Europe’s defence-industrial base is entering a regulatory environment in which operational continuity, cybersecurity, financial resilience and security of supply can no longer be treated as separate compliance domains. The convergence between the Critical Entities Resilience Directive, NIS2, DORA and EDIP is creating a layered framework that affects primes, strategic suppliers, digital infrastructure providers, banks, insurers and public authorities. Its significance lies not in the automatic inclusion of the whole defence sector within a single legal regime, but in the progressive extension of resilience obligations across the civilian infrastructures, financial systems, digital services and industrial supply chains on which defence production depends.

The report examines this convergence through four connected layers. It first explains why resilience is becoming a structural condition of defence-industrial readiness rather than a narrow legal obligation. It then analyses the four regulatory pillars separately, showing how each contributes to the emerging cyber-physical-operational resilience architecture. The report subsequently assesses the impact on defence primes, Tier-1 suppliers, lower-tier suppliers, digital providers, banks, insurers, advisers and public authorities. It closes with a Defence Finance Monitor assessment of the strategic, financial and market implications for the European Defence Technological and Industrial Base.