Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NLΒ·EN
Explainer

The AI Act, defence and national security: the exemptions

Adopted 2026-06-22 Β· ≈ 2 min read Β· Dirk Baaijen

The AI Act does not apply to AI systems used exclusively for military, defence or national-security purposes. Article 2 carves these out, but the boundaries are narrow: dual-use, civilian deployment and fundamental rights remain in scope.

Short answer: The AI Act does not apply to AI systems placed on the market or used exclusively for military, defence or national-security purposes. Article 2 carves these out. But the exemption is narrow: as soon as a system is also deployed in a civilian context, or falls outside that purpose, the AI Act applies in full β€” and other law applies regardless.

What Article 2 excludes

Article 2 of the AI Act provides that the regulation does not apply to AI systems developed and used exclusively for military or defence purposes, nor to systems used exclusively for national security β€” whether by a public or a private party.

The rationale: defence and national security are primarily a competence of the Member States, not the Union. The EU legislator did not want to intervene there through product regulation.

"Exclusively" is the pivotal word

The exemption stands or falls on the word exclusively. A system used even partly for other purposes falls outside the exemption and therefore within the AI Act.

That bears directly on dual-use: technology usable both militarily and civilly. A facial-recognition or drone system deployed not only in defence but also in border management or policing may fall fully under the AI Act for that civilian use β€” possibly even as a high-risk or prohibited practice.

What the exemption does not do

The exemption switches off only the AI Act, not the rest of the law. Processing of personal data remains under the GDPR insofar as it applies, fundamental rights continue to apply, and international law remains fully in force. The exemption is thus no blank cheque, but a delimitation of one instrument.

Nor does it mean anything bearing a security label drops out of view. Use by law enforcement for routine tasks is not "national security" within the meaning of Article 2; those applications are in fact among the most heavily regulated categories of the AI Act.

Consequences for suppliers

For anyone supplying defence the boundary is commercially relevant. A product that stays purely military escapes AI Act conformity. The moment the same product seeks a civilian market, the ordinary obligations apply β€” see the overview of high-risk obligations. That forces a deliberate choice about positioning.

What to do

  • Establish the actual purpose of use, not just intent: is deployment truly exclusively military/defence/national security?
  • Separate dual-use variants: a civilian application draws the AI Act fully in.
  • Apply the GDPR and fundamental rights anyway; the exemption does not switch those off.
  • Distinguish national security from law enforcement: the latter falls squarely within the AI Act.
  • Place this in the wider context of the state of AI regulation.

The defence exemption is real but narrow. Reading it too broadly misses the civilian and fundamental-rights obligations that simply continue to apply.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Article 2 excludes AI used exclusively for military, defence or national-security purposes from scope.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): continues to apply to processing of personal data, even where the AI Act does not.

Share on LinkedIn

Read next

U

Open-source AI models under the AI Act: exemptions and limits

The AI Act eases some GPAI obligations for models released under a free and open licence, but the exemption is narrow and conditional. Copyright policy and a training-data summary still apply, and where there is systemic risk the exemption falls away entirely.

W

EAA: which products and services are covered

Directive (EU) 2019/882 (European Accessibility Act) imposes accessibility requirements on five product categories and six service categories; micro-enterprises providing services are fully exempt, and self-service terminals in use before 28 June 2025 may continue operating until end of economic…

A

MDR and the AI Act: regulatory overlap for medical software

Medical software with AI components falls simultaneously under the MDR and the AI Act; the high-risk classification via the MDR route (Article 6(1) AI Act) does not apply until 2 August 2027.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject β€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method β†’

A project or programme? Work with YRproject β†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.