The European Commission has recently unveiled its long-awaited proposal for the European Union Space Act (EUSA). The objective is clear: establish a harmonised legal framework governing space activities across the Union that enhances safety, resilience, and environmental sustainability, while simultaneously boosting the competitiveness of Europe’s growing space sector.
A particularly notable aspect of the proposal is the dedicated resilience chapter, spanning Articles 75–95. These provisions address cybersecurity and operational resilience matters in unprecedented detail and will likely reshape the security posture of space operators for years to come.
The urgency of these measures is underscored by the ENISA Space Threat Landscape Report released in February 2025, which highlights that the space sector has become a prime target for sophisticated threat actors, ranging from nation-state operations to hacker-for-hire groups and opportunistic cybercriminals. This was exemplified by the Viasat hack in 2022, which disrupted European satellite networks via a destructive wiper malware, interrupting communications, Ukrainian military operations, and 5,800 wind turbines in Germany.
Three dimensions of the resilience chapter stand out as particularly significant: EUSA’s relationship with the existing NIS2 Directive, the introduction of a tailored risk management framework, and new incident reporting rules.
One of the positive aspects of the Space Act is that it provides greater clarity on how sector-specific legislation interacts with NIS2, the EU’s horizontal cybersecurity law. NIS2 already applies across essential sectors, including energy, healthcare, and transport, and also to operators of ground-based infrastructure that supports space services.
The Commission has explicitly signalled that the EUSA will serve as lex specialis – the governing set of rules that takes precedence over more general legislation (Recitals 71–72, Article 75). This means that operators deemed essential or important entities under NIS2 would need to follow the cybersecurity and resilience requirements of the Space Act, avoiding an unnecessary duplication of obligations.
While this clarification is important, a further welcome clarification would be whether the EU Space Act takes precedence over NIS2 for those space operators who also provide services under other sectors in scope of NIS2, such as digital infrastructure and ICT service management. In this context, it remains unclear which set of cybersecurity measures such an entity should apply – either the NIS2 Article 21 cybersecurity measures or the resilience chapter of the Space Act. This ambiguity risks creating duplicative compliance efforts and unnecessary burdens for space sector actors, an issue that demands urgent attention during the legislative negotiations.
The Space Act goes beyond the baseline risk management requirements embedded in NIS2. Articles 76–92 establish a comprehensive, sector-tailored risk management framework that introduces both technical and organisational measures. While the general principles mirror the NIS2 obligations, including incident handling, business continuity, and supply chain security, the EUSA adds more specificity.
For example, Article 88 introduces a formal threat-led penetration testing (TLPT) regime for space operators, in line with the other cybersecurity lex specialis, the Digital Operational Resilience Act (DORA). This provision introduces a testing programme for space operators’ network and information systems as a key component of their risk management. Specifically, EU space operators must carry out TLPT prior to launch, or in the case of satellite constellations, prior to the launch of the first batch of satellites, and at least every three years afterwards. Importantly, independent testers should be certified by an accredited body of a member state or adhere to formal codes of conduct and ethical frameworks.
In line with previous policies aimed at increasing cybersecurity skills, the Space Act also requires companies to provide their staff with appropriate and tailored training (Article 89). However, one element that should be improved is the framing of security awareness training. While awareness training is indeed mentioned in Annex VII, the main text folds it into crisis communication and disclosure policy (Article 90), creating the impression that security awareness should be crisis-driven. As the text is discussed during negotiations, ensuring that security awareness training is implemented as a core component of a comprehensive information security policy, rather than only during crises, is essential.
As highlighted by the European Cyber Security Organisation (ECSO), incident reporting currently poses significant operational and compliance challenges for entities when dealing with significant incidents due to overlaps with several pieces of EU legislation.
Article 93 of the Space Act exacerbates existing complexity by potentially requiring operators to report incidents to multiple authorities: the EU Agency for the Space Programme (EUSPA), Member State authorities under EUSA, and computer security incident response teams or competent bodies under NIS2.
Stakeholders, including the ENISA Advisory Group, have already proposed a more coherent approach in the context of the revision of the Cybersecurity Act – whose proposal is awaited by Q4 2025: a single reporting platform that consolidates obligations across EU horizontal and vertical legislation. Such a system would dramatically reduce compliance burdens without weakening the flow of critical incident information to regulators.
Moreover, the timeline for incident reporting presents additional concerns. The current requirement to submit an early warning following a cybersecurity incident “without undue delay, and in any event within 12 hours” appears excessively stringent. This obligation is more demanding than the already strict NIS2 standard, which sets a 24-hour deadline for initial reporting. In practice, excessively tight timelines often compel companies to submit incomplete or speculative reports, diverting focus from incident management during the critical early stages of response. A more pragmatic 72-hour window for initial reporting, as recommended by several industry voices, would better balance regulators’ need for timeliness against operators’ operational realities.
The cybersecurity provisions in the EU Space Act represent a crucial step forward in establishing comprehensive cybersecurity requirements specifically tailored to the unique challenges facing the space sector. While some provisions will be refined via future delegated acts, the main text will already profoundly change the cybersecurity posture of space operators.
This transformation requires companies’ information security teams to engage directly with the policymaking process to ensure that relevant cybersecurity requirements for the space sector are embedded into law. The eight-week public consultation, which opened in July and runs until 21 September 2025, offers a critical opportunity for concerned stakeholders to provide feedback.
Following this consultation, the legislative proposal will be negotiated under the ordinary legislative procedure by the European Parliament and the Council. Stakeholders anticipate that this process will require at least one to one-and-a-half years, with some projections suggesting adoption in 2027 or 2028.
As Europe increases its reliance on space, the cybersecurity framework established by the Space Act will determine whether this journey enhances or compromises the Union’s digital resilience. The time for stakeholder engagement is now – the future of European space security depends on getting these details right.