How Geopolitical Risk Management Will Reshape Defense Procurement

A sober look at trusted ICT rules, supplier dependence, and the coming post-quantum migration.

The EU is not declaring war on suppliers, but it is moving toward a more explicit and more geopolitical model of ICT risk management. In February 2026, the Commission and the NIS Cooperation Group adopted an EU ICT Supply Chain Security Toolbox, a horizontal and non-binding framework for identifying and mitigating supply-chain risk across ICT procurement. In January 2026, the Commission also said its revised Cybersecurity Act proposal would set out a trusted ICT supply chain security framework that addresses non-technical risks such as foreign interference.

That matters because supply-chain security is no longer just a checklist item. The new direction is clearly aimed at reducing dependency on critical suppliers, improving resilience, and pushing buyers toward more diversified and better-assessed sourcing choices. For defense primes and critical-infrastructure operators, that means procurement teams will increasingly have to defend not only the security of a component, but the structure of the chain behind it.

The real pressure point is tier depth. Most major organizations already know their Tier-1 vendors; far fewer can map the specialized Tier-3 and Tier-4 suppliers that produce niche hardware, embedded software, certification tooling, or cloud dependencies. That becomes a problem when the policy signal shifts from “manage risk” to “prove resilience,” because smaller suppliers can be operationally excellent yet still fail documentation, provenance, or concentration-risk tests.

At the same time, the EU is pushing post-quantum cryptography migration. The Commission’s roadmap calls for a coordinated transition and gives Member States a timeline for planning and implementation, reflecting the reality that the public-key cryptography in use today will not remain secure indefinitely. For defense and critical-infrastructure operators, that creates an awkward overlap: systems must be prepared for PQC migration while still running on long-life hardware and procurement cycles that move much more slowly.

This is where the tension becomes practical, not theoretical. A small specialized supplier may have the technical expertise to deliver a critical component, but if it depends on non-EU manufacturing, external cloud services, or opaque sub-suppliers, the buyer may face new pressure to justify that dependence. The result is not an automatic ban; it is a sharper procurement environment in which resilience, substitution ability, and supply-chain transparency matter more than they did before.

For smaller innovators, that can feel punishing. NIS2 already places substantial compliance obligations on many entities in critical sectors, with penalties that can be significant for in-scope organizations. Even where a small company is not directly in scope, it may still be pulled into the compliance gravity of its customers, who now need more evidence, more assurance, and more contractual control.

The honest conclusion is simple: the EU is building a more sovereign, more security-conscious ICT regime, and that will favor suppliers who can document trust, continuity, and cryptographic agility. For defense buyers, the challenge is to avoid turning legitimate resilience goals into blunt exclusion that erodes industrial capability. The winners will be the suppliers who can prove their chain, adapt to PQC, and survive a procurement culture that is getting much less forgiving.

Forculus can help defense and critical-infrastructure teams turn this policy pressure into a practical advantage by mapping supplier dependencies, stress-testing Tier-3 and Tier-4 exposure, and building a credible evidence pack before procurement or audit questions arrive.

The pro tips are simple: start the supplier inventory now, demand provenance and substitution data from key vendors, separate “must-have” components from nice-to-have dependencies, and make PQC readiness part of roadmap planning rather than a future retrofit.
