AI in Defence Summit
The EU AI Act and Defence AI: A Practical Guide for Military Developers and Policymakers

The EU AI Act creates specific obligations for high-risk AI systems — including defence applications. Here's what European defence AI developers and procurement officials must understand in 2027.

AI in Defence Summit Editorial
25 June 2026

The EU AI Act — the world's first comprehensive AI regulation — came into force in 2024 and is now shaping how European defence AI is built, procured, and deployed. Its interaction with military applications is complex: defence and national security activities are partially exempt, but the reality for companies building dual-use AI — systems that serve both civil and military markets — is significantly more regulated than many assume. Understanding exactly where the exemptions apply, where they do not, and what the compliance obligations actually require is no longer optional for anyone operating in this space.

What the EU AI Act Actually Says About Defence

The Act explicitly excludes AI systems used exclusively for military and national security purposes from its scope. This exemption is real — a system developed, operated, and used solely within a member state's armed forces for national security purposes sits outside the Act's requirements.

However, this exclusion is narrower than it sounds. Most defence AI companies do not build systems exclusively for military use. They build on commercial foundations — computer vision libraries, natural language processing APIs, commercial cloud infrastructure — and adapt for military applications. They serve mixed customer bases: civil security agencies, border management, law enforcement, and defence. They procure through channels that interact with regulated civil markets and export to allied nations with their own regulatory requirements. The result is that most companies operating in the European defence AI space face meaningful AI Act obligations, even if they believe the military exemption applies to their core product.

The practical test is not "what is this system used for?" but "is it used exclusively for military or national security purposes, by a military or national security entity, without any civil application?" For most European defence AI companies, that test fails — and the Act's full framework applies.

High-Risk AI Classifications Relevant to Defence

The AI Act identifies eight categories of high-risk AI systems that trigger mandatory conformity assessment, transparency obligations, human oversight requirements, and data governance standards. Several of these are directly relevant to defence AI:

Biometric identification and categorisation — any system that identifies or categorises individuals using biometric data. This includes facial recognition systems used in security screening, speaker identification in communications intelligence, and gait analysis in surveillance applications. These systems face the Act's highest compliance requirements.

Critical infrastructure management — AI systems that manage or optimise critical infrastructure, including energy grids, water systems, and transport networks. For defence AI companies building systems that operate across civil-military critical infrastructure, this classification applies.

Law enforcement decision support — AI systems used by law enforcement for risk assessment, polygraph-like systems, crime analytics, and predictive policing. Companies building AI for police and security agencies that also serve military clients face specific obligations here.

Border control systems — automated risk assessment at border crossings, document verification, and threat detection. This is a major area of dual-use relevance, particularly for companies operating across the Schengen border management environment.

Administration of justice — AI systems that assist courts in researching and interpreting facts and law. While less immediately relevant to most defence AI, this classification touches AI-assisted military legal advice and rules of engagement systems.

The Dual-Use Problem — Where Regulation Meets Procurement

An AI-powered surveillance system built for commercial smart city applications and repurposed for battlefield ISR occupies an ambiguous regulatory space. At the 2026 AI in Defence Summit, this dual-use dilemma was identified as one of the most pressing structural problems for European defence AI companies — not because the regulatory answer is unclear in principle, but because the operational reality of how these systems are built and deployed makes clean categorisation almost impossible.

The specific tension is this: the most capable AI in Europe is being built in the commercial sector. Defence procurement that could absorb this capability is constrained by a regulatory framework that treats civil and military AI as categorically distinct — when in practice the distinction is rarely clean. Companies that attempt to maintain strict separation between their civil and military offerings often find they are disadvantaging themselves in both markets: their civil products cannot access the domain expertise and data that military deployment provides, and their military products cannot benefit from the commercial investment in reliability, user experience, and scale.

The dual-use problem is not simply a compliance challenge. It is a structural feature of the European defence AI market that shapes company formation, capital strategy, sales motion, and regulatory engagement. Getting it wrong has consequences on both the commercial and military sides.

CE Marking, Conformity Assessment, and Defence Procurement

For high-risk AI systems within the Act's scope, the mandatory conformity assessment process requires companies to demonstrate technical documentation, data governance practices, human oversight mechanisms, accuracy and robustness testing, and cybersecurity measures before placing the system on the market.

CE marking — the conformity marking that results from a completed assessment — is increasingly being requested by defence procurement officials as a baseline quality and governance signal, even for systems that are technically exempt from the Act's requirements. The logic is straightforward: if a system has been through a rigorous conformity assessment process, it has demonstrated the kind of documented, auditable development and testing practices that responsible procurement requires.

EDF and EDIP application processes are beginning to reflect this. Applicants who can demonstrate AI Act-aligned development practices — not necessarily full conformity assessment, but the documented governance approach it requires — are increasingly advantaged in evaluation. Procurement officials at member state level are moving in the same direction, particularly in markets where civil-military boundary cases are frequent.

What Founders and CTOs Should Do Now

The practical response for a European defence AI company is not to wait for regulatory clarity. It is to build the practices that responsible AI development requires regardless of whether they are legally mandated:

  • Map your system against the Act's risk classifications. Be honest about whether the military exemption genuinely applies. If there is any civil-facing application, customer, or use case, assume the high-risk framework applies and plan accordingly.
  • Document your training data. Where it came from, how it was processed, what biases it may contain, and how you have tested for them. This is a requirement under the Act and a basic standard of responsible development.
  • Establish human oversight mechanisms. For any system that makes or informs consequential decisions, document how human oversight is maintained. This matters for international humanitarian law compliance as well as regulatory compliance.
  • Plan for CE marking where applicable. The conformity assessment process takes time. Companies that begin the process early have a significant advantage in procurement conversations.
  • Engage early with the European AI Office. The Office is the Act's enforcement body and is actively developing guidance on the defence exemption and dual-use cases. Early engagement shapes how the guidance develops.

The Regulatory Gap That 2027 Will Address

The EU AI Act was written primarily with civil applications in mind. Its interaction with defence — the exemptions, the dual-use grey zones, the interface with member state national security law — was addressed at the margin rather than at the core. The result is a regulatory environment with significant genuine uncertainty about how key provisions apply in practice.

The 2027 Summit's policy track will address these questions directly: the emerging guidance from the European AI Office on the defence exemption; the interaction between the Act and the EU AI Liability Directive for defence applications; the specific compliance pathway for dual-use AI companies; and the legislative reform discussions already underway about whether the Act's military exemption needs to be redrawn in light of how European defence AI is actually being built and deployed.

The goal is not less regulation. It is clearer regulation that allows European defence AI companies to build, invest, and procure with confidence — rather than in a grey zone that advantages companies willing to tolerate legal uncertainty over those doing responsible development.

