Navigating the Dual-Use Drone AI Regulatory Maze: A Comprehensive Guide for European Companies

The New Reality of Drone Development in Europe

Three years into the Russian invasion of Ukraine, the battlefield has become a living laboratory for autonomous drone technology. Fiber-optic and FPV drones have replaced short and medium range traditional artillery, and AI-powered autonomous systems are rapidly becoming the norm. European companies developing drone technology, need to keep up with evolving technologies and regulatory frameworks.

The Polish Development Fund (PFR) exemplifies the delicate balance European governments must strike. While unable to directly fund defense technology, the PFR’s new €150 million Deep Tech Program (launched May 2025) encourages companies to build civilian technologies with potential defense applications. This “dual-use” approach creates a complex regulatory landscape that companies must navigate carefully.

EU AI Act: Key Milestones

The EU AI Act rolls out in phases, with major deadlines:

• 2 Feb 2025: Ban on prohibited AI practices and AI literacy requirements take effect¹²³.
• 4 Feb 2025: Guidelines on prohibited AI practices published².
• 6 Feb 2025: AI system definition guidelines released³.
• 2 Aug 2025: Obligations for General‑Purpose AI models begin; member states must designate enforcement authorities⁴.
• Aug 2026: Full requirements for high‑risk AI systems apply; sandboxes operational⁵.
• Aug 2027: Complete implementation for all AI systems.

Despite industry concerns, the timeline remains unchanged⁴.

Why Your Drone AI System Is Likely “High-Risk”

Under the EU AI Act, autonomous drones used for civilian purposes are classified as high-risk AI systems. This classification isn’t arbitrary – it reflects the genuine risks these systems pose:

• Safety-critical components: Drones operate in regulated airspace under EU aviation laws
• Public safety impact: They directly affect people on the ground and in the air, autonomously controlling flight and mission-critical decisions, operating beyond visual line of sight (BVLOS) and potentially flying over populated areas
• Privacy concerns: They process sensitive data including images and location information
• Dual-Use Nature: The same AI system’s components and software can be adapted for military reconnaissance or surveillance, making it a dual-use technology subject to additional export controls and national defence regulations
• Impact: Failures or misuse could cause physical harm, privacy violations, or contribute to military conflicts, justifying stringent governance

Understanding the Military Exemption

The military exemption under Article 2 of the EU AI Act contains critical nuances that defense tech companies must understand. The word “exclusively” is pivotal - any civilian application brings the entire system under AI Act scope⁶. Key considerations include:

• Systems initially developed for military use that later add civilian capabilities must achieve full AI Act compliance
• Defense contractors must consider civilian market compliance from the design phase
• Dual-use classification triggers both AI Act requirements AND export control regulations⁷

Companies like Germany’s Helsing (valued at €1B+) have solved this through modular architecture that clearly separates civilian and military components. Portugal’s Tekever secured NATO Innovation Fund investment while maintaining strict use-case separation.

Real-World Success Stories: Learning from Industry Leaders

Quantum Systems (Germany) - Europe’s First Defense Tech Unicorn

Quantum Systems achieved unicorn status in May 2025 with a €160 million funding round, demonstrating the civilian-first development approach⁸. Key strategies:

• Created separate entity (Stark Defense) for weaponized systems
• Maintained clear documentation separation between civilian and military AI
• Developed modular AI that can swap between compliance configurations
• Achieved both civilian certifications and military approvals simultaneously

Nordic Air Defence (Sweden) - Software-Centric Innovation

This startup’s Kreuger 100 interceptor demonstrates how software-centric approaches reduce regulatory complexity by 10x⁹:

• Replaced traditional hardware guidance with AI-based flight control
• Reduced unit costs from €100,000+ to under €10,000
• Explicit dual-use design from inception
• Clear compliance documentation for both civilian and military applications

Milrem Robotics (Estonia) - Ethical AI in Defense

Despite UAE ownership, Milrem maintains full EU compliance through¹⁰:

• Strict human-in-the-loop requirements for all autonomous functions
• Clear separation between mobility AI and weapons systems
• Comprehensive ethical AI development policies
• Regular third-party compliance audits

UNIFLY (Belgium) - Exceeding Compliance Standards

UNIFLY’s UTM platform demonstrates how exceeding AI Act requirements through aviation standards creates market advantages¹¹:

• EASA-certified AI systems automatically meet AI Act requirements
• Successful integration of military drones into civilian airspace
• €17 million Series B funding based on compliance excellence

Technical Standards and Certification Requirements

CEN-CENELEC JTC 21 Standards (Under Development)

The European standardization bodies are developing harmonized standards expected by late 2025¹²:

• AI Trustworthiness Framework (prEN 17993)
• AI Risk Management System (prEN 18014)
• AI Conformity Assessment Procedures (prEN 18029)
• AI Testing and Evaluation Methods (prEN 18045)

These standards will provide presumption of conformity for AI Act compliance.

EASA AI Certification Framework

The European Aviation Safety Agency has established a three-tier AI classification system for aviation applications¹³:

• Level 1: AI assistance/augmentation - Human retains full control
• Level 2: Human-AI teaming - Automatic decisions with human oversight
• Level 3: Full autonomy - Not expected before 2050 for safety-critical functions

Drone AI systems typically fall under Level 1 or Level 2, requiring:

• Explainability requirements
• Performance monitoring capabilities
• Fail-safe mechanisms
• Human override functions

ISO 42001:2023 Integration Benefits

Leading companies are integrating ISO 42001 AI Management Systems with EU AI Act compliance to create unified governance frameworks¹⁴. This combined approach:

• Reduces documentation duplication by up to 60%
• Provides internationally recognized certification
• Streamlines conformity assessment processes
• Positions companies for global market access

Organizations pursuing ISO 42001 certification gain¹⁵:

• Structured AI governance framework aligned with AI Act requirements
• International recognition facilitating global market access
• Reduced audit burden through integrated management systems
• Competitive differentiation in procurement processes

Provider Requirements: Your Development Checklist

As the creator of a dual-use drone AI system, you must implement:

1. Risk Management System

• Continuous lifecycle assessment
• Iterative risk identification and mitigation
• Regular updates based on operational data

2. Data Governance and GDPR Compliance

• High-quality training datasets
• Bias mitigation strategies
• Representative data sampling
• Error-free validation processes
• Automatic anonymization for inadvertently collected personal data
• Real-time blurring of faces and license plates
• Data Protection Impact Assessments (DPIAs) for all high-risk drone operations

Recent enforcement actions highlight critical requirements¹⁶, including the December 2024 €15 million OpenAI fine signaling aggressive enforcement for AI training data practices.

3. Technical Robustness

• Accuracy benchmarks
• Cybersecurity measures
• Resilience testing
• Fail-safe mechanisms

4. Documentation (10-Year Retention!)

• System architecture details
• Training methodologies
• Risk assessment records
• Performance metrics
• Conformity assessment reports

5. Human Oversight Design

• Clear human-machine interfaces
• Override capabilities
• Monitoring dashboards
• Alert systems

6. Quality Management System

• ISO 9001-style processes
• Change management procedures
• Audit trails
• Continuous improvement frameworks

Deployer Obligations: Operating Your System

Companies operating dual-use drones face their own requirements:

• Strict adherence to provider instructions
• Continuous human oversight during operations
• Transparency obligations to affected individuals
• Impact assessments for fundamental rights and data protection
• Incident reporting to providers and authorities
• Log maintenance for accountability

Critical Regulatory Gaps and Challenges

The Liability Framework Crisis

The withdrawal of the AI Liability Directive in February 2025 creates significant uncertainty¹⁷:

• No harmonized fault allocation for autonomous drone incidents
• Varying national liability regimes across 27 member states
• Insurance products not adapted to AI-specific risks
• Unclear liability for AI decisions vs. human oversight failures

Companies must:

• Implement comprehensive insurance strategies
• Document decision-making processes meticulously
• Establish clear liability allocation in contracts
• Prepare for potential strict liability regimes

Cross-Border Operational Complexity

The fragmented implementation across member states creates operational challenges¹⁸:

• Different competent authorities with varying interpretations
• National security exemptions applied inconsistently
• Varying certification mutual recognition agreements
• Different enforcement priorities and resources

Best practice: Design compliance frameworks that exceed the strictest national requirements.

Export Control: The Second Regulatory Layer

EU Regulation 2021/821 adds another compliance dimension. Recent updates include:

• September 2024: New controls on quantum computing and advanced electronics
• March 2024: Mandatory “No Russia Clauses” in export contracts
• December 2024: China’s tightening of dual-use drone component exports
• Ongoing: Supply chain disruptions from Chinese component restrictions

The Ukraine conflict has fundamentally changed export control enforcement, with authorities taking a much stricter approach to dual-use technologies.

Managing Overlapping Regulatory Frameworks

Managing overlapping regulatory frameworks requires systematic approach¹⁹:

Key Control Regimes:

• Wassenaar Arrangement (42 participating states)
• EU Dual-Use Regulation 2021/821
• National military lists
• Sanctions and embargoes

Practical Steps:

1. Classify all components under relevant control lists
2. Implement internal compliance programs (ICPs)
3. Screen all parties against sanctions lists
4. Maintain detailed export records (5-year minimum)
5. Obtain catch-all authorizations where applicable

Practical Compliance Strategies and Tools

1. Modular Design Architecture

Follow ARX Robotics’ example: tool-free module exchanges allow rapid configuration between civilian and defense applications, simplifying compliance documentation.

2. Documentation-First Development

Start compliance documentation on day one. The 10-year retention requirement means your early design decisions will follow you for over a decade.

3. Early Authority Engagement

National competent authorities (designated by August 2025) can provide guidance. Early engagement prevents costly late-stage redesigns.

4. Cross-Functional Teams

Combine engineering, legal, and compliance expertise from project inception. Siloed development leads to compliance failures.

5. Regulatory Sandboxes

Each EU member state must establish AI regulatory sandboxes by August 2, 2026²⁰. These environments offer:

• Free access for SMEs and startups
• Limited liability protection during testing phases
• Direct regulatory guidance from competent authorities
• Fast-track certification pathways for successful participants
• Cross-border testing opportunities through mutual recognition

Compliance Costs and ROI

Companies must budget for substantial compliance investments²¹:

• €29,277 annual labor compliance cost per AI model
• €193,000-330,000 for new Quality Management System setup
• €52,227 total annual governance costs per AI model
• 2-3 FTEs dedicated to AI compliance for high-risk systems

ROI Calculation: Most companies achieve positive ROI within 18-24 months through premium pricing and expanded market access.

Global Regulatory Comparison

Different jurisdictions take fundamentally different approaches to dual-use AI regulation²²:

Jurisdiction	Approach	Key Requirements	Penalties
EU	Rights-based comprehensive regulation	Risk-based classification, extensive documentation	Up to 7% global turnover
USA	Security-first with criminal sanctions	Export controls, deemed export rules	Up to 20 years imprisonment
UK	Pro-innovation voluntary framework	Sector-specific guidance, no binding rules	Limited enforcement
China	Strategic export control tool	State approval for dual-use exports	Administrative and criminal

The Cost of Non-Compliance and Enforcement Landscape

The AI Act imposes severe penalties:

• Prohibited practices: Up to €35M or 7% of global turnover
• High-risk violations: Up to €15M or 3% of global turnover
• Incorrect information: Up to €7.5M or 1% of global turnover

While no major AI Act enforcement actions have occurred yet, parallel enforcement provides guidance²³:

• €15 million OpenAI fine (Italy, December 2024) for GDPR violations in AI training
• Increasing scrutiny of AI data practices across member states
• Coordinated enforcement expected through European AI Board
• Priority enforcement areas: prohibited practices, high-risk non-compliance

Beyond financial penalties, non-compliance means market exclusion across all 27 EU member states.

Strategic Action Plan

Immediate Actions (2025)

1. AI System Inventory and Classification
   • Catalog all AI components and capabilities
   • Determine risk levels using official assessment tools
   • Document dual-use characteristics
   • Timeline: Complete by July 2025
2. AI Literacy Implementation
   • Deploy mandatory training programs (required since February 2025)
   • Cover both technical staff and management
   • Document completion for compliance records
   • Budget: €500-1,000 per employee
3. Modular Architecture Planning
   • Separate civilian and military AI modules
   • Implement version control systems
   • Design API-based compliance boundaries
   • Investment: €200,000-500,000

Medium-term Priorities (2025-2027)

1. Standards and Certification
   • Achieve ISO 42001 certification (12-18 months)
   • Prepare for harmonized standards adoption
   • Develop relationships with notified bodies
   • Budget: €150,000-300,000
2. Cross-Border Compliance
   • Map requirements across target markets
   • Establish subsidiary structures where needed
   • Implement unified documentation systems
   • Create multi-jurisdictional teams

Long-term Strategic Positioning (2027+)

1. Standards Development Participation
   • Join CEN-CENELEC working groups
   • Contribute to industry best practices
   • Shape future regulatory frameworks
   • Build regulatory relationships
2. Strategic Autonomy
   • Reduce dependence on non-EU components
   • Develop proprietary AI capabilities
   • Establish European supply chains
   • Invest in sovereign technology

Practical Compliance Assessment Checklist

Pre-Development Phase:

• Dual-use classification completed
• Regulatory landscape mapped
• Modular architecture designed
• Compliance budget allocated
• Team training initiated

Development Phase:

• Risk assessments documented
• Data governance implemented
• Human oversight integrated
• Technical documentation maintained
• Testing protocols established

Pre-Market Phase:

• Conformity assessment completed
• CE marking requirements met
• Export licenses obtained
• Insurance coverage secured
• Deployment procedures finalized

Market Opportunities Despite Challenges

The regulatory burden hasn’t deterred investment:

• European defense tech attracted €1 billion in venture funding (2024)
• Dual-use technologies command premium valuations
• Clear compliance frameworks provide competitive advantages

Looking Ahead

The intersection of civilian innovation and defense needs will only grow more complex. Companies that invest in robust compliance frameworks today position themselves to capture opportunities in both markets tomorrow. The Ukrainian experience demonstrates that rapidly deployable, adaptable drone technology saves lives – but only if we can navigate the regulatory framework to bring these innovations to market.

The path forward requires balancing innovation with responsibility, speed with compliance, and civilian benefits with defense capabilities. Success requires a holistic approach combining technical excellence, regulatory expertise, and strategic foresight. It’s a challenging journey, but one that’s essential for European security and technological sovereignty.

---

Resources and References

Official EU Resources

• EU AI Act Official Portal
• European Commission - AI Act Implementation
• EU Dual-Use Export Controls

Industry Analysis

• High-Risk AI Systems Guide - NAAIA
• Drone-Specific AI Act Analysis - Blakistons Law
• Implementation Requirements - CERRE

Legal Perspectives

• CMS Law - AI Act Regulatory Focus
• Pinsent Masons - High-Risk AI Guide
• WilmerHale - High-Risk Requirements

Compliance Tools

• EU AI Act Compliance Checker
• IAPP - Operational Impacts Guide

Additional References

---

Dr. Piotr Gryko is a technology policy expert specializing in AI systems and European defense innovation. This comprehensive guide represents the current understanding of EU AI Act requirements for dual-use drone systems as of June 2025. Given the rapidly evolving regulatory landscape, companies should verify current requirements with legal counsel and monitor official EU sources for updates. This guide does not constitute legal advice.

1. European Commission. (2025, February 2). “First rules of the Artificial Intelligence Act are now applicable.” Digital Strategy. ↩

2. European Commission. (2025, February 4). “Guidelines on prohibited artificial intelligence practices as defined by the AI Act.” Digital Strategy. ↩ ↩²

3. European Commission. (2025, February 6). “Guidelines on AI system definition to facilitate the first AI Act’s rules application.” Digital Strategy. ↩ ↩²

4. DLA Piper. (2025, May). “EU AI Act Update – AI Literacy: Questions & Answers.” ↩ ↩²

5. European Parliament. (2025). “EU AI Act: first regulation on artificial intelligence.” Topics. ↩

6. EU Artificial Intelligence Act. (2024). “Article 2: Scope.” ↩

7. Sierra Tango. (2024). “AI Act: What impact for defence?” ↩

8. CTOL Digital. (2025). “Quantum Systems Becomes Germany’s First Defense Tech Unicorn in 2025 After €160 Million Funding Round.” ↩

9. Army Recognition. (2025). “Analysis: Sweden’s new Kreuger 100 interceptor removes traditional guidance systems to make drone interception affordable.” ↩

10. Invest Estonia. (2024). “Milrem Robotics raises the largest foreign investment in Estonia’s defence sector.” ↩

11. EU-Startups. (2019). “Belgian startup Unifly raises €17 million for its drone traffic management software.” ↩

12. CEN-CENELEC. (2024). “Artificial Intelligence Standards Development.” ↩

13. Aviation Week. (2024). “EASA Makes Progress On Standards Project For AI.” ↩

14. A-LIGN. (2024). “Understanding ISO 42001: The World’s First AI Management System Standard.” ↩

15. Nemko Digital. (2024). “ISO 42001 Certification: The Key to AI Regulatory Compliance.” ↩

16. Data Protection Report. (2025). “The EDPB Opinion on training AI models using personal data and recent Garante fine.” ↩

17. Hogan Lovells. (2024). “EU introduces comprehensive digital-era Product Liability Directive.” ↩

18. Carnegie Endowment. (2025). “The EU’s AI Power Play: Between Deregulation and Innovation.” ↩

19. Tradewin. (2024). “Dual Use Controls and Drone Technology.” ↩

20. EU Artificial Intelligence Act. (2024). “AI Regulatory Sandbox Approaches: EU Member State Overview.” ↩

21. CEPS. (2024). “Clarifying the costs for the EU’s AI Act.” ↩

22. White & Case. (2024). “AI Watch: Global regulatory tracker - European Union.” ↩

23. Holistic AI. (2024). “The High Cost of Non-Compliance: Penalties Issued for AI under Existing Laws.” ↩