As our reliance on this orbital infrastructure deepens, the legal and regulatory frameworks governing it are facing a stress test unlike any other. This is particularly true in relation to cyber security.
The 2022 cyber attack on the Viasat satellite network, which disrupted military communications and knocked out thousands of wind turbines across Europe, was not an assault on a satellite in orbit, but on its terrestrial ground systems. Satellite communications are essential in modern warfare but they are also heavily relied on by remote communities who may lack access to customary technology infrastructure. The Viasat attack served as a stark reminder that the greatest vulnerabilities often lie closest to home. Some threats are extra-territorial and some are extraterrestrial, but all must be addressed through the blunt tool of legislative and regulatory action to ensure that the rule of law exists to protect commercial operations, national security interests, and the human rights of those whose lives are impacted when essential technology fails.
Recently, the European Commission’s landmark June 2025 proposal for a unified EU Space Act has decisively shifted the conversation on space operations from the technical to the legal domain – though other regulations are already in place that will affect cyber security in space. For decades, space has undergone a profound commercial transformation, evolving from a state-dominated arena into a busy economic ecosystem critical to global communications, finance, and logistics. This proliferation of commercial satellite constellations has not only created unprecedented opportunity but has also exposed a new, critical attack surface, making the cyber security of space assets a matter of international strategic importance.
The central challenge is no longer simply getting to space, but securing it once there – a task for which our existing international legal architecture from the 1960s and 1970s is dangerously ill-equipped. The possible emergence of binding regional regulations like the EU Space Act could mark a pivotal moment, setting a standard which will eventually be adopted universally but, as with other regional regulatory efforts, it risks forcing operators, investors, and legal advisors to navigate a complex and fragmented landscape of sometimes overlapping and sometimes conflicting duties, where a single cyber incident can have cascading geopolitical consequences. The implications for businesses operating in or relying on the space sector are profound. Understanding this new reality requires a thorough analysis of the shifting legal obligations, the persistent gaps or conflicts in international law, and the tangible risks of operating in an increasingly contested domain.
Already here: a new constellation of EU regulations.
A set of finalised European regulations that are already or soon to be applicable – comprising NIS2, the Cyber Resilience Act (CRA), the revised Product Liability Directive (PLD), and the AI Act – is fundamentally reshaping the cyber security and liability landscape across sectors, with both general and specific obligations for the European space sector. This multi-layered framework moves beyond generic IT security, creating an interlocking system of legal accountability across the entire value chain.
* NIS2 establishes a baseline for operational resilience by classifying space operators, and by proxy their suppliers, as critical infrastructure.
* The CRA complements this by mandating ‘security-by-design’ for all products with digital elements, from satellite components to ground software.
* The PLD redefines liability in relation to consumer products, making software a ‘product’ and treating cyber security vulnerabilities – like malfunctioning navigation satellites or other consumer facing services – as actionable defects under a strict liability regime.
* The AI Act adds further obligations for autonomous systems used in critical functions.
This regulatory web culminates in the forthcoming EU Space Act.
Summary of the Text: Space Cybersecurity – A Growing Crisis
This text outlines the escalating cybersecurity threats facing the space sector, highlighting a critical gap between evolving risks and the existing legal and regulatory frameworks. Here’s a breakdown of the key points:
1. Increasing Regulation – The EU Leading the Way:
* EU Space Act: The EU is taking a proactive approach with a new Space Act, imposing legally binding cybersecurity duties on space operators. This goes beyond the general NIS2 directive, recognizing the unique vulnerabilities of the space environment.
* Broad Scope: The Act has meaningful extraterritorial reach, potentially forcing international operators (US, UK, etc.) to comply with EU standards to access the European market – creating a potential global baseline.
* Comprehensive Requirements: The Act will mandate all-hazards risk assessments, security controls, and incident reporting.
2. The International Legal Vacuum & Attribution Problem:
* Outdated Laws: Current international space law (Outer Space Treaty of 1967) is inadequate for addressing cyberattacks, focusing on physical actions rather than malicious code.
* Ambiguity & Accountability Gap: The treaty’s principles of state responsibility and liability are unclear when applied to cyber operations. Attributing cyberattacks to specific states is incredibly difficult, creating a “zone of plausible deniability” and incentivizing the use of cyber proxies.
* US Approach: The US appears to be relying on policy and best practices rather than hard law.
3. Geopolitical Risks & Dual-Use Assets:
* Convergence of Commercial & Military: Commercial space assets (like Starlink) are increasingly vital for military operations, making them strategic targets.
* Escalation Risk: A cyberattack on a commercial satellite could be interpreted as a strategic strike, potentially triggering military escalation.
* New Risk Profile for Businesses: Space technology companies must now consider the national security implications of their assets and incorporate cyber resilience into their risk management, recognizing the potential to contribute to international conflict.
4. The Need for a Paradigm Shift:
* Regulation Isn’t Enough: While EU regulations are a positive step, they can’t solve the broader geopolitical challenges.
* Bridging the Gap: A critical need exists to reconcile robust regional regulations with the outdated international legal order.
* Business Imperative: Space businesses need to adopt a multi-jurisdictional compliance strategy and prioritize “security-by-design,” viewing cyber resilience as a core investment, not just a cost.
In essence, the text paints a picture of a rapidly evolving threat landscape in space, where traditional legal frameworks are failing to keep pace, and the stakes are incredibly high – potentially reaching the level of international conflict. The EU is attempting to lead the way with stricter regulations, but a global solution is needed to address the fundamental challenges of attribution and accountability.