AQAP 2110: The Complete Guide to NATO Quality Assurance Standard for Defense Suppliers (2026)

AQAP 2110 is a NATO publication that sets quality assurance requirements for contractors performing defense contracts in Alliance member countries. The current edition — AQAP 2110 Edition D Version 1, published in 2016 and still in force without amendments as of 2026. The document works as a layer on top of ISO 9001: it contains all ISO 9001:2015 requirements in full, plus 8 additional defense-specific blocks — from configuration management to the special role of the Government Quality Assurance Representative (GQAR).

AQAP stands for Allied Quality Assurance Publication. The standard sits within NATO STANAG 4107 — the agreement on mutual recognition of government quality inspections among Alliance members. In practice this means that if an accredited body in one NATO country issued your AQAP 2110 certificate, procurement authorities in other countries will accept it without re-checking your management system. Details are catalogued by NATO Standardization Office.

For a Ukrainian manufacturer of weapons, UAVs, ammunition, or components, the AQAP 2110 certificate is a ticket to NATO defense ministry tenders, NSPA contracts (NATO Support and Procurement Agency), and Ukrainian state contracts where the buyer is moving to a NATO-compatible quality assurance model. In 2026, that shift is no longer theoretical, it's actually happening — more on the Ukrainian market at defense industry and on AQAP 2110 certification itself.

The AQAP series was born in the 1970s as NATO's attempt to unify quality requirements for arms suppliers. Before that, each Alliance country had its own military standards (MIL-Q-9858 in the US, DefStan in Britain, AQAP-1 in NATO), and mutual recognition of inspections didn't exist. A large American contractor supplying components to a French program went through separate audits from the Pentagon and the French MoD — identical scope, different forms.

The first AQAP documents (AQAP-1, AQAP-4, AQAP-9) appeared between 1968 and 1970. In the 1990s the series was rewritten around the structure of ISO 9001:1994, in 2003 Edition C appeared, in 2009 — Edition 2, in 2016 — the current Edition D Version 1. Each new edition got thinner and closer to ISO 9001, focusing on defense specifics instead of duplicating generic quality requirements.

The AQAP family today consists of several documents covering different levels of contract complexity:

• AQAP 2110 — quality requirements for design, development, and production. The base and most common standard.
• AQAP 2210 — additional software quality requirements.
• AQAP 2310 — requirements for aerospace and defense organizations (paired with AS 9100).
• AQAP 2120 — simplified version for production without design.
• AQAP 2105 — requirements for quality plans.

Why has the standard been stable for over 50 years? The defense sector doesn't like rapid change. Weapons you ship in 2026 were designed against requirements adopted in 2010-2015, and need to live in service through the 2050s. Breaking quality rules every 5 years would mean half of NATO stockpiles fall out of compliance with the current standard. So ISO 9001 is reviewed every 7-10 years, AQAP — less often and more conservatively.

The publisher of AQAP 2110 is the NATO Standardization Office (NSO) in Brussels. It's a structure under the NATO Military Committee that coordinates all Alliance publications. NSO drafts the document, runs it through member-state voting, and after ratification — publishes it. The current Edition D was ratified by 26 NATO countries in 2016.

The second player in the system is NSPA (NATO Support and Procurement Agency) in Luxembourg. NSPA is effectively the Alliance's procurement agency for multinational programs: from ammunition to fuel and drones. NSPA is the one that builds the AQAP 2110 requirement into the tender documentation for NATO purchases, and also maintains the approved supplier list. A contract with NSPA is practically impossible without an AQAP 2110 certificate.

Each member country then adds AQAP requirements into its own national procurement rules. In Germany this is done by Bundeswehr through BAAINBw, in the UK by DE&S, in the US by DCMA. Each MoD has the right to strengthen requirements but not to weaken them. At the contractor level this means: if you have AQAP 2110 — you automatically clear the baseline procurement threshold in practically any NATO country.

Ukraine isn't a NATO member, but officially follows NATO-compatible procurement standards since 2020. The Ukrainian MoD through ДОТ (Defense Procurement Agreement) and the State Special Communications Service are gradually moving supplier requirements to a format that closely mirrors AQAP 2110. In practice this means that even for Ukrainian state contracts, AQAP 2110 in 2026 has stopped being a 'nice bonus' and become de facto mandatory for serious volumes.

The universal answer: anyone supplying products or services into a defense contract — direct or subcontract. More specifically, in 2026 six categories of Ukrainian companies have a critical need.

First, manufacturers of unmanned aerial systems. Procurement drumbeats from Brave1, the Defense Procurement Agreement, and direct contracts with Ukrainian Armed Forces units run into thousands of systems per month. Without AQAP 2110, a manufacturer doesn't make the shortlist for serial contracts of 1000 units and above.

Second, manufacturers of unmanned ground vehicles (UGV), unmanned surface vessels (USV), electronic warfare and SIGINT systems. This is an active export direction for 2026-2027 — NATO countries are specifically looking for proven Ukrainian partners, because their own armies either lack such solutions or pay 3-5 times more for them.

Third, ammunition manufacturers — from artillery shells to mortar bombs and converted FAB-series air bombs. Here the requirement is not only commercial but safety-driven: no NATO distributor will accept a batch of ammunition without a certified traceability system per AQAP 2110.

Fourth, MRO centers — maintenance, repair and overhaul of military equipment. Western partners are transferring Leopard, Bradley, M2A2, IRIS-T, and Patriot systems to Ukraine. Local MRO becomes a key direction for 2026-2028, but without AQAP 2110 no Western OEM will hand over documentation and original spare parts to a Ukrainian partner.

Fifth, electronic manufacturing services (EMS) producing boards, communication modules, GPS receivers for defense systems. Sixth, component manufacturers — optics, optoelectronics, gyroscopes, tactical-grade batteries. A summary below.

By the way, AQAP 2110 isn't required for a subcontractor producing neutral commercial components for the general market (think a standard resistor maker). But the moment a contract becomes defense-specific or demands batch traceability — the certificate becomes a mandatory condition. Otherwise the main contractor simply won't engage with you. If you fall into one of these categories — move on to preparing for AQAP 2110 certification with a consulting team.

AQAP 2110 Edition D mirrors the structure of ISO 9001:2015 (10 clauses based on the Annex SL model), but adds 8 blocks of specific requirements that auditors check with special attention. Let's look at each.

1. Context of the organization (clause 4). The contractor must document the specifics of defense contracts separately from civilian activity — relevant regulatory requirements, export restrictions (ITAR/EAR), security requirements for personnel and facilities. The stakeholder register must separately identify the government customer and the GQAR.

2. Leadership and quality policy (clause 5). The quality policy must reference the defense sector directly. The auditor checks: does top management personally participate in quality reviews of defense projects, is responsibility for liaison with GQAR clearly assigned, is it documented how senior leadership responds to serious nonconformities in defense deliveries.

3. Risk management (clause 6). The standard requires a separate risk assessment for defense contracts — from the risk of missing delivery deadlines to the risk of specification compromise. Military contracts carry tough penalty clauses, so risk management here isn't a formality, it's a real management practice.

4. Configuration management (clause 8.1.4, annex). This is the most important defense-specific addition. The standard requires a full Configuration Management (CM) cycle following the ACMP-2100 model (NATO Configuration Management Policy): configuration identification, change control, status accounting, configuration audit. Every product modification — from swapping a microchip to changing firmware — gets formal registration, customer approval, and documentation updates. Without CM, an AQAP 2110 certificate won't be issued.

5. Product traceability (clause 8.5.2). Every critical component must be traceable from the raw-material supplier down to the specific board number of the finished product. In practice this is serial numbers, lot tracking, ERP integration with suppliers. Traceability works both ways: you have to find which products a given component batch went into, and conversely — which components a specific unit was assembled from.

6. Change and documentation control (clauses 7.5, 8.5.6). Documented information is managed with versions, formal approvals, access control. Transfer of documents between sites, suppliers, and customers — through a regulated procedure. Every electronic document flow must ensure untouchability — protection against unauthorized modification.

7. Nonconformities and corrective actions — CAPA (clause 10.2). AQAP tightens ISO 9001 requirements around root cause analysis. For critical nonconformities in defense deliveries, a formal RCA report in 8D, Ishikawa, or Fault Tree Analysis format is mandatory. The CAPA process is integrated with GQAR notification and reporting to the national MoD.

8. Internal audit (clause 9.2). The internal audit program must cover all AQAP 2110 requirements (not just ISO 9001) and all sites where defense contracts are executed. Auditors hold a documented competency certificate for AQAP 2110 — an ordinary ISO 9001 internal auditor credential isn't enough.

The most common misunderstanding at Ukrainian defense companies is trying to choose between AQAP 2110 and ISO 9001. It's a false dilemma. AQAP 2110 isn't an alternative to ISO 9001, it's a layer on top of it. If you already hold ISO 9001:2015, 70-80% of your AQAP 2110 documentation is already in place — what's left is adding the defense blocks.

Why this matters for the budget: integrated certification of ISO 9001 + AQAP 2110 as a combined audit is usually 20-30% cheaper than separate audits. Auditor time is billed once, not twice. Almost all accredited certification bodies (Bureau Veritas, TÜV, DNV, BSI, SGS) are ready to issue both certificates from a single visit.

The guidance document IAQG 9137 (available at IAQG.org) directly describes how to integrate AQAP requirements into an existing ISO 9001 system. Your quality team should read this document before starting an implementation project — it's recommended by NATO itself and by the IAQG aerospace community.

A short comparison in the table below. The most important point: ISO 9001 says 'the organization shall', AQAP 2110 says 'the organization shall, plus show the customer evidence'. That's a different level of records formalization and change control.

The second legitimate choice on the market is between AQAP 2110 and AS 9100. Here the confusion runs deeper, because both standards are defense-related and both are based on ISO 9001. The logic is simpler than it looks.

AS 9100 (current edition — AS 9100D from 2016, in Europe — EN 9100:2018) is the IAQG (International Aerospace Quality Group) standard for the aerospace industry: civil aviation + space + defense aviation. The scope is broader: it covers Airbus, Boeing and their tier-1 suppliers, but also military avionics manufacturers. AQAP 2110 is narrower: purely NATO defense contracts, without a mandatory aerospace component.

In practice, a manufacturer supplying aviation components to both civil and military customers gets AS 9100 + AQAP 2310 (the defense layer on top of AS 9100). A manufacturer of ground-based defense systems (UAVs, artillery, armored vehicles) picks AQAP 2110. A manufacturer working only with NATO air forces on purely military contracts — could in theory take AQAP 2110 + AQAP 2310 without AS 9100.

For the Ukrainian market in 2026 the pragmatic choice is this: if you build tactical-class UAVs and below (under 25 kg takeoff weight) — AQAP 2110 alone is enough. If you're moving into MALE/HALE class (Bayraktar-tier and above), or making aviation components, or planning contracts with the European aviation industry — add AS 9100. The AS 9100 + AQAP 2310 combo is the premium segment, which only pays off on contracts in the multi-million-euro range.

The IAQG 9137 document also describes a combined certification model — it helps you see which requirements get covered simultaneously and which need separate implementation.

In 2026 the AQAP 2110 market in Ukraine isn't theory, it's active procurement reality. Three large buyers shape demand.

First — the Ukrainian MoD through the Defense Procurement Agreement (ДОТ) system. Since 2024 the agreement has been moving to a NATO-compatible procurement model: tender documentation more and more often references AQAP 2110 as a mandatory qualification requirement for contracts above a certain threshold. In practice in 2026 this is uneven — some tenders still accept alternatives (for instance ISO 9001 + a declaration of conformity to AQAP), others already require a hard certificate. The trend is clear — full AQAP 2110 requirement by 2027-2028.

Second — Brave1, the defense innovation cluster. Brave1 doesn't require AQAP 2110 to enter the ecosystem (the bar for startups is low there), but manufacturers who grew from Brave1 to serial production of 100+ employees don't reach serious export contracts without a certificate. Brave1 effectively pushes companies toward certification on a 12-18 month horizon after their first successful deliveries.

Third — direct export contracts with NATO MoDs and with NSPA. This is the biggest potential in revenue terms: contracts of €5-50 million where AQAP 2110 is must-have from page one of the tender. In 2026 several dozen Ukrainian companies already execute such contracts; another few hundred have the potential but are blocked by the lack of a certificate.

Bureau Veritas is one of the few global certification bodies that issues AQAP 2110 for Ukrainian companies with NATO-recognized accreditation. Ekontrol has worked as Bureau Veritas's partner in Ukraine since 2014, and the team became one of the first to specialize in the defense segment after 2022. If you want to go deeper into our cooperation model — there's a separate complete guide to ISO 9001 that lays out the base logic on which AQAP 2110 stacks.

The path from 'we have no certificate' to an AQAP 2110 certificate takes 4-8 months for a company that already holds ISO 9001, and 8-12 months for a company starting from scratch. Let's break it into five steps.

A consulting team goes through a checklist against every clause of AQAP 2110 Edition D and records the gaps. Special focus on the defense blocks: is there configuration management, how mature is traceability, how is CAPA set up. The output is a report with a prioritized action list and a realistic budget. It takes 5-10 working days. Without this step, planning is blind. Order a diagnostic audit at the start of the project.

Drafting a quality policy with a direct defense focus, a stakeholder register including the GQAR, a defense-contract risk register, an updated process map. The same step covers training internal auditors for AQAP 2110 (they need separate competency, ISO-certified internal auditors aren't enough). Duration — 4-8 weeks. This is the foundation onto which the defense layers will stack.

The hardest and longest step. Launching Configuration Management per the ACMP-2100 model: product configuration identification, change control procedures, status accounting, configuration audit. In parallel — implementing traceability: serial numbers, lot tracking, supplier integration. For many Ukrainian manufacturers this means standing up a full ERP or PLM system for the first time. Duration — 2-4 months. It's an investment that pays back not only through the certificate but through operational transparency. The management system implementation service often includes setting up these processes from scratch.

Internal audit against every AQAP 2110 requirement, closing nonconformities, the first formal management review. After that — Stage 1 from the certification body (1-2 days): documentation review, readiness assessment for the main audit, identification of risk areas. Block duration — 4-6 weeks. Companies often order external certification audit support at this stage — to have a second set of eyes before Stage 2.

A Bureau Veritas auditor (or another NATO-recognized CB) works for 3-7 days depending on company size and number of sites: staff interviews, production audit, review of CM and traceability records, a simulated nonconformity and its investigation. The output — the certification decision. The AQAP 2110 certificate is issued for 3 years with a mandatory annual surveillance audit. In year three — a recertification audit.

Across hundreds of defense projects the same mistakes show up. Knowing them in advance saves months and tens of thousands of euros.

1. Choosing AQAP 2110 without an implemented ISO 9001. Logical thinking: 'let's just go straight to the higher standard'. In practice — failure. Without a working ISO 9001 base, there's nothing to stack the defense layers on. The team drowns in implementing the base and the layer at the same time, and Stage 2 ends in rejection.

2. Documentation for the audit, not for real processes. A classic trap: write beautiful procedures that nobody follows. The AQAP 2110 auditor runs an interview-driven audit — asking not 'what's written' but 'what do you actually do'. The mismatch between documentation and practice is the most common critical nonconformity.

3. Ignoring configuration management until the last minute. CM is the hardest defense block, and teams launch it 2 weeks before Stage 1. That's a guaranteed failure — CM requires 2-3 months of real operational cycles before the auditor can see the accumulated change history.

4. Internal auditors without AQAP competency. The team assumes that ISO-certified internal auditors will handle it. They won't. AQAP 2110 requires separate training on the defense blocks. Without it — zero trust in internal audit results.

5. Cutting corners on the certification body. Ukraine has several bodies that claim 'we issue AQAP 2110'. Not all of them hold accreditation that NATO MoDs accept. A certificate from an unrecognized CB doesn't open any doors — just paper. Verify accreditation against the IAF MLA and the NSPA Supplier Approval List.

Ekontrol is Bureau Veritas's partner in Ukraine since 2014. In 2022-2024 the team focused on the defense industry as its core direction: we supported dozens of AQAP 2110 implementations at UAV, ammunition, electronics manufacturers, and MRO centers. The cooperation model is staged — so the budget unfolds along the project rather than demanding an upfront payment for everything at once.

First stage — a diagnostic audit in 3-5 days. The output gives you a realistic budget, timeline, and risks. If the decision is to proceed — we move to full management system implementation: system design, documentation, internal auditor training, launching CM and traceability. The stage runs 4-8 months depending on the starting point.

Next — certification audit support: pre-audit by our consultants 2 weeks before Stage 2, presence at the audit itself, help with responses to nonconformities. After the certificate is issued — annual support for preparing surveillance audits and keeping the system in working order. Most clients continue with annual support — defense standards demand constant attention to configuration and traceability, and losing rhythm between audits can be expensive.

If ISO 9001 is needed in parallel — we do it integrated, no duplicated work. If AS 9100 is on the horizon — we build the system architecture so it can be added with minimal rework.

We've collected answers to the questions defense manufacturers ask most often on the first call. If yours isn't here, reach out — we'll add it to the next revision.