New markets, new rules

Melanie Steinbeck

Interview: What industrial companies in the defense sector underestimate

German industry is experiencing a phase in the defense sector that was hardly conceivable just a few years ago: rising defense budgets, accelerated procurement processes and the market entry of new players from traditional industrial sectors, from mechanical engineering to software development. This not only shifts the economic dynamics, but also the factors that determine success or failure. Technology, vertical integration and scalability remain key. However, it is becoming increasingly clear that anyone who wants to survive in the defense market must not only comply with the law, but also master it strategically. In this interview, Oliver Huq, lawyer and expert in security and defense, explains why industrial companies in particular often underestimate this factor and why it is increasingly becoming a decisive competitive factor.

Oliver Huq, lawyer and expert in security and defense © Oliver Huq

Industrial Production: Mr. Huq, many industrial companies from the mechanical engineering, automotive and electrical engineering sectors are currently pushing into the defence sector. Where do you see the biggest misunderstandings in dealing with regulation?

Oliver Huq: The biggest misunderstanding is the equation of compliance with pure bureaucracy. Companies that come from the civil sector know regulation primarily as something that you "work through": Filling out forms, submitting evidence, ticking boxes. It's fundamentally different in the defense sector. Here, regulation is not the framework within which you work. It is part of the product itself.

The second major misunderstanding concerns speed. Many companies believe that accelerated procurement procedures (keyword § 103b GWB or the special regulations under the Bundeswehr Procurement Acceleration Act) mean that the substantive requirements are also less stringent. The opposite is often the case: faster procedures mean that you have to be fully prepared from the outset. Anyone who only starts to worry about confidentiality, export control or IT security requirements once they are already in a tender usually loses out - regardless of how good their product is technically.

And finally, many companies underestimate the fact that this is not a uniform market. The Bundeswehr, NATO agencies, European procurement agencies such as the EDA - each of these institutions has its own requirements, its own processes, its own red lines. Those who understand these differences early on and align their product to them in a targeted manner create the basis for successfully connecting not only with the Bundeswehr, but also with international procurement organizations such as OCCAR.

You talk about "legal resilience" as a competitive advantage. What does this mean in concrete terms for a medium-sized industrial company that is serving defense customers for the first time?

Legal resilience means that a company does not get bogged down by every regulatory headwind, but remains capable of acting - even if the legal environment changes, an export application is rejected or a tender imposes requirements that must be met at short notice.

In concrete terms, this means for a medium-sized company: it is not about setting up a legal department that runs after every process. It's about building certain basic legal structures into your own organization before you need them. This starts with a clear internal responsibility for export control (the so-called export control officer), continues with a functioning system for classifying your own products according to dual-use criteria and does not end with contractual protection clauses for subcontractors.

A practical example: A medium-sized company that receives a drive component order for a defense project is usually obliged by its client to pass on certain safety requirements to its own suppliers. Companies that have no basis for this in their purchasing contracts face a real problem. This is the difference between a company that is legally resilient and one that improvises.

Supply chains are complex and international, especially in global industrial companies. Why does this very structure quickly become a legal risk factor in the defense sector?

Because responsibility does not end at the factory door. A company that supplies an electronic sensor to the German Armed Forces is not only responsible for the end product. It is also responsible for ensuring that all preliminary products and components that this sensor contains comply with the applicable regulations - including the export control regulations of the countries from which these components originate.

This becomes particularly critical when US suppliers are involved. The USA has two systems, ITAR and EAR, which contain so-called "re-export controls". This means that a component that originates from the USA or contains US technology is subject to US export controls even if it is installed in a German product in Germany and exported from Germany.

The supply chain therefore becomes a vehicle through which regulatory risks that you have not caused yourself are transferred to your own company. This can lead to considerable liability risks - in the worst case, to criminal liability for the individuals involved and not just the company as such. The management level must therefore understand that there is no diffusion of responsibility here: The law asks who knew or should have known.

Export controls take many companies by surprise, especially when it comes to seemingly civilian products. In your opinion, what is the typical error in the industry's thinking when it comes to dual-use issues?

The mistake lies in the word "civilian". Many companies think: "We manufacture industrial drones, not military drones, so export controls don't affect us." This is a big mistake.

The dual-use system is regulated at European level by the EU Dual-Use Regulation (EU) 2021/821 and covers goods that can be used for both civilian and military purposes. And the key question is not: "How do we use the product?" But rather: "How could the recipient use it?" Or even more precisely: "What technical characteristics does the product have and are these recorded in the control lists?"

A high-performance processor, a gyroscope with a certain precision, software for image evaluation - all of this may require approval, even if the manufacturing company supplies exclusively to civilian customers. The system asks about the characteristics of the product, not the subjective intention of the manufacturer.

The second classic misconception: "We only deliver within the EU, so we don't need a permit." This is also only partially true. For certain particularly sensitive goods, a permit is also required for intra-Community transfers. And as soon as the recipient resells the product outside the EU, the control system applies again - and the company must have ensured that it knew or should reasonably have known about this.

ITAR, EAR and EU dual-use regulations act as a dense regulatory network. How can an industrial company practically integrate these requirements into its development and sales processes?

I recommend a structured triad here: classify, check, document.

Classification means that every product, every component, every piece of software that the company develops or purchases must be systematically examined once to determine whether it is subject to an export control classification. This is a one-off but time-consuming task that must be integrated into the development process for new products and components - and not just at the end when the product is already finished.

Control means: based on the classification described above, processes are established to ensure that every export, every transfer, every licensing to foreign partners is checked to see whether approval is required. At first glance, this seems like pure bureaucracy, but it is actually a sensible risk filter that prevents a sales employee from unknowingly committing a criminal offense.

Documenting means: if it is not documented, it did not take place. In an emergency, authorities, law enforcement and clients will ask how the decision was made - not just what the decision was. A company that can prove that it has systematically checked, involved experts and justified decisions in writing is in a completely different position to one that says: "We've always done it this way."

Specifically, I recommend clarifying at an early stage whether a License Exception or a formal ITAR license is required for supply chains with a US connection. And: The responsible authorities - in Germany the BAFA - are often more cooperative than many companies believe. Contacting them at an early stage in the event of uncertainty is not a sign of weakness, but of professionalism.

What role does early product development play? In other words: Do companies already have to think legally in engineering if they want to become defense-capable?

Yes - and this is perhaps the most important structural change that I would like to initiate with my clients: the classic product development process ends in engineering, begins in marketing and ends in legal review. In the defense sector, legal has to be at the table right from the start - or at least the relevant questions have to be asked during the engineering process.

There are several reasons for this. Firstly, if a product reaches certain technical specifications, e.g. a certain range, precision or encryption depth, then it automatically becomes subject to approval. This is not a question of the intended use, but of the technical properties. Anyone who only realizes this after the market launch has a problem that cannot easily be solved retroactively.

Secondly: ITAR freedom as a product feature. More and more European defense customers are explicitly demanding that supplier products are free of US-controlled technology - or in other words: "ITAR-free". This is a real strategic sales argument. If you plan this from the outset, you can achieve it. Those who only try to do so after the fact often have to redevelop the product or do without American technology components that are already deeply embedded in the architecture.

Thirdly, security requirements such as BSI certifications or NATO qualifications have lead times of months, sometimes years. Anyone who does not think ahead in engineering simply cannot meet these deadlines.

In public procurement law, new industrial players are competing with established defense companies. Why do technically strong suppliers still often fail in public tenders?

Because public tenders are not a market in the traditional sense. They are a procedure. And in a procedure, it is not only the quality of the tender that is decisive, but also compliance with formal requirements. A technically superior tender that does not meet a formal requirement, be it a missing declaration of suitability, proof that was not submitted on time, an inadequately documented reference or similar, is excluded without fail. This is not arbitrariness, it is the rule of law.

New market participants also underestimate the importance of the service description. A well-formulated tender often already contains the image of the desired bidder: in the form of minimum technical requirements, certification requirements or requested evidence of comparable previous services. Those who do not read this description carefully and respond to it strategically will lose - even if they have the best product.

Another factor: proof of references. Public clients, especially in the security and defense sector, require proof of comparable services. A company that wants to enter the defense market for the first time does not have these references by definition. This cannot be solved overnight, but there are strategies: Bidding consortia with experienced partners, targeted subcontracting to gain references or pilot projects that are deliberately designed as an entry into long-term market development.

And finally: Many new providers underestimate the obligation to give notice of defects. Anyone who identifies an error in an award procedure, such as a discriminatory requirement in the specifications, must report it immediately before the procedure is completed. If you wait, you lose the right to complain afterwards. This is a common and costly mistake.

Many industrial companies underestimate the importance of confidentiality and security requirements. Where do the biggest "showstoppers" arise in practice when entering the market?

The biggest showstopper is underestimating the lead time. A security clearance for an employee under the Security Clearance Act (SÜG) can take months, as can an authorization to handle classified information for a company - the so-called facility security clearance equivalent in German terminology - or secret protection support from the BMWK or BMVg. Anyone who only starts these processes once they have already won a contract that requires corresponding security classifications is breaking their contract before they can fulfill it.

In practice, I see three typical problem areas:

Firstly: IT infrastructure. Many tenders in the defense sector require certain information to be processed on hardened, approved IT systems. The BSI requirements or NATO standards for classified IT are not trivial. Anyone using their normal business office system will not meet these requirements - and will often only discover this when the due diligence begins.

Secondly: personnel. Not every person that a company wants to deploy as part of a defense project can be easily security-cleared. This depends on nationality, CV, family connections and other factors. If a company operates in a highly specialized field and its key developers cannot obtain the necessary security clearance, it has a structural problem.

Thirdly: physical infrastructure. Certain orders require documents or materials to be physically secured - in appropriately approved premises. This is an investment that companies need to factor in beforehand.

All of this can be solved, but only if you think about it early on and start implementing it.

ESG and supply chain laws are actually considered traditional industry issues. Why are they even more complex in the defense sector?

Because the defense sector operates at the interface of two worlds of requirements that contradict each other in some respects - or at least are in considerable tension with each other.

On the one hand, there is the Supply Chain Due Diligence Act (LkSG) and the European Corporate Sustainability Due Diligence Directive (CSDDD), which require companies to identify, mitigate and report human rights and environmental risks along the entire supply chain. At first, this sounds like a general industry issue.

On the other hand, the defense sector often operates with suppliers from regions that are politically sensitive or with partners where detailed verifiability is limited for reasons of secrecy. If a Tier 2 supplier of a defence product operates in a country that is subject to an arms embargo or where the LkSG duty of care is difficult to fulfill - how do you check this without disclosing sensitive supply chain data?

In addition, the LkSG applies to companies above certain thresholds and also imposes a duty of care on indirect suppliers if there are indications of violations. In the defense sector, where supply chains are often less transparent and extend across several jurisdictions, this obligation is extremely demanding in operational terms.

And finally, the area of tension with the defense mission as such: the arms industry produces goods that can be used to kill people. This is not a malicious accusation, but a legal and ethical reality that companies have to deal with - not only internally, but also vis-à-vis their financing partners. ESG rating agencies and banks that offer sustainable financing have developed restrictive policies in some cases. Any industrial company entering the defense market must proactively address these issues in its ESG strategy. And we haven't even addressed the issue of young talent yet.

If you look to the future: In five years, what will separate successful industrial companies in the defense market from those that will have to exit?

In my opinion, the successful companies will be those that see law, technology and strategy as an inseparable unit.

I am not saying this as an advertisement for lawyers. I am saying it because the complexity of the requirements will not decrease in the coming years. The opposite is the case: the EU, for example, is currently developing new funding and regulatory architectures with programs such as the European Defence Industry Programme (EDIP), the European Defence Fund (EDF), the European Defence Industry Reinforcement through Common Procurement Act (EDIRPA) and the Act in Support of Ammunition Production (ASAP). NATO standardizes requirements that become binding for all member states. The USA is revising its ITAR regulations. And the LkSG successor legislation at European level will be more comprehensive than what we know today.

If you want to be successful in this environment in the long term, you need three things:

Institutional knowledge. Not consultants that you call in an emergency, but internal know-how that is anchored in the organization. This can be employees with the appropriate training, but also well-structured processes that ensure that the right questions are asked at the right time. External consultants can also be integrated as part of a fixed cooperation structure so that their expertise can be called upon in the same way as institutional knowledge.

Strategic flexibility. The companies that have to exit will often be those that had a single product and market strategy and were not adaptable. In the defense market, priorities, budgets, political focus change. Those who have built their business model to be dependent on a single program or a single customer are vulnerable.

Trust as capital. This is more true in the defense sector than in other markets: Trust is the most important currency. Clients - whether the German Armed Forces, OCCAR or a system integrator such as Rheinmetall or KNDS - place long-term, security-critical orders with companies they trust. This trust does not come from the best offer. It is created through consistent, reliable behavior over time - through keeping promises, transparency in dealing with problems and proof that the company has understood the special responsibility of this market.

Legal resilience is ultimately nothing other than the institutional expression of this trust - both internally and externally.

About the person
Oliver Huq is a lawyer in Düsseldorf, senior partner at gunnercooke and specializes in international commercial law. He advises companies in the area of security and defense - from regulatory compliance and contract drafting to questions of board responsibility.
