Emerging sector | Deadline: September 2026

CRA Compliance Checklist: Satellite & Space Technology

Annex III Class II — satellite communication infrastructure and ground segment systems are critical infrastructure products; user terminals are Annex III Class I or Default depending on application

Satellite and space technology presents unique CRA challenges. Satellite communication systems and ground segment infrastructure are Annex III Class II as critical telecommunications infrastructure. User terminal equipment (VSATs, satellite broadband modems, satellite navigation receivers used in critical applications) may be Class I or II depending on their role. The 2022 Viasat/KA-SAT cyberattack demonstrated the severe real-world impact of satellite cybersecurity failures.

14 checklist items | 14 high priority | Deadline: September 2026 | Sector: Emerging

1. Scope & Classification

Classify satellite products by infrastructure role: ground segment and satellite communication systems as Class II; user terminals by application context

Priority: high | Reference: Annex III, Class II

Satellite gateway infrastructure, network operations centres, and satellite management systems are Class II. VSAT terminals used in critical infrastructure (energy, military — if civilian-sold) are Class I or II. Consumer satellite broadband terminals may be Default or Class I.

Engage a Notified Body with satellite and telecommunications security expertise for Class II ground segment and critical terminal products

Priority: high | Reference: Article 24, Annex VIII

Satellite system assessments require specialised expertise. Engage Notified Bodies with experience in satellite communications security and ETSI EN 303 645 alignment.

Assess CRA intersection with ETSI EN 303 645 and ETSI TR 103 743 satellite cybersecurity guidance

Priority: high | Reference: Article 10(2), CRA / ETSI EN 303 645

ETSI has published cybersecurity guidance for satellite systems. Aligning with relevant ETSI standards provides a recognised technical framework for CRA compliance.

Compile SBOM for all ground segment software, user terminal firmware, satellite modem software, and network management systems

Priority: high | Reference: Article 10(6)

Satellite systems include complex software stacks across space and ground segments. For the ground segment and user terminals (in-scope products), compile comprehensive SBOMs.

2. Product Security (Annex I Part I)

Implement encrypted and authenticated uplink and command communications for satellite operations systems

Priority: high | Reference: Annex I, Part I(3)

Satellite command and control links must be encrypted and authenticated. Unauthenticated satellite control links create severe vulnerability to jamming, spoofing, and hijacking.
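
What "encrypted and authenticated" looks like for a single command frame, as an added illustration that is not taken from this checklist, a vendor, or a standard: AES-256-GCM protects the command, and a sequence number bound into the nonce and associated data lets the receiver reject replays, which goes beyond the checklist text. The frame layout, function names, all-zero key and `SET_BEAM 3` command are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical frame: 8-byte sequence number || AES-256-GCM ciphertext and tag.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal is the ground-station side; seq must never repeat under one key.
func Seal(a cipher.AEAD, seq uint64, cmd []byte) []byte {
	n := make([]byte, 12) // GCM nonce: 4 zero bytes || sequence number
	binary.BigEndian.PutUint64(n[4:], seq)
	return append(n[4:], a.Seal(nil, n, cmd, n[4:])...)
}

// Open is the receiving side: the counter moves only for authentic, fresh frames.
func Open(a cipher.AEAD, lastSeq *uint64, frame []byte) ([]byte, error) {
	if len(frame) < 8+a.Overhead() {
		return nil, errors.New("frame too short")
	}
	n := append(make([]byte, 4, 12), frame[:8]...)
	cmd, err := a.Open(nil, n, frame[8:], frame[:8])
	seq := binary.BigEndian.Uint64(frame[:8])
	if err != nil || seq <= *lastSeq {
		return nil, errors.New("rejected: forged, replayed or stale frame")
	}
	*lastSeq = seq
	return cmd, nil
}

func main() {
	a, _ := NewAEAD(make([]byte, 32))     // constructed all-zero demo key (valid length)
	var last uint64                       // receiver's highest accepted sequence number
	f := Seal(a, 1, []byte("SET_BEAM 3")) // constructed command
	_, first := Open(a, &last, f)
	_, replay := Open(a, &last, f)
	fmt.Println("first:", first, "| replay:", replay)
}
```

Reusing a sequence number under the same key repeats a GCM nonce, so the sender has to persist its counter across restarts and rekey before it wraps.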

Implement strong authentication for all satellite network management systems and ground station interfaces

Priority: high | Reference: Annex I, Part I(2)

Ground station management systems with privileged access to satellite operations must implement MFA and strict access controls. The Viasat attack exploited management interface vulnerabilities.

Implement cryptographically signed firmware updates for user terminals — support secure OTA updates via satellite link

Priority: high | Reference: Annex I, Part I(9)

Satellite terminal firmware updates are often delivered via the satellite link itself. These must be cryptographically signed and verified before installation.

Implement anti-jamming and anti-spoofing capabilities appropriate to the satellite service type and user terminal classification

Priority: high | Reference: Annex I, Part I(5)

Satellite jamming and GNSS spoofing are active threats. Implement GNSS anti-spoofing for navigation terminals and frequency-hopping or signal diversity for communication terminals where technically feasible.

3. CVD Policy & Vulnerability Handling

Publish a CVD policy coordinated with space sector information sharing organisations and national space agencies

Priority: high | Reference: Article 13(1)

Satellite system vulnerabilities can affect communications across entire continents. Coordinate CVD with space sector ISACs, ESA's ESAC cybersecurity team, and national security authorities.

Define security support lifecycle appropriate to satellite system operational timelines — ground segment 10+ years, user terminals 7+ years

Priority: high | Reference: Annex I, Part II(5)

Satellite systems have long operational lifespans. Ground segment infrastructure requires 10+ year security support. User terminals for critical applications warrant at least 7 years.

4. Article 14 Incident Reporting

Define Article 14 triggers for satellite incidents — focus on ground segment compromise, mass user terminal wiping (cf. Viasat attack), and satellite service disruption

Priority: high | Reference: Article 14(1)

The Viasat/KA-SAT attack in February 2022 bricked tens of thousands of user terminals across Europe. This is the paradigmatic Class II satellite Article 14 trigger scenario.

Coordinate Article 14 ENISA reporting with national space authority notifications and, for affected critical infrastructure, parallel NIS2 reporting by operator customers

Priority: high | Reference: Article 14(2)

Satellite incidents affecting critical infrastructure customers simultaneously trigger CRA Article 14, NIS2 reporting by customers, and potentially national security authority notifications. Pre-plan all tracks.

5. CE Marking & Conformity Assessment

Complete Notified Body Type Examination for Class II ground segment and critical terminal products — align with ETSI EN 303 645 and relevant satellite security standards

Priority: high | Reference: Article 24, Annex VIII

Engage a Notified Body with satellite sector expertise. ETSI standards for satellite security provide the technical framework. Early engagement is essential given the novelty of CRA assessment for space systems.

Issue EU Declaration of Conformity referencing the CRA for all in-scope satellite products — coordinate with Radio Equipment Directive compliance for terminal equipment

Priority: high | Reference: Article 20, Article 22

Satellite user terminals using radio spectrum must also comply with the Radio Equipment Directive. Coordinate both compliance tracks and reference both in the DoC.


Frequently asked

The satellite itself is in orbit — does CRA apply to the space segment?

The CRA focuses on products placed on the EU market. Satellites themselves are not placed on the EU market in the conventional sense. However, the ground segment equipment, user terminals, and satellite management systems that are placed on the market are in scope. The security of the ground-to-space link and command and control systems — which are commercial products — falls within CRA scope.

We manufacture GNSS navigation receivers for use in vehicles and aviation — are they in CRA scope?

Yes. GNSS receivers are products with digital elements in scope for the CRA. Their classification depends on application: standalone consumer GNSS units are Default; navigation receivers integrated into safety-critical aviation or maritime systems may be Class I or II. Anti-spoofing capabilities are increasingly important for CRA compliance given active GNSS spoofing threats in parts of Europe.

Our satellite broadband service is used by wind farms and utilities — does CRA apply to our user terminals?

Yes. User terminals (satellite modems, VSAT units) are products with digital elements in CRA scope. If your terminals are used in critical infrastructure (energy, utilities), they are likely Annex III Class I and may be Class II if they form part of the critical infrastructure control network. The service itself (cloud-based management) is outside CRA scope, but the terminal hardware and firmware are fully in scope.
