Defence Procurement: Sub-Tier Risk, Sanctions, and the Moving Parts Once You Are Committed

Why defence supply chain risk is structurally different

Defence procurement is characterised by a set of features that collectively create a risk environment unlike almost any other sector. Lead times measured in years rather than weeks. Single-source or sole-source components with no qualified alternative. Highly regulated end-to-end supply chains where a change at Tier 3 can require re-qualification of the entire platform. And — most critically — a geopolitical dimension to supply chain risk that simply does not apply to most commercial procurement.

The consequence of these features is that decisions made at contract award carry forward for years or decades. A prime contractor who commits to a supply chain in 2025 for a platform with a 15-year production run will still be living with those sub-tier choices in 2040 — by which time the geopolitical landscape, sanctions regimes, export control frameworks, and ownership structures of their sub-tier suppliers may have changed beyond recognition.

The regulatory landscape — overlapping and evolving

Defence supply chains operate within a layered regulatory environment where multiple overlapping regimes interact — and where non-compliance creates criminal as well as commercial liability.

The US International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern the transfer of defence articles, services, and dual-use technologies. For UK defence supply chains, ITAR is a pervasive constraint: US-origin content in a platform may require US government licence approval before that content can be transferred to a third country — even within a UK programme with a UK customer. ITAR compliance requirements flow down through the entire supply chain, not just to the prime.

The UK Export Control Joint Unit (ECJU) administers the UK's export licensing regime under the Export Control Act 2002 and the Export Control Order 2008. Following Brexit, UK companies no longer benefit from EU Open General Export Licences and must operate under UK-specific licensing arrangements. The Open General Export Licence (OGEL) framework provides routes for routine transfers but requires careful review of end-user, destination, and item type for every transaction.

The practical risk for sub-tier suppliers is that an export licence that was valid when a programme began may be revoked, suspended, or made subject to new conditions at any point — including mid-production. The programme continues; the licence does not.

Sanctions regimes — administered by OFSI (UK), OFAC (US), and the EU — prohibit transactions with designated individuals, entities, and in some cases entire sectors of designated countries. In defence supply chains, sanctions exposure arises in three primary ways.

Direct sanctions hits — a sub-tier supplier, or a company that owns a sub-tier supplier, is designated. This creates an immediate prohibition on any payment, transfer, or dealing with that entity. If the entity is a sole-source supplier of a critical component, the programme effect is immediate and severe.

Indirect exposure through beneficial ownership — a sub-tier supplier that appears clean on the surface is owned or controlled, directly or indirectly, by a sanctioned individual or state entity. This is the more common and more dangerous scenario. Beneficial ownership chains in defence-adjacent sectors are often deliberately opaque, and the layers of corporate structuring used to obscure sanctioned ownership are sophisticated.

Sanctions creep — geopolitical events trigger new designations. A country or sector that was not sanctioned at programme award becomes sanctioned mid-programme. Russia's designation following the 2022 invasion of Ukraine affected defence programmes that had, in some cases, Russian-origin sub-tier content that had been in supply chains for years without scrutiny.

US defence programmes requiring access to classified information necessitate security clearance under the National Industrial Security Program (NISP). Foreign Ownership, Control, or Influence (FOCI) — which arises when a cleared facility is owned or controlled by a foreign entity — can result in clearance revocation, programme disqualification, or mandatory mitigation agreements (Special Security Agreements, Board Resolutions, or proxy arrangements).

For UK supply chains working on US-origin defence programmes, any change in ownership of a Tier 1 or Tier 2 supplier that introduces foreign control — including private equity acquisition, sovereign wealth fund investment, or strategic stake acquisition by a foreign entity — must be notified to the relevant security authority immediately. The failure to notify is itself a compliance violation, independent of whether the acquisition creates a genuine security risk.

The UK National Security and Investment Act 2021 introduced mandatory notification requirements for acquisitions in 17 sensitive sectors including defence, military and dual-use technologies, and advanced materials. Transactions in these sectors that meet the notification threshold must be approved before they complete — providing a mechanism for government review of foreign acquisitions in the defence supply chain.

Ownership change — the risk that arrives quietly

Change of ownership in the sub-tier is one of the most significant and least-monitored risks in defence supply chains. A specialist component manufacturer that is acquired by a private equity firm may face asset stripping, key personnel departure, and investment withdrawal that degrades their capability within 18 months. A strategic acquisition of a Tier 2 supplier by a competitor — or by a state-owned enterprise — may create conflicts of interest or security concerns that only become apparent after the fact.

The challenge is that ownership changes in sub-tier suppliers often happen without notification to the buyer chain. A Tier 1 contractor may not be contractually required to notify their customer of a Tier 2 acquisition. A Tier 2 supplier has no direct relationship with the programme customer and no obligation to disclose. The acquisition completes, the ownership changes, and the affected organisation continues to supply — until the implications become visible, at which point the options are constrained.

Adequate management requires: contractual notification obligations that flow down through the supply chain; active monitoring of Companies House, overseas corporate registries, and commercial intelligence services for ownership changes in critical sub-tiers; and a clear internal process for assessing and responding to ownership change events, including escalation to legal, security, and programme management as appropriate.

Long lead items — the particular vulnerability of commitment

Long lead items — components, materials, or assemblies with extended production lead times that must be ordered well in advance of final assembly — create a specific form of sub-tier risk. By the time the item is needed, the supply chain context in which it was ordered may have changed materially.

A long lead order placed in a politically stable, sanctions-free environment may still be in production when the geopolitical situation that supported that order deteriorates. A component ordered from a supplier whose ownership was unproblematic at order placement may be mid-production when an acquisition changes their beneficial ownership structure. A material specification that was compliant with export control requirements at the time of order may fall under new restrictions before delivery.

Managing this requires a long-lead risk register that explicitly tracks the regulatory and ownership risk profile of each critical long lead item through its production lifecycle — not just at point of order. Review points should be scheduled throughout the lead time, not just at receipt. And contracts for long lead items should include force majeure provisions specifically addressing sanctions, export control restriction, and ownership change as triggering events that give both parties defined rights and obligations.

What adequate sub-tier risk management looks like in practice

For prime contractors and Tier 1 suppliers managing defence programmes, the following minimum standard represents current best practice:

1. Sub-tier mapping for all safety-critical and export-controlled content. Identify every sub-tier supplier in the supply chain for designated components. For items subject to ITAR, this mapping is often required by the export licence conditions. Maintain this map as a live document, updated at programme milestones and when ownership or sourcing changes.
2. Sanctions screening at onboarding and continuously thereafter. Screen every sub-tier supplier and their ultimate beneficial owners against current UK, US, and EU sanctions lists at the point of qualification and on a continuous basis throughout the programme. Automated screening against regularly updated lists is the only way to achieve this at scale.
3. Beneficial ownership verification for all sub-tiers above a defined spend threshold. Require disclosure of ultimate beneficial ownership for all new sub-tier suppliers and at each contract renewal. Use commercial intelligence tools (Refinitiv, LexisNexis, Bureau van Dijk) to verify disclosed ownership independently for high-risk sub-tiers.
4. Export control compliance flows down through the contract. ITAR and EAR compliance obligations must be explicitly flowed down to all sub-tiers handling relevant content. Audit rights, right-to-inspect, and termination rights for export control violations should be in every relevant sub-tier contract.
5. Ownership change notification as a contractual requirement. Every sub-tier contract above a defined threshold should require immediate notification of: any change in beneficial ownership above 10%; any new foreign ownership or control; any acquisition by a private equity, sovereign, or state-owned entity; and any sanctions designation affecting any part of the ownership chain.
6. A documented response playbook for high-risk events. Ownership change, sanctions designation, export licence suspension, and security clearance risk all require different responses from different parts of the organisation. Having a documented playbook — agreed in advance, tested annually — is the difference between a managed crisis and an unmanaged one.