Back to news

EU Space Act Sets a 12-Hour Cyberattack Reporting Clock for Satellite Operators

Share:
EU Space Act Sets a 12-Hour Cyberattack Reporting Clock for Satellite Operators

The European Union's draft Space Act would force any satellite operator selling services into EU markets, regardless of where the company is headquartered, to report a significant cyberattack within 12 hours of detecting it. That timeline is tighter than the 24-hour standard the bloc already imposes on power grids, hospitals, and other critical sectors under its NIS2 directive, and it sits inside a resilience chapter that is still being fought over in Brussels as the regulation moves toward a Council vote.

A resilience chapter written to override NIS2

The European Commission's proposal, unveiled in June 2025, dedicates Articles 75 through 95 to cybersecurity and operational resilience, an analysis from trade advisory firm Access Partnership detailed shortly after the text was published. The Commission designated this resilience chapter as lex specialis, meaning it would take precedence over NIS2 for space operators rather than stacking on top of it. In practice that still means new obligations: Article 88 introduces a mandatory threat-led penetration testing regime, requiring operators to have their systems tested by accredited assessors before launch, or before the first batch of satellites for a constellation, and at least once every three years afterward. Article 93 sets the incident-reporting clock, and layers it on top of parallel duties to notify the EU Agency for the Space Programme and national authorities, on top of any separate report already owed to a NIS2 computer security incident response team.

The incident that keeps getting cited

EU officials point to the 2022 Viasat KA-SAT hack as the case the new reporting rules are designed to prevent from happening again in slow motion. Russian-linked wiper malware knocked out modem connectivity across Europe hours before that year's invasion of Ukraine, disrupting Ukrainian military communications and knocking roughly 5,800 German wind turbines offline. The ENISA Space Threat Landscape report, published in February 2025, cites that attack as evidence that the space sector has become a routine target for nation-state operators, hacker-for-hire groups, and opportunistic criminals alike, and argues that regulation has lagged the threat.

Washington calls the reach discriminatory

The Act's market-access standard applies to any operator whose services are consumed inside the EU, not just to EU-registered companies, a scope US officials have compared to how the GDPR reached American tech firms. The State Department submitted formal comments in November 2025 that Breaking Defense reported called the draft discriminatory and warned it could complicate US government cooperation with the European Space Agency and EUMETSAT on weather data, remote sensing, and spaceflight safety, arguing the law's national-security carve-out is not written broadly enough to protect joint military and intelligence work.

Still not settled

A Council of the European Union progress report released on May 8, 2026 ahead of that month's Competitiveness Council meeting found member states still split on the regulation's scope, how it treats dual-use and third-country operators, and whether it creates a duplicate regulatory layer on top of existing national rules. Every member state has maintained a scrutiny reservation on the text through the current Cyprus presidency, meaning none has yet signed off. Industry analysts do not expect final adoption before 2027 or 2028, but the compliance clock for satellite operators, and the argument over whose incident-reporting deadline actually wins, starts running well before that.

News first reported by Breaking Defense and the Office of Space Commerce, with cybersecurity analysis from Access Partnership.