Key data
| Regulation | Council Decision (CFSP) 2026/1716, of 13 July 2026 |
|---|---|
| Publication | 14 July 2026 |
| Entry into force | 13 July 2026 |
| Affected parties | Operators, contractors and entities participating in the EU Space Programme and the Secure Connectivity Programme (GOVSATCOM/IRIS²) |
| Category | European Regulation — Common Foreign and Security Policy (CFSP) |
| Year | 2026 |
| Official reference | OJ:L_202601716 |
Operators and contractors working with European critical space infrastructures have new security obligations that come into force immediately. The Council Decision (CFSP) 2026/1716, published on 14 July 2026 and in force from the previous day, establishes specific and binding instructions for all systems and services associated with the EU Space Programme and the Secure Connectivity Programme—known as GOVSATCOM/IRIS²—.
This is not a recommendation or a best practices guide: under the Common Foreign and Security Policy (CFSP), these instructions generate direct obligations for Member States and for all actors—public and private—participating in these programmes.
What does this regulation establish?
The Decision regulates three areas of activity on the EU's critical space infrastructures:
- Deployment: technical and operational security conditions in the implementation of space systems and services.
- Operation: continuous requirements during the operation of infrastructures linked to GOVSATCOM and IRIS².
- Use: access and use rules for entities that use these systems in their activities.
The specific compliance mechanisms established by the regulation are:
| Mechanism | Description |
|---|---|
| Security audits | Periodic verification of compliance with the technical and operational requirements established in the instructions. |
| Access controls | Specific protocols to limit and manage access to critical systems and infrastructures. |
| Sensitive information management | Specific protocols for the treatment, storage and transmission of classified or sensitive information in the European space field. |
The binding nature within the CFSP framework is a key differentiating element: unlike other technical or sectoral regulations, this Decision does not allow discretionary transposition by Member States. Its application is direct and immediate.
Economic and operational impact
The regulation does not establish specific economic sanctions or fine amounts in the published text. However, the operational impact for affected entities is significant in several areas:
- Adaptation costs: Organizations will need to review and, where necessary, update their access control systems, internal audit procedures and sensitive information management protocols to align with the instructions.
- Specialized human resources: Compliance with security instructions in the space and government connectivity field requires personnel with security clearance and specific technical knowledge.
- Risk of contractual exclusion: Non-compliance with the instructions may result in loss of contracts or eligibility to participate in the IRIS² and EU Space Programme, with the resulting direct economic impact for contractor companies.
- Supply chain impact: Prime contractors will need to pass these requirements on to their subcontractors and suppliers that have access to the systems or sensitive information related to them.
Who does it affect?
Council Decision (CFSP) 2026/1716 directly affects:
- Space systems operators that deploy or manage infrastructures linked to the EU Space Programme.
- Contractors and subcontractors that provide technical, maintenance or development services within GOVSATCOM or IRIS².
- Entities that use the services of secure government connectivity provided by these programmes.
- EU Member States, which have direct obligations arising from the CFSP framework.
- Public bodies and agencies that access or manage information in the field of these space programmes.
Outside the scope of this Decision are commercial telecommunications or satellite operators that do not specifically participate in the GOVSATCOM or IRIS² programmes of the European Union.
Practical example
A Spanish aerospace engineering company acting as a contractor in the IRIS² programme for the development of satellite constellation components will need to, from 13 July 2026:
- Undergo security audits in accordance with the instructions established in the Decision, which will verify its technical and operational procedures.
- Implement or update its access controls to the systems and facilities where information or components of the programme are worked on, restricting access only to authorized personnel.
- Establish specific protocols for the management of any sensitive information generated or received within the framework of the contract, including its storage and transmission.
- Pass these requirements on to its suppliers and subcontractors that have access, even if partial, to the systems or information of the programme.
If this company does not adapt its procedures, it is exposed to losing the security clearance necessary to continue participating in the contract, which is equivalent to the effective termination of the same.
What should companies do now?
- Identify if you participate in the affected programmes: Check if your activity is linked to the EU Space Programme, GOVSATCOM or IRIS². If you have active or pending contracts with the EU Agency for the Space Programme (EUSPA) or with the European Commission in this field, you are affected.
- Review existing contracts: Check if your contracts include security clauses that already reference or need to be updated in accordance with the new CFSP Decision 2026/1716.
- Audit current access controls: Assess whether your physical and logical access control systems comply with the security requirements required by the regulation for critical space infrastructures.
- Update sensitive information management protocols: Review internal procedures for the treatment of classified or sensitive information and adapt them to the instructions of the Decision.
- Extend obligations to the supply chain: Communicate to your subcontractors and suppliers with access to systems or information of the programme that they are also subject to these security instructions.
- Consult with a CFSP security specialist advisor: Given the binding nature and the scope of the Common Foreign and Security Policy, it is advisable to have specialized legal advice on European security regulations.
Frequently asked questions
When does Council Decision CFSP 2026/1716 come into force and what is the deadline for adaptation?
The Decision came into force on 13 July 2026, one day before its publication in the EU Official Journal (14 July 2026). No transitional period is established in the available data, so the obligations apply immediately to the operators, contractors and affected entities.
Which European space programmes does this security regulation affect?
The Decision specifically affects the EU Space Programme and the Secure Connectivity Programme of the Union, which includes the GOVSATCOM and IRIS² components. It does not apply to commercial satellite telecommunications operators that do not participate in these specific programmes.
What specific obligations does the regulation impose on contractors?
The Decision imposes three types of specific obligations: undergoing security audits, implementing specific access controls to systems and facilities, and applying protocols for the management of sensitive information in the European space field. These obligations apply to both the deployment and operation and use of the systems.
What happens if a company does not comply with the CFSP security instructions?
Although the Decision does not detail specific economic sanctions, non-compliance with security instructions within the CFSP framework may result in the loss of security clearances and, therefore, exclusion from contracts linked to the EU Space Programme or IRIS²/GOVSATCOM, with the resulting direct economic impact.
Do the obligations of this Decision also affect subcontractors?
Yes. The security instructions apply to all actors involved in the deployment, operation or use of the systems, which includes subcontractors and suppliers with access to the systems or sensitive information related to the programmes. Prime contractors are responsible for passing these requirements on to their supply chain.
Official source
Consult the complete regulation in the official source
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202601716