Summary
- On 25 June 2025, the European Commission announced its proposal for a “Space Act” that would introduce a new regulatory framework for EU space activities. The proposed framework includes cyber-resilience obligations for EU and non-EU entities operating in the space sector (space operators), covering both infrastructure located in space and the ground infrastructure that supports it.
- Under the Space Act, space operators will have wide-ranging obligations including in relation to: “all hazards” risk management; cybersecurity risk assessments; asset management and access rights; encryption; testing; incident response and regulatory notification; and supply chain management.
- The “management body” (e.g., board) of a space operator will be personally liable for the organization’s compliance with the Space Act’s risk management obligations.
- Many of these security obligations are analogous to, and appear to have been modelled on, other EU cybersecurity laws such as DORA and NIS 2 (which already applies to the space sector). Organizations should consider to what extent existing compliance projects can be repurposed for Space Act compliance.
Key Information
Who Would Be Subject to the Space Act’s Cybersecurity Obligations?
The Space Act will introduce cybersecurity obligations for space operators, meaning entities that “carry out … space services” such as operating spacecraft and launch/control sites, or processing space-based data such as satellite transmissions. This encompasses infrastructure located both on the ground and in space.
Analogously to other European technology legislation, the Space Act’s cybersecurity obligations will apply extraterritorially to non-EU entities that “provide space services to [EU] space operators, or … space assets” — unless those third-country space operators are based in a country whose regulatory regime has been deemed “equivalent” by the EU. Entities will therefore need to assess the Space Act’s scope even if they are not established in the EU.
What Are the New Cybersecurity Obligations?
The Space Act introduces a range of new cybersecurity obligations for space operators, each of which is analogous to existing cybersecurity obligations under NIS 2 and DORA. For more information, see our October 2024 client alert on NIS 2 and our November 2023 and January 2025 client alerts on DORA.
- Risk assessment and risk management policies: Space operators will be required to put in place risk management and risk assessment processes across all segments of their space infrastructure. Notably, the risk assessment must also include the supply chain, reflecting EU regulators’ increasing scrutiny of companies’ supply chain management.
- Asset management and access controls: Space operators will need to maintain an inventory of their assets and apply access controls governing who and what can reach them.
- Encryption and backups: Space operators will be required to implement technical policies on encryption and backups.
- Incident detection and reporting: Space operators will be required to implement security incident detection processes, including reporting “significant” security incidents to senior management, the management body (e.g., board), space sector regulators and NIS 2 regulators.
- Testing: Space operators will be required to have an IT testing program, including threat-led penetration testing, the model DORA already applies to financial entities.
- Vendor management: Space operators will be required to establish a third-party risk management framework, and to establish an “inventory of assets” needed to maintain control of a space mission.
The Relationship Between the EU Space Act and NIS 2
The space sector is already within the scope of NIS 2, and NIS 2 obligations will continue to apply to the space sector until the Space Act’s obligations take effect. From that point, the Space Act will displace the cybersecurity risk management obligations set out in NIS 2 for space operators within its scope.
Enforcement
Member state regulators and the EU Agency for the Space Programme (EUSPA) will have wide-ranging enforcement powers, including powers to conduct on-site inspections both within and outside the EU.
They will also have powers to issue substantial fines. As with other recent EU technology regulations such as DORA, the level of fines available to member state regulators will be set by each member state, while the Commission will have powers to issue GDPR-style, revenue-based fines of up to 2% of global revenue. Experience with DORA suggests that member states are likely to provide for similarly large fines.
In addition, the Space Act will impose personal liability on management bodies, similar to NIS 2.
Next Steps
The current draft of the Space Act proposes that obligations would come into force on 12 January 2030. While that leaves some time for compliance, companies operating in the space sector should:
- Assess and map the extent to which their operations will be captured by the Space Act’s cybersecurity obligations.
- Consider the extent to which existing cybersecurity compliance programs (e.g., NIS 2 programs) can be repurposed for the Space Act.
- Consider avenues to influence the ongoing development of the Space Act, such as industry groups, to ensure that obligations remain proportionate and aligned with existing compliance standards such as NIS 2 and ISO 27001.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.