Cyber threats are no longer abstract risks discussed in boardrooms. They are an operational reality, significantly disrupting critical infrastructure, defence supply chains, and public services across Europe.
Over the past few years in the UK alone, cyberattacks have disrupted public services like the NHS, manufacturers like Jaguar Land Rover, and huge retailers like M&S. In the case of Jaguar Land Rover, the impact cascaded through the broader automotive ecosystem, affecting thousands of suppliers and jobs. Incidents like this have demonstrated how interconnected and vulnerable modern supply chains are.

Chris Dimitriadis, Chief Global Strategy Officer, ISACA
For defence and technology firms in particular, the combination of increasingly sophisticated cybercrime and persistent targeting of sensitive data has elevated cybersecurity from an IT concern to a board-level priority. It is within this broader climate of rising digital risk that the United States is strengthening its expectations of defence contractors with new rules that UK and European businesses supplying the US defence sector must be made aware of.
The US has introduced new cybersecurity measures for all contractors
The US Department of War recently announced the Cybersecurity Maturity Model Certification (CMMC) program, a comprehensive cybersecurity certification framework designed to ensure that defence contractors are resilient to cybersecurity threats and can adequately protect sensitive government information, including Controlled Unclassified Information (CUI).
While CMMC is a US initiative, its implications are unmistakably global. For European and UK organisations embedded in transatlantic defence supply chains, this is not a distant regulatory development. It is an approaching commercial reality.
From 2025 to 2028, CMMC will be progressively embedded into US defence procurement. As this happens, contractors handling CUI or supporting US prime contractors will be required to demonstrate compliance at defined maturity levels. For many European businesses, eligibility to bid on or continue supporting US defence programmes will hinge on obtaining CMMC certification.
UK and European businesses must be aware of the new CMMC requirements
This leaves UK and European businesses potentially exposed, because the number of businesses that fall within scope is immense. Hundreds (if not thousands) of UK and European firms contribute components, software, services, and specialist expertise to US defence programmes – and they will all need to meet this baseline cybersecurity certification requirement to maintain eligibility.
But for many firms, this will not arrive as a regulator’s letter – it will arrive via a prime contractor contract amendment. UK and European businesses must be made aware of these new requirements to maintain competitiveness – or risk losing business.
CMMC implementations can be aligned with European regulations in order to reduce complexity for organisations. Under frameworks such as NIS2 and the Digital Operational Resilience Act (DORA), European regulators are moving toward independently verifiable cyber maturity, stronger governance, and enhanced supply chain security. CMMC or NIST controls can also be mapped to existing cybersecurity framework implementations to speed up the compliance process.
CMMC converts the US government’s cybersecurity expectations into a measurable, independently assessed certification. For European organisations, this alignment can reduce the conceptual gap between US and EU requirements.
There is a global shortage of assessors to deliver the certification
To become CMMC certified, businesses will need practitioners within their own workforce, and from third parties, to help with implementation, and they will need to engage third parties to conduct the assessments through certified assessors. They can also develop certified assessors internally to support internal audit, readiness for the third-party audit, and continuous compliance.
However, there is a global shortage of qualified cybersecurity assessors. There are only so many trained practitioners, assessors and instructors who can deliver CMMC credentials, creating a strategic risk for UK and European businesses that must comply with the US DoW’s programme. It also presents an opportunity to start a new business in Europe, or to advance a career, in a field where demand is high.
It is imperative that assessors are trained and made ready to deliver CMMC credentials, not simply to preserve commercial relationships and continuity of operations, but to uphold the shared defence interests that bind transatlantic countries. Common supply chains, interoperable platforms, mutual defence obligations, and the protection of sensitive IP all depend on a common baseline of cyber maturity.
ISACA has been appointed as the Credentialing Accreditation and Instruction Certification Organisation (CAICO) for the CMMC programme, responsible for training, examining and certifying the professionals who will deliver assessments globally. Its role is to build the workforce behind CMMC, scaling global capability because these standards cannot operate without qualified professionals to apply them.
For UK and European organisations, the message is clear: awareness and preparation must begin now. As CMMC becomes embedded within US defence procurement, its impact will be felt far beyond American borders, reshaping expectations across transatlantic supply chains. Without investment in awareness of the requirements and assessor capacity, UK and European organisations risk falling behind – not through lack of technical ability, but through lack of preparedness for a certification that will increasingly determine market access.
Additional information can be found at www.isaca.org/cmmc on the ISACA website.
Article submitted by Chris Dimitriadis, Chief Global Strategy Officer, ISACA