The EU Faces Legal Changes Ahead for Cybersecurity in Space

Cybersecurity remains one of the central topics when it comes to the space sector, not the least because of the role that satellite networks play in society, from satellite communications to Earth Observation (EO), to navigation. Nevertheless, few national space legislations have expressly addressed the need to meet cybersecurity requirements.

One such case is the United Kingdom approach. The Space Industry Regulations 2021 contain a specific chapter on cybersecurity that requires a licensee to draw up and maintain a cybersecurity strategy for the network and information systems used in relation to spaceflight operations. The regulations also establish a duty to report incidents that have an adverse effect on the security of such systems and that may have a significant impact on future essential services.

In the United States, Space Policy Directive-5 also establishes a set of cybersecurity principles for space systems, including the implementation of cybersecurity plans, noting that “integrating cybersecurity into all phases of development and ensuring full life-cycle cybersecurity are critical for space systems.”

In the European Union, there is no EU space law applicable to space activities, nor can the EU approve such a law. Under Article 189 of the Treaty on the Functioning of the European Union (TFEU), the EU cannot harmonize the laws and regulations of the member states when it comes to space activities. Indeed, though the recent EU Space Programme Regulation – Regulation (EU) 2021/696 of 28 April 2021— does address cybersecurity, it does so with relation to the EU flagship programs Galileo, EGNOS, Copernicus, SST, and GovSatCom. Hence, lacking express cybersecurity requirements enshrined in national laws, it would seem that no cybersecurity obligations would directly apply to space actors.

However, changes are coming to the EU cybersecurity regulatory framework with direct impact to the space sector.

There is a proposal for a directive on measures for a high common level of cybersecurity across the union (NIS 2 Directive), which will replace to current NIS Directive. Unlike the current NIS Directive, the future directive, as it is written at the moment, is going to apply to the space sector, to “operators of ground-based infrastructure, owned, managed and operated by member states or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.” Despite this last wording, public electronic communications networks are still going to be subject to the NIS 2 Directive, as this future directive is going to apply also to “providers of public electronic communications networks and of electronic communications services that are publicly available” (thus repealing the current cybersecurity provisions applicable to public telecom service and networks under the European Electronic Communications Code – EECC).

The new NIS 2 Directive contains extremely demanding cybersecurity obligations that all public and private entities performing the above activities and providing services in a member state shall comply with. These measures include risk analysis, incident handling, supply chain security, testing and auditing procedures, use of cryptography and encryption, notification of cyber incidents. Breach of such obligations leads to substantial consequences, including administrative fines of a maximum of at least 10 million euro or up to 2 percent of the total worldwide annual turnover of the undertaking to which the entity belongs in the preceding financial year, whichever is higher.

Other possible consequences of breach include: suspension of a certification or authorization; and a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in the relevant entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity.

Another directive on the resilience of critical entities (CER Directive) is also being proposed, which will replace the current ECI (European Critical Infrastructures) Directive. The CER Directive aims to complement the NIS 2 Directive with relation to physical security. It will also apply to “operators of ground-based infrastructure, owned, managed and operated by member states or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks,” as well as to providers of public electronic communications networks and of electronic communications services that are publicly available.

However, unlike the NIS 2 Directive, only entities in these sectors that have been identified as a “critical entity” by a member state are subject to the obligations. These obligations are also quite demanding and include, for instance, adequate physical protection, risk and crisis management procedures, incident recovery, employee security management, incident notification, risks assessments.

These two new proposed directives are going to thoroughly impact the space sector. Even though they do not apply throughout the whole space value chain, they apply to operators of ground-based infrastructure supporting the provision of space-based services, as well as to public telecom service and network providers (which include providers of satcom networks and services). What is more, the consequences of breach are considerable.

Both directives raise however some questions that could be discussed and addressed in future versions, such as: their application to only certain stakeholders in the (non-satcom) space sector – ground segment operators; and the different treatment of (public/publicly available) satcom vis-à-vis other space activities. Given the central role of satellites worldwide including for achieving the Sustainable Development Goals (SDGs) and the EU green and digital transition, there is growing need to protect space assets from cyber threats. This may require a more ambitious legal framework. States should as a result assess addressing cybersecurity for space activities in general and do so in their national laws (such as in their space laws), in a manner that is well coordinated with the future NIS 2 and CER Directives and that avoids duplicated burdens for space actors.

In any case, even if national space laws do not address cybersecurity obligations, they often contain a set of obligations that require cyber resilience: for instance, most national space laws address the need to safeguard health, safety and the environment, with some of them expressly referring to space debris mitigation and remediation. What is more, cyber resilience is also an important instrument to avoid or mitigate potential liability that may arise from space activities.

Nevertheless, the NIS 2 and CER Directives are going to bring substantial obligations to space stakeholders. Space actors should start preparing for the changes ahead. VS

Helena Correia Mendonça is the principal consultant at the Information, Communication & Technology practice at Vieira de Almeida & Associados. Helena has been involved in various space sector projects, both in Europe and Africa. She further works on Emerging Technologies, especially on DLT/Blockchain, AI, robotics, autonomous vehicles and Fintech related issues.