Navigating the evolving cybersecurity landscape – NIS2, CMMC and implications for defence contractors in the EU
1. A new era of cybersecurity regulation
The regulatory landscape for cybersecurity has undergone a significant transformation on both sides of the Atlantic. In the European Union, the Network and Information Security Directive 2 (NIS2) entered into force on 16 January 2023, with Member States required to transpose its provisions into national law by 17 October 2024.
While the transposition process was significantly delayed across the EU, momentum has now accelerated and more Member States are implementing the directive into national law.
NIS2 represents a substantial expansion of the EU’s cybersecurity framework, broadening the scope of covered entities, strengthening security requirements and introducing more stringent incident-reporting obligations and enforcement mechanisms. Organisations falling within NIS2’s scope must now implement comprehensive risk-management measures, including policies on risk analysis, incident handling, business continuity, supply-chain security and employee cybersecurity training.
In the United States, the federal government has similarly prioritised cybersecurity through a series of executive orders, agency directives and regulatory initiatives. The Cybersecurity and Infrastructure Security Agency (CISA) continues to issue guidance and requirements for critical-infrastructure sectors, while various federal agencies have implemented sector-specific cybersecurity rules.
For organisations operating in or with the U.S. defence sector, the most consequential development has been the finalisation of the Cybersecurity Maturity Model Certification (CMMC) programme.
2. The CMMC programme: securing the defence industrial base
The U.S. Department of Defense (DoD) published the final rule for the CMMC programme on 15 October 2024, with phased implementation beginning on 10 November 2025.
The CMMC programme is designed to protect sensitive unclassified information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), that the DoD shares with contractors and subcontractors across the Defence Industrial Base (DIB).
CMMC establishes a tiered certification model with three levels of increasing cybersecurity maturity:
Level 1 (Foundational) applies to organisations handling FCI and requires annual self-assessment and affirmation of compliance with 15 basic safeguarding requirements.
Level 2 (Advanced) applies to organisations handling CUI and requires compliance with additional security requirements. Depending on the sensitivity of the information involved, Level 2 assessments may be conducted through self-assessment or by a certified third-party assessment organisation.
Level 3 (Expert) applies to organisations handling the most sensitive CUI and requires compliance with additional requirements, assessed by the Defense Industrial Base Cybersecurity Assessment Center.
Importantly, the CMMC programme applies to the national and international Defence Industrial Base. Hence, European companies that serve as prime contractors or subcontractors on DoD contracts must achieve the appropriate CMMC certification level to continue participating in the U.S. defence supply chain. The flow-down of CMMC requirements to subcontractors means that even lower-tier suppliers must demonstrate compliance.
3. Cybersecurity requirements for defence contractors in the EU (and how the EU model differs from the US)
Unlike the United States – where CMMC is a single DoD-driven, tiered, auditable certification regime that conditions eligibility for defence procurement – the European Union does not operate a uniform, defence-specific cybersecurity certification framework applicable to the entire defence industrial base. Instead, the EU landscape is multi-layered and fragmented, with cybersecurity requirements for defence contractors typically arising from a combination of (i) horizontal EU rules that may apply depending on the contractor’s activity and (ii) security and cybersecurity obligations embedded in defence/security procurement and classified-information rules, implemented largely through national authorities and contractual conditions.
Defence is indeed not listed as a NIS2 sector in its own right. Moreover, NIS2 expressly allows Member States to exempt entities carrying out activities in the areas of national security and defence from certain key obligations (notably the cybersecurity risk-management measures and incident-reporting obligations), insofar as these relate to those activities or services.
That said, defence contractors should be cautious with broad “NIS2 does not apply” statements. In practice, a group that supplies defence may still fall within NIS2 if it also performs activities that are independently in scope (e.g. certain digital infrastructure or ICT-managed-services profiles), subject to how each Member State implements the exemptions.
For procurement awarded under the EU’s defence and sensitive-security procurement regime, contracting authorities can impose security-of-information and related requirements that are then enforced primarily through the contract and associated tender documentation (including subcontractor flow-downs). This is often where defence contractors see the most concrete cybersecurity obligations in EU practice – because requirements are tailored to the programme and the risk profile rather than imposed by a single EU-wide defence-cyber rulebook.
Where a contract involves EU Classified Information (EUCI) (or national classified information), contractors and subcontractors may be subject to industrial-security requirements (personnel clearance, secure facilities, controlled IT environments, secure communications, incident/breach handling, etc.), derived from EUCI rules and implemented through national security authorities and contract conditions.
Separately from “entity” cybersecurity, the Cyber Resilience Act (CRA) establishes cybersecurity requirements for products with digital elements placed on the EU market (secure-by-design expectations, vulnerability handling, etc.). Defence contractors manufacturing or distributing dual-use or broadly marketed digital products may therefore face CRA-driven obligations, even where NIS2 is not the primary driver.
4. Implications for EU contractors in transatlantic supply chains
While NIS2 (and common frameworks like ISO 27001) can provide a strong baseline, the EU framework is not a “CMMC-equivalent” substitute; instead, contractors typically need to map contract/programme security requirements (EU) and CUI/FCI control requirements (US) side by side.
For EU companies subject to both NIS2 and CMMC, a natural question arises: does compliance with one framework assist in achieving compliance with the other? The short answer is yes – but with important caveats.
NIS2 and CMMC share a common foundation in recognised cybersecurity best practices. Both frameworks require organisations to implement risk-based security measures across several overlapping domains:
Risk management. NIS2 mandates systematic risk assessments and the implementation of appropriate technical and organisational measures to manage cybersecurity risks. CMMC similarly requires risk assessment aligned with CMMC’s underlying standard, which emphasises identifying and mitigating risks to organisational operations and assets.
Access control. NIS2 requires strong access controls, including multi-factor authentication where appropriate. CMMC’s underlying standard contains detailed access-control requirements governing the management of user accounts, authentication mechanisms and least-privilege principles.
Incident response. NIS2 imposes strict incident-handling obligations, including detection, response and reporting requirements (with initial notification to competent authorities within 24 hours of becoming aware of a significant incident). CMMC requires organisations to establish incident-response capabilities, including preparation, detection, analysis, containment, recovery and reporting.
Business continuity. NIS2 requires backup management, disaster recovery and crisis-management planning. CMMC addresses these concerns through contingency-planning and system-recovery requirements.
Supply-chain security. NIS2 requires organisations to address cybersecurity risks in their supply chains, including assessments of third-party service providers. CMMC similarly requires the flow-down of security requirements and oversight of subcontractor compliance.
Security awareness training. Both frameworks require organisations to provide cybersecurity-awareness training to personnel.
Organisations that have achieved NIS2 compliance – or that maintain certifications such as ISO/IEC 27001, which generally covers a significant part of NIS2’s requirements – will have established a mature cybersecurity posture that provides a meaningful head start toward CMMC certification. Existing policies, procedures, technical controls and governance structures can often be leveraged or adapted to satisfy CMMC requirements.
5. Why NIS2 compliance does not directly satisfy CMMC requirements
Despite the overlap, NIS2 compliance does not equate to CMMC certification. CMMC is an assessment-driven procurement gate – requiring a defined certification outcome through self, third-party or government assessment depending on the level – while NIS2 does not establish an equivalent, uniform certification regime and is enforced through national supervisory authorities. The two frameworks differ in both legal nature and scope: NIS2 is an EU directive implemented through national law, while CMMC is a U.S. DoD contractual requirement tied to U.S. information categories that do not map neatly onto NIS2 concepts.
6. Practical recommendations for EU companies
For EU companies that are – or seek to become – part of the U.S. Defence Industrial Base, early preparation is essential. The most efficient starting point is a structured gap analysis mapping existing controls – whether implemented for NIS2 compliance, ISO/IEC 27001 or internal governance – against the applicable CMMC level. Based on the gaps identified, organisations should develop a remediation plan aligned to the target certification level and implement appropriate remediation measures. In parallel, companies should plan for the applicable assessment route – whether self-assessment or a third-party assessment.
Ultimately, while NIS2 readiness provides a strong baseline and accelerates the journey, it is not a substitute for CMMC. EU contractors that treat CMMC as a procurement qualification exercise – grounded in control-level evidence, documented system boundaries and assessment readiness – will be best positioned to remain competitive as cybersecurity becomes a hard gate in transatlantic defence supply chains.