The EU Space Act proposal in the legislative process: Cybersecurity, market access, and implications for non-EU space operators

Background

The European Commission’s proposal for an EU Space Act by the (COM(2025) 335 final, the “Proposal”) is an ambitious attempt to establish a single, horizontal regulatory framework for space activities. It is intended to replace a patchwork of national space laws with an EU-wide regime by establishing common EU requirements for authorization, registration, supervision, orbital safety, cyber resilience and environmental sustainability.

If adopted, the EU Space Act could position the EU as a global standard-setter in space governance, creating a potential "Brussels Effect" in an industry of USD 1.8 trillion projected for 2035. Such impact is bolstered by the extraterritorial edge of the Proposal, as certain obligations are intended to apply to non-EU-operators providing space-based data or space services to EU customers.

As trilogue negotiations approach, significant divergences have emerged between the Commission, Council, and European Parliament, including on cybersecurity requirements and how they interact with existing EU legislation. The negotiations are critical for EU and non EU companies operating in the space sector, including satellite operators, launch service providers, and electronic communications providers serving EU customers. The outcome will shape the regulatory framework for years to come, particularly as the EU’s cybersecurity architecture continues to evolve through parallel initiatives such as the proposed revision of the EU Cybersecurity Act, often referred to as “Cybersecurity Act 2” (”CSA2 Proposal”), at a time of increasing geopolitical dimensions of cybersecurity.

Key Developments

Ahead of the trilogue, the emergent positions of the Council and more so the Parliament are in stark contrast to the Commission’s Proposal in key issues.

Robust cybersecurity and interplay with the NIS2 Directive

A central point of disagreement among the institutions concerns how the EU Space Act should interact with the NIS2 Directive (Directive (EU) 2022/2555, “NIS2 Directive”).

1. Commission: Sector-specific cybersecurity approach

The Commission’s approach establishes the EU Space Act as the specialized legal act (lex specialis) for space cybersecurity in relation to Article 21 of NIS2. Under Article 75 of the Proposal, space operators qualifying as essential or important entities under Article 3 NIS2 and national implementation laws by Member States respectively would apply the EU Space Act's specific cybersecurity requirements instead of the NIS2 Directive's general requirements.

The Commission’s rationale is that neither the NIS2 Directive nor the Critical Entities Resilience Directive (Directive (EU) 2022/2557, “CER Directive”) adequately address all segments of space infrastructure, from the ground to space and link segments.

Articles 75 to 95 of the Proposal, supplemented by Annex VII, therefore establish a dedicated resilience framework. The Proposal suggests for example:

• comprehensive lifecycle risk management obligations for space operators with regard to the security of network and information systems and of physical infrastructure and environment, explicitly covering the entire lifecycle of space missions from the conception and design phase all the way to the end-of-life-phase, supported by continuous risk assessments (Article 76, 78);
• management oversight, responsibility and liability for the implementation of cybersecurity requirements (in parallel to the governance obligations under Article 20(1) NIS2 Directive) and the requirement to establishment of human resources policies that ensure understanding, commitment, vetting and checks of all personnel for cybersecurity responsibilities (Article 77);
• the obligation for space operators to identify and manage relevant information and infrastructure assets, control logical and physical access rights, and protect critical physical infrastructure, including ground stations, command-and-control assets, telemetry systems and backup assets (Articles 80-82; Annex VII);
• the obligation for continuous monitoring of anomalies, incidents, cyberattacks and interference, together with preventive and protective technical measures, authentication, secure configuration, encryption and cryptographic key-management policies (Articles 83-85; Annex VII)
• obligations to implement backup, redundancy, restoration and recovery measures, as well as business-continuity, incident-response and crisis-communication arrangements to safeguard mission continuity and effective technical control (Articles 86, 87 and 90);
• the establishment, maintenance and review of a testing programme by space operators, including Thread Led Penetration Testing (TLPT) prior to launch, for satellites part of a constellation prior to launch of the first satellite batch, and in consecutive 3-year-minimum intervals (see Article 88);
• the establishment and implementation of incident detection and handling processes, with particular account to adverse impacts on satellite platforms hosting third-party payloads, for which pre-defined agreements with specific incident handling instructions shall be concluded with third parties (Article 91);
• supply-chain risk-management obligations, including contractual information-security requirements for manufacturers and service providers, a strategy to reduce supply-chain risks and an inventory of critical assets of non-EU origin needed to maintain effective technical control of the space mission (Article 92);
• robust incident reporting requirements, including an early warning within 12 hours after becoming aware of a significant incident affecting Union-owned assets, an early warning within 24 hours for other covered significant incidents, a 72-hour report and a final report within one month, while preserving the interaction with reporting obligations under the NIS2 Directive and the CER Directive where applicable (see Article 93); and
• the establishment of the Union Space Resilience Network (“EUSRN”) between authorities to facilitate cooperation, consistency and coherence (see Article 94).

Importantly, these requirements would also apply to non-EU spacecraft operators, launch operators and launch site operators (see Article 15(1) and (2) of the Proposal).

2. Council: Application of NIS2 requirements for major space operators

The Council's December 2025 compromise text (“Council Text”) takes a different approach, by advocating for synchronization between the EU Space Act and the NIS2 Directive. Under Article 75a of the Council Text, space operators qualifying as essential or important entities in scope of the NIS2 Directive must comply with the implementing act adopted under Article 21(5), subpara. 2 NIS2 Directive, instead of a separate cybersecurity regime under the EU Space Act.

Space-sector-specific requirements would then apply only to entities outside the NIS2 Directive’s scope, particularly smaller EU space operators and third-country operators. The Council’s objective is to preserve primacy of NIS2 requirements for major space operators while extending harmonized requirements to smaller entities and non-EU operators through the EU Space Act. As Recital (71a) Council Text states, “cybersecurity requirements under NIS2 and this Regulation should be synchronised and coordinated, to ensure the requirements are identical for all types of entities, hereby fostering legal certainty for operators and avoiding unnecessary administrative burden."

3. Parliament: Full integration of space activities into NIS2 Directive

The European Parliament's March 2026 Draft Report (“Parliament Report”) by Rapporteur Elena Donazzan takes the most radical approach: it rejects the lex specialis concept of the Proposal entirely and proposes full integration of space activities into the scope of the NIS2 Directive. Instead of the detailed regime in Articles 75-95 of the Proposal, the Parliament Report proposes a single Article 117a that would amend the scope of the space sector in Annex I of the NIS2 Directive to include:

• "Space activities" (defined in Article 5 no. (13) of the Proposal), broadly encompassing activities in outer space, such as control of space objects, launch services and sites, human spaceflight, space transport, or monitoring and disposal of space debris ;
• "Space services" (defined in Article 5 no. (14) of the Proposal), encompassing operation of space objects, launch and launch site operation and maintenance services, services by primary providers of space-based data, in-space services and operations;
• "Union-owned assets" (defined in Article 5 no. (20) of the Proposal) as tangible and intangible assets created or developed under the Union Space Programme; and
• Undefined operators of ground-based infrastructure supporting space-based services, notably excluding providers of public electronic communications networks.

The explanatory memorandum of the Parliament Report argues there is "no technical justification for introducing a 'lex specialis' for space in terms of cybersecurity" and that integration ensures "stakeholders of the entire space sector will need to comply with a single legal act, the NIS2 Directive, as regards resilience." This approach would remove the detailed sector-specific cybersecurity regime under the Proposal, including requirements on risk assessments, cryptography, incident detection, penetration testing, and supply chain management, and would streamline the Proposal to fully attune to cybersecurity requirements under the NIS2 Directive and national implementation by Member States.

Further divergences

Beyond cybersecurity, the institutional texts diverge on several additional points, including:

• With regard to the scope of the EU Space Act, as defined in Article 2, the Proposal would directly apply to international organizations, but both the Council Text and Parliament Report reject such direct applicability and instead require an international agreement before application. The Parliament Report also proposes extending the defence and national security exemption under Article 2(3) lit. a and b of the Proposal to expressly cover space data and services.
• On authorization procedures, the Parliament Report proposes significantly accelerated timelines: decisions within 6 months, technical assessments within 3 months, and completeness checks within 15 working days. It also introduces a deemed approval mechanism under which the authorization for space activities is automatically granted if the competent authority fails to issue a decision within the prescribed deadline.
• On collision avoidance, the Commission and Council require third-country spacecraft operators to subscribe to a collision avoidance service provider and notify the European Union Agency for the Space Program (“EUSPA”) of the provider's details. The Parliament Report offers greater flexibility, allowing operators to maintain internal collision avoidance capabilities as an alternative if equally effective. It also introduces environmental sustainability modifications, requiring methodologies to integrate existing life-cycle assessment methods and ensuring operators are not obliged to disclose confidential data, intellectual property, or sensitive design details.

Equivalence and mutual recognition

The Proposal introduces an equivalence mechanism allowing non-EU space operators to be considered compliant with EU Space Act requirements if the Commission recognizes their domestic regulatory framework as equivalent. While all three texts retain this mechanism, the Parliament Report adds important conditions:

• Equivalence decisions to be granted for at least five years, subject to renewal;
• A mandatory assessment after three years exploring whether conditions for mutual recognition are met; and
• A requirement that any conditions attached be technology-neutral, proportionate, and avoid duplicative obligations.

This poses a practical challenge in light of the uncertain US regulatory landscape, characterized by ongoing deregulation initiatives which may delay equivalence negotiations. US ITAR export controls may also prevent companies from sharing technical details necessary to demonstrate compliance.

Interplay with the ICT supply chain framework of the CSA2 Proposal

The EU Space Act should also be assessed against the EU’s broader cybersecurity and ICT supply-chain agenda.

The Commission’s January 2026 Proposed CSA2 seeks to strengthen EU cybersecurity resilience, reduce fragmentation and enhance ICT supply-chain security. Particularly, Arts. 110 and 111 of the CSA2 Proposal would create a specific trusted ICT supply-chain framework for mobile, fixed and satellite electronic communications networks.

This is highly relevant for satellite communications businesses, as cybersecurity supply chain obligations may arise from more than one legislative instrument. A satellite operator may face obligations under the EU Space Act as space operator, under the NIS2 Directive as an essential or important entity, and supply-chain related restrictions under the CSA2 Proposal where it provides or supplies key ICT assets for satellite electronic communications networks.

What this means for space sector businesses

For companies active in the space sector, the current divergences are a useful indicator of where future compliance burdens are most likely to arise::

• Cybersecurity compliance pathway remains uncertain: With regard to cybersecurity requirements, the outcome of the legislative proceedings will determine whether space operators must comply with bespoke EU Space Act cybersecurity requirements (Commission position), synchronized NIS2 and Space Act requirements (Council position), or the NIS2 Directive and national implementation laws with a scope adapted to Space Act requirements and definitions (Parliament position). Operators should monitor negotiations closely and prepare for multiple scenarios.
• Market access formalities are likely to remain central: Across the texts, market-access formalities remain a central issue for in-scope space operators. Even non-EU space operators providing space-based data or space services in the EU must register with EUSPA, obtain an e-certificate, and designate an EU legal representative.
• Equivalence and mutual recognition: For non-EU operators, equivalence decisions will be critical. The Parliament’s proposed requirements for mutual recognition and technology-neutral conditions may facilitate negotiations. It is recommended to monitor developments in other jurisdictions to identify and assess regulatory gaps, thereby proactively prioritizing key compliance issues.
• Supply chain obligations: All three texts impose supply chain security requirements on space operators, with the Commission position establishing a dedicated supply chain risk management framework in Article 92 and Point 6 of Annex VII of the Proposal, while the Council position integrates general supply chain obligations under Article 75a(4) lit. d Council Text in conformity with NIS2-verbiage, and the Parliament position relies on supply chain security requirements established by the NIS2 Directive and national implementation laws. Non-EU component suppliers and service providers may face indirect compliance obligations through contractual flow-down requirements. This is further complicated by the specific ICT supply chain framework for satellite electronic communications network providers under Articles 110 and 111 of the CSA2-Draft.
• Assessment of applicability and roles is key: At this stage, companies should not assume that all space-related activities will be treated alike under the Space Act, once adopted. The current draft texts draw distinctions between different types of space service providers, including space operators, collision avoidance space services providers, primary providers of space-based data and international organizations, whereby the precise compliance consequences remain subject to the legislative process. For businesses preparing for compliance at an early stage, a key task would be to monitor whether their activities could fall within one or more regulated categories.

Timeline and outlook

The Proposal envisages 1 January 2030 as concrete date of entry into force, while the Council Text and the Parliament Report anticipate entry into force for 36 months after adoption. All three texts plan for additional transitional periods for assets to be launched after entry into force with their critical design review phases having ended 12 months (Proposal) or 24 months (Council Text and the Parliament Report) after entry into force respectively, with application of the EU Space Act being pushed to 1 January 2032 (Proposal), 24 months (Parliament Report) or 8 years after entry into force (Council Text). Notably under the Parliament Report, Member States would have until 31 December 2029 to transpose the amendments to Annex I of the NIS2 Directive into their national cybersecurity laws, with application of these changes triggered 36 months after entry into force of the EU Space Act.

Given the divergent positions between institutions, intense trilogue negotiations are likely, which makes a final adoption of the EU Space Act before late 2027 unlikely. Realistically, adoption could take place in 2028, and entry into force after the transition period can be expected around 2030, potentially slipping to 2031.

Companies and organizations operating in the space sector in the EU should closely monitor the EU Space Act legislative process, including the developments with regard to its interplay with other EU legislations, such as the NIS2 Directive, the CSA2 Proposal and DNA Proposal.

Authored by Henrik Hanssen and Johannes Schmees.