The EU AI Act does not create a general exemption for defence ministries, armed forces, defence primes or defence-tech companies. Its defence, military and national-security exclusion turns on a narrower condition: whether an AI system is placed on the market, put into service or used exclusively for military, defence or national-security purposes. This makes the word “exclusively” the decisive legal and industrial threshold. As AI systems move across defence, cybersecurity, logistics, training, public administration, border management, law enforcement and critical infrastructure, the boundary between exempt defence use and regulated dual-use deployment becomes a strategic issue for companies, investors, public buyers and regulators.

This report analyses the legal architecture of Article 2(3) of Regulation (EU) 2024/1689, the role of Recital 24, the relevance of GPAI obligations, and the implementation environment emerging across the European Union in 2026–2027. It develops a dual-use AI boundary test for defence and strategic-technology actors, examines the likely impact of different national implementation architectures in Germany, France and Italy, and translates the legal boundary into consequences for defence-tech scaleups, primes, investors, procurement authorities and legal advisers. The report also addresses the liability dimension after the withdrawal of the AI Liability Directive proposal, focusing instead on the Product Liability Directive, contractual risk allocation and national liability regimes.