Space operators face a complex and evolving cybersecurity regulatory challenge. While the importance of cybersecurity in today’s digital world is widely recognized, international approaches remain inconsistent. Long-term global compliance requirements are still unclear. With new regimes emerging across multiple jurisdictions, the cybersecurity landscape continues to shift, posing a challenge that space operators must address now, particularly given industry lead times.
The challenge in space
Many sectors face complexities in implementing cybersecurity compliance but the challenge is acute for space, which relies on long lead times and interdependent supply chains.
Operators face the convergence of current, imminent and anticipated cybersecurity regulations. Operators must meet current obligations, prepare for near-term changes and anticipate future frameworks — while making decisions that may not align with future rules.
For example, a satellite operator designing a new constellation today must select encryption standards, authentication protocols and supply chain partners based on current regulations. The satellites are likely to be designed three to five years before launch and their operational life may extend another 15 years beyond that. Today’s compliance requirements may become obsolete under regulations introduced during development, at launch or mid-operation.
Similarly, supply chain decisions, such as selecting component manufacturers or ground station providers, made now could conflict with future security certification requirements, potentially forcing costly redesigns or operational limitations. This temporal mismatch between space industry timelines and regulatory evolution creates a compliance dilemma.
A rapidly evolving regulatory landscape
Cybersecurity and resilience requirements are increasing across all sectors — and space is no exception. Space is often identified as a sector requiring particular attention, as seen in:
- The EU’s NIS2 Directive, which classifies space as a sector of high criticality.
- Australia’s Security of Critical Infrastructure Act 2018, which explicitly includes space technology and satellite infrastructure.
- Space-specific cybersecurity guidance in the US, which highlights the adoption of sector-focused measures.
Operators may also be subject to broader cross-cutting cybersecurity requirements, such as:
- The U.K.’s NIS regime, which applies to operators of essential services and digital service providers, potentially including satellite operators providing communications or navigation services.
- Singapore’s Cybersecurity Act, which regulates critical information infrastructure and may capture satellite ground stations supporting telecommunications services.
The regulatory picture does not stop there. A significant number of cybersecurity laws and regulations are under development, many of which will impact the space sector. The draft EU Space Act published last year is a key example, aiming to establish a harmonized EU regime for space cybersecurity and to replace NIS2 for space operators. Beyond these known developments, further laws and regulations are likely to emerge in the coming years.
This fragmentation creates significant operational challenges. Space operators must dedicate substantial resources to tracking, interpreting and implementing requirements across jurisdictions. Conflicting obligations — where one regime mandates practices that another restricts — add further risk and complexity.
Key compliance considerations and practical steps
Strong cybersecurity compliance offers more than risk mitigation. It can be a commercial advantage for both customers and investors, with cybersecurity increasingly becoming a procurement prerequisite. Operators who approach this challenge strategically, rather than reactively, can build resilient frameworks that adapt to regulatory changes whilst strengthening their competitive position. The key is developing a compliance architecture that addresses current obligations whilst remaining flexible enough to accommodate future requirements. Strategic compliance mapping and planning are essential. Practical steps include:
- Scope applicable requirements: carefully and critically identify which regulations apply to your specific operations. In some cases, requirements may apply to particular activities (or parts of) which may limit some of the regulatory burden.
- Analyze requirements across applicable regimes: consider the practical steps required for compliance and the potential gaps between current and anticipated regulations to factor future developments into current plans where possible.
- Leverage convergence opportunities: where there arecommon requirements across different frameworks, build core compliance capabilities to meet obligations across multiple regulatory frameworks efficiently.
- Develop phased compliance roadmaps: prioritize the adoption of measures based on the assessments above to support operational and resource planning.
- Engage with regulatory processes: with multiple regulatory frameworks still being shaped, ensure that industry-specific considerations are reflected in final requirements so that outcomes are technically informed and operationally realistic.
Strategic advantages of early compliance
Early adopters of robust, adaptable cybersecurity frameworks are likely to be better positioned as regulations mature and customers increasingly prioritize security in procurement decisions.
Active industry engagement during the regulatory development phase offers operators the opportunity to shape more workable, technically informed requirements that balance security objectives with operational realities.
By taking action today, operators can meet existing requirements whilst positioning themselves to adapt efficiently to tomorrow’s evolving regulatory landscape.
Hayley Blyth is an associate in Bird & Bird’s Commercial Group in London, specializing in the space and satellite and technology and communications sectors. She co-leads Bird & Bird’s global space and satellite practice, advising public and private sector clients on space law, regulation, commercial considerations and policy.
SpaceNews is committed to publishing our community’s diverse perspectives. Whether you’re an academic, executive, engineer or even just a concerned citizen of the cosmos, send your arguments and viewpoints to opinion (at) spacenews.com to be considered for publication online or in our next magazine. If you have something to submit, read some of our recent opinion articles and our submission guidelines to get a sense of what we’re looking for. The perspectives shared in these opinion articles are solely those of the authors and do not necessarily represent their employers or professional affiliations.
