
    Russian-Origin Software in EU CCTV Projects (2026): Compliance, Sanctions & Procurement Review

    A factual, procurement-focused review for CCTV designers, integrators and EU contracting authorities asking the same recurring question in 2026: how do origin, sanctions and data-residency rules apply when CCTV design software is involved? This article summarises the publicly available framework. It is not legal advice — every concrete procurement decision should be confirmed with qualified procurement counsel.

    Important: this is a factual review, not legal advice

    Sanctions, export controls and procurement rules change frequently and are interpreted differently across EU member states. Nothing in this article should be treated as legal advice for any specific transaction. For binding determinations, consult qualified procurement counsel in the relevant jurisdiction. References to publicly available standards, regulations and case law are accurate to the best of our knowledge as of May 2026.

    Why this question matters in 2026 EU procurement

    Since 2022 the EU has adopted multiple successive sanctions packages targeting Russia, alongside parallel evolutions in member-state public-procurement rules. The cumulative effect on software procurement has been substantial: contracting authorities that did not previously ask about software origin now routinely include origin-disclosure requirements at the qualification stage, and bids that cannot evidence non-sanctioned origin are commonly filtered out before commercial review.

    CCTV design software sits in a particular category of risk because the artefacts it produces — floor plans, camera placement, network topology, BOM — are sensitive from both a security and an operational standpoint. Even where a sanctions instrument does not on its face cover a particular CCTV planning tool, contracting authorities tend to apply a precautionary stance, especially in defence, public administration, critical infrastructure and large healthcare or transport projects.

    This article is the explainer we wished existed when integrator clients first started asking us about software origin in tender responses. It is descriptive, not prescriptive — its purpose is to lay out the framework in plain language so a CCTV designer can ask their procurement counsel the right questions, rather than to substitute for that conversation.

    The current EU sanctions framework — high-level summary

    EU restrictive measures against Russia are implemented through Council Regulations published in the Official Journal of the European Union and updated through successive amendment packages. The framework operates on three broad pillars relevant to software procurement.

    Three pillars relevant to software

    • Export controls. Restrictions on supplying specified goods, services, technology and software to Russia, with sectoral focus on dual-use, defence and certain industrial categories.
    • Financial sanctions. Asset freezes and prohibitions on making funds or economic resources available to listed persons and entities. The "ownership and control" test is fact-specific and applies even where a vendor is not itself listed but is owned or controlled by a listed entity.
    • Public-procurement filters. Provisions in Council Regulation (EU) 833/2014 (as amended) that prohibit award of public contracts to certain Russian persons and entities, transposed and supplemented by member-state procurement law in different ways.

    In addition to the EU-level framework, member states such as Germany, France, Poland, the Nordics and the Baltic states have introduced their own public-procurement language with stricter criteria. The result is that the same vendor can be acceptable in one EU jurisdiction and filtered out in another even when no instrument explicitly names them. Procurement teams therefore tend to apply the strictest member-state language as their internal benchmark.

    US side: NDAA §889 and ICTS executive orders

    On the US side, two instruments are routinely cited even by EU procurement officers as informal benchmarks. NDAA §889 (Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019) prohibits federal agencies and federal contractors from buying or using covered telecommunications and video-surveillance equipment from certain named Chinese manufacturers. The Information and Communications Technology and Services (ICTS) executive orders, principally Executive Order 13873 and successors, give the US Department of Commerce broad authority to review transactions involving foreign adversaries.

    Neither instrument applies as a matter of law to a typical EU procurement. They are, however, frequently used as procurement-template language. A 2026 EU contracting authority drafting a CCTV tender will commonly require the vendor to declare that their software, hosting and personnel would not be excluded under §889-equivalent rules even when §889 itself is irrelevant to the contract. Vendors that cannot make that declaration are at a competitive disadvantage regardless of the underlying legality of their offer.

    Direct procurement impact on CCTV design software

    The categories below are the four where we see software-origin questions arise most frequently in 2026 EU CCTV projects.

    Public-sector tenders

    Government, defence, healthcare and education tenders increasingly include explicit "software origin" disclosure clauses. The trigger is usually one of the procurement-filter provisions discussed above, applied through national transposition. Even where the legal threshold is debatable, the practical reality is that bids unable to evidence acceptable origin are filtered at the qualification stage. Designers responding to public-sector tenders in 2026 should expect to make affirmative origin declarations for every software tool used in the design process, not only the surveillance hardware itself.

    Critical-infrastructure contracts

    Energy, transport, banking and water-utility procurement is governed by NIS2 (Directive (EU) 2022/2555) and overlapping sectoral rules. While NIS2 itself is risk-based rather than origin-based, the resulting risk assessments commonly identify supply-chain origin as a relevant factor, and operators of essential services have built that into their procurement frameworks. The bar for software-origin evidence in critical-infrastructure projects is meaningfully higher than for general commercial procurement.

    Private-enterprise compliance audits

    Large enterprises with their own ESG, supply-chain or cyber-risk frameworks routinely audit their suppliers and sub-suppliers. Even when there is no specific tender involved, an integrator using software whose origin cannot be evidenced may find themselves removed from a preferred-supplier list during an annual review. This dynamic accelerated noticeably across 2024 and 2025 and continues into 2026.

    Cross-border integrator engagements

    Integrators with operations in both EU and non-EU jurisdictions face additional complexity because procurement standards differ. A tool acceptable for a private commercial project in one jurisdiction may not pass the procurement filter for a public project in a different jurisdiction. Many integrators have rationalised this by standardising on EU-origin tooling for all projects, simplifying the response to any future tender regardless of where it lands.

    How buyers verify software origin

    A procurement officer running an origin check has a fairly standard toolkit. None of these checks individually proves origin — they assemble a triangulated picture from public information.

    • WHOIS registry on the vendor domain — registrar country, registrant organisation, name-server ASN.
    • Vendor disclosure of legal entity name, registration country and tax ID — typically required at qualification.
    • Hosting-provider review — the cloud region where the SaaS infrastructure physically runs, evidenced by an attestation or a third-party hosting agreement.
    • Public corporate filings — beneficial-ownership registries, parent-company structure and any sanctions-list cross-reference.
    • Supply-chain attestation — a written declaration from the vendor describing where the software is engineered, hosted and supported, and naming any sub-processors.

    For higher-risk procurement (defence, critical infrastructure) the assessment can extend to source-code provenance, third-party security testing and an independent legal opinion. The marginal cost of the higher-tier assessment is non-trivial and contracting authorities typically only commission it where the value or sensitivity of the contract justifies it.

    GDPR third-country transfer angle

    GDPR Articles 44 to 49 govern personal-data transfers to countries outside the European Economic Area. The default rule is that such a transfer is prohibited unless one of the specified safeguards applies: an adequacy decision by the European Commission, an approved transfer mechanism such as standard contractual clauses with appropriate supplementary measures, or a derogation for specific situations.

    The European Court of Justice in Schrems II (Case C-311/18, 2020) made clear that standard contractual clauses must be supplemented by a transfer-impact assessment that takes into account the laws of the destination country and whether they provide essentially equivalent protection. Russia is not on the European Commission's adequacy list, and the prevailing reading is that achieving "essentially equivalent" protection for transfers to Russia is difficult given the legal landscape there. The practical consequence is that any CCTV design tool that transmits personal data to servers in Russia, or to entities under Russian jurisdiction, faces a meaningful transfer-impact-assessment burden that EU-hosted tools simply do not.

    For CCTV projects this matters because design tools touch personal data more often than people realise — project metadata, end-customer site information, account email addresses, support-ticket content. A buyer who treats GDPR seriously will want assurance that none of that data leaves the EU/EEA in a way that triggers Chapter V scrutiny.

    Why CCTVplanner exists — EU-hosted, EU-developed

    CCTVplanner is operated by DEFENSAR, registered in Poland, with the frontend hosted in Poland and the backend on EU-region cloud infrastructure. That is the meaning of the headline "100% Engineered and Hosted in EU" — the legal entity, the engineering, and the hosting are all inside the European Union, and there are no third-country sub-processors in the default architecture.

    For procurement teams, this translates into a short, declarative answer to the origin-disclosure questions described above. There is no Russian, Chinese or US-jurisdiction sub-processor anywhere in the data path. There is no transfer-impact-assessment burden under GDPR Chapter V because the data does not leave the EU. There is no §889-equivalent disqualifier on the supply chain. CCTVplanner is trusted by integrators from all over the world, and its EU-by-default architecture is the single feature that comes up most often in procurement conversations in 2026.

    EU posture in one paragraph

    • Operating entity DEFENSAR registered and tax-resident in Poland.
    • Frontend hosted in Poland; backend on EU-region cloud (eu-west).
    • No third-country data sub-processors in the default architecture.
    • GDPR-aligned by default — no separate transfer-impact assessment required for EU buyers.

    The "Switching from JVSG" reality

    A practical question we hear from integrators in 2026 is: "We are happy with our current CCTV design tool, but the procurement team has flagged software-origin disclosure as a risk. What does a transition look like?" The answer is mostly mechanical — export the floor plan to DXF, import it into CCTVplanner, re-place cameras from a 65,000+ model catalogue, match DORI thresholds, re-route cabling, export the multi-page PDF deliverable. We have written a step-by-step playbook in the migration guide linked below. None of the steps are particularly hard. The hardest part is generally the decision to make the switch, not the switch itself.

    For procurement-driven switches specifically, our advice is to document the transition in writing — the trigger event, the alternatives evaluated, the chosen replacement, and the date the existing tool is retired from the workflow. Procurement counsel and ESG auditors both reward documented decisions, and a written transition log is a common artefact in due-diligence packs.

    Closing disclaimer

    This article is a factual review based on publicly available standards, regulations and case law as of May 2026. It is not legal advice and it is not a substitute for advice from qualified procurement counsel in your jurisdiction. Sanctions, export controls and procurement rules evolve frequently and are interpreted differently across EU member states. Every concrete procurement decision should be confirmed with counsel familiar with the specific contracting authority, sector and jurisdiction at hand.

    No statement in this article is intended as a disparagement of any country, company or category of vendor. The intent is to describe the procurement framework as buyers experience it in 2026, so that integrators can prepare bid responses and design workflows that survive the qualification stage.

    Frequently Asked Questions

    Is software of Russian origin banned from EU public procurement in 2026?

    There is no single blanket EU rule that says "all software of Russian origin is banned". Instead, several layered EU instruments — sanctions regulations, public-procurement rules, sectoral export controls and member-state interpretations — combine to make Russian-origin software difficult or impossible to procure in many specific contexts (defence, public administration, critical infrastructure, financial services). Whether your specific procurement is permitted depends on the contracting authority, the sector and the country. Always consult your in-house counsel or external procurement advisor for a binding determination.

    Does the EU sanctions framework apply to design software, not just hardware?

    Sanctions instruments commonly cover "goods, services, technology and software" — software is treated as a category of its own, separate from physical hardware. Whether a particular CCTV design tool falls inside or outside a specific sanctions instrument is a fact-specific legal question. Public-sector tenders increasingly include explicit "software origin" disclosure requirements, and a vendor unable to evidence non-Russian origin is usually filtered out at the qualification stage regardless of the underlying sanctions analysis.

    How does GDPR interact with Russian-hosted software?

    GDPR Articles 44 to 49 govern personal-data transfers to third countries. Russia is not on the European Commission's list of countries with an adequacy decision, and standard contractual clauses to Russian processors face additional scrutiny under the Schrems II reasoning of the European Court of Justice. In practice this means that any CCTV design tool that transmits personal data — project metadata, account information, customer-site details — to servers in Russia or to entities under Russian jurisdiction faces a meaningful GDPR transfer-impact assessment burden that EU-hosted tools do not.

    What is NDAA §889 and does it apply outside the United States?

    NDAA §889 is a US federal procurement rule that prohibits federal agencies and federal contractors from buying or using telecommunications and video-surveillance equipment from certain named Chinese companies. It is a US instrument with US scope, but it is increasingly cited as a procurement template by EU and UK contracting authorities updating their own rules. Procurement officers in 2026 routinely ask vendors whether their products would qualify under §889 even when §889 itself does not legally apply to the contract.

    What practical due-diligence does a procurement team perform on software origin?

    Standard checks include WHOIS lookups on the vendor domain, verification of the legal entity name and registration country, review of hosting providers (where the SaaS infrastructure physically runs), inspection of public corporate filings, and a request for a written supply-chain attestation from the vendor. For higher-risk procurements (defence, critical infrastructure) the assessment can extend to source-code provenance, third-party penetration testing, and an independent legal opinion. None of this is a substitute for advice from procurement counsel, which is why the recurring recommendation in this article is to consult one.
