The Space Compliance Roadmap, 2026 to 2030

Compliance programmes fail for a predictable reason: teams treat a 2030 deadline as a 2029 problem, then discover that authorization, cybersecurity, and insurance work has long lead times and dependencies. This guide turns the EU Space Act and NIS2 obligations into an actionable, year-by-year roadmap so you can sequence the work, not cram it.

Executive Summary

The two clocks that matter most for European space operators are the EU Space Act, with full compliance expected by 2030, and NIS2, whose national transposition deadline already passed in October 2024 — meaning cybersecurity obligations are live now, not in the future.

Key facts:

• The EU Space Act (COM(2025) 335) establishes a harmonised authorization and supervision framework; existing operators are expected to be compliant by 2030.

• NIS2 obligations are already in force through national transposition (deadline 17 October 2024); in-scope space entities should be acting now.

• The long-lead items are authorization, cybersecurity uplift, and insurance — start them early.

• The cheapest year to begin is always this year: gap analysis is low-cost and de-risks everything downstream.

Part 1: The Two Clocks

NIS2 — already running

NIS2 had to be transposed into national law by member states by 17 October 2024. Space is explicitly within scope, and operators classified as essential or important entities must already have risk-management measures, governance accountability, and incident-reporting capability in place. There is no 2030 grace period for NIS2 — treat it as a present obligation.

EU Space Act — converging on 2030

The EU Space Act creates the authorization-and-supervision regime that existing operators are expected to meet by 2030. While the legislative process and exact transitional dates continue to be finalised, the direction is set, and the preparation work is substantial enough that 2030 is not far away in programme terms.

Part 2: The Roadmap, Year by Year

2026 — Scope and baseline

• Determine your operator category and which regimes apply (EU Space Act, NIS2, national space law, and any non-EU regimes such as the UK or US for your markets).

• Run a gap analysis against each applicable framework. This is the highest-leverage, lowest-cost step.

• Stand up NIS2 now — governance, risk-management measures, and a working incident-reporting process. This is a present legal obligation, not a future one.

• Assign ownership — name an accountable person for compliance; NIS2 makes management bodies accountable.

2027 — Build the foundations

• Begin authorization preparation: assemble the technical, safety, debris, and financial documentation your National Competent Authority will expect.

• Close cybersecurity gaps identified in 2026; mature detection and incident response.

• Start the insurance conversation — third-party liability cover has lead time and affects mission economics.

• Establish your debris-mitigation and disposal posture against converging international timelines.

2028 — Integrate and test

• Submit or pre-engage on authorization where your timeline allows; early NCA dialogue de-risks the process.

• Exercise incident reporting end to end — a tabletop that proves you can meet NIS2 reporting timelines.

• Lock in insurance aligned to your modelled liability.

• Formalise supervision and reporting workflows so ongoing obligations are routine, not heroic.

2029 — Validate and harden

• Complete outstanding authorizations and resolve any conditions attached to them.

• Audit your evidence base — can you prove compliance on demand, with current documents?

• Rehearse continuity — what happens at end-of-life, and is your disposal commitment funded and insured?

2030 — Operate in steady state

• Be fully compliant with the EU Space Act regime for existing operations.

• Run compliance as an operating discipline — continuous monitoring, timely reporting, and prompt updates when regulations or your operations change.

Part 3: Sequencing — Why Order Matters

The work has dependencies that punish a late start:

• Authorization depends on documentation that itself takes months to produce (safety, debris, financial).

• Insurance depends on your liability model, which depends on your mission design and disposal plan.

• Cybersecurity uplift is organisational change, not a purchase — it takes time to embed.

Doing these in parallel from an early baseline is far cheaper than discovering, in 2029, that they are sequential.

Part 4: The Common Failure Modes

• Treating NIS2 as future work. It is already in force; this is the most common and most dangerous misconception.

• Underestimating authorization lead time. NCAs need complete, consistent evidence; gathering it late forces rushed, weak submissions.

• Leaving disposal and insurance to the end. Both shape mission economics and cannot be retrofitted cheaply.

• No single source of truth. Spreadsheets drift; obligations get missed at the seams between teams.

How Caelex Helps

Caelex turns this roadmap into a live programme: it determines your operator category and applicable regimes, runs the gap analysis, tracks every deadline across the EU Space Act, NIS2, and national laws, and keeps your evidence audit-ready — so the 2030 target is a series of managed steps instead of a year-end scramble.

Frequently Asked Questions

When does the EU Space Act apply to existing operators? The framework targets full compliance for existing operators by 2030, with the legislative detail and transitional arrangements being finalised — but the preparation work should begin now.

Is NIS2 really already in force? Yes. The transposition deadline for member states was 17 October 2024, and in-scope space entities should already have risk-management and incident-reporting measures in place.

What should I do first? A gap analysis. It is low-cost, tells you exactly which regimes and obligations apply to you, and de-risks every downstream decision.