Cybersecurity and the Space Sector – who is subject to the amended act on the National Cybersecurity System and what needs to be implemented in practice
Regulatory Overview
The space sector has finally received dedicated cybersecurity regulations. The EU legislator has recognized its status as a high-priority sector for Member States, noting that space-based services are critical for navigation, Earth observation, communications, and emergency response. Consequently, cybersecurity risk is no longer just an IT issue; it has a tangible impact on the security of public services.
In this context, an amendment to the Act on the National Cybersecurity System (u.k.s.c.) is being introduced into the Polish legal system to implement Directive (EU) 2022/2555 (the NIS2 Directive). The Polish legislature passed the implementing act on January 23, 2026, and it will enter into force on April 3, 2026.
A significant addition to the scope of the Act is the space sector. The Directive classifies covered entities as either essential or important, which differentiates their scope of obligations and liability.
Which Space Sector Entities Are Covered by the Act?
The Act defines the space sector as including “operators of ground-based infrastructure that support the provision of space-based services” (excluding telecommunications entrepreneurs entitled to provide public networks) and the Polish Space Agency. Therefore, the Act primarily applies to the ground segment, including ground stations, data processing and distribution centers, and infrastructure supporting satellite services.
What Size of Entities Does the Act Cover?
Generally, the Act applies to medium and large enterprises as defined by EU thresholds. In the space sector, large entities will be classified as essential, while medium-sized entities will be classified as important.
In practice, ground infrastructure operators supporting space services are classified as:
- Important entities – if they meet the criteria for a medium-sized enterprise (up to 250 employees, turnover ≤ EUR 50 million, or an annual balance sheet ≤ EUR 43 million).
- Essential entities – if they exceed the criteria for a medium-sized enterprise (i.e., they are large enterprises).
Micro and small enterprises are generally exempt from the Act unless a specific administrative decision is issued recognizing them as essential or important.
What Are the Obligations for Space Sector Entities?
Under the Act, space sector companies must manage cybersecurity risks and will be subject to supervision. Key obligations include:
- Systematic risk assessment of potential incidents.
- Implementation of technical and organizational measures proportionate to the risk, such as physical security (access control), human resource security, supply chain security, business continuity planning, and staff cybersecurity education.
- Incident management – spanning prevention, monitoring, and reporting. This requires establishing a permanent internal threat detection unit or utilizing external services such as SOC-as-a-Service.
Liability and Penalties
A significant change is the direct liability of management and penalties imposed specifically on the management board. Financial penalties for non-compliance are substantial; for essential entities, they can reach EUR 10,000,000 or 2% of the entity’s total annual turnover.
Self-Assessment Questions for Space Sector Operators:
- Do you operate ground infrastructure supporting space services (ground stations, data processing, etc.)?
- Do you meet the criteria of at least a “medium-sized enterprise” according to EU thresholds?
Action Plan:
- Determine your status: If you fall under the Act, you must independently apply for entry into the register of essential and important entities.
- Prepare procedures: Establish processes, roles, monitoring systems, and training programs.
- Build an incident response path: Utilize internal structures or outsource to a professional 24/7 SOC team.
- Audit your supply chain: Update contracts with requirements for subcontractors and cloud service providers.
- Prepare the Board: Inform the management of the upcoming changes, liability risks, and the required budget for board and staff training.
How Can 3HT Partners Help?
Navigating the complexities of the amended Act requires a unique blend of space-domain expertise and advanced cybersecurity capabilities.
3HT Partners provides a comprehensive compliance path for the space sector:
- Status Audit & Gap Analysis: We help you determine your classification under NIS2/u.k.s.c. and identify technical and procedural gaps.
- SSDLC & Zero Trust Implementation: We introduce Secure Software/Hardware Development Lifecycles and Zero Trust architectures tailored to ground segment infrastructure.
- SOC-as-a-Service: We offer a professional, 24/7 security operations center to handle incident detection and reporting, ensuring compliance with strict regulatory timelines.
- Management Board Training: We provide dedicated awareness sessions for executives regarding their new legal responsibilities and the strategic importance of cyber-resilience.
Ensure your organization is ready. Contact us for strategic and operational support.

Co-author: Magdalena Ostasz
A legal advisor with 20 years’ experience. She is Head of the Legal Department at AGH University in Kraków. She is also a researcher and academic lecturer at the Faculty of Computer Science and the Faculty of Space Technologies. She specializes in the legal aspects of cybersecurity. She lectures on open-source intelligence, the national cybersecurity system and cybersecurity in the space sector.
