Delegated Act (2025/2003) highlights that unlisted software intended for military, human rights or internal repression purposes may also be subject to controls.
Like other EU Member States, Germany applies the Dual-Use Regulation but enforces additional national licensing under the Kriegswaffenkontrollgesetz (KWG) and related ordinances. These laws require prior approval for not only physical war weapon exports, but also increasingly for intangible transfers, including software for targeting, encryption or cyber surveillance. This applies to exports both outside and within the EU.
Unlicensed exports may result in fines, revoked permits, contract cancellations with public-sector clients and reputational damage, particularly when national legislation ties the liability of individuals to company directors.
AI: It’s a trap.
AI is certainly an issue for companies doing business in the defence industry. While ethics might be a relevant part of this topic, the focus is once again on dual use.
Artificial intelligence is fast becoming the nervous system of Europe’s defence software, with models triaging sensor feeds, automating maintenance and assisting commanders at the edge. However, in Europe, the decisive contest is not only technical, but also legal. The EU AI Act establishes harmonised rules for AI systems placed on the EU market, prohibiting certain practices and imposing strict obligations on high-risk systems. It also establishes a dedicated regime for general-purpose AI models, requiring transparency regarding training data and copyright policy. Obligations regarding prohibited uses and AI literacy are already in place, with the phased implementation of GPAI starting on 2 August 2025, followed by the full implementation of high-risk requirements. While the defence sector is exempt from the obligations of the AI Act at first glance due to Art. 2(3) of the AI Act, this exemption does not apply to AI systems not exclusively designed for military purposes. Indeed, most AI-driven systems used in a military context also serve civilian purposes. In this case, the exemption does not apply, and the strict regime of the AI Act applies with all its consequences. It is crucial to plan ahead, even in the design phase, to avoid the 'dual use trap'.
How to SDD?
Now, being aware that legal issues might not only cause compliance issues but do have a direct impact on the core business and the success of a new developed weapon system when SDD comes into play, is the first step to avoid the major issues in this regard. Most of the challenges can be avoided with structured planning already in the project phase, strict documentation and processes during the development phase and robust contracts in place.
