How to Classify Your Product: Is It Defence, Dual-Use, or Civil?

Estimated reading time: 6 minutes

In my previous article, I discussed the importance of documenting and vetting your supply chain. But even the most transparent and controlled supply chain will not protect a company that does not properly classify its product.

Sooner or later, every company operating within technology, electronics, aerospace, drones, telecommunications, software, or defence-related manufacturing will face a question that sounds simple, yet it is often difficult to answer: Is your product defence, dual-use, or civil?

Many companies believe they already have the answer: The product was developed and sold commercially. It was not designed for a military apparatus, and it is used in civilian applications and markets. Therefore, it must be civil.

However, export-control authorities do not necessarily see it that way, and this is where many unintentionally expose themselves to potential legal, financial, and reputational risk.
As regulations tighten and technologies evolve faster than governments can adapt, companies are increasingly facing four critical questions:

1. Are we classifying based on facts or assumptions?
2. Do we truly understand what our product is capable of?
3. Do we understand the risks and consequences of getting classification wrong?
4. Can we document and defend our decisions?

For many organizations, these questions are becoming operational, commercial, and legal realities.

1. Are We Classifying Based on Facts or Assumptions?
One of the pitfalls of export compliance is assumptions. We frequently meet with companies that have not formally classified their products. Instead, classifications are based on historical understanding, supplier statements, customer assumptions, or internal beliefs passed down over time.

• “We have always sold this commercially.”
• “Our supplier said it is not controlled.”
• “We are not a defence company.”
• “The product is only used for civilian purposes.”

Those statements may all be true, however the product may still fall under export-control regulations. This is particularly relevant in the electronics and PCB industries, where products designed for commercial markets can also support military, aerospace, surveillance, cybersecurity, navigation, and critical infrastructure applications.

A PCB is still a PCB. A processor is still a processor. A communication module is still a communication module. The problem is that regulators do not classify products based on what companies believe they are. They classify them based on capability, application, usability, and risk.

This is probably one of the most common misunderstandings heard in compliance discussions. Companies often believe that because they are not officially identified as defence contractors, export-control regulations do not apply to them. But modern regulations increasingly focus on application and capability rather than branding.

• A commercial drone manufacturer may still operate inside defence-related frameworks.
• A telecom company may still handle controlled encryption technology.
• A PCB manufacturer may still produce hardware for aerospace or military programs.
• A software developer may still support critical infrastructure or surveillance systems.

In other words, a company does not need to be identified as a defence contractor to become subject to export-control obligations.

This is especially important as governments tighten regulations around strategic technologies, cybersecurity, semiconductors, artificial intelligence, and critical supply chains. Regulations such as the EU Dual-Use Regulation, ITAR, EAR, UK Export Control Order, and similar frameworks globally are not standing still while technology evolves rapidly.

2. Do We Truly Understand What Our Product Is Capable Of?
Most companies understand the concept of defence products. Missiles, weapons systems, military communication platforms, radar systems, and ammunition are relatively straightforward.

The complexity often starts with dual-use products, such as products, software, or technologies designed for civilian use, but which can also have military, intelligence, aerospace, or strategic applications.

This category is much broader than many realize. It includes encryption technology, RF systems, drones, thermal imaging, advanced telecommunications, sensors, navigation systems, semiconductors, AI-supported technologies, high-performance computing, certain materials and chemicals.

Even technical drawings, Gerber files, manufacturing data, software access, or production instructions are themselves controlled, something that surprises many organizations.

Export control is not only about shipping physical products across borders. In many jurisdictions, transferring controlled technical information digitally may also constitute an export. Here are some activities that, in many cases, have regulatory implications.

• Sending manufacturing data by email
• Providing cloud access to foreign nationals
• Sharing technical drawings with overseas subcontractors
• Allowing remote support access

When assessing whether a product is civil, dual-use, or defense-related, companies often look for a simple answer. The best way to start classification is by asking more questions.

3. What Is the Product Technically Capable of Doing?
Could it support military, aerospace, surveillance, encryption, navigation, or critical infrastructure applications? Does the product contain controlled software, encryption, RF technology, or high-performance processing capabilities? Could the product be integrated into another controlled system?

Here are some other important questions:

• Who is the end-user?
• Who is the end-customer?
• Who will ultimately gain access to the technology or data?
• Will the product remain in civil environments, or could it be redirected into military programs or restricted industries?

Many companies also forget to assess the data itself. Are technical drawings shared internationally? Are Gerber files, manufacturing instructions, or software transferred digitally across borders? Do foreign nationals have access to controlled technical information? Where is the data stored, and who can access it remotely?

In regulated industries, export compliance is no longer limited to physical shipments. In many cases, the transfer of technical information itself may be subject to regulations.

Finally, companies should ask a question that is becoming increasingly relevant in today’s geopolitical environment: If authorities reviewed our classification process tomorrow, could we clearly document how and why decisions were made?

In practice, classification is rarely about a single yes-or-no answer, but about demonstrating that the company performed proper due diligence, understood the risks, reviewed the applicable regulations, and made informed decisions based on evidence rather than assumptions.

4. Do We Understand the Risks and Consequences?
Some companies still view classification as an administrative exercise. It is not. Incorrect classification can create serious consequences.

• Shipments may be stopped at customs
• Export privileges may be suspended
• Customers may terminate contracts
• Authorities may initiate investigations
• Products may become blocked from certain countries or industries

Companies may face financial penalties, reputational damage, or criminal liability. In the defence industry, consequences can escalate quickly because the issue often affects not only one shipment, but trust throughout the entire supply chain.

A customer that discovers that controlled technology has been handled incorrectly may immediately question broader governance, data handling, cybersecurity maturity, and supplier assurance.

Compliance Failures Rarely Stay Isolated
At CONFIDEE, we often say that uncertainty is itself a risk factor. If a company cannot clearly document how products were classified, who made the decision, which regulations were considered, and how the conclusion was reached, then the organization is operating largely on assumptions rather than evidence.

Assumptions are a weak defense during audits, investigations, or customer reviews.

Another common misconception is that classification is permanent when it is not. Products and software change, performance improves, components are replaced, customers enter new markets, and regulations are updated. A product classified as civil three years ago may require reassessment today.

We have seen organizations continue to operate under outdated assumptions long after technology upgrades, software integrations, encryption enhancements, or customer changes fundamentally altered the compliance landscape.

That is why classification should not become a forgotten spreadsheet exercise performed once and then archived indefinitely. It should become part of an active compliance program connected to engineering, sourcing, sales, quality, and supply-chain management. One of the challenges many organizations face is that no single department fully owns the process.

• Engineering understands the technical capabilities
• Sales understands the customer
• Procurement understands sourcing
• Legal understands regulations
• Operations understands logistics

But export compliance sits at the intersection of them all. This is one reason why many businesses unintentionally create blind spots. Departments operate correctly within their own areas, but no one sees the full picture.

We work continuously to connect these perspectives because classification is not only about legal interpretation. It is about operational understanding, documentation, traceability, and creating a system where decisions can be verified over time.

If It’s Not Documented, It Didn’t Happen
Many companies only begin taking classification seriously after a customer asks difficult questions, a shipment is delayed, or an authority becomes involved. By then, time pressure often creates even greater risk.

The better approach is preparedness. Ask questions early, understand your technology, know your end use and end users, review applicable regulations, and document decisions. Reassess products when changes occur. Ensure suppliers and subcontractors understand the requirements.

Most importantly, create internal awareness that export control is no longer a niche legal topic affecting only the largest defence contractors. Today, it affects far more companies than many realize.

A Final Thought
Technology is advancing faster than regulations can keep up, while geopolitical uncertainty reshapes how governments view strategic industries, critical infrastructure, data security, and advanced electronics. This means product classification will only become more important in the years ahead.

The companies that manage this best will be the ones that create awareness early, ask difficult questions internally, document decisions properly, and build compliance into their operational culture rather than treating it as an afterthought.

Didrik Bech is a board member at CONFIDEE.