Updated on 9 April 2026

Export control and defense cybersecurity: compliance guide for SMEs

SMEs supplying dual-use goods or working on classified information systems must master export control (ITAR, EAR, EU regulations) and defense cybersecurity (IGI 1300, SecNumCloud). Non-compliance carries criminal penalties and market exclusion.

Export control: ITAR, EAR and EU regulations

ITAR regulates US defense exports: any French company using USML-listed components is subject to it, even as a Tier 3 subcontractor. Violations carry penalties of up to $1M per infraction. EAR covers dual-use goods on the CCL (Commerce Control List). EU Regulation 2021/821 governs dual-use exports in Europe, with the French SBDU issuing licenses. SMEs must classify their products (USML/CCL/ML), screen end-users, and maintain compliance documentation.

Defense cybersecurity: IGI 1300 and SecNumCloud

IGI 1300 sets classified information protection rules for IT systems: system accreditation, ANSSI-approved encryption, access logging, network separation (air gap for TS), annual penetration testing. SecNumCloud is ANSSI's cloud security qualification — increasingly required for sensitive defense data hosting. The PSSI (IT Security Policy) is mandatory for any classified contract, covering risk analysis (EBIOS RM), technical measures, incident management, and cyber training.

Building an SME compliance program

Implement an ICP (Internal Compliance Program) covering: management-signed policy, compliance officer, screening procedures, product classification, license management, staff training, annual audit. For cybersecurity, develop a PSSI with asset mapping and an EBIOS RM risk analysis, and obtain information system (SI) accreditation before contract execution (3-6 months lead time).
