Europe's defence-driven space security shift: what it means for dual-use startups
What these two courses cover — and why we're citing the lecturers directly
EU Space Academy is EUSPA's free e-learning platform. Unlike the ESA Space Economy Report we've covered elsewhere on this blog, its two security-focused courses — Foundations of EU Space for Security and Operationalising EU Space for Security — don't point to a stack of independent reports to check figures against. The material comes directly from the named lecturers teaching each module: officials from the European Commission's DG DEFIS and the EEAS, engineers from EUSPA and ENISA, researchers from the European Space Policy Institute (ESPI) and Italy's LINKS Foundation, and founders of three dual-use space companies.
Where we cite a figure below, we say so explicitly — "per EU Space Academy" — rather than implying it is independently verified news reporting. Read alongside our analysis of Europe's €13.5 billion space budget and the defence surge, this piece fills in the institutional plumbing behind that budget: which body controls which euro, which rule you now have to comply with, and which programmes are already writing checks to dual-use founders.
The institutional map: who actually runs EU space security
The first thing these courses correct is a common founder mistake: treating "ESA" and "the EU" as interchangeable. They are not. ESA has 22 member states (plus long-standing cooperation states such as Canada) and is headquartered in Paris; the EU has 27 member states. ESA is funded roughly 90% by the EU and its member states, and the two bodies collaborate closely — but defence competency sits with EU member states, not with ESA itself. EUSPA, the EU Agency for the Space Programme, is a separate body again, headquartered in Prague.
| Institution | Role in space security | Notes (per EU Space Academy) |
|---|---|---|
| DG DEFIS (European Commission) | Manages the European Defence Fund; governs Galileo, Copernicus and IRIS²; coordinates dual-use technology and industrial-standards policy | Described in the course as the largest and best-funded of these bodies, and the source of most new defence-related space initiatives |
| European Defence Agency (EDA) | Runs the Coordinated Annual Review on Defence (CARD), identifying capability gaps; supports PESCO joint procurement | Older than DG DEFIS but smaller; space has been a CARD-identified capability focus area since 2020 |
| EEAS Space Task Force | Plans CSDP missions touching space; links into Galileo governance; houses the EU Intelligence and Situation Centre (INTCEN) | Part of the EU's diplomatic service, with roughly 140 delegations worldwide |
| EUSPA | Manages Galileo and Copernicus operations; co-chairs the EU Space ISAC | Headquartered in Prague — a distinct body from ESA (Paris) |
| EU Satellite Centre (SatCen) | Geospatial intelligence: combines Copernicus with commercial imagery (e.g. Airbus Pléiades) into assessment reports for member states, EEAS/CSDP missions, EDA and Frontex | Based in Torrejón de Ardoz, Spain |
| ENISA | EU Agency for Cybersecurity; behind the NIS2 implementation guidance and the ECSF skills framework | Space is now explicitly inside its critical-infrastructure remit |
NIS2 just pulled space into critical-infrastructure compliance
Per EU Space Academy's cybersecurity module, the regulatory gap here was real until recently: 11 European states had adopted a national space law, but none of them attached legally binding cybersecurity requirements to it — in practice, you did not need to demonstrate cybersecurity to obtain a launch licence anywhere in Europe. That has changed with the EU's NIS2 Directive, which now treats the space sector as a critical or essential sector alongside energy, banking and health.
Concretely, EU-registered space operators now fall under NIS2's "risk management measures": documented risk analysis, incident-handling and business-continuity plans, supply-chain security checks, access control (including multi-factor authentication) and cryptographic controls — backed by mandatory incident reporting. The course also flags that NIS2's measures were written for critical infrastructure in general, not for satellites specifically — member states still have to translate the directive into space-adapted national rules, working with space agencies and industry to do it.
ENISA's European Cybersecurity Skills Framework (ECSF) is the practical tool for figuring out who inside your team should own this. It defines 12 standard cybersecurity role profiles — from Chief Information Security Officer to penetration tester — and is already used by 16 member states and mapped to more than 160 academic programmes in ENISA's Cyber Higher Education Database. For a small team, the course's own worked example is combining roles rather than hiring a full function: an information-security risk officer who merges the CISO and risk-manager profiles, an upskilled IT administrator handling implementation, and outsourced security architecture on a per-project basis.
The EU Space ISAC: a free threat-intel channel most SMEs don't know exists
One direct product of the EU Space Strategy for Security and Defence (adopted March 2023) is the EU Space ISAC — an Information Sharing and Analysis Center co-chaired by the European Commission and EUSPA, per the course. It is a nonprofit, member-driven body: EUSPA and the Commission frame the legal and administrative side, but 12 founding members — split deliberately into 6 SMEs and 6 large enterprises — set the actual agenda through two working groups (security and cybersecurity threats; norms, standards and best practices). It is explicitly not a regulator, not an incident-response service, and not the same thing as EUSPA's own Security Monitoring service — it exists purely so that competitors can share threat intelligence without being commercially exposed by it. New members join on a rolling basis.
For an SME building anything space-adjacent, this is a rare piece of EU security infrastructure that costs nothing but attention, and is structurally designed — by its board composition — to hear from companies your size, not just the primes.
Where the dual-use money actually flows
Every figure below is per EU Space Academy's course. For the macro national and EU-wide budget picture — Germany's €35B space-security plan, France's €4.2B strategy, the +12%-vs-−3% Europe-vs-world split — see our companion piece, Europe's €13.5 billion space budget and the defence surge. This piece is about the specific instrument most SMEs actually apply to: the European Defence Fund (EDF).
| Metric | Figure (per EU Space Academy) |
|---|---|
| EDF total budget, 2021–2027 | ~€8 billion for defence R&D across all domains |
| Space's rank within the EDF | #2 domain by funding per the course, after naval |
| EDF space stream spent, 2021–2024 | >€360 million |
| Space projects funded, 2021–2023 | 11 projects, >€310 million |
| 2024 EDF space-related calls | ~€50 million |
| Projected EDF space total, 2021–2027 | Up to ~€800 million (the course estimates space at ~10% of the €8B EDF) |
| PESCO space-related projects (ongoing) | 4 projects, including a common hub for governmental imagery and one on radio navigation |
PESCO (Permanent Structured Cooperation) runs alongside the EDF as a member-state-driven, legally binding commitment mechanism, and projects sitting in both frameworks can qualify for an EDF funding bonus. Two further mechanisms are worth knowing if you're a component or materials supplier rather than a systems integrator: a joint task force between the European Commission, ESA and EDA tracking non-dependence in space technologies, and the Observatory for Critical Technologies, which monitors which components are missing or fragile in the EU supply chain and where the remaining producers are concentrated. Per the course, both feed directly into what Horizon Europe, Cassini and future EDF calls prioritise.
Three founders who already built here
The courses' own "Security Start-up Talks" interviews are the most concrete evidence that this funding and policy environment is buildable, not just theoretical:
- Dcubed (Munich, with a US subsidiary) makes small mechanical components — pin-puller release devices and solar arrays — standardised enough to be export-classified as off-the-shelf products. Its founder describes a NASA order that required a US State Department "Buy American" waiver letter confirming no domestic alternative existed, and says that once the company's work touched defence customers directly, it started absorbing 150–200 cyberattacks a day and had to region-lock access to sensitive project files to the US, Europe and allied nations only.
- Prométhé Earth Intelligence (France) is building a 20-nanosatellite Earth observation constellation split across maritime, climate-risk and military-intelligence use cases. In 2023 it signed a contract with the French Air and Space Force to demonstrate near-real-time data links with the Kinéis IoT constellation — completed in October 2024, less than a year after its first satellite launched — and the company was part of the first CASSINI hackathon cohort.
- OroraTech (Munich, spun out of TUM in 2018) runs a 10-satellite thermal constellation for wildfire intelligence, with government clients including Greece and Canada. Its CEO frames the security case for Earth observation directly: as AI-generated disaster footage becomes harder to distinguish from reality, satellite data becomes one of the only neutral, repeatable ways to verify what is actually happening on the ground.
Cybersecurity is designed-in now, not bolted on
The clearest cautionary tale in the course is the February 2022 cyberattack on Viasat's KA-SAT network, hours before Russia's invasion of Ukraine. Beyond disrupting Ukrainian military communications, the attack — per the course — took roughly 9,000 Nordnet subscribers offline, disconnected about 30,000 Big Blue customers across Germany, France, Hungary, Greece, Italy and Poland, and disabled remote monitoring and control of 5,800 wind turbines belonging to the German company Enercon (the turbines kept spinning; operators simply lost the ability to control them). Every affected modem had to be physically replaced, since the attack had wiped the devices' firmware — a process that took Viasat months to complete for all its customers.
That single incident is why the course frames satellite cybersecurity spending as a genuine emerging market: one figure cited in the course, sourced to Northern Sky Research, projects the space cybersecurity industry at $33.2 billion over the next decade. Two free, practical tools the course recommends for threat modelling built specifically for satellite systems: SPARTA (built on the widely used MITRE ATT&CK framework, mapping tactics and countermeasures to space-specific attack chains) and ESA's equivalent, SPACESHIELD. For lifecycle documentation, the European Space Standard ECSS-E-ST-80-C lays out which security artefacts you need at which project phase — a Security Management Plan and Security Supply Chain Management Plan early on, a Mission Security Policy and System Security Engineering Plan by critical design review, and a Security Monitoring and Incident Handling Plan plus a penetration-testing plan before launch.
One design point worth budgeting for now rather than later: the course flags post-quantum cryptography as "totally and absolutely mandatory" for any system with a multi-year operational life, since satellites already in orbit cannot easily be swapped out once today's encryption is eventually broken. The practical implication is crypto agility — designing your system so the encryption algorithm itself can be updated in orbit and run in hybrid mode alongside legacy algorithms, rather than hard-coded at launch.
Operational proof and the technology stack behind it
Where this is already running
Border and customs enforcement is the least glamorous and most concrete demonstration that EU space assets are operational, not aspirational. Per the course: the EU processes roughly 400 million border crossings a year (about 239,000 flagged irregular), across a 60,000km coastline — three times the length of the US coastline — patrolled in part using Galileo-enabled AIS combined with Copernicus imagery to flag "dark vessels" that have switched off tracking or deviated from normal routes. In one 2023 case cited in the course, satellite tracking of the bulk carrier MV Matthew — which changed its stated destination repeatedly and was linked to a suspiciously purchased daughter vessel — led to a joint Irish Customs, police and naval interception, and the seizure of over 200kg of cocaine valued at roughly €157 million. Separately, Galileo's search-and-rescue payload, integrated into the international Cospas-Sarsat system, contributes to rescuing more than 3,000 people and saving around 2,000 lives every year, per the course.
The AI/GEOINT toolkit already prototyped with EU funding
Beyond enforcement, the course walks through a set of EU-funded prototypes (mostly built by Italy's LINKS Foundation) that double as a benchmark sheet if you're building Earth observation or signal-processing products:
| Task | Approach (per EU Space Academy) | Data / result |
|---|---|---|
| Land cover segmentation | SPADA — a teacher-student self-supervised model | Trained on Sentinel-2 plus Corine/Urban Atlas/LUCAS labels; outperformed S2GLC, the EU's previous reference dataset |
| Forest fire detection | XGBoost on fused multi-satellite hotspot data; MSG-SEVIRI for faster (but less accurate) 15-minute-cadence detection | Trained against the EFFIS database of fires over 10 hectares |
| Burned-area delineation | UPerNet decoder producing a delineation map plus a 0–4 severity score | Trained on 433 manually annotated Copernicus EMS fire events; cut mapping time from hours/days to minutes |
| Flood delineation | Multi-encoder CNN fusing Sentinel-1 SAR with a digital elevation model | SAR chosen specifically because it sees through the cloud cover that usually accompanies flood-triggering rain |
| Jamming detection | AI classifier on a Raspberry Pi + receiver prototype | Distinguishes intentional jamming/spoofing from natural interference such as ionospheric scintillation |
| Drone navigation without ground RTK | Galileo High Accuracy Service on a ~€230 commercial receiver | 8cm accuracy vs. RTK's 1cm — usable where ground reference networks don't reach |
None of these are hypothetical — the course describes each as a tested prototype, mostly built under Horizon Europe-style funding, several with published papers you can look up by the model names above.
What this means for your roadmap
- Write the dual-use and NIS2-readiness framing into your materials now. If your product touches Earth observation, comms, PNT or space domain awareness, evaluators and defence-adjacent customers will ask about both.
- Budget for cybersecurity compliance before it's mandated at your national level. NIS2 is already in force at EU level, and space-specific national transposition is coming.
- Apply to the EU Space ISAC even as a small team. Six of twelve founding board seats are reserved for SMEs by design, and membership is rolling.
- Track EDF space-stream calls and PESCO-linked projects, not just ESA tenders and Horizon Europe. It's a distinct funding line with its own trajectory toward roughly €800M by 2027. VIRA tracks ESA and EU calls as they open.
- Benchmark against the models above before pitching "novel." If you're building EO or signal-processing products, evaluators who've been through EU Space Academy's course may already know these baselines.
- Read this alongside our defence-budget analysis. Europe's €13.5 billion space budget and the defence surge covers the macro numbers behind the institutions and programmes described here.
FAQ
What is EU Space Academy, and what do these two courses cover?
EU Space Academy is EUSPA's free e-learning platform. Its "Foundations of EU Space for Security" and "Operationalising EU Space for Security" courses cover EU space-security governance and institutional cooperation, cybersecurity and digital resilience, the strategic and industrial dimensions of space security, operational applications such as geospatial intelligence and border/customs security, and frontier technologies including post-quantum cryptography and AI-driven Earth observation.
Which EU institutions actually run space security policy?
Per EU Space Academy's course, the European Commission's DG DEFIS manages the European Defence Fund and coordinates dual-use technology policy; the European Defence Agency runs the Coordinated Annual Review on Defence and supports PESCO; the EEAS houses the Space Task Force and EU INTCEN; EUSPA (based in Prague) manages Galileo and Copernicus and co-chairs the EU Space ISAC; and the EU Satellite Centre (Torrejón, Spain) provides geospatial intelligence to member states and CSDP missions.
Does the EU now require cybersecurity compliance for space systems?
Per EU Space Academy's cybersecurity course, yes: the NIS2 Directive now treats the space sector as a critical/essential infrastructure sector, requiring risk management, incident reporting and supply-chain security measures. Before NIS2, of the 11 European states with a national space law, none had legally binding cybersecurity requirements attached to launch licensing.
Where does EU dual-use space funding actually come from?
Mainly the European Defence Fund (EDF), which per EU Space Academy's course has an approximately €8 billion R&D budget for 2021-2027 with roughly 10% (up to about €800 million) earmarked for space; the space stream passed €360 million by 2024 (11 projects worth over €310 million in 2021-2023, plus roughly €50 million in 2024 calls). PESCO and national defence budgets add further channels — see our companion piece on Europe's €13.5 billion space budget for the macro numbers.
What is the EU Space ISAC, and can a small startup join?
Per EU Space Academy's course, the EU Space ISAC is a nonprofit, member-driven information-sharing body co-chaired by the European Commission and EUSPA. Its founding board deliberately reserves 6 of 12 seats for SMEs alongside 6 large enterprises, and it accepts new members on a rolling basis.
Sources
- EU Space Academy (EUSPA) — Foundations of EU Space for Security (course).
- EU Space Academy (EUSPA) — Operationalising EU Space for Security (course).