Anhang I Sektor 11

Space sector under NIS 2

Annex I, sector 11. Ground-based infrastructure supporting space-based services. Narrow scope, often misread.

Simon OrzelSimon Orzel·

What this page covers

NIS 2 lists space as sector 11 in Annex I (highly critical sectors). The wording is narrower than the name suggests. The directive does not cover everything that touches space. It covers operators of ground-based infrastructure that supports the provision of space-based services.

That distinction matters. A satellite manufacturer building hardware in a clean room is not in scope by virtue of the space sector. A company operating a ground station, a mission control centre or a telemetry, tracking and command facility likely is, if it meets the size test in Article 2 and is not carved out.

This page reads the Annex I entry verbatim, sets out the size test from Article 2, points to the EU Space Programme Regulation as a related regime, and lists the most common scoping errors we see in practice.

Where this comes from
NIS 2 directive, German transposition (BSIG) and the related EU space regime.

Directive (EU) 2022/2555, Annex I, sector 11 (Space)

Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.

This is the full sectoral definition. Three filters apply at the same time. First, the asset class is ground-based infrastructure. Second, the function is to support space-based services. Third, providers of public electronic communications networks are excluded because they are addressed under sector 8 (digital infrastructure) and the EECC regime.

Regulation (EU) 2021/696 (EU Space Programme)

Establishing the Union Space Programme and the European Union Agency for the Space Programme (EUSPA).

The Space Programme Regulation governs the EU components Galileo, EGNOS, Copernicus, GOVSATCOM and SST. EUSPA operates parts of those services. NIS 2 sits alongside this regime. Operators of ground-based infrastructure that supports such programmes can fall under both. They are not automatically exempt from NIS 2 because they are part of an EU programme.

BSIG, Anlage 1, Nummer 11 (German transposition of NIS 2)

Weltraum: Betreiber von Bodeninfrastrukturen, die sich im Eigentum von Mitgliedstaaten oder privaten Parteien befinden und von diesen verwaltet und betrieben werden, die die Erbringung weltraumgestützter Dienste unterstützen, mit Ausnahme von Anbietern öffentlicher elektronischer Kommunikationsnetze.

Germany transposes the Annex I wording one to one. There is no separate German broadening of the sector. The BSI is the competent authority for cybersecurity supervision under §61 BSIG. Sector policy sits with the Federal Ministry for Economic Affairs and Climate Action (BMWK) and the German Space Agency at DLR.

The three filters in Annex I sector 11
All three must be present for the directive to apply through this sector.
Filter 1

Ground-based infrastructure

The asset class is physical ground infrastructure. Typical examples are satellite ground stations, antennas, gateway sites, mission control centres, satellite operation centres, telemetry, tracking and command (TT&C) facilities and dedicated data processing centres for satellite payload data. Space-based assets (satellites themselves) are not the in-scope object here.

Filter 2

Supports space-based services

The function of the infrastructure must be to support the provision of services delivered from or through space (navigation, earth observation, satellite communications, secure connectivity). General-purpose data centres or office IT that happens to belong to a space company do not become in-scope just because the owner is in the sector.

Filter 3

Not a public electronic communications network

Providers of public electronic communications networks are explicitly excluded from sector 11. They are addressed under sector 8 (digital infrastructure) and the European Electronic Communications Code. This avoids double regulation of telecoms operators that also use satellite links.

Article 2 size test and operator focus
Two further rules sit on top of the sectoral definition.

Article 2(1) size test still applies

Being named in Annex I is necessary but not sufficient. Article 2(1) adds the size test. The default threshold is medium-sized enterprise or above (50 or more staff, or more than 10 million EUR annual turnover and balance sheet total above 10 million EUR). Some entity types are in scope regardless of size under Article 2(2), but those overrides do not generally pick up commercial space operators.

Operator, not manufacturer

The directive consistently uses the word operators. The legal trigger is operating ground-based infrastructure that supports space-based services. Designing, building or selling satellites, launchers or ground hardware is not what sector 11 is about. Manufacturers can still be covered through other sectors (for example as digital service providers, or under Annex II manufacturing) if those sectoral entries fit.

Authorities and reference points
Who supervises and who sets sector policy. Use this to find the right contact, not as legal advice.
DE

BSI as cybersecurity supervisor, BMWK and DLR as sector policy

Under the BSIG, the Federal Office for Information Security (BSI) supervises cybersecurity duties for in-scope entities, including space sector entities. Sector policy and space programme matters sit with the Federal Ministry for Economic Affairs and Climate Action (BMWK) and the German Space Agency at DLR. Operators of EU Space Programme components in Germany also coordinate with EUSPA.

EU

ENISA and EUSPA at EU level

ENISA supports the cybersecurity dimension of NIS 2 across all sectors. EUSPA is responsible for the operational management and service provision of EU space programme components. ENISA has published sector guidance for space; EUSPA has its own security framework for EU programme operators. NIS 2 does not replace either of those, but it forms the baseline.

Cross-EU

National authorities elsewhere

Other Member States designate their own NIS 2 competent authorities. National space agencies (for example CNES in France, ASI in Italy, NSO in the Netherlands) act as policy and programme partners, not as NIS 2 supervisors. Cooperation with ESA continues under the ESA Convention; ESA itself is an intergovernmental organisation and not a Member State competent authority under NIS 2.

Common scoping mistakes
The misreadings we see most often when companies self-assess against sector 11.

  • We build satellites or ground hardware, so we are in scope under space.

    Sector 11 targets operators of ground-based infrastructure that supports space services. Pure manufacturing is not the trigger. A satellite or antenna manufacturer should check Annex II sector 5 (manufacturing) and any digital service provider duties separately, instead of assuming the space entry covers it.

  • We are a research lab or university institute working on space topics, so NIS 2 covers everything we do.

    Research entities are addressed under Annex I sector 10 (research) only where they are research organisations as defined in Article 6(41). Working on space topics does not by itself make the lab a sector 11 operator. The question is whether the lab operates ground-based infrastructure supporting space-based services and whether it meets the Article 2 size test.

  • Only EU agencies like ESA or EUSPA are meant here.

    The Annex wording explicitly covers ground-based infrastructure owned, managed and operated by Member States or by private parties. Private operators of ground stations and mission control centres are part of the target population. ESA as an intergovernmental organisation has its own legal regime, but the private operator landscape is squarely inside NIS 2.

Practitioner view

If you operate ground infrastructure for satellite services, treat the scoping question as two layers. Layer one is the Annex I sector 11 test on what your facility actually does. Layer two is the Article 2 size test on the legal entity that runs it. Both have to be yes for sector 11 to bring you in.

If your entity is in scope, the duties are the same as for any other essential or important entity under Articles 20, 21, 23 and 27. There is no space-specific control catalogue inside NIS 2 itself. EU programme operators may carry additional security requirements from Regulation (EU) 2021/696 and EUSPA frameworks, but those sit on top, not instead.

How the platform handles this

The applicability check asks whether you operate ground-based infrastructure that supports space-based services, then applies the Article 2 size test and the public electronic communications carve-out. If the result is in scope, sector 11 gets tagged on your obligation register so reporting, registration and supervision routes go to the right authority.

If the result is out of scope under sector 11, the platform still checks the other Annex I and Annex II entries. A space company can be out under sector 11 and in under, for example, manufacturing or ICT service management. The output is a single obligation register, not a single yes or no.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Annex I, sector 11 — EUR-Lex
  • Directive (EU) 2022/2555 (NIS 2), Article 2 (scope) and Article 6 (definitions) — EUR-Lex
  • Regulation (EU) 2021/696 (EU Space Programme) — EUR-Lex
  • German BSI-Gesetz (BSIG), Anlage 1, Nummer 11 — gesetze-im-internet.de
  • ENISA sector overviews on space — enisa.europa.eu
  • EUSPA (European Union Agency for the Space Programme) — euspa.europa.eu
  • BMWK and DLR Raumfahrtmanagement — bmwk.de, dlr.de
Check applicability for your entity
Run the Annex I sector 11 test and the Article 2 size test against your facility in a few minutes.
Open applicability check