On 25 June 2025, the European Commission (“EC”) announced its long-awaited proposal for a Regulation on the safety, resilience, and sustainability of space activities in the EU (the “Draft EU Space Act” or “Draft EUSA”). The Draft EUSA proposes to impose obligations on providers of “space services,” which are:

  • The operation and control of human-made objects sent to space;
  • The provision of space launch services;
  • Services provided by “primary providers of space-based data,” a term covering providers that carry out the first processing of either communications data or observation data received from outer space (which may include electronic communications service providers);
  • In-space services and operations; and
  • Collision-avoidance services.

Most of the obligations in the Draft EUSA would apply to providers of space services that are located in the EU, and those located outside the EU but that provide services to space operators in the EU. However, the rules on safety described below would apply to space objects that generate data or enable the provision of space services in the EU. These rules, and certain rules on collision avoidance, would also apply to space objects that at or lower than a geostationary orbit.

The explanatory memorandum notes that 13 EU Member States have passed national legislation related to space, which creates the risk of a fragmented internal market for the space sector. The Draft EUSA therefore establishes rules in four main areas in an attempt to harmonize the law relating to this sector, namely authorization and registration requirements, and obligations to ensure safety, resilience, and sustainability of space services. We describe these in more detail below.

  1. A harmonized authorization and enforcement framework for providers of space services

The Draft EUSA would require all organizations wishing to provide space services to first obtain an authorization from a Member State competent authority. An applicant organization would first need to provide to the competent authority a technical file demonstrating their compliance with the safety, resilience, and sustainability requirements of the Draft EUSA, which are described in more detail below. The Draft EUSA would also establish:

  • A process for the Commission to authorize the use of EU-owned assets in private companies’ space missions, which includes a review by the European Space Agency (“ESA”);
  • Rules for providers of space services that are not established in the EU. Among other things, these providers must subscribe to a collision avoidance space service provider, and must apply to be registered in a database operated by the ESA (after the Commission has approved the provider’s application for registration), subject to limited exceptions;
  • A requirement for the ESA to establish the “Union Register of Space Objects” (“URSO”), which will contain details of registered providers and the space missions and space objects that are part of their registration; and
  • A framework for monitoring compliance and enforcement. Member State authorities will have competence for taking enforcement action against providers located in their Member State and any qualified technical bodies responsible for assessing compliance with the Draft EUSA’s safety, resilience, and sustainability requirements. The Commission, with the help of the ESA, will be responsible for overseeing providers that use EU-owned assets and providers outside the EU.

Non-compliance with the Draft EUSA could result in fines. There is no set limit for fines issued by Member State authorities, which must be “effective, proportionate, and dissuasive.” The Commission may—on the ESA’s recommendation—issue fines of up to: (a) twice the amount of profits gained from the infringement; (b) or twice the amount of the losses that could have been avoided if the infringement had not occurred; or (c) if calculating these numbers is impossible, 2% of the provider’s worldwide annual turnover. Non-compliance could also result in the imposition of daily penalty payments for up to six months.

  1. Safety obligations

The Draft EUSA would impose a number of specific obligations that aim to reduce the risk of collisions and space debris. Among others, it would require:

  • launch operators to prepare and submit to competent authorities launch safety plans, and to take appropriate measures to mitigate the risks of collisions between their launchers and other objects, as well as to limit space debris creation;
  • spacecraft operators to: allow trackability of their spacecraft; make use of available collision avoidance services; ensure spacecraft have a certain level of manoeuvrability; maintain a list of contacts that will receive “high interest alerts”; take various specified measures to mitigate the risks of the creation of space debris; and mitigate light and radio pollution;
  • operators of satellite constellations (i.e., groups of at least 10 space objects that work together for a particular purpose) to ensure that each spacecraft has its own propulsion system; carry out daily collision risk screenings, and comply with specific reporting obligations. Operators of “mega-” and “giga-” constellations—essentially larger satellite groups—are subject to stricter obligations, including taking into account the constellation’s impact on orbit congestion and on other constellations. Giga-constellation operators must also submit to competent authorities their plans to show how the satellites would be able to manoeuvre to avoid collisions.
  1. Security and resilience obligations

Operators of ground-based infrastructure that supports space-based services are already subject to general cyber security obligations under the EU’s revised Network and Information Security Directive (“NIS2,” which we describe here). Certain providers of space services may also be designated as “critical entities” under the Critical Entities Resilience Directive (“CERD”). The Draft EUSA will act as lex specialis to NIS2, and is intended to act as a complement to the CERD. In any event, the Draft EUSA would require providers to take comprehensive, appropriate, and proportionate measures, based on an all-hazards approach, to manage the risks posed to their network and information systems, with the goal of ensuring the resilience of space infrastructure and maintaining control of space missions. These measures would need to address the entire lifecycle of space missions, from conception and design to end-of-life.

The Draft EUSA would also impose significantly more detailed cybersecurity risk-management requirements on space providers than are set out in NIS2, although the topics addressed by these requirements are similar to those set out in NIS2. Among these requirements, space operators would need to:

  • Identify and assess all sources of risk, regularly review the identified risks, and remediate any cyber or physical vulnerabilities;
  • Maintain policies for the categorization and management of information and assets of space infrastructure, based on the need to ensure the security of information and the level of criticality for space missions;
  • Implement ID management and access controls for physical and digital systems and information, which must in particular allow for the restriction of physical and logical access to critical assets;
  • Implement physical resilience measures, including by physically segregating critical assets;
  • Implement incident detection and prevention mechanisms, including ensuring that spacecraft automatically receive notifications in the event of a security event. The security monitoring systems in ground infrastructure must be logically separated from the rest of the infrastructure;
  • Implement cryptography and encryption policies, and use encryption to protect at least critical assets and functions;
  • Implement backup management, business continuity and disaster recovery policies and plans, including crisis communication and disclosure policies;
  • Establish and keep under review cybersecurity testing and training programs;
  • Establish a supply chain risk management framework, with the aim of limiting cyber risk resulting from supply chains.

The Draft EUSA would also require space operators to report “significant” incidents affecting assets that they own. An incident will be significant if it:

  • Has caused or could cause: severe operational disruption of space activities carried out by EU operators, or considerable financial loss to EU space operators; or
  • It has an impact on, or could impact, other natural or legal persons by causing considerable material or non-material damage.

Again, this is similar to the reporting threshold for incidents under NIS2 and, like NIS2, there is a requirement for a 24-hour “early warning” notification, which is reduced to 12 hours for significant incidents affecting assets owned by EU public authorities.

  1. Environmental sustainability obligations

The Commission’s Explanatory Memorandum to the Draft EUSA states that the policies and tools for evaluating the sustainability impact of space activities are “underdeveloped”. The Draft EUSA would therefore empower the Commission to develop and mandate the use of a space‑specific Life Cycle Assessment (“LCA”) methodology and a sustainability‑linked “performance classification” system for spacecraft.

The Draft EUSA would also establish specific requirements for space operators to gather data on the environmental impact of their operations, submit information on the environmental footprint declaration of their operations, as part of the authorization application described above.

The Commission intends the LCA requirements in the Draft EUSA to complement product sustainability measures laid down elsewhere, including in the Eco-design for Sustainable Products Regulation and the Circular Economy Action Plan framework. The Commission also intends the EF studies conducted under the Draft EUSA to support the development of improved eco-design practices and contribute to mapping energy and materials flows in the space sector, including flows of strategic and critical raw materials, and enable higher supply chain resilience.

Beyond simply requiring operators to assess the environmental impact of their space operations, the Draft EUSA would also require space operators to take proactive steps to reduce their impact. Specifically:

  • Space operators must design their spacecraft and missions specifically to limit the generation of space debris and mitigate the impact of any debris generated. 
  • Space operators must design spacecraft (except for mini-satellites) to receive in‑space servicing, which will extend the useful lifespan of the spacecraft.

Finally, the Draft EUSA would empower the Commission to create a Union Space Label Framework. Space operators that adhere voluntarily to higher standards than those set out in the Draft EUSA would be entitled to a label demonstrating adherence to those higher standards, including in relation to the prevention of space debris, sustainability of space operations, reduction in light and radio pollution from space operations, resilience of supply chain and space infrastructure, capability for in‑space servicing, and reduction in overall environmental impact of space activities.*          *          *

Covington’s Technology Regulatory, Environmental, and Public Policy Practices will continue to monitor developments in the Draft EUSA. If you have any questions about the issues raised in the blog, or are interested in engaging with the legislative process, please do not hesitate to contact us

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Paul Maynard Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online…

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Read more about Paul MaynardEmail
Show more Show less
Photo of Seán Finan Seán Finan

Seán Finan is an associate in the Life Sciences team. His practice covers environmental, food and beverage and pharmaceutical regulation.

Seán has specific experience in a number of key areas for EU and UK clients in the technology, food and beverage, pharmaceutical, cosmetic…

Seán Finan is an associate in the Life Sciences team. His practice covers environmental, food and beverage and pharmaceutical regulation.

Seán has specific experience in a number of key areas for EU and UK clients in the technology, food and beverage, pharmaceutical, cosmetic and consumer goods industries, including:

Environmental and ESG compliance issues, including CSRD, CSDDD and green taxonomy issues; green public procurement issues; extended producer responsibility obligations, etc.;
Advertising claims, particularly environmental claims and greenwashing;
General food regulation; novel food regulation; genetically modified and “precision bred” products; and
Chemicals legislation (REACH, CLP, biocides, etc.).

Seán has represented clients in judicial review actions involving novel foods against multiple national regulators.

Seán is qualified in both England & Wales, and the Republic of Ireland.

Seán is a co lead of the firm’s Disability and Mental Health affinity group.

Read more about Seán FinanEmail
Show more Show less