Preparing for NIS2 – new cybersecurity rules for the EU space sector and suppliers to the EU space sector | Fieldfisher

John Worthy
15/07/2024

The EU's Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) is due to come into force in October 2024. The aim is to enhance the level of cybersecurity across a wide range of "critical" sectors in the EU. This will include the space sector. In so doing, it replaces and repeals the existing Network and Information Security Directive (EU) 2016/1148 (NIS 1 Directive).

New application to the space sector: The NIS 2 Directive reflects a considerable broadening of scope as compared to the NIS 1 Directive, bringing a large number of new industry sectors (and therefore, new types of entities) within scope of its obligations. A number of entities operating in the broader space sector will likely be in scope where they have an establishment in the EU, either because:

  • they fall within the "Space" sector as defined in Annex I of the NIS 2 Directive (i.e. they are "Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services"); or
  • they manufacture spacecraft/aircraft or related machinery; or
  • they manufacture electrical, electronic or communication equipment, or various types of machinery or engines/turbines or related components or equipment; or
  • they provide digital infrastructure (including telecoms network/service providers) or B2B ICT management services.

However, the Directive is not designed to cover infrastructures owned, managed or operated by or on behalf of the Union as part of its space programme.

Impact on space supply chains: In addition to those entities which are directly in-scope, other entities which are subcontractors or provide services in support of in-scope entities may also be impacted by the NIS 2 Directive. This is because the NIS 2 Directive requires in-scope entities to flow certain terms and obligations down their supply chain (including to suppliers which are outside the EU).

Wider range of compliance obligations: In addition to widening the scope of its coverage, the NIS 2 Directive significantly expands the range of obligations which in-scope entities will need to comply with, as well as considerably increasing the penalties and consequences of non-compliance. New measures under the NIS 2 Directive include:

  • imposing direct obligations on management in respect of an organisation's compliance, and onerous penalties (broadly in line with those under GDPR) where those are not complied with;
  • requiring all covered organisations to put in place robust cyber risk management measures;
  • acknowledging the importance of security at all levels in supply chains and supplier relationships;
  • clarifying and strengthening incident reporting requirements;
  • providing supervisory authorities with a greater ability to supervise companies; and
  • increasing the sanctions for non-compliance.

When will the requirements apply? EU Member States officially have until 17 October 2024 to transpose the NIS 2 Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing national legislation becomes effective in the relevant Member State in which they operate. Some territories, such as Belgium and Croatia, have already issued their implementing legislation. Most, however, have not, and some territories (e.g. the Netherlands) have even announced that the NIS 2 Directive will not be implemented in time in their jurisdictions.

Next steps: Organisations which operate within the space sector or other affected sectors should, as a priority, conduct an assessment as to whether or not they are likely to fall within the scope of the Directive. This will enable them to be ready to put compliance plans in place in good time.

For more details, including guidance on the steps which in-scope entities should take to become compliant, please see our fuller briefing.
