Resilience by Design for Space: EU Space Act (4) – The EU Space Act’s Blueprint for Resilience
Resilience in space is no longer optional. The proposed EU Space Act embeds resilience as a legal obligation, requiring all space operators established in the EU or serving the EU market to strengthen their systems, secure their supply chains, and ensure mission continuity. With threats mounting, this is Europe's blueprint for space infrastructure that is designed to survive disruption.
Introduction
On 25 June 2025, the European Commission released the proposed EU Space Act (hereinafter, the “Proposed Act”), intended to establish a unified legal framework for the safety, resilience, and sustainability of space activities across the Union. Among these three pillars, resilience stands out as the Act’s most far-reaching and technically detailed dimension, encompassing cybersecurity, physical protection, supply-chain integrity, and continuity of services.
The Proposed Act is built on the recognition that space infrastructure, whether in orbit or on the ground, is increasingly vulnerable to a growing range of threats: cyber intrusions, jamming and spoofing, sabotage, natural hazards, and geopolitical conflict. With many of Europe’s space systems now supporting essential civilian, commercial, and government functions, and with a majority of them considered dual-use in nature, the ability to withstand and recover from such disruptions has become a matter of strategic interest.
To that end, the Proposed Act imposes binding risk management obligations on all space operators serving the EU market, including non-EU entities. It also aligns and interacts with the existing EU cybersecurity (NIS2 Directive) and critical infrastructure (CER Directive) regimes, while establishing space-specific resilience requirements that go beyond existing horizontal rules.
In a nutshell:
Who Must Comply – Addressees of the Proposed Act
- Binding resilience obligations under the Proposed Act apply to all major space service providers, including space operators, launch service providers, primary providers of space-based data, providers of in-space operations/services, and providers of collision avoidance services.
- These obligations apply irrespective of whether the entities are EU-based or third-country operators operating in the EU.
- Indirect impacts also extend to suppliers, as the primary addressees must contractually flow down resilience requirements and are likely to demand higher technical standards from vendors even where not strictly required. Market pressures will likely compel subcontractors to meet the new standards.
Resilience Requirements – What Operators Must Do
Lifecycle Risk Management
- Operators must implement continuous, lifecycle-wide risk management, covering mission design, launch, operations, and decommissioning.
- Measures should be proportionate to the mission’s risk profile:
- Large or critical missions: Full suite of controls (e.g. encryption, incident response, continuity plans).
- Small enterprises and research institutions: Simplified regime focusing on a minimal baseline for the most critical threats (like loss of control of propelled spacecraft or harmful interference).
Cyber, Physical, and Supply Chain Protections
- Operators must apply comprehensive technical and organizational safeguards to cyber and physical elements of space systems.
- Obligations include:
- Cybersecurity: asset inventories, “need-to-know” access controls, end-to-end encrypted command links.
- Physical security: protection of critical ground infrastructure (aligned with CER Directive standards).
- Supply chain: vetting of non-EU components, contractual security requirements for suppliers, oversight of third-party risks.
- Together, these measures aim to harden space operations against cyberattacks, equipment sabotage, signal jamming/spoofing, and other threats.
Continuity and Incident Response
- Operators must ensure mission continuity through built-in redundancies and recovery planning.
- Specific obligations include:
- Formal backup systems for data and critical infrastructure (e.g. redundant control centers, antennas, satellite links, degraded mode operations).
- Mandatory business continuity and disaster recovery plans, with regular testing (including threat-led penetration tests).
- Incident reporting: initial alert within 12–24 hours (depending on scope), detailed report within 72 hours, final root-cause analysis within one month.
Alignment with EU Frameworks
- The Proposed Act serves as a lex specialis to the NIS2 Directive, ensuring space operators avoid double regulation.
- Physical security requirements are coordinated with the CER Directive so that there is no duplication, only a high and consistent standard.
- A new EU Space Resilience Network (EUSRN) is set to be established as a coordination body, linking the European Commission, EUSPA, Member States, ENISA, and others to share threat intelligence and harmonize responses to space security incidents across Europe.
In more detail:
The resilience framework in the Proposed Act sets out requirements that must be fulfilled by the following primary addressees: space operators, launch service providers, primary providers of space-based data, in-space operations/services providers, and providers of collision avoidance services. These obligations apply across the board, regardless of whether these entities are established within the EU or in a third country and cover the ground, space, and link segments alike.
Additionally, the Proposed Act has indirect impacts on the broader space industry in two key ways. First, if the primary addressees are explicitly required by the Act to oblige their suppliers to conform to certain resilience or design requirements, those supply-chain partners will need to comply contractually. Second, even when such flow-down is not formally mandated, the primary operators are expected to demand higher resilience standards from all contractors (e.g. more robust components or software), effectively raising the bar for subcontractors and component manufacturers.
The resilience framework is built around six interlocking features, each aimed at reducing operational vulnerabilities and ensuring continuity of mission-critical space services.
1. Risk Management Across the Lifecycle
At the heart of the resilience framework is a continuous, lifecycle-wide risk management obligation. Rather than applying one-off security tests or audits, the Proposed Act mandates that resilience be embedded throughout the design, operation, and decommissioning of space systems.
Under Article 76(1), space operators must manage all risks “to the security of network and information systems and the security of the physical infrastructure and environment” in proportion to their risk profile and size. This all-hazard, all-phase approach spans design, manufacturing, integration, launch, operations, and end-of-life. It includes both external threats (cyberattacks, jamming, sabotage) and internal failures (system malfunction, human error, ground link loss). Article 78 expands on this, requiring operators to continuously identify, assess, and treat these risks throughout the mission lifecycle.
Importantly, the Act is clear that risk management must be tailored in accordance with the principle of proportionality. Factors to be considered include:
- Type of mission
- Constellation size and orbital dynamics
- Criticality of service provided
- Operator’s organizational scale and capacity
- Use of propulsion (which increases potential for uncontrolled movement)
This proportionality principle is operationalized through two mechanisms:
i. Scaled Baseline Obligations (Art. 76(3)):
Operators of large, critical, or propulsion-equipped missions must comply with the full suite of technical and organizational controls under the Act and its Annexes. This includes crypto systems, asset registries, business continuity plans, and threat-led testing.
ii. Simplified Risk Regime (Art. 79):
Small enterprises and research/education institutions qualify for a simplified regime. These actors are only required to address a minimal set of risk scenarios related to critical assets and critical functions, specifically focusing on two categories of threats:
- Loss of control of a spacecraft equipped with propulsion
- Loss of a spacecraft that could emit harmful interference
For such operators, only the minimum set of risk controls from Annex VII, point 9, must be implemented, essentially a tailored baseline to ensure public safety and frequency hygiene without imposing undue burden. Competent authorities shall maintain a register of which operators qualify for the simplified regime (Art. 79(2)), and the European Space Agency will report annually on its uptake and effectiveness (Art. 79(3)).
In practical terms, this risk-based model aims to strike a balance between strategic protection of Union interests and innovation-friendly flexibility for small actors. It also ensures that the same core logic applies across all operator types: assess your risks, mitigate them proportionately, and maintain that posture across the system lifecycle.
2. Cybersecurity Safeguards
Cybersecurity lies at the core of the Proposed Act’s resilience regime. The Act imposes layered technical and organizational measures on all operators to ensure the confidentiality, integrity, and availability of space systems, spanning both the space segment (onboard software, telemetry/command links) and the ground segment (control centers, uplink/downlink infrastructure, and cloud-based support systems).
a. Asset Inventory and Classification (Article 80)
Operators must maintain an up-to-date inventory of all critical assets, both physical and logical, across the entire mission architecture. While the Act does not prescribe a closed list, such inventories would typically include:
- Satellites and onboard systems
- Ground stations and mission control assets
- Software and cloud-based command interfaces
- Third-party systems or contracted service elements
These assets must be classified based on confidentiality, integrity, availability, and mission-criticality. The resulting register forms the foundation for cybersecurity measures under Articles 81–85.
b. Identity and Access Management (Article 81)
Under the Proposed Act, access to critical systems must be strictly limited to authorized personnel, devices, and systems. The Act mandates that only authenticated and authorized users and devices may connect to satellites or mission systems. Logical and physical access must follow the “need-to-know” and “least privilege” principles, with credentials automatically revoked when no longer required. These controls are designed to prevent insider misuse and limit lateral movement in case of a breach.
c. Network Security and Cryptographic Architecture (Articles 84 & 85)
The Proposed Act imposes layered cybersecurity obligations to safeguard mission-critical systems and data flows. Article 84 requires space operators to implement risk-based security controls across all mission systems, proportionate to the threat environment and tailored to each space mission. These controls must align with the technical baselines set out in Annex VII, including secure system configurations, intrusion detection capabilities, and real-time supervision of telemetry and telecommand links.
Ground infrastructure must be capable of continuous technical control over the space segment, with strict authentication between ground and satellite components to prevent unauthorized access or interference. Article 85 builds on this by mandating end-to-end cryptographic safeguards. Operators must define and implement a mission-appropriate cryptographic architecture including encryption protocols, algorithm selection, and key management policies.
At a minimum, command links must be encrypted and authenticated so that a third party can neither read nor inject or replay telecommands, closing the door on spoofing and hijack scenarios. Cryptographic keys must be securely stored and regularly rotated, and key material must be backed up and recoverable so that control of the spacecraft can be maintained or re-established if a key is compromised. The Act also anticipates the future imposition of EU-certified cryptographic modules through delegated acts, aligning with broader EU cybersecurity certification frameworks.
In practice, these provisions require operators to assess and modernize legacy systems, particularly ground segments and satellite uplinks that still rely on unauthenticated or weakly protected command channels, to conform with evolving encryption standards. For operators managing high-value or dual-use missions, this may entail adopting controls comparable to those used in defense-grade space systems.
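The link-protection requirements above (authenticated and encrypted telecommands, key rotation, continuity after key compromise) are easier to reason about with a concrete frame format in hand. The following Python is an added illustration written for this page; it is not code from the Proposed Act, from EUSPA or from any operator. It uses only the standard library, so the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 in counter mode rather than a standard AEAD; the frame layout, the key identifiers, the sequence counters and the command names are all assumptions made for the example. A real mission would swap the cipher for AES-GCM or ChaCha20-Poly1305 from a certified module, which is exactly the kind of module the delegated acts mentioned above are expected to specify. What the example does show is the receiver-side discipline the Act is asking for: reject unknown or retired keys, verify the tag in constant time before touching the ciphertext, and refuse replayed or out-of-order sequence numbers.

```python
"""Authenticated, encrypted telecommand frames with anti-replay and key rotation.

Illustrative only (added example, not the Act's or any operator's code). The
cipher is HMAC-SHA256 used as a counter-mode keystream plus an HMAC-SHA256
tag (encrypt-then-MAC), chosen so the block runs with the standard library.
Production systems should use a standard AEAD from a certified module.
"""
import hashlib
import hmac
import os
import struct

# Assumed frame layout: key id (2 bytes) | sequence counter (8) | nonce (12) | ciphertext | tag (32)
HEADER = struct.Struct(">HQ12s")
NONCE_LEN = 12
TAG_LEN = 32


class TelecommandError(Exception):
    """Raised by the spacecraft side for any frame that must not be executed."""


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || block_index), concatenated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal_telecommand(kid: int, enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Ground side: encrypt the payload, then authenticate header || ciphertext."""
    nonce = os.urandom(NONCE_LEN)          # fresh per frame; never reuse with the same key
    header = HEADER.pack(kid, seq, nonce)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class SpacecraftReceiver:
    """Spacecraft side: active keys indexed by key id, plus the last accepted sequence number."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)             # kid -> (enc_key, mac_key)
        self.last_seq = -1                 # monotonic counter shared across key ids

    def add_key(self, kid: int, enc_key: bytes, mac_key: bytes) -> None:
        self.keys[kid] = (enc_key, mac_key)   # uploaded ahead of a rotation

    def retire_key(self, kid: int) -> None:
        self.keys.pop(kid, None)           # frames under a retired/compromised key are refused

    def open_telecommand(self, frame: bytes) -> bytes:
        if len(frame) < HEADER.size + TAG_LEN:
            raise TelecommandError("frame too short")
        header, ct, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        kid, seq, nonce = HEADER.unpack(header)
        if kid not in self.keys:
            raise TelecommandError(f"unknown or retired key id {kid}")
        enc_key, mac_key = self.keys[kid]
        expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # constant-time, checked before decrypting
            raise TelecommandError("authentication failed")
        if seq <= self.last_seq:                       # replay or out-of-order delivery
            raise TelecommandError(f"rejected sequence {seq} (last accepted {self.last_seq})")
        self.last_seq = seq
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Walk through the cases a receiver must handle; returns outcomes keyed by scenario."""
    def attempt(receiver, frame):
        try:
            return receiver.open_telecommand(frame)
        except TelecommandError as err:
            return f"rejected: {err}"

    key1 = (os.urandom(32), os.urandom(32))          # (enc_key, mac_key) for key id 1
    key2 = (os.urandom(32), os.urandom(32))          # successor key for rotation
    attacker = (os.urandom(32), os.urandom(32))      # keys the adversary actually holds
    sc = SpacecraftReceiver({1: key1})
    results = {}

    genuine = seal_telecommand(1, *key1, 10, b"ATT_HOLD")
    results["valid"] = attempt(sc, genuine)                   # executed
    results["replay"] = attempt(sc, genuine)                  # same frame again -> rejected

    tampered = bytearray(seal_telecommand(1, *key1, 11, b"THRUST_OFF"))
    tampered[HEADER.size] ^= 0x01                             # flip one ciphertext bit
    results["tampered"] = attempt(sc, bytes(tampered))        # tag mismatch -> rejected

    forged = seal_telecommand(1, *attacker, 12, b"DEORBIT")   # right key id, wrong keys
    results["spoofed"] = attempt(sc, forged)                  # rejected

    sc.add_key(2, *key2)                                      # rotation: upload, switch, retire
    sc.retire_key(1)
    results["retired_key"] = attempt(sc, seal_telecommand(1, *key1, 13, b"ATT_HOLD"))
    results["rotated"] = attempt(sc, seal_telecommand(2, *key2, 13, b"SAFE_MODE"))
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:12s} {outcome!r}")
```

Two design points carry over to real systems regardless of cipher: the tag is verified before any decryption or sequence-state update, so a forged frame cannot advance the counter or leak plaintext-dependent timing, and key rotation is a three-step sequence (upload successor, switch, retire predecessor) that keeps the link up throughout, which is the continuity property the Act asks for when a key is suspected compromised.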
d. Real-World Case: KA-SAT Cyberattack (2022)
The relevance of these measures is underscored by the attack on Viasat's KA-SAT network on 24 February 2022, the day of Russia's invasion of Ukraine. According to Viasat's own incident summary, the attacker exploited a misconfiguration in a VPN appliance to reach the trusted management segment of the ground network and from there pushed destructive commands (later identified by researchers as the AcidRain wiper) to tens of thousands of customer modems. Terminals across Ukraine and parts of Europe lost connectivity, and many modems were rendered inoperable and had to be replaced. In Ukraine, military and government communications were affected; in Germany, the turbine manufacturer Enercon lost remote monitoring and control of roughly 5,800 wind turbines, which kept generating but could no longer be managed remotely.
Had the safeguards outlined in the Proposed Act been operationally required at the time, particularly strong authentication on management interfaces, segmentation of the management network from customer-facing segments, and authenticated command channels to terminals, the attacker's path from a single misconfigured appliance to fleet-wide modem destruction would have been far harder to traverse. The Proposed Act essentially seeks to ensure that incidents of this nature are pre-empted by design rather than handled after the fact.
e. Harmonization with NIS2 and Broader EU Cyber Strategy
While the Proposed Act is sector-specific, its cybersecurity provisions are explicitly designed to integrate with the EU’s broader cybersecurity architecture. Article 75 designates the Act as a lex specialis under the NIS2 Directive (Directive (EU) 2022/2555), meaning that space operators subject to both instruments will fulfil their NIS2 Article 21 obligations by complying with the more detailed requirements set out in the Proposed Act.
This alignment avoids regulatory duplication for operators already designated as “essential” or “important entities” under NIS2, particularly in relation to risk management, technical controls, and business continuity planning. However, coordination obligations under NIS2 still apply.
In effect, the Proposed Act creates a streamlined, mission-specific cybersecurity regime for space systems, while preserving the horizontal coordination mechanisms embedded in NIS2. It reflects the EU’s intent to harmonize sectoral and cross-sectoral cybersecurity governance under a coherent legal framework.
3. Physical and Ground Infrastructure Security
While cybersecurity protects the digital backbone of space operations, physical security ensures the resilience of tangible assets, especially ground infrastructure like mission control centers, uplink/downlink stations, and data processing facilities. The Proposed Act treats these facilities as critical nodes in the space value chain, and mandates a high standard of physical resilience aligned with the Critical Entities Resilience (CER) Directive.
a. Ground Segment Protection Requirements (Article 82)
Operators must implement security measures “at least equivalent” to those set out in Article 13 of the CER Directive (Directive (EU) 2022/2557), which governs the physical resilience of critical infrastructure across the Union. Article 82 requires:
- Secure access and perimeter controls
- Segregation and monitoring of critical systems
- Backup power, fire suppression, and other environmental safeguards
- Geographic redundancy for key ground assets
The aim is to ensure that an incident, whether physical sabotage, extreme weather, or technical failure, does not cause cascading or unrecoverable disruptions across the mission architecture.
b. Coordination with CER Directive (Article 75(2))
Where space operators are formally designated as critical entities under the CER Directive, Article 75(2) clarifies that the Space Act’s physical-security rules apply in parallel to CER obligations. In practice, this means:
- No double compliance, but coordinated application of both frameworks
- National authorities responsible for CER will remain involved in assessing and monitoring compliance
- Operators may be subject to audits under both regimes, but with shared reporting channels and oversight tools
This coordinated framework reduces duplication but requires integrated compliance planning, internally between cybersecurity and resilience teams, and externally between operators and Member State authorities.
c. Real World Implications
Recent kinetic threats and hybrid incidents, such as suspected sabotage attempts on undersea cables, GPS jamming near European airports, or drone incursions at military-adjacent satellite ground stations, underscore the need for robust ground-based defenses. As more high-capacity satellites rely on relatively few ground control points, these sites have become high-value targets. The Proposed Act aims to strengthen such infrastructure both through architectural design and operational readiness.
4. Backup, Redundancy and Continuity
A central feature of the resilience framework is operational continuity: the ability of space systems to remain functional, or swiftly recover, despite incidents ranging from cyberattacks and equipment failure to natural disasters and sabotage.
Article 86 requires operators to implement formal backup and redundancy measures, defining what data must be saved, how often, and how to restore it with minimal downtime. These backup systems must themselves be secured and resilient, not just mirrored vulnerabilities. To prevent single points of failure, ground infrastructure must be geographically and technically redundant, such as backup control centers, parallel antenna systems, or fallback satellite links. The space segment must also be capable of temporary autonomous functioning in “degraded mode,” giving operators time to reestablish control in the event of disruption (Article 86(3)(c)).
Article 87 then mandates comprehensive business continuity and disaster recovery plans. Operators must be prepared for events like grid failures, natural disasters, cyberattacks, or satellite collisions, spelling out how to reroute data, switch control sites, or invoke emergency protocols. The Act includes examples like severe storms, equipment malfunction, and radio frequency interference as baseline planning scenarios.
These plans must be regularly tested (Article 88), including pre-launch threat-led penetration tests and triennial refresh cycles. Article 89 further requires dedicated staff training and role-based responsibilities.
Together, these provisions aim to ensure that space missions are not brittle: they must be capable of absorbing shocks, isolating failures, and resuming operations with minimal disruption. The continuity architecture mandated here is particularly critical for dual-use or safety-critical missions, where even brief service interruptions can have cascading consequences.
5. Incident Detection and Reporting
The Proposed Act mandates that space operators adopt a structured and timely approach to incident detection, handling, and regulatory reporting. These requirements apply to all significant incidents, defined as those likely to disrupt mission operations, degrade service delivery, or pose safety or security risks.
a. Internal Incident Management (Articles 90–91)
Operators must establish clear internal procedures for detecting, managing, and escalating incidents. Article 91 requires that operators be able to promptly identify and respond to anomalies affecting space infrastructure, whether cyber or physical. Senior management must be informed of all significant incidents, and for systems hosting third-party payloads, operators must notify those payload customers and coordinate recovery actions in line with pre-agreed terms.
The Proposed Act introduces a broader obligation around crisis communication. Operators must have predefined internal and external communication protocols to ensure timely and accurate dissemination of incident-related information to affected users, staff, authorities, and the public, without creating panic or misinformation.
b. Regulatory Reporting Timelines (Article 93)
A tiered reporting system applies to all significant incidents. Operators must notify relevant authorities according to urgency and impact:
- Within 12 hours: Initial alert to the Security Monitoring Centre of the EU Agency for the Space Programme (EUSPA) if the incident affects EU-owned assets.
- Within 24 hours: For all other registered EU missions, the same notification must be sent to the competent authority.
- Within 72 hours: A more detailed report including preliminary impact assessment, mitigation steps, and indicators of compromise.
- Within one month: Final report with full root cause analysis, severity assessment, and any cross-border effects.
The Proposed Act also preserves compatibility with existing incident-handling regimes. If the operator is already covered under NIS2, they must report through their designated CSIRT (Computer Security Incident Response Team). If subject to the CER Directive, notification must also go to the civil protection authority. This ensures that significant incidents enter both space-specific and horizontal EU security frameworks without duplication.
c. EU Space Resilience Network
To ensure consistent enforcement and joint situational awareness, the Proposed Act establishes the EU Space Resilience Network (EUSRN) as a formal coordination body. This multi-stakeholder forum brings together the European Commission, EUSPA, Member State authorities, ENISA, the EEAS, and other relevant actors to share incident data, align national practices, and coordinate responses to cross-border threats (Art. 94(2)).
Meeting at least twice a year, the EUSRN complements existing cybersecurity structures such as the NIS Cooperation Group and EU CyCLONe, serving as a dedicated space resilience coordination mechanism. Its creation reflects the EU’s recognition that space threats are both transnational and hybrid in nature, and require integrated oversight across sectors and jurisdictions.
6. Supply Chain Security
The Proposed Act takes a firm stance on third-party risks, particularly those involving non-EU suppliers, critical components, and software dependencies, by embedding supply chain security into the broader resilience framework.
a. Mandatory Risk Management Framework
Under Article 92(1)-(2), operators must implement a formal supply chain risk management framework. This includes embedding specific information security requirements into all contracts with suppliers, manufacturers, and service providers. The strategy must align with the minimum controls set out in Annex VII, Point 6.
b. Inventory and Analysis of Non-EU Dependencies
Article 92(3) compels operators to maintain a dedicated inventory of critical assets sourced from outside the Union, particularly those necessary to maintain effective technical control of the mission (e.g., orbital control functions). This inventory must be informed by the operator’s broader risk assessment, supporting visibility into strategic dependencies and exposure.
c. Integration with Broader Resilience Duties
Supply chain security is not treated in isolation. Article 92 explicitly ties supply chain management to overarching resilience strategies including cyber risk (Article 76), operational continuity (Article 87), and technical testing (Article 88). Operators must ensure that third-party risks are factored into system design, response playbooks, and continuity procedures.
d. Policy Context and Real-World Relevance
Recent disruptions, from firmware supply chain intrusions to geopolitical restrictions on satellite components, demonstrate the criticality of supplier transparency and control. The Proposed Act addresses these risks by requiring traceability, binding contractual obligations, and audit mechanisms that preserve EU strategic autonomy. Operators retain full accountability, even when using outsourced technologies.
Outlook
The Proposed EU Space Act marks a shift in how Europe plans to safeguard its space infrastructure, treating resilience not as an afterthought but as a built-in design principle for all missions. If adopted in its current form, the Proposed Act will demand sustained investment, tighter coordination across Member States, and industry-wide adjustments, particularly from non-EU providers and legacy operators. In the near future we can expect a flurry of delegated acts, technical standards, and national implementation rules aimed at operationalizing the Act’s layered requirements.
For space operators, this is not merely a compliance exercise; it is a signal to embed resilience deeply into the lifecycle of every mission. As cyber, kinetic, and geopolitical risks continue to rise, the Space Act may well become a blueprint for space governance beyond Europe. The ripple effects will also reach downstream suppliers and contractors. Even where they are not directly regulated under the Proposed Act, they will face growing pressure from the primary addressees to meet higher standards of security and reliability. This could prove particularly challenging for smaller and mid-sized companies, given the added costs and technical complexity, a concern that has already been raised in discussions around NIS2's impact on medium-sized entities.
At the same time however, the shift creates opportunities. Companies able to offer resilient-by-design technologies, secure components, and trusted services will find themselves well positioned in a market where robustness and reliability are increasingly prerequisites for participation. In practice, resilience will not remain a compliance issue for primes alone but will become a competitive factor across the entire European space supply chain.