[co-author: Aleksander Aleksiev]
Summary
- On 25 June 2025, the European Commission announced its proposal for a “Space Act” that would introduce a new regulatory framework for EU space activities. The proposed framework includes cyber-resilience obligations for EU and non-EU entities operating in the space sector (space operators), including both infrastructure located in space and ground infrastructure supporting it.
- Under the Space Act, space operators will have wide-ranging obligations including in relation to: “all hazards” risk management; cybersecurity risk assessments; asset management and access rights; encryption; testing; incident response and regulatory notification; and supply chain management.
- The “management body” (e.g., board) of a space operator will be personally liable for the organization’s compliance with the Space Act’s risk management obligations.
- Many of these security obligations are analogous to, and appear to have been modelled on, other EU cybersecurity laws such as DORA and NIS 2 (which already applies to the space sector). Organizations should consider to what extent existing compliance projects can be repurposed for Space…
