The European defence technological and industrial base is being pushed toward higher standards of resilience, cyber discipline, and supply-chain security, yet the legal framework does not map neatly onto the way the defence market describes itself. Directive (EU) 2022/2555 does not regulate a standalone “defence sector” as such. It applies through sectoral classifications, size thresholds, and, in some cases, national designation. This creates a recurrent analytical error in both directions: some market participants assume that NIS2 applies automatically to defence companies, while others assume that defence relevance places them outside the directive’s ordinary logic. The real position is narrower, more technical, and more consequential. The question is not whether a company is “defence” in identity, but whether it falls within one of the directive’s legal routes to inclusion and, if so, what concrete obligations follow in practice.

The report is structured to answer that question in a disciplined sequence. It begins by reconstructing the legal baseline of NIS2, including its scope, exclusions, entity classification system, and size-cap logic, before testing which segments of the EDTIB are actually captured and on what legal basis. It then examines the substantive obligations that apply once an entity falls within scope, with particular attention to supply-chain security, governance, incident reporting, supervision, and sanctions. From there, it analyses how verified national transposition measures alter the operational compliance picture, especially for companies that may be brought into scope through national designation or supply-chain criticality. Finally, it assesses the interaction between NIS2 and Regulation (EU) 2025/2643, not by conflating the two instruments, but by showing how cyber compliance increasingly sits inside a broader defence-industrial architecture of security, control, resilience, and eligibility.