December 11, 2025

Securing the Final Frontier: Cybersecurity Risk, Regulation, and Compliance Trends in Space and Satellite Operations

Space and satellite systems underpin a wide range of critical functions, including global communications, navigation, scientific research, defense operations, and essential infrastructure services. As both government and commercial operators increase their reliance on these assets, cybersecurity has become a core operational concern and area of growing regulatory focus.

The cyber threat landscape is constantly evolving across the global space economy. State-sponsored actors and criminal groups are targeting both space and ground segments, creating significant risks to operational continuity and downstream critical infrastructure. Simultaneously, regulatory efforts are accelerating in the United States, and particularly in the European Union, as government officials recognize the criticality of space and satellite systems to commercial and military applications.

This Legal Update summarizes key threat trends, outlines the evolving regulatory environment in the United States and European Union, and provides practical recommendations for space-sector operators.

I. Cyber Threat Landscape For Space Systems

State-Sponsored Activity

State-backed actors continue to pose the most capable and consequential threat to space systems, frequently targeting both on-orbit assets and ground infrastructure.

Criminal and Ransomware Activity

Ransomware groups are escalating operations against space-sector companies to monetize sensitive data and disrupt services for leverage. The Space Information Sharing and Analysis Center (“ISAC”) reported roughly 25 space-sector organizations targeted by ransomware groups in 2024, reflecting increased criminal interest in the sector’s high-value data and potential for operational disruption.

Supply Chain Risks

Complex, globally distributed supply chains for both software and hardware components create systemic cyber risk exposure across the space systems lifecycle. The SolarWinds compromise demonstrated how trusted software updates can serve as entry points for adversaries. Satellite operators dependent on niche or proprietary vendors face comparable exposure. On the hardware side, reliance on components sourced from foreign or adversarial suppliers introduces integrity and espionage risks. Recent US government efforts—such as the DoD Commercial Space Integration Strategy and Bureau of Industry and Security ICTS rules—seek to mitigate these kinds of vulnerabilities through supply chain vetting and strict origin controls.

Artificial Intelligence-Enhanced Attacks

Malicious cyber actors are effectively using artificial intelligence tools to facilitate social engineering-backed intrusions and carry out sophisticated attacks. In the past year, 87% of organizations reported having faced an AI-driven cyberattack. As this trend continues, space operators will face increasing pressure to ensure their cyber tools and incident response preparedness stay up to speed with AI developments.

II. Space-specific Cybersecurity Challenges

Space systems and their supporting networks face distinctive cybersecurity challenges unlike those of traditional IT systems.

Reliance on remote management: Satellites must be managed remotely, which necessitates the maintenance of continuous communication links. These remote-access channels, often operated through distributed ground stations and contractors, create persistent exposure points.

Reliance on legacy systems: Many space assets operate for decades, often with hardware and software that cannot easily be patched or upgraded. In certain cases, original system designs pre-date modern encryption standards, and retrofitting strong cryptography is technically or economically infeasible.

Interconnected and complex supply chains: The sector depends on an intricate ecosystem of contractors, component suppliers, launch providers, and ground operators. Each link introduces potential exposure, from insecure vendor software to compromised manufacturing sources.

Resource constraints and fast-paced changes: Smaller companies and start-ups, now central to commercial space innovation, may lack the mature cybersecurity programs or resources to comply with evolving standards. Established space industry companies may face challenges regularly implementing new tools and updates across diverse systems, slowing the rate of adoption of the most up-to-date cybersecurity practices and technology.

III. Regulatory and Policy Momentum

United States

While the US space industry currently lacks a single, unified cybersecurity regulator, space operators may still be subject to regulatory requirements, contractual obligations, and industry standards enforced by various federal agencies. The proposed Space Infrastructure Act would formally designate space systems, services, and technology as a US critical infrastructure sector and direct the Secretary of Homeland Security to designate a Sector-Specific Agency, establishing a framework for enhanced cybersecurity coordination and oversight. Additionally, in December 2025, a bipartisan group of senators reintroduced the Satellite Cybersecurity Act, which would require the Commerce Department to create voluntary cybersecurity guidelines for the satellite industry and would direct the development of a strategy to improve coordination on federal digital security for space systems.

This section highlights key space-specific cybersecurity requirements, technical standards, and non-binding guidance that operators should track to ensure compliance and robust risk management.

  • Executive Order 14144 (and superseding Executive Order 14306): The EO mandates a review of civil space contract requirements in the Federal Acquisition Regulation (FAR) with recommendations for updates to civil space cybersecurity language; directs a study of space ground systems operated by federal agencies to improve cyber defenses; and requires the Committee on National Security Systems to review and update relevant policies and guidance regarding space system cybersecurity. The EO signals the government’s intent to standardize and elevate baseline cybersecurity expectations for space operators providing services to the US government.
  • Space Policy Directive 5 – Cybersecurity Principles for Space Systems: The SPD, published in 2020, established the first comprehensive US cybersecurity principles for space systems, outlining best practices for securing space vehicles, ground systems, and supporting infrastructure against cyber threats.
  • National Security Requirements (CNSSP No. 12 and DoDI 8581.01): CNSSP No. 12 sets information assurance requirements for procurement of space systems supporting national security missions. DoDI 8581.01 applies similar principles across DoD space programs. These directives define rigorous technical requirements for classified or defense-related missions and may inform standards passed down to commercial operators supporting defense or intelligence functions.
  • NIST Guidance: Collectively, the following NIST publications offer a practical baseline for space system operators developing risk-based cybersecurity programs aligned with federal government expectations.

European Union

The European Union is significantly strengthening its regulatory posture on space sector cyber resilience through the current application of the NIS2 Directive and the proposed EU Space Act.

  • NIS2 Directive: The NIS2 Directive currently applies foundational cybersecurity and incident reporting mandates to specific space industry participants, notably ground-based infrastructure operators that support space services and electronic communication providers.
  • EU Space Act (Proposed): The EU Space Act, proposed in June 2025, would establish a unified regulatory framework for space activities across the European Union, introducing detailed safety, sustainability, and resilience obligations. Under the Act, EU space operators would need to obtain authorization from Member State authorities to carry out space activities by demonstrating compliance with a series of technical criteria, including cybersecurity requirements. Notably, it applies extraterritorially to non-EU operators offering space-based data or services into the European Union. The US Government, through the Departments of Commerce and State, has provided comments on some of the proposed EU Space Act provisions that it claims would “impose unacceptable regulatory burdens,” describing these as “non-tariff barriers” and requesting greater alignment with US space policy.
  • European Union Agency for Cybersecurity (“ENISA”) “Space Threat Landscape” Report: Though non-binding, the ENISA report details the cybersecurity threat landscape and key recommendations for space operators.
  • Cyber Resilience Act (“CRA”): Manufacturers of hardware and software with a data connection to a device or network used in the space industry will be subject to cybersecurity and vulnerability handling requirements from December 2027, including certifications, technical documentation and reporting obligations.

IV. Governance and Cybersecurity Recommendations for Space Operators

In light of the evolving threat landscape for space operators and the potential for additional regulatory developments and scrutiny, space operators should consider the following recommendations.

  • Risk-Based Cybersecurity Programs: Develop and document risk-based programs proportionate to mission-critical systems, applying NIST and/or ENISA guidance where appropriate.
  • Board Oversight: Management and boards must maintain active oversight of their cybersecurity posture. Under NIS2 and the proposed EU Space Act, boards may face personal accountability for compliance failures.
  • Vendor and Supply Chain Controls: Incorporate cybersecurity and data integrity clauses in contracts with ground operators, software vendors, and component suppliers. Such clauses, where relevant, should include minimum control baselines, vulnerability disclosure timelines, audit rights, and incident notification.
  • Incident Response Planning: Establish and regularly test space system-specific incident response plans through tabletop exercises, and update procedures after incidents. Align playbooks to regulatory timelines (e.g., staged notifications under NIS2 and the CRA) and cross-border considerations.
  • Regulatory Monitoring: Track evolving US and EU requirements, particularly potential updates to the FAR and the EU Space Act’s legislative trajectory.

These recommendations are intended to strategically align business resources with high-priority areas for resilience enhancement. In the space and satellite sector, strengthening resilience against evolving cyber threats is critical, as it substantially mitigates associated legal, reputational, and operational risks.
