The EU Space Act proposal: A GDPR for outer space?

On 25 June 2025, the Fee unveiled its much-awaited proposal for an EU Area Act, the primary try to control the house financial system on the supranational stage. The press launch accompanying its launch describes the proposed EU Area Act as ‘a brand new set of formidable measures to make Europe’s house sector cleaner, safer and extra aggressive in Europe and its export markets’. The Fee’s initiative builds on the 2024 Draghi Report, which emphasised that house is essential to supply important companies to residents and to make sure the Union’s safety, and known as for motion to sort out the problems undermining the EU’s competitiveness within the house business: low ranges of funding, market fragmentation, international dependencies and inefficient governance preparations.

At first look, the draft appears to be like fairly formidable: along with the Fee’s explanatory memorandum, the 119 articles and 140 recitals occupy a 150-page doc, with out contemplating the annexes. The proposal is meant to control a broad vary of ‘house companies’, equivalent to, for example, the launch and operation of satellites, but additionally the supply of space-based knowledge for digital communication. It lays down harmonised technical guidelines on chosen elements of house actions, specifically security, together with the monitoring of house objects, cybersecurity, and environmental sustainability. Different elements of the house financial system, such because the legal responsibility of house operators or the usage of house assets, will not be lined.

This weblog put up argues that the Fee’s regulatory design attracts closely from the expertise of the Normal Knowledge Safety Regulation (GDPR) and different items of laws on the digital financial system. It means that the blueprint of the digital single market is especially evident on three points. First, the proposal marks a shift within the EU’s strategy to house: it brings house companies squarely inside the framework of the only market, as proven by the selection of Article 114 TFEU as its the only real authorized foundation, and suits a pattern in direction of the ‘actification’ of EU laws that has been widespread within the regulation of digital applied sciences. Second, the broad private scope of the proposed regulation, which covers non-EU operators offering house companies within the Union, is indicative the ambition to train world affect, because the EU legislature tried to do, for example, on knowledge safety and synthetic intelligence. Lastly, the proposal features a strong enforcement framework, together with the ability to impose hefty sanctions, that will replicate classes learnt from the appliance of the GDPR.

From house coverage to the only market

The EU Area Act proposal is predicated on Article 114 TFEU, fairly than on Article 189(1) TFEU, which endows the EU with a self-standing competence on house. Whereas this alternative would possibly at first sight seem stunning, it displays the bounds of the EU house coverage competence. European house coverage is primarily geared in direction of the institution and administration of a Union Area Programme, which was arrange by Regulation (EU) 2021/696, bringing beneath one helm satellite tv for pc constellations offering for Earth commentary (Copernicus), navigation (EGNOS, Galileo) and governmental communication companies (GOVSATCOM). The newest addition to EU house initiatives is IRIS2, an formidable public-private partnership to spice up connectivity inside the newly established Union Safe Connectivity Programme. Below its house coverage competence the EU may ‘promote joint initiatives, help analysis and technological improvement and coordinate the efforts wanted for the exploration and exploitation of house’ (Article 189(1) TFEU), however Article 189(2) TFEU expressly excludes the harmonisation of nationwide legal guidelines.

Nevertheless, there’s a sturdy case for harmonisation within the house financial system. With the sector booming, the necessity for regulation is more and more pressing. Launching and working satellites are inherently dangerous actions that require to be regulated, particularly as orbits have change into congested, exacerbating problems with house visitors administration and air pollution from particles. At current, about half of the EU Member States have enacted legal guidelines to control the house sector. Most lately, the Italian regulation on the house financial system was printed on 24 June 2025, simply sooner or later earlier than the Fee introduced the EU Area Act proposal. Nationwide legal guidelines diverge considerably by way of scope, regulatory design and substantive guidelines. For example, Sweden’s Act on Area Actions, courting again to 1982, requires a licence to hold out house actions, however doesn’t lay down any standards for its granting nor any technical necessities house operators should adjust to. In distinction, the French or the Italian laws are extra detailed and complete. On the one hand, divergences between nationwide legal guidelines hinder cross-border cooperation, which is the rule within the house business, improve prices for companies, and should stifle the expansion of the house financial system, because the Fee emphasised in its impression evaluation (p. 10 ff.). Then again, the shortage of widespread requirements on security and environmental sustainability may set off regulatory competitors between the Member States and result in a race to the underside.

The selection of the authorized foundation for the EU Area Act has implications on the regulatory method and on the content material of the proposed laws. The proposal suits a pattern in direction of the ‘actification’ of EU regulation that took off beneath the Fee’s Priorities Programme 2019-2024 and has featured prominently within the context of the digital single market, which incorporates the Knowledge Governance Act, the Digital Providers Act (DSA), the Digital Markets Act (DMA), the Knowledge Act and the Synthetic Intelligence Act (AI Act). Their precursor is normally recognized within the Normal Knowledge Safety Regulation (GDPR). Actification doesn’t merely confer with giving items of EU laws an eponymous brief title in an effort to improve public consciousness. It additionally stands for harmonisation by means of laws, versus directives. The principle benefit is that laws are instantly relevant, with out want for implementation in nationwide legal guidelines: this protects time and permits for higher uniformity. Nevertheless, EU ‘acts’ usually don’t lay down a completely exhaustive regulatory framework and should necessitate some extent of implementation by the use of home laws, partially resembling directives. As a result of stronger compression on the autonomy of the Member States in comparison with directives, the selection of a regulation to partially harmonise guidelines for the house financial system requires some justification. Within the explanatory memorandum, the Fee factors to the advantages a regulation would convey by way of consistency and uniform safety of the rights of house companies operators, along with the same old arguments on subsidiarity and proportionality.

The only market logic underlying the proposal can also be evident in its content material, as a few of its key provisions incorporate ideas and ideas which are widespread to EU legislative devices for market harmonisation. Article 3 accommodates a free motion clause, stopping Member States from proscribing the supply of space-based knowledge and house companies by imposing stricter requirements on security, resilience and environmental sustainability, besides in duly motivated instances of goal necessity. One other acquainted device for market integration is the precept of mutual recognition, which applies to nationwide authorisations for finishing up house actions: Article 6(2) requires the Member States to recognise authorisations issued by one other Member State insofar as they relate to harmonised technical necessities.

Launching the Brussels impact into orbit

Some extent of commonality with a number of items of digital single market laws is the broad definition of the non-public scope of the EU Area Act. The proposed regulation is meant to use not solely to house companies suppliers established within the Union, but additionally to suppliers established in third international locations once they present space-based knowledge or house companies within the Union (Article 1(2)(a)). Therefore, the appliance of the regulation might relaxation, alternatively, on a territorial connection (the institution) or on the supply of companies inside the EU single market (market strategy).

Related standards exist within the GDPR and in different devices for the regulation of digital companies. Pursuant to its Article 3, the GDPR applies to knowledge processing carried out within the context of the actions of an information controller or processor within the Union (connection, albeit unfastened, to the place of multinational), but additionally to the processing of non-public knowledge of knowledge topics within the Union by controllers or processors established in third international locations, the place the processing pertains to the providing of products of companies within the Union of to the monitoring of behaviour that takes place within the Union (market criterion). The DSA and the DMA even rely completely on {the marketplace} strategy: they apply, respectively, to middleman companies supplied to recipients established or situated within the Union (Article 2(1) DSA) and to core platform companies offered or supplied by gatekeepers to customers established or situated within the Union (Article 1(2) DMA). The place of multinational of middleman service suppliers and gatekeepers is irrelevant for figuring out the scope of both regulation. Lastly, the AI Act once more combines the institution and {the marketplace} standards: it applies each to deployers of AI methods established or situated inside the Union and to suppliers putting AI methods or fashions on the EU market, no matter their place of multinational (Article 2(1)(a) and (b) AI Act).

As with the regulation of digital applied sciences, resort to a market criterion to delimit the scope of the envisaged Area Act might pursue a twin operate. On the one hand, it goals to make sure a level-playing area and to stop operators established in third international locations from making the most of probably laxer authorized regimes on security, cybersecurity, or environmental sustainability. Then again, this strategy additionally means that the EU aspires to set world requirements, pushing house operators to evolve to its guidelines except they need to forgo their capability to supply companies within the European market. This world projection of regulatory energy, which Anu Bradford famously termed the ‘Brussels impact’, might function de facto, triggering spontaneous compliance by companies the place the price of decoupling services and products meant for the EU single market and people destined to international markets is larger than the price of conforming to EU requirements globally, or de jure, the place third States comply with the lead and draw inspiration from EU regulation in designing their home authorized regimes. EU establishments have consciously pursued the Brussels impact, notably, within the fields of knowledge safety and AI regulation. By arguing that the proposed harmonisation would ‘set up the Union as a world normal setter’ and would offer ‘a chance for the Union to take the lead in setting world requirements’, the explanatory memorandum suggests an analogous sample for the EU Area Act proposal.

The EU regulation of the digital financial system resulted in frictions with third international locations, particularly the US, on knowledge safety guidelines and on the obligations of tech giants. To mitigate the danger of regulatory clashes, the Area Act proposal combines the requirement that non-EU operators be topic to the EU guidelines with a system of  recognition of the legal guidelines of third international locations. Below Article 105 of the proposal, the Fee would have the ability to undertake choices recognising the authorized and supervisory framework of a 3rd nation as equal to the foundations laid down within the EU Area Act. This scheme is clearly impressed by the GDPR, the place equivalence choices present a foundation for the switch of non-public knowledge to 3rd international locations, however its scope is outwardly broader, since beneath the GDPR the equivalence scheme solely covers the switch and the following processing, not knowledge processing actions that happen within the Union. As well as, it’s unclear whether or not the idea of equivalence ought to be interpreted in the identical method as within the GDPR or could possibly be construed extra flexibly beneath the Area Act, which lacks the GDPR’s sturdy give attention to elementary rights safety.

A strong enforcement framework

Below the EU Area Act proposal, house operators would require an authorisation to hold out house actions and would want to register in a Union Register of Area Objects (URSO), however operators established within the EU and people established in third international locations could be topic to partially distinct authorized regimes. It could be for the Member States to authorise and supervise house operators established within the EU. For that objective, every Member State must designate a reliable nationwide authority (Article 28). These resemble nationwide supervisory authorities beneath the GDPR. Just like the GDPR, the EU Area Act proposal lays down intimately the duties and powers of nationwide supervisors (Articles 29-30). If the proposal is adopted in its present kind, nationwide authorities will get pleasure from a wide selection of investigatory, corrective and sanctioning powers. In respect of sanctions, the proposal leaves it to the Member States to introduce ‘efficient, proportionate and dissuasive’ penalties for infringement of the harmonised requirements, nevertheless it supplies standards for his or her willpower and requires that nationwide authorities have the ability to convey house operators to courtroom (Article 31).

Maybe conscious of the shortcomings of the GDPR enforcement system, the place the competence of nationwide authorities on cross-border instances usually resulted in delays and disagreements between supervisors, in drafting the Area Act proposal the Fee tried to centralise supervision over third nation operators on the supranational stage, equally to what the EU legislature did within the DSA and the DMA. Monitoring compliance by non-EU operators with the necessities laid down within the proposed regulation could be a activity for the Fee itself, with the help of the European Union Company for the Area Programme (EUSPA) (Article 48). The Fee and EUSPA would share extensive investigative powers (Articles 49-52), together with the ability to conduct on-site inspections. Investigations may then result in a discovering of an infringement and to the imposition of corrective measures by the Fee, together with the suspension or withdrawal of authorisation (Articles 54-55). The Fee would even be entitled, on a proposal by EUSPA, to impose penalties as much as twice the earnings the operator gained from the infringement or, if that quantity can’t be established, as much as 2% of the whole annual turnover of the corporate (Article 56).

Along with the Fee, which might be granted vital supervision and enforcement powers, EUSPA is projected to achieve considerably from the adoption of the EU Area Act. At current, EUSPA’s core duties are restricted to the administration of sure elements of the Union Area Programme, most notably as regards safety accreditation, operational safety, communication, promotion and market improvement. Below the EU Area Act proposal, it will achieve extra competences. Not solely would EUSPA present technical experience to the Fee within the supervision of third nation house operators and share investigative powers, it will even be entrusted with the administration of URSO and the issuance of e-certificates testifying the conformity of house objects with the necessities laid down within the regulation. Moreover, when granting authorisations to Union house operators the Member States may select to entrust EUSPA with finishing up the required technical evaluation of compliance with the harmonised requirements.

Conclusion

The expertise of regulating digital applied sciences was clearly a supply of inspiration to the Fee when it designed the EU Area Act proposal. Its enforcement equipment, specifically, presents quite a few similarities with the GDPR, whereas the scope of the proposal and the system of supervision over third nation operators recommend the ambition to train world regulatory affect. Analogies with the regulation of the digital single market may recommend what may go flawed with the Fee’s plan to make the house business ‘cleaner, safer and extra aggressive’. Companies are going to face compliance prices, which may closely have an effect on the numerous small and medium-sized enterprises lively within the house sector in Europe. As well as, the Brussels impact may misfire if the primary space-faring States and the most important personal operators within the world house financial system don’t converge in direction of the EU requirements, undermining the competitiveness of the European business.

These issues will play a task in a legislative course of that guarantees to be lengthy and sophisticated. Even whether it is adopted comparatively rapidly, the EU Area Act proposal won’t produce change in a single day, as a result of the Fee didn’t envisage its entry into drive earlier than 2030, to provide the business time to adapt to the brand new technical guidelines. Nevertheless, if its elementary scheme survives the extreme lobbying and the political compromises that lie forward, the EU is poised to change into a significant regulator of the house financial system as it’s for digital applied sciences.

Alberto Miglio is affiliate professor of EU regulation on the College of Turin.