A defence prime with Tier-2 and Tier-3 suppliers across 15 countries cannot manually verify the identity of every engineer, technician, or courier touching sensitive components. Today, most sub-tier verification is document-based, paper-based, or simply implicit.
Modern defence primes operate networks of hundreds of sub-tier suppliers across dozens of countries. A single fighter aircraft programme involves suppliers from 20+ nations; a single armoured vehicle platform has Tier-3 subcontractors in every permissive jurisdiction.
Supply-chain identity governance has not kept pace. Most programmes rely on vendor questionnaires, bilateral agreements, and periodic site audits — processes that were state-of-the-art in 2007 and are no match for 2026 threat actors targeting the defence supply chain.
NIS2 Article 21 requires critical entities to manage supplier cybersecurity risk. The EU Dual-Use Regulation requires documented identity controls across the technology chain. Neither is satisfiable with paper documentation and annual audits.
Not every defence supplier relationship carries the same identity risk. These are the patterns where a single sub-tier breach creates cascading programme exposure.
Aerospace, naval, and land-system primes with Tier-2 and Tier-3 suppliers in 15+ countries. The prime cannot manually verify every contractor. IdentiGate bridges the gap at the individual level.
EDF consortia routinely include SMEs from multiple member states — each with their own national ID regimes. A shared passport-anchored identity layer simplifies consortium operations and audit.
Semiconductor, optics, AI, and quantum suppliers often span civil and defence ecosystems. Dual-use export controls require individual-level identity evidence most ERPs cannot produce.
Vendor management platforms, supplier portals, and procurement ERPs were built around companies — SAP Ariba, Oracle, Coupa. They handle company-level onboarding, contract management, and compliance tracking. None of them verify, cryptographically, which individual engineer or courier is touching sensitive components at any given moment — because they were never designed to.
The defence supply chain has three existing approaches today — ERP supplier modules, specialised defence supplier platforms, and the US CMMC-style accreditation model for cybersecurity. Each handles company-level governance; none produces individual-level cryptographic evidence.
| Capability | ERP Supplier Module | CMMC-style Accreditation | IdentiGate |
|---|---|---|---|
| Individual-level identity verification | No | Partial — via HR | Yes — passport chip |
| Per-handover cryptographic signature | No | No | Yes — AdES |
| Tier-N coverage (sub-tier contractors) | Company level only | Policy-based | Individual level |
| NIS2 Article 21 audit artefacts | No | Policy documentation | Cryptographic evidence |
| Non-EU supplier coverage | Varies | US-focused | Worldwide — 179 NFC + document route |
| Personal data returned to prime | Full identity record | Full identity record | Signed attestation only |
| Integration with company identity (LEI) | Limited | No | Yes — ISO 17442 |
Keep your ERP. Keep your supplier portal. IdentiGate adds the individual-level identity layer that company-focused systems cannot produce — turning vendor questionnaires into cryptographic evidence, and paper handovers into audit-ready records.
You verify your Tier-1 suppliers. Your Tier-1 suppliers claim to verify Tier-2. The claim is usually a vendor questionnaire. By Tier-3, nobody really knows who is handling what. This is the default posture across European defence procurement today.
Passport-anchored individual identity, issued to every contractor, creates continuous sub-tier visibility without rebuilding Tier-1 HR.
A Turkish electronics subcontractor, a South Korean optics supplier, a Ukrainian software integrator — all legitimate, all outside EUDI Wallet. National ID regimes vary wildly in cryptographic rigour.
Passport-anchored identity works the same way in every country — a nation-signed NFC chip is a nation-signed NFC chip, whether Madrid, Ankara, or Seoul.
NIS2 requires documented supplier cybersecurity controls. Regulators know vendor questionnaires prove nothing. They will increasingly demand cryptographic artefacts that independently verify identity without self-report.
IdentiGate's evidence layer produces exactly these artefacts — tamper-evident chains satisfying NIS2, DORA, EU Dual-Use Regulation, and export-control audits.
EDF consortia include SMEs whose identity tooling does not match that of the primes. This creates a ceiling on SME participation — or forces primes to absorb the cost.
Passport-anchored identity is independent of enterprise tooling investments. A five-person SME in Lithuania uses the same layer as a 50,000-person prime in France.
Each capability below solves a specific moment in the defence supply chain — from the first contractor at the gate, through multi-tier sub-suppliers, to the cryptographic handover chain a regulator or programme office will eventually audit. Deployable today, built on our existing products.
NFC passport scan, performed once per person, cryptographically verified — closes the visibility gap at every tier simultaneously.
GLEIF LEI support produces one verifiable answer across jurisdictions, linked cryptographically to authorised signers.
AdES signature at each handover, from the verified individual — tamper-evident chain from origin to delivery, audit-provable.
Cryptographic evidence chain produces the NIS2 supervisory record as a structural artefact — regulator-verifiable without re-disclosing personal data.
Prime + Tier-1 + Tier-2 + ministry = seven signatures, seven jurisdictions. Each with its own verified passport-anchored identity. No weak link.
12 partners across 8 countries provisioned in one operation. Revoked uniformly if a partner exits. Months-long work becomes one API call.
The procurement systems aren't here yet. Our architecture already is.
Confirms "holds clearance at or above the required level" without disclosing the actual level or issuing authority. Fit for multi-national consortia.
AI QA systems, autonomous vehicles, agent scheduling. Every non-human action traceable to a named human supervisor via cryptographic delegation.
Verified contractor moves to new consortium. Identity travels with them. New programme consumes attestation, not fresh documents.
Embed IdentiGate verification into SAP Ariba, Oracle Procurement, Coupa, or a bespoke supplier portal. Scales from single-prime deployments to consortium-wide EDF identity layers with NIS2 Article 21 evidence built-in.
Hosted path for SME sub-tier suppliers, consortium members, and tier-N partners without internal identity tooling. Every signer is a passport-verified person — ideal for NIS2 Article 21 supplier attestations, EDF consortium agreements, and cross-border supply chain documents where counterparties span USA, EU, Asia, Africa.
Full pricing, volume tiers, and enterprise terms live on the product pages: Identity Verification, Authentication, AdES Signing, Signing Portal. Integration fees are scoped per engagement — we quote after a short discovery call.
For defence primes, EDF consortium leads, and procurement digital teams: a technical briefing covering architecture, NIS2 Article 21 evidence production, and integration paths for your specific programme. Remote or in-person — wherever suits your team.