
Is sharing defense data with LSPs a violation of EU export law?

  • May 1


Many export compliance officers at EU defense primes assume that sharing technical documentation with a language service provider inside the EU is legally straightforward. It often is not. The EU Dual-Use Regulation 2021/821 contains provisions that can make even an intra-EU data transfer a regulated event, depending on what the data covers, where the LSP processes it, and who actually reads it. This article cuts through the confusion, maps the relevant legal architecture, and gives compliance teams a practical framework for managing the risk.

 


 

 

Key Takeaways

 

| Point | Details |
| --- | --- |
| Intra-EU sharing is mostly unrestricted | Defense data is usually shareable within the EU except for Annex IV and national military controls. |
| Sensitive and Annex IV items need extra care | Data classified under Annex IV or specific national laws may require a license even for intra-EU transfers. |
| Cloud and foreign staff create hidden risks | Using LSPs with non-EU staff or cloud subprocessors can inadvertently trigger export controls. |
| Thorough due diligence is critical | Compliance teams must go beyond the checklist and actively test, audit, and control defense data sharing processes. |

How EU export laws define ‘defense data’ and data sharing

 

To frame your compliance obligations correctly, start with the EU’s official definitions and the regulatory architecture that sits behind them.

 

The EU Dual-Use Regulation 2021/821 controls the export of dual-use items, which explicitly includes technical data, software, and technology with both civil and military applications. “Technology” under the regulation means specific information necessary for the development, production, or use of controlled items. That definition is broad enough to cover technical manuals, system specifications, maintenance procedures, and engineering drawings that your translation team routinely handles.

 

Purely military items sit in a separate legal space. Defense data typically falls under national military controls and the EU Common Military List, which member states implement through their own national legislation. In Germany, that means the Außenwirtschaftsgesetz enforced by BAFA. In France, it is the Direction Générale de l’Armement. In Ukraine-adjacent supply chains, UAMA plays a growing role. The practical consequence is that your compliance team must work across two parallel frameworks simultaneously.

 

The regulation’s Annex I lists all controlled dual-use items. Annex IV is the more restrictive subset requiring an individual or global license even for intra-EU transfers. Understanding which annex applies to your data is the first decision gate in any translation workflow.

 

| Annex | Scope | Intra-EU movement | Extra-EU export |
| --- | --- | --- | --- |
| Annex I | All controlled dual-use items | Generally free movement | License required |
| Annex IV | Highest-sensitivity dual-use items | License required | License required |
| Common Military List | Purely military items | National law governs | National license required |

Controlled technology under Article 2(1)(f) of Regulation (EU) 2021/821 means “technology for the development, production or use of items listed in Annex I, including software.”

 

When you hand a technical document to a language service provider, you are transferring technology in the legal sense of that word. The LSP’s role as a processor does not change the classification of the data itself. That distinction matters enormously when you map your defense documentation export rules against your vendor contracts.

 

When is sharing defense data with an LSP considered ‘export’?

 

With definitions set, the next step is to pinpoint exactly when sharing with an LSP crosses into regulated export territory.

 

Under EU law, “export” means the physical or electronic transmission of controlled items outside the EU customs territory. This is meaningfully different from the US ITAR framework, which treats the disclosure of controlled technical data to any foreign national anywhere in the world as a deemed export, regardless of geography. EU law does not have an identical deemed export doctrine written into the regulation’s text. However, Article 2(2)(b) of Regulation 2021/821 introduces a “deemed transfer” concept that functions similarly in practice: transmitting controlled technology by electronic means, fax, or telephone to a destination outside the EU constitutes an export subject to controls.

 

Sharing defense technical data with an LSP within the EU does not constitute an export under the Dual-Use Regulation if both parties are EU-based and the data is not listed in Annex IV. For most dual-use technical documentation, intra-EU sharing is therefore free movement. But three scenarios can flip that conclusion quickly.

 

  • Annex IV data requires an intra-EU license regardless of where the LSP is located.

  • National military list items trigger member state controls that may be stricter than the EU baseline.

  • Cloud processing or remote access outside the EU converts what looks like an intra-EU transaction into an extra-EU export.

 

| Scenario | Legal classification | License required? |
| --- | --- | --- |
| EU prime shares Annex I data with EU LSP, all processing in EU | Intra-EU free movement | No |
| EU prime shares Annex IV data with EU LSP | Intra-EU controlled transfer | Yes, individual or global license |
| EU prime shares data with EU LSP that routes processing to non-EU servers | Extra-EU export (deemed transfer) | Likely yes, data-dependent |
| EU prime shares military list data with any LSP | National law governs | Consult NCA (BAFA, DGA, UAMA) |

The risks of engaging unvetted translators go beyond translation quality. A linguist based outside the EU who remotely accesses your controlled technical documents through an LSP’s platform is, in practical terms, receiving a technology transfer. Your NCA does not care that the intent was a translation project.



Pro Tip: Before onboarding any LSP, check your data against both Annex I and Annex IV of Regulation 2021/821, and separately against your member state’s national military list. These are three distinct classification exercises, not one.

 

Key compliance risks when involving LSPs in defense data translation

 

Once the basics are clear, attention turns to the practical compliance risks that can arise in real translation workflows.

 

The EU does not have an explicit deemed export rule equivalent to the US ITAR, but the practical effect of non-EU personnel or extra-EU data transfers is nearly identical in risk terms. Non-EU personnel or extra-EU transfers may trigger controls even when the contracting LSP is an EU-registered entity. This is the gap that most compliance teams miss.

 

Here are the four high-risk scenarios that require additional controls in any defense translation workflow:

 

  1. Non-EU translators with remote access. An LSP registered in Germany may subcontract work to linguists in non-EU countries. If those linguists access your controlled technical data, even through a secure portal, the data has effectively left the EU.

  2. Public cloud storage of controlled documents. Many translation management systems store source files and translation memories on servers operated by US hyperscalers. Even if the LSP is EU-based, data residency on non-EU infrastructure may constitute an export.

  3. Automated NMT engines processing controlled text. Consumer-grade neural machine translation tools process data on infrastructure outside your control. Sending controlled technical content through a public NMT API is an export event.

  4. Unscreened subcontractor chains. An LSP may use a second-tier vendor for quality review or desktop publishing. If that vendor is outside the EU or employs non-EU nationals with data access, your export control perimeter has expanded without your knowledge.

 

Compliance teams often focus on the prime contractor’s own systems and overlook the LSP’s internal architecture entirely. The export control exposure in a translation project is frequently located two or three layers deep in the vendor’s workflow, not at the point of initial data transfer.

 

Data sovereignty measures should include a formal infrastructure audit of every LSP before contract signature. Ask for documented evidence of server locations, subcontractor lists, and access logs. If the LSP cannot produce these, that is itself a compliance signal.

 

The cloud risks for defense data are particularly acute because the problem is often invisible. Your data may be encrypted in transit, but if it is decrypted and processed on non-EU infrastructure, the encryption does not change the legal classification of the transfer.

 

Pro Tip: Always verify the actual physical location of LSP processing and storage, not just the registered address of the company. Request the LSP’s ISO 27001 certificate and read the scope statement. Scope limitations matter.

 

Steps to ensure EU export law compliance when sharing defense data

 

Having outlined common risks, compliance teams need a clear checklist to operationalize the guidance and protect the company.



Classifying your data against Annex I, Annex IV, and the national military list is the mandatory first step. Without accurate classification, every subsequent decision rests on an unstable foundation. Assign a classification owner, document the rationale, and update it when the technical content changes.

 

The following policy controls represent the minimum standard for any defense translation workflow:

 

  • Personnel screening requirement. Require the LSP to confirm in writing that all personnel with access to your controlled data are EU nationals or hold the appropriate authorizations under national law.

  • Data residency guarantee. Contractually require that all processing, storage, and output generation occurs on EU-hosted infrastructure. Specify that subcontractors are bound by the same obligation.

  • No public cloud or third-party NMT. Explicitly prohibit the use of any public cloud service or external machine translation API for controlled content.

  • Audit rights. Include a contractual right to audit the LSP’s infrastructure and access logs, and exercise it at least annually.

  • Incident notification. Require the LSP to notify you within 24 hours of any unauthorized access, data breach, or unplanned transfer of your data outside the agreed perimeter.

  • License documentation. If your data is Annex IV or military list, obtain the appropriate license before sharing and keep a copy in your compliance file alongside the LSP contract.

 

Your data security checklist for translation projects should also cover security procedures at the workflow level, not just the contract level. A contract clause is not a technical control. Verify that the LSP’s platform enforces the obligations you have written into the agreement.

 

When evaluating LSPs, treat ISO 27001 certification as a documented baseline for information security governance. It means the LSP has implemented a formal information security management system and had it independently audited. For defense work, also look for ISO 17100 certification, which governs translation process quality, and AQAP 2110 alignment, which is the NATO quality assurance standard for development and production. An LSP pursuing AQAP 2110 is signaling that it understands the defense supply chain’s quality and security expectations at a structural level.

 

Why following checklists is not enough: Our compliance lessons from real defense projects

 

Checklists are necessary. They are not sufficient. After 25 years of working on regulated and defense translation projects, the pattern we observe is consistent: organizations that rely on checklist compliance alone are the ones that get surprised.

 

Here is a scenario that illustrates the point. A Tier-1 supplier engaged an LSP for the translation of technical maintenance documentation for a dual-use platform. The LSP held ISO 27001 certification, had signed a data processing agreement, and had confirmed in writing that all translators were EU nationals. The compliance team checked every box. What they did not check was the LSP’s desktop publishing subcontractor, which formatted the final documents and, in doing so, had full access to the translated technical content. That subcontractor was registered in the EU but operated a remote team in a non-EU country. The original contract did not extend to subcontractors. The LSP’s ISO 27001 scope did not cover the subcontractor’s systems.

 

The project completed without a formal enforcement action, but only because the supplier’s legal team identified the gap during a routine internal audit and immediately notified the relevant NCA. The remediation process took four months and required retroactive licensing documentation. The lesson is not that the checklist failed. The lesson is that the checklist was applied at the wrong level of granularity.

 

Defense-in-depth compliance means treating your LSP relationship as a continuous oversight obligation, not a one-time vendor qualification event. Periodic re-verification of personnel rosters, infrastructure audits, and spot-checks of actual workflow execution are what separate organizations that manage export risk from those that merely document it.

 

We have also seen over-reliance on certifications as a proxy for actual compliance behavior. A certificate tells you that a system was audited at a point in time. It does not tell you what happened last Tuesday. The organizations that maintain the strongest security posture combine formal certification requirements with active relationship management and independent verification.

 

The uncomfortable truth is that export compliance in translation is a people problem as much as a process problem. Cultural habits, time pressure, and informal workarounds erode technical controls. Build your compliance program around that reality.

 

How our export-compliant language services support your defense data needs

 

If your compliance team is navigating the intersection of EU dual-use controls and translation workflows, you need an LSP that has built its infrastructure around exactly these requirements, not one that treats them as an afterthought.



AD VERBUM operates a proprietary LangOps System hosted entirely on EU servers, with no reliance on public cloud tooling for core processing. Our multilingual defense data support covers 150+ languages through a network of 3,500+ subject-matter expert linguists, all operating within an ISO 27001 certified, GDPR-aligned security framework. We hold ISO 17100 and ISO 9001 certifications and are actively pursuing AQAP 2110 alignment to meet NATO supply chain standards. Our AI+HUMAN hybrid workflow enforces client terminology through Translation Memories and Term Bases, with certified SME review and QA aligned to ISO 17100 and ISO 18587. Explore our full range of export-compliant LSP services or review our localization for defense projects to see how we structure audit-ready workflows for controlled technical documentation.

 

Frequently asked questions

 

Does sharing defense technical data with an LSP inside the EU require an export license?

 

No export license is needed for most intra-EU sharing, unless the data is classified as Annex IV or subject to national military controls. Dual-use items may be traded freely within the EU, with Annex IV as the key exception.

 

What if my LSP uses non-EU translators for my defense documents?

 

If non-EU nationals or locations are involved in processing your controlled data, sharing may trigger export controls and require a license or additional safeguards. LSPs employing non-EU personnel with data access may trigger controls if the data effectively leaves the EU or national security rules apply.

 

Is there an EU ‘deemed export’ rule similar to the US ITAR?

 

No, the EU does not have a formal deemed export rule identical to the US ITAR, but Article 2(2)(b) of Regulation 2021/821 creates a deemed transfer doctrine for electronic transmissions outside the EU. Non-EU staff or extra-EU transfers may still require controls even without a formal deemed export provision.

 

What steps ensure compliance when using an LSP for defense data?

 

Classify all data against Annex I, Annex IV, and national military lists, screen LSP personnel, keep all data processing within the EU, and verify the LSP’s compliance certifications and infrastructure controls. Classify data and check controls before transfer, and maintain documented evidence for NCA audit purposes.

 
