12 May 2026

Beyond NIS 2: The EU Space Act And The Coming Of Age Of Space Cybersecurity

Hannes Snellman Attorneys Ltd



From satellite navigation to financial settlement systems, space infrastructure has quietly become essential to modern life. Regulators are catching up, and the legislative picture is more complex and contested than it may first appear. Following the first instalment of our blog series, which set out why space deserves closer legal attention in Finland and Europe, this second part examines a regulatory frontier that is moving fast: the cybersecurity of space infrastructure.

On 25 June 2025, the European Commission published its proposal for a regulation on the safety, resilience, and sustainability of space activities in the Union: the proposed EU Space Act. The Commission’s case is fundamentally about the single market. Divergent national rules on satellite design, cyber risk management, and environmental constraints create obstacles for cross-border operations and reduce legal certainty for EU operators. The Space Act responds to that fragmentation and to a real security gap. International law sets broad principles (state responsibility under the Outer Space Treaty, for example) but offers little in the way of binding technical rules. Modern risks such as cyberattacks and orbital congestion have outpaced the existing framework.

Where Things Stand: NIS 2 and the Space Sector

The Commission’s core cybersecurity argument is straightforward. NIS 2 and the CER Directive reinforce the resilience of ground infrastructure, but they do not cover all segments of space infrastructure, including certain Union-owned assets within the EU Space Programme. The Space Act is designed to fill that gap.

It introduces an all-hazard risk-management framework across the full lifecycle of space missions, from design and manufacturing through to launch, operations, and disposal, covering digital and physical threats across all segments: ground, space, and link.

The compliance bar is high. Under the Commission proposal and the Council compromise, operators must conduct mandatory Threat-Led Penetration Testing (TLPT) before launch (or, for constellations, before the first batch launches) and at least every three years thereafter. Cryptography is a core requirement under both texts: operators must define a cryptographic concept, implement encryption policies, and ensure end-to-end authentication between control centres and the space segment, with risk-based encryption of telecommands. Supply chain risk management is also explicit in both texts, covering contractual security requirements and an inventory of critical non-Union-origin assets needed to maintain effective technical control.

The Parliament’s ITRE Committee has taken a different view. It proposes deleting the dedicated TLPT, cryptography, and supply chain provisions from the Space Act, on the basis that these matters should be governed by NIS 2 directly. Whether these obligations survive the trilogue in Space Act-specific form is one of the key open questions.

The NIS 2 Relationship

This is where the legislative picture becomes genuinely complex and where the three institutions diverge most sharply.

The Commission’s position is that the Space Act should function as a lex specialis, a sector-specific override. For operators already captured by NIS 2 as essential or important entities, Article 75 of the Commission proposal would have the Space Act replace NIS 2’s cybersecurity risk management obligations, while keeping the broader NIS 2 framework intact. The practical aim is to avoid duplication without cutting the space sector off from the wider EU cyber governance ecosystem.

The Council Presidency’s December 2025 compromise takes a more cautious approach. The relationship is framed as “without prejudice”: where space operators qualify as essential or important entities under NIS 2, the Regulation does not displace NIS 2, and national authorities should cooperate to ensure consistent application. The Council text does call for cybersecurity requirements under NIS 2 and the EU Space Act to be synchronised so that obligations are identical across entity types, a sensible goal that would reduce administrative burden and increase legal certainty. For operators not covered by NIS 2 as essential or important entities, the Council text creates Space Act cybersecurity risk management duties that mirror NIS 2 measures, including risk analysis, incident handling, supply chain security, secure development, effectiveness testing, and access control. A lighter regime for research and education institutions and small enterprises would follow via implementing act.

The Parliament’s ITRE Committee has gone furthest. The ITRE draft report explicitly rejects a separate lex specialis cybersecurity regime in the Space Act, arguing there is no technical justification for one. Instead, it proposes amending NIS 2 to extend its scope to space activities, services, and Union-owned assets, so the entire space sector would comply with a single legal act. As a consequence, the ITRE draft also proposes deleting the Space Act’s dedicated provisions on TLPT, cryptography, and supply chain risk management, on the basis that those obligations would instead flow from NIS 2. The ITRE text does reproduce the Commission’s Article 75 lex specialis provision in its amendment table but proposes its deletion, an internal tension that signals this will be a central issue in the trilogue.

Incident Reporting: A Moving Target

When and where you report a significant incident will depend on which institutional position survives the trilogue, and the gap between them is material.

The Commission proposal sets a two-track system. An early warning must be given within 12 hours for significant incidents affecting Union-owned assets, or within 24 hours for other assets, followed by a 72-hour report and a final report within one month. For operators qualifying as essential or important entities under NIS 2, reporting flows through NIS 2 pathways via CSIRTs and competent authorities. The 12-hour early warning track is an innovation of the Space Act proposal itself. NIS 2 Article 23 requires only a 24-hour early warning for all covered entities, without a shorter track for particular asset types.

The Council compromise broadly retains this structure. The “significant incident” threshold follows NIS 2 concepts. NIS 2-covered entities report under NIS 2, while others report to the CSIRT or competent authority, with a 24-hour early warning and 72-hour notification, and summaries flowing to the Agency. The 12-hour track is retained in the Council text but limited to operators of Union-owned assets reporting to the Union Space Programme security monitoring structure. It does not apply as a general regime.

The ITRE draft takes a different approach entirely. It proposes deleting the Space Act’s incident-reporting timeline regime in its entirety, including the 12-hour and 24-hour early warning tracks, the 72-hour notification and the one-month final report deadlines set out in Article 93(7) of the Commission proposal, as well as the NIS 2 Article 23 routing provision. Under the ITRE text, Union space operators would report significant incidents to national competent authorities, who would transmit a summary to the Agency. The precise scope of those amendments remains subject to the trilogue.

Authorities Will Coordinate

Both the Commission and Parliament propose a dedicated coordination body, the EU Space Resilience Network (EUSRN), to link national authorities, the Agency, the Commission, and the EEAS, and connect them to the broader EU cyber-governance structures, including the CSIRTs network and EU-CyCLONe. The Council compromise text does not appear to include equivalent provisions, meaning this structural point is not yet agreed across all three institutions. Its precise form will depend on the trilogue outcome, but the intent of integrating the space sector into EU-wide cyber situational awareness is consistent across the Commission and Parliament texts.

On supervision, Member States must designate national competent authorities, with a single point of contact where multiple authorities exist. The texts anticipate coordination with NIS 2 authorities for resilience supervision. For Finnish operators, Traficom, through its Cyber Security Centre, is the natural first port of call. It is Finland’s primary NIS 2 supervisory authority and hosts the NIS 2 single point of contact. Knowing your regulatory interlocutor now, before the Space Act takes effect, is one of the simplest and most valuable steps an operator can take.

What to Do Now

The trilogue will need to resolve genuinely contested questions: above all, whether the Space Act operates as lex specialis to NIS 2, whether NIS 2 is expanded to cover the space sector directly, or whether a hybrid model emerges. Despite that uncertainty, the groundwork can start now:

  • Map your current position: Review existing compliance frameworks against the Space Act’s resilience chapter. Much of the underlying work (risk assessments, supply chain frameworks, incident management processes) translates directly across legislative scenarios.
  • Identify gaps: Pinpoint activities or entities that may fall outside the Space Act’s scope and will therefore remain under NIS 2. Multi-sector operators will need to be precise about which obligations apply where.
  • Watch the TLPT and cryptography requirements closely: Both appear in the Commission proposal and the Council compromise, but the ITRE Committee has proposed deleting the dedicated Space Act provisions, on the basis that those obligations should flow from NIS 2 directly. These requirements are therefore contested rather than settled. They remain a useful compliance planning reference, particularly if the Commission or Council position prevails in trilogue, but operators should not treat them as confirmed obligations under the final text.
  • Follow the trilogue actively: The outcome on the NIS 2 and Space Act relationship will determine the entire compliance architecture. Operators who engage now will be best placed to respond when the text is finalised.

The EU Space Act remains a legislative proposal. The analysis above reflects the Commission’s proposal of June 2025, the Council Presidency’s compromise text of December 2025, and the European Parliament’s ITRE Committee draft report of March 2026. The final text will be shaped by trilogue negotiations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
