{"id":52736,"date":"2026-05-27T21:01:34","date_gmt":"2026-05-27T19:01:34","guid":{"rendered":"https:\/\/www.eh.at\/?p=52736"},"modified":"2026-05-27T20:59:00","modified_gmt":"2026-05-27T18:59:00","slug":"eu-space-act-vs-nis2-how-the-compromise-text-reshapes-the-cybersecurity-architecture","status":"publish","type":"post","link":"https:\/\/www.eh.at\/en\/eu-space-act-vs-nis2-how-the-compromise-text-reshapes-the-cybersecurity-architecture\/","title":{"rendered":"EU Space Act vs NIS2: How the compromise text reshapes the cybersecurity architecture"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

27.05. 2026
Gernot Fritz<\/a>, Amina Kovacevic<\/a>\u00a0<\/em><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t

European space law is currently undergoing a fundamental regulatory shift. This is particularly visible in the area of cybersecurity. While the European Commission\u2019s original proposal for the EU Space Act<\/a> of 25 June 2025 still placed strong emphasis on a standalone, sector-specific cybersecurity regime for the space sector, the current Council compromise text of 30 March 2026, the Cyprus Compromise Proposal<\/a>, now takes a noticeably different approach.<\/p>

Cybersecurity is no longer treated primarily as an isolated space-specific issue. Instead, the space sector is to be systematically integrated into the existing European cybersecurity architecture. This is one of the most important changes in the current state of negotiations.<\/p>

The background to this development is clear. Space infrastructure has long become part of critical digital infrastructure. Satellites support communications networks, navigation, weather services, financial transactions, energy supply and security-relevant applications. At the same time, the attack surface continues to expand. Cyberattacks on ground stations, satellite control systems or communication links are no longer a hypothetical scenario, but a real risk with potentially significant economic and security implications.<\/p>

The Commission\u2019s original proposal therefore already placed the resilience of space infrastructure at the centre of the EU Space Act. The Council compromise text, however, now goes one step further: the new space rules are closely linked to the existing NIS2 framework.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

NIS2 becomes the foundation of the new Space Act regime<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

This change of direction is particularly apparent in the relationship with the NIS2 Directive.<\/p>

The original proposal largely treated the EU Space Act as a sector-specific lex specialis in relation to Article 21 of the NIS2 Directive. Space operators were to derive their cybersecurity obligations primarily from the Space Act. The main objective was to avoid double regulation and to create a dedicated security regime for the space sector.<\/p>

The Council compromise text now largely reverses this logic.<\/p>

The NIS2 Directive is expressly recognised as the horizontal foundation on which the EU Space Act builds. The Space Act is intended to complement, specify and, in some respects, extend the existing European cybersecurity rules, but no longer to replace them.<\/p>

This new architecture is particularly visible in Article 75. The provision expressly states that the regulation shall apply without prejudice to the NIS2 Directive. Space operators that already qualify as essential or important entities under the NIS2 Directive therefore generally remain subject to the existing NIS2 regime.<\/p>

At the same time, the compromise text requires national Space Act authorities to cooperate closely with the competent NIS2 authorities, Computer Security Incident Response Teams, CSIRTs, and other cybersecurity bodies. Supervisory and information-sharing mechanisms are also much more closely interconnected.<\/p>

This makes one thing clear: the EU Space Act is increasingly developing into a sector-specific layer on top of existing European cybersecurity regulation.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

Article 75a becomes the central cybersecurity provision<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

At the heart of this new architecture is the newly inserted Article 75a.<\/p>

This provision is set to become the core rule for cybersecurity obligations under the EU Space Act. It creates a two-tier system for space actors.<\/p>

Space operators that already qualify as essential or important entities within the meaning of the NIS2 Directive will primarily have to comply with the planned sector-specific implementing act under NIS2 for the space sector. The concrete technical and organisational requirements are therefore expected to be specified increasingly within the NIS2 system.<\/p>

What is particularly noteworthy is that the Space Act itself provides for amendments to the NIS2 Directive. Pursuant to the new Article 118a, the Commission is to be required to adopt a dedicated implementing act laying down technical, methodological and sectoral requirements for space operators.<\/p>

For NIS2-regulated operators, the EU Space Act will therefore no longer primarily regulate cybersecurity directly. Instead, it triggers a sector-specific concretisation within the existing NIS2 architecture.<\/p>

For all other space actors, however, direct cybersecurity obligations under the Space Act itself will continue to apply. This concerns, in particular, operators outside the traditional scope of NIS2, certain research actors, third-country operators with an EU nexus, and operators of Union-owned space infrastructure.<\/p>

This point is particularly important from a regulatory perspective. Many actors in the space sector would not be fully covered by the NIS2 Directive alone. The Council compromise text therefore clearly seeks to close existing protection gaps while creating a cybersecurity framework that is as coherent as possible.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

All-hazards approach and mission-related resilience<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

In substance, Article 75a is much more closely aligned with the logic of the NIS2 Directive than the Commission\u2019s original proposal. At the same time, the Space Act remains clearly shaped by the specific characteristics of space activities.<\/p>

The provision requires appropriate technical, operational and organisational measures to manage cybersecurity risks. At the same time, it expressly follows an all-hazards approach. The objective is not only to protect traditional IT infrastructure, but the entire space mission throughout its full lifecycle.<\/p>

This is one of the distinctive features of the Space Act. Cybersecurity is not understood as a purely IT-related issue in isolation. Rather, the regulation connects digital security, operational control, physical resilience and mission capability into one integrated security approach.<\/p>

The catalogue of minimum measures is correspondingly broad.<\/p>

It includes, among other things, risk analysis and information security policies, incident handling, business continuity and disaster recovery, supply chain security, secure development and maintenance of network and information systems, vulnerability management, cybersecurity training, policies on cryptography and encryption, access controls and asset management, as well as multi-factor authentication and secure communication systems.<\/p>

The strong focus on mission-critical communication and control structures is particularly striking. Telemetry, tracking and telecommand systems are implicitly at the centre of the security architecture. Ultimately, the security of a satellite depends to a significant extent on who has technical control over the space segment.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

Supply chains become a central security factor<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

Supply chain security plays a particularly important role in the Council compromise text.<\/p>

Operators will in future have to expressly take into account the security practices and security measures of their direct suppliers, technology providers and service providers. This is not limited to traditional IT supply chains, but extends to the entire relevant value chain.<\/p>

This is highly relevant in practice for the space industry. Space missions typically rely on complex international supply chains involving highly specialised components, software solutions and service providers. Many systems are dual-use, security-critical or dependent on a small number of global suppliers.<\/p>

Cybersecurity therefore becomes not only a question of individual systems, but also of the broader technological and geopolitical dependencies of a mission.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

Simplified regime for smaller actors<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

Another important change concerns smaller market participants.<\/p>

The Council compromise text provides for a simplified regime for research and educational institutions as well as small and micro-enterprises. This so-called light regime is intended to take account of the specific risk profile of smaller actors and to limit regulatory requirements more closely to certain critical risks.<\/p>

The rationale is understandable. The New Space sector is strongly shaped by young, innovative and often resource-constrained companies. Overly rigid or costly cybersecurity requirements could create significant barriers to innovation.<\/p>

The compromise text therefore seeks to differentiate regulatory requirements more clearly according to risk profile, company size and the potential impact on other space operations.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

Incident reporting and stronger authority coordination<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

The stronger link with the NIS2 Directive is also clearly visible in the area of incident reporting.<\/p>

Significant security incidents are to be reported largely in line with the logic of Article 23 of the NIS2 Directive. For NIS2-regulated operators, the existing reporting channels via CSIRTs and competent authorities are to be used. At the same time, relevant information is to be forwarded to the Space Act authorities.<\/p>

In this way, the legislator seeks to avoid parallel reporting channels and duplicate notifications. At the same time, however, this creates a significantly more complex coordination architecture between cybersecurity authorities, Space Act authorities, CSIRTs, the European Union Agency for Cybersecurity, ENISA, EU-CyCLONe and other European bodies.<\/p>

The planned EU Space Resilience Network, EUSRN, will be particularly important in this context. This network is intended to form the institutional bridge between space regulation and European cybersecurity governance.<\/p>

The Commission\u2019s original proposal placed greater emphasis on a standalone Space Act resilience system. The Council compromise text now integrates the space sector much more deeply into the existing European cybersecurity architecture.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

Conclusion: space becomes part of European cybersecurity governance<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

The cybersecurity provisions in the Council compromise text illustrate how significantly the EU Space Act has changed over the course of the negotiations.<\/p>

The focus is no longer on a fully standalone, sector-specific cybersecurity regime for space actors. Instead, the text creates a close interconnection with existing European cybersecurity structures, in particular the NIS2 Directive.<\/p>

For companies, this means one thing above all: space infrastructure is increasingly being treated, from a regulatory perspective, as critical digital infrastructure.<\/p>

Cybersecurity is therefore finally moving from a technical specialist topic to a core requirement for market access, certification, operational resilience and compliance in the European space sector.<\/p>

At the same time, many practical questions remain open. Numerous technical details are only expected to be specified in forthcoming implementing acts. These implementing acts are therefore likely to be decisive for how strict, practical and innovation-friendly the future European space cybersecurity regime will ultimately be.<\/p>

One thing, however, is already clear: European cybersecurity governance will no longer stop at the atmosphere.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t

If you are active in the space sector \u2013 as an operator, supplier, technology provider or investor \u2013 the key question will not only be which new obligations apply. What will matter is how these obligations can be translated into governance, supply chains, contracts and operational resilience. <\/em>We would be pleased to support you with this.<\/em><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

27.05. 2026Gernot Fritz, Amina Kovacevic\u00a0 European space law is currently undergoing a fundamental regulatory shift. This is particularly visible in the area of cybersecurity. While the European Commission\u2019s original proposal for the EU Space Act of 25 June 2025 still placed strong emphasis on a standalone, sector-specific cybersecurity regime for the space sector, the current […]<\/p>\n","protected":false},"author":20,"featured_media":52469,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"rank_math_lock_modified_date":false,"inline_featured_image":false,"footnotes":""},"categories":[235],"tags":[1011,1012],"group":[],"area":[],"location":[],"systype":[],"class_list":["post-52736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-legal-update-en","tag-eu-space-act-2","tag-nis2"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts\/52736"}],"collection":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/comments?post=52736"}],"version-history":[{"count":4,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts\/52736\/revisions"}],"predecessor-version":[{"id":52753,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/posts\/52736\/revisions\/52753"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/media\/52469"}],"wp:attachment":[{"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/media?parent=52736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/categories?post=52736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/tags?post=52736"},{"taxonomy":"group","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/group?post=52736"},{"taxonomy":"area","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/area?post=52736"},{"taxonomy":"location","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/location?post=52736"},{"taxonomy":"systype","embeddable":true,"href":"https:\/\/www.eh.at\/en\/wp-json\/wp\/v2\/systype?post=52736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}