EU Defense Procurement 2026: How to Bid on Military and Security Contracts

The Separate Legal Framework — Why Defence Procurement Is Different

The first thing to understand is that EU defence procurement operates under a completely separate legal regime from standard public procurement. While civilian goods and services are governed by Directive 2014/24/EU (the standard Public Sector Directive), defence and sensitive security procurement falls under Directive 2009/81/EC. The practical differences are significant for suppliers entering the market:

• Restricted procedures are the norm rather than the exception — contracting authorities can pre-qualify a short list of suppliers before inviting tenders, and the public market is considerably less open than in civilian procurement
• Security of supply requirements allow contracting authorities to require suppliers to guarantee continuity of supply, accept inspections of production facilities, and restrict subcontracting to entities within specified countries
• Security of information requirements allow contracting authorities to impose handling requirements for classified information, mandatory personnel security clearances, and facility security clearances — all of which must be in place before a company can be awarded a classified contract
• Above-threshold contracts (€443,000 for supplies/services, €5,538,000 for works) must be published on TED, but Article 13 exemptions for contracts where publication would endanger essential security interests mean a substantial portion of European defence spending never appears on TED at all

The strategic implication: for companies new to defence, the TED-visible market is the entry point, but the majority of defence spending — particularly at the classified level — requires relationships, clearances, and track record that are built over multiple contract cycles.

Security Clearances: Plan for 3–18 Months

Security clearances are the single largest structural barrier for companies entering defence procurement. There are two types that matter:

A Personnel Security Clearance (PSC) is granted to individual employees and certifies they can access classified information up to a defined level (typically NATO SECRET or EU SECRET — formally EUCI, EU Classified Information). A Facility Security Clearance (FSC) is granted to a company's premises and certifies the physical and procedural controls for handling classified information are adequate. Both are required for classified contract work; neither is granted speculatively — a contracting authority must sponsor the application, which means you typically cannot get cleared before winning a contract, but you cannot win a classified contract without clearance.

The way through this catch-22 is to start with unclassified defence contracts, use those to build relationships with national security authorities, and apply for clearance when a specific classified bid opportunity justifies it. Processing time is typically 3–18 months depending on country and clearance level — Germany and France run structured national vetting processes (managed by Bundesamt für Verfassungsschutz and SGDSN respectively) that take 6–12 months at SECRET level; smaller member states can be faster. NATO SECRET and EU SECRET are separate clearances managed nationally but mutually recognised under bilateral agreements.

The European Defence Agency and the EDF

Two EU-level bodies generate procurement and funding opportunities distinct from national defence ministries:

The European Defence Agency (EDA), headquartered in Brussels, facilitates collaborative procurement programmes — capability development projects where multiple member states pool requirements to achieve economies of scale and interoperability. The EDA does not procure for member states directly but manages joint competitions on their behalf. Suppliers should monitor the EDA Bulletin (eda.europa.eu) alongside TED — EDA-managed programmes often publish separately, and they represent multinational contracts worth hundreds of millions of euros that do not appear through standard TED keyword searches.

The European Defence Fund (EDF), established by Regulation (EU) 2021/697 with a budget of €8 billion for 2021–2027, funds collaborative R&D of new defence capabilities — advanced drone systems, satellite communications, directed energy, AI-enabled command and control. Grants are awarded through annual work programmes published by DG DEFIS. Participation requires a consortium of companies from at least three different EU member states; SMEs benefit from enhanced funding rates. EDF participation is not procurement in the traditional sense, but the downstream procurement of successfully funded research results creates an estimated €500 million–€2 billion in annual follow-on procurement contracts — making EDF consortium membership a significant market entry mechanism for companies with relevant technology.

National Defence Procurement Agencies: Who the Buyers Are

For most defence procurement, the entry point is the national defence ministry's procurement agency. Each major EU member state runs a dedicated organisation responsible for equipment, services, and technology procurement:

• BAAINBw (Germany) — Bundesamt für Ausrüstung, Informationstechnik und Nutzung der Bundeswehr. The largest EU defence procurement agency by budget. Headquartered in Koblenz. Runs structured supplier qualification programmes and publishes extensively on TED under the 2009/81/EC regime.
• DGA (France) — Direction Générale de l'Armement, part of the French Ministry of Armed Forces. Manages multi-billion euro equipment programmes including naval, aerospace, and digital systems. French defence procurement is highly centralised and strongly favours French industrial partners, but subcontracting opportunities exist for specialist technology providers.
• SEGREDIFESA (Italy) — Segretariato Generale della Difesa. Italy's defence procurement secretariat. Manages procurement for the Italian Armed Forces and publishes on TED and the Italian national defence procurement portal.
• DGAM (Spain) — Dirección General de Armamento y Material. Spanish defence procurement authority within the Ministry of Defence. Increasingly active in cybersecurity and digital systems procurement.
• DE&S (UK) — Defence Equipment & Support. Post-Brexit, UK contracts are no longer published on TED and UK companies no longer have automatic access to EU defence tenders, but DE&S remains a major buyer and the bilateral UK-EU relationship creates continuing commercial relationships between UK and EU defence suppliers.

Building relationships with these agencies through national defence industry associations (BDSV in Germany, GIFAS in France, AIAD in Italy) and defence exhibitions — Eurosatory (Paris), DSEI (London), MSPO (Kielce, Poland) — is fundamental to accessing the restricted and negotiated procedures that account for the majority of defence contract value.

Dual-Use Technology and Export Control Compliance

The fastest-growing entry point for companies new to defence is dual-use technology — products and services with both civilian and military applications. Cybersecurity (SIEM, threat intelligence, incident response), AI and machine learning, autonomous drone systems, satellite communications, and advanced logistics software all qualify. Defence ministries and the EDA are actively seeking civilian technology ecosystem companies precisely because cutting-edge capability development in these areas is now happening outside traditional prime contractors.

The EU's EDIS (European Defence Industrial Strategy), adopted in March 2024, explicitly encourages this movement and provides funding incentives for companies transitioning from civilian to defence markets. However, the compliance obligations are real and non-negotiable: Regulation (EU) 2021/821 (the EU dual-use export control regulation) requires companies to obtain export licences before exporting dual-use goods and technology outside the EU, and in some cases within the EU. Cybersecurity products — particularly intrusion software, network monitoring tools, and cryptographic equipment — feature prominently on the dual-use control list. Non-compliance carries criminal penalties in most member states.

Companies should conduct an export control classification assessment before targeting defence markets and implement an internal compliance programme. National export control authorities (BAFA in Germany, DGA's export control unit in France, SIEL system in the UK pre-Brexit) publish guidance and run pre-classification consultations.

The Practical Entry Strategy: Subcontracting First

For companies without an existing defence track record, direct prime contracting is rarely the realistic first step. The practical market entry strategy is subcontracting to established prime contractors — Leonardo (Italy), Thales (France), Rheinmetall (Germany), Saab (Sweden), and Airbus Defence and Space (multinational) collectively run supplier qualification programmes that assess technology, financial stability, quality management, and export control compliance before admitting a company to their supply chain.

Primes seek specialist subcontractors in exactly the areas where civilian technology is strongest: cybersecurity, AI/ML, data analytics, cloud infrastructure, and advanced communications. A cybersecurity company that is too small to prime a €50 million defence contract can realistically qualify as a specialist subcontractor to a prime in 6–12 months, and that subcontract history then becomes the track record needed to compete for direct contracts in subsequent cycles.

The structured path for a company new to EU defence procurement is therefore: (1) identify which prime contractors are active in your technology domain and register on their supplier portals; (2) pursue unclassified defence-adjacent contracts on TED to build references; (3) obtain FSC and begin PSC applications for key personnel when a specific classified opportunity justifies it; (4) join national defence industry associations to access relationship networks; and (5) evaluate EDF consortium opportunities where your technology is applicable — EDF participation at any scale builds EU-level visibility with DG DEFIS and EDA simultaneously.