On May 28, 2026, the European Union Agency for Cybersecurity (“ENISA”) published the third edition of its NIS360 report, an annual benchmarking tool that assesses the cybersecurity maturity of entities in the sectors set out in Annex I of the NIS2 Directive (which includes certain entities in the energy, transport, healthcare, digital infrastructure, and space sectors), as well as the relative criticality of the relevant sectors. The NIS360 is designed to support national authorities, policymakers, and other stakeholders in understanding where sectors stand in terms of cybersecurity readiness, including where more support or oversight might be needed.
The most notable change is that, for the first time, ENISA has determined that the space sector is of “high criticality,” which ENISA states reflects its “growing role in society and across other sectors.” This criticality assessment is based on factors such as the level of digitalization in the sector, the potential impacts of incidents, and how quickly the impact of incidents would affect individuals and society more broadly. For context, other sectors of high criticality include banking, electricity, and various types of digital infrastructure (such as cloud and data center services), while sectors such as gas, healthcare, and drinking water are deemed of “moderate criticality.”
This assessment is consistent with ENISA’s thinking about space more generally. In its March 2025 Space Threat Landscape Report, ENISA stated that the commercial exploitation of space has “made the application of satellites a standard enabling practice across a myriad of sectors and solutions.” In other words, other sectors—from financial services and transport to energy and telecommunications—increasingly depend on satellite-based services for positioning, navigation, timing, Earth observation, and communications, among other things. A cyber incident affecting space infrastructure could therefore have cascading effects across multiple critical sectors, amplifying the potential for societal and economic harm.
Despite its elevated criticality, the space sector remains within the NIS360 report’s “risk zone,” alongside healthcare, railways, maritime transport, ICT service management, public administrations, and drinking and waste water. This means that the sector’s cybersecurity maturity falls below the level that its criticality warrants, and the report suggests that the space sector has made no progress its cyber maturity in the past year. ENISA identifies several factors that contribute to this maturity gap:
- Limited cyber regulation in the sector. While providers of ground-based infrastructure that supports the provision of space-based services are regulated as essential entities under the NIS2 Directive, and certain products used in space operations will be regulated by the Cyber Resilience Act, these frameworks do not apply uniformly across the space sector. The proposed EU Space Act would address this, as it would impose cyber resilience obligations on a broader range of space service providers, but this Act is still in the EU’s legislative process. For more details on the EU Space Act proposal, see our prior blog post here.
- Significant variation in the maturity of cyber governance frameworks and operational readiness. ENISA notes that different space sector operators have vastly different levels of maturity when it comes to the implementation of governance frameworks and operational controls. It notes in particular that some entities are “struggling in foundational areas such as defining cybersecurity roles and responsibilities, managing the cybersecurity of their assets, implementing network segmentation and managing vulnerabilities,” and in the context of incident response, many entities are “remaining mainly reactive and limited to untested plans.” Indeed, ENISA notes significant divergence space sector entities’ asset management, network segmentation, vulnerability management, and physical security, which are all aspects that are addressed the European Commission’s Space Act proposal.
- Limited cyber information sharing. Collaboration and threat intelligence sharing within the space sector is limited, despite the benefits this can bring for understanding how to minimize the likelihood of threats arising. ENISA also notes that collaboration with other sectors is limited, which is particularly concerning in light of how other sectors increasingly rely on space-based services.
ENISA recommends that there should be a more consistent approach to cyber within the space sector, and that public authorities should work to raise awareness and clarify cyber-related expectations. It also recommends that there should be a uniform approach to managing supply chain risks, in particular those arising from commercial-off-the-shelf components, which ENISA notes is a growing trend in the sector, and that there should be clearer mechanisms for intelligence sharing.
The NIS360 report highlights the growing importance of the space sector in critical infrastructure, and the importance of a high level of cybersecurity for space services that provide an infrastructure or service layer to the critical infrastructure sectors, among others. Operators in the sector should consider their cybersecurity governance, risk-management measures, and incident preparedness even if they are not directly subject to existing legislation. This will help them avoid reputational and operational damage from the heightened cyber threats they face, and assist in preparedness for the Space Act once it is finalized.
* * *
Covington’s Technology Regulatory and Privacy & Cybersecurity practices continue to monitor developments related to cybersecurity of critical infrastructure, and the space sector more generally, including the EU Space Act. If you have any questions about the issues raised in the blog, please do not hesitate to contact us.