Securing the frontline: Legal strategies for cyber resilience in the defence sector
This English-language blog by NautaDutilh highlights the need for legal awareness within both civilian and defence-related organisations at a time of increasingly sophisticated cyber threats. Developing clear legal frameworks to address cyber risks and complex regulation is no longer a side issue, but an essential part of adequate governance.
30 June 2025
As digital threats grow in sophistication, legal preparedness is vital. Developing robust frameworks to address cyber risks and regulatory obligations is now an integral part of organisational governance.
Cybercrime & Cybersecurity in the Defence sector: A legal imperative
The defence sector is under dual pressure: the rise of sophisticated cybercrime and the growing complexity of cybersecurity compliance. Nation-state actors, insider threats, and criminal networks are targeting critical infrastructure and sensitive data, making legal oversight more essential than ever.
As cyber threats intensify across the defence landscape, suppliers find themselves increasingly scrutinised. Whether providing software, hardware, or data services, vendors connected to defence operations face growing legal and regulatory oversight, especially when their technologies have potential dual-use applications.
Dual-use technologies: A legal grey zone
Dual-use items are products, software or other technologies that can serve both civilian and military purposes. Think of AI models, encryption tools, drones, or satellite systems. Under EU and international law, these products and technologies may fall under export control regulations, sanctions regimes, or military end-use restrictions.
For suppliers, this means that:
- Legal due diligence is essential before exporting or licensing dual-use items.
- Contracts must include clear use limitations (e.g. end-user statements), especially when working with international partners.
- In-house counsel must assess whether a product qualifies as a dual-use item and whether additional authorisations are required under the EU Dual-Use Regulation (Regulation (EU) 2021/821) or other (inter)national export laws.
Note: AI systems placed on the market or used exclusively for military, defence or national security purposes are excluded from the scope of the AI Act. However, if such a system is also placed on the market or used for civilian, humanitarian, or public security purposes, it falls within the scope of the AI Act and must comply with its requirements.
Failing to comply can result in severe administrative penalties, reputational damage, and even criminal liability. The stakes are high – legal teams must take a central role, working closely together with compliance, procurement, and technical departments to ensure that dual-use risks are identified and mitigated early.
“Legal and technical teams must act early to spot and control dual-use risks.” - Joris Willems, head of Technology group
In-house counsel: From legal advisor to strategic defender
In-house legal teams are no longer just advisors; they act as strategic defenders within organisations. From validating internal cybersecurity policies to managing incident response and regulatory reporting, their role spans both proactive and reactive defence. Gartner's 2025 analysis confirms this shift: legal and compliance leaders are increasingly responsible for ensuring that cybersecurity measures are technically sound and can stand up to regulatory scrutiny. This includes oversight of AI-driven monitoring tools, machine identity governance, and third-party risk management.
Gartner is highly regarded for its expert analysis, industry insights, and strategic advice, which help organisations navigate complex business and technology challenges.
Proactive Legal Defence
Anticipating threats before they escalate
Cybersecurity is not only about preventing breaches but also about being ready when they occur. Our team helps legal departments implement proactive measures such as:
- Legal validation of cybersecurity policies, awareness programs, and access controls.
- Contractual risk management, including cyber clauses in supplier agreements.
- Insider risk monitoring and data loss prevention, with legal safeguards for confidentiality, data protection and privacy.
These measures support compliance with the NIS2 Directive and other (national) security laws, and align with the objectives of the EU Cyber Defence Policy.
Repressive legal response
Acting decisively when incidents occur
When a cyber incident occurs, the legal response must be swift, coordinated, and defensible. We assist with:
- Crisis management and regulatory communication.
- Coordination with forensic partners for digital investigations.
- Legal representation in interactions with regulators, law enforcement, and cyber insurers.
- Litigation support for civil/criminal liability and administrative enforcement actions.
In conclusion
Cybercrime and cybersecurity are no longer separate domains. For defence organisations and their suppliers, they are two sides of the same legal coin. With the right legal strategy, in-house counsel can turn compliance into resilience, and resilience into competitive advantage.