As our reliance on this orbital infrastructure deepens, the legal and regulatory frameworks governing it are facing a stress test unlike any other. This is particularly true in relation to cyber security.
The 2022 cyber attack on the Viasat KA-SAT network, which disrupted military and civilian communications in Ukraine and cut remote monitoring of thousands of wind turbines in Germany, was not an assault on a satellite in orbit but on the terrestrial ground segment and the customer modems it managed. Satellite communications are essential in modern warfare, but they are also heavily relied on by remote communities that may lack access to traditional terrestrial infrastructure. The Viasat attack served as a stark reminder that the greatest vulnerabilities often lie closest to home. Some threats are extra-territorial and some are extraterrestrial, but all must be addressed through the blunt tool of legislative and regulatory action, so that the rule of law protects commercial operations, national security interests and the human rights of those whose lives are affected when essential technology fails.
Recently the European Commission’s landmark June 2025 proposal for a unified EU Space Act has decisively shifted the conversation on space operations from the technical to the legal domain – though other regulations are already in place that will affect cyber security in space. For decades, space has undergone a profound commercial transformation, evolving from a state-dominated arena into a busy economic ecosystem critical to global communications, finance, and logistics. This proliferation of commercial satellite constellations has not only created unprecedented opportunity but has also exposed a new, critical attack surface, making the cyber security of space assets a matter of international strategic importance.
The central challenge is no longer simply getting to space, but securing it once there - a task for which our existing international legal architecture from the 1960s and 1970s is dangerously ill-equipped. The emergence of binding regional regulation such as the EU Space Act could mark a pivotal moment, setting a standard that may eventually be adopted more widely. But, as with other regional regulatory efforts, it risks forcing operators, investors and legal advisers to navigate a complex and fragmented landscape of sometimes overlapping and sometimes conflicting duties, in which a single cyber incident can have cascading geopolitical consequences.
The implications for businesses operating in or relying on the space sector are profound. Understanding this new reality requires a thorough analysis of the shifting legal obligations, the persistent gaps or conflicts in international law, and the tangible risks of operating in an increasingly contested domain.
Already here: a new constellation of EU regulations
A set of finalised EU laws that are already applicable or soon will be - NIS2, the Cyber Resilience Act (CRA), the revised Product Liability Directive (PLD) and the AI Act - is fundamentally reshaping the cyber security and liability landscape across sectors, with both general and sector-specific obligations for the European space industry. This multi-layered framework moves beyond generic IT security, creating an interlocking system of legal accountability across the entire value chain.
- NIS2 establishes a baseline for operational resilience by listing space as a sector of high criticality: operators of ground-based infrastructure that supports the provision of space-based services are in scope as essential or important entities, and their suppliers are reached indirectly through NIS2's supply-chain security obligations.
- The CRA complements this by mandating ‘security-by-design’ for products with digital elements placed on the EU market, from satellite components to ground software, together with vulnerability handling throughout the product's support period and reporting of actively exploited vulnerabilities.
- The PLD redefines product liability by treating software as a ‘product’ and by making failure to meet relevant cyber security requirements, or to supply the security updates needed to keep a product safe, a defect for which the manufacturer is strictly liable - so that harm caused by, for example, a faulty consumer-facing navigation service becomes actionable without proof of negligence.
- The AI Act adds further obligations for high-risk AI systems, including autonomous systems used in critical functions such as safety components of critical infrastructure.
This regulatory web culminates in the proposed EU Space Act, which would impose even more stringent, sector-specific duties on operators of both space-based assets and ground infrastructure. The cumulative effect is a paradigm shift, placing the onus for security squarely on manufacturers and operators and transforming cyber resilience into a core condition of market access and a source of corporate liability.
The new regulatory gravity: the proposed EU Space Act and its global reach
The proposed EU Space Act is the most significant development in space law in a generation, creating a single, harmonised legal framework for all space activities across the Union. Crucially, its ‘Resilience’ pillar establishes a standalone, mandatory cyber security framework specific to the space sector which, as sector-specific law, would displace the corresponding general obligations of the NIS2 Directive for the operators it covers. This explicitly recognises that generic IT security rules are insufficient for the unique operational environment of space.
Operators would face legally binding duties analogous to those in the financial (DORA) and critical infrastructure (NIS2) sectors, including comprehensive ‘all-hazards’ risk assessments that extend to the entire supply chain, mandatory security controls and stringent incident reporting requirements. Most significantly, the Act has broad extraterritorial scope, applying not only to EU-based entities but to any non-EU operator providing space services into the European market. This ‘Brussels Effect’ could compel US, UK and other international operators to align their global operations with the EU's standards in order to maintain market access, effectively setting an international baseline for compliance.
The international law vacuum and the attribution problem
While the EU moves towards hard-law regulation, other jurisdictions such as the USA appear to rely on policy and technical best practice. The international legal framework remains rooted in a pre-digital era. The foundational Outer Space Treaty of 1967 was drafted to govern physical objects and kinetic actions, not malicious code, leaving a dangerous legal vacuum. Its core principles on State responsibility (Article VI) and liability (Article VII) are ambiguous when applied to cyber operations. This ambiguity is compounded by the single greatest obstacle to accountability in space: the problem of attribution. Attribution has two layers, and both are hard: technically, proving who conducted an intrusion; legally, proving that a State exercised sufficient control over a non-State actor or proxy for the conduct to be attributed to it. This ‘accountability gap’ creates a zone of plausible deniability, incentivising States to use cyber proxies to achieve strategic objectives without facing legal or political consequences, and leaving victims with no clear path to recourse under national or international law.
The geopolitical reality: when commercial assets become strategic targets
The convergence of commercial and military interests in space has created a new and perilous escalatory dynamic. A commercial satellite constellation like Starlink is a quintessential dual-use asset: it is simultaneously a private broadband service and a piece of vital, military-enabling infrastructure, as demonstrated by its role in the Ukraine conflict. Consequently, a major cyber attack on such a system would not be a mere corporate security incident; it would be a geopolitical crisis with a high risk of military escalation. Adversary nations now openly describe such commercial systems as legitimate military targets and are actively researching methods to disable them through cyber means. A destructive attack could be interpreted by the State that depends on the system as a strategic strike on its own critical infrastructure, potentially crossing the threshold for a ‘use of force’ and justifying a military response. For the creators and operators of space technology this means the security of their assets is now inextricably linked to the national security of many nations, and their corporate risk management must account for the possibility of becoming a trigger for international conflict.
EU cyber security laws and the proposed Space Act represent a necessary and bold step towards a predictable and secure regulatory environment, but they cannot solve the underlying geopolitical challenges alone. The critical task ahead is to bridge the chasm between robust regional regulation and a fragile, fragmented and outdated international legal order. For businesses in the space ecosystem, this requires a shift towards a multi-jurisdictional compliance strategy and a security-by-design ethos that treats cyber resilience not as a cost centre but as a core strategic imperative.