A New Critical Sector Emerges in Cologne
Cologne is becoming a European hub for space activities – through three distinct but interlinked initiatives. In December 2024, the European Commission decided to locate the GOVSATCOM Hub at the site of the German Aerospace Center (DLR): a highly secure network node for satellite-based communication services for security-critical users (the GovSatCom and IRIS² programs). The state of North Rhine-Westphalia (NRW) is covering construction costs of up to €50 million, with ongoing operating costs funded by the European Commission. The symbolic groundbreaking took place on June 16, 2026; no official construction timeline or completion date had been announced at that point.
The GOVSATCOM Hub is part of the broader SpaceHub Cologne initiative, presented by the state of NRW, DLR, ESA, the European Commission and Cologne Bonn Airport on April 30, 2025 at the SpaceTech.NRW conference – a campus and ecosystem project to attract companies and start-ups around the DLR site. A third, separate initiative should be distinguished from this: on November 20, 2025, NRW, ESA, DLR and the German Space Agency signed a Letter of Intent (not yet a final agreement) to relocate the ESA directorate “Human and Robotic Exploration” (HRE) from Noordwijk to Cologne-Porz/Wahn – around 250 new jobs, nearly tripling staff numbers at the existing European Astronaut Centre. The HRE initiative has no technical connection to satellite communication; it concerns crewed and robotic exploration research.
GOVSATCOM Hub: a highly secure network node for satellite communication for security-critical users; construction funded by NRW (≤ €50 million), operations funded by the European Commission; groundbreaking June 16, 2026, construction timeline not officially communicated.
SpaceHub Cologne: the overarching settlement ecosystem at the DLR site (presented April 30, 2025), of which the GOVSATCOM Hub is part.
ESA HRE relocation: a separate initiative, Letter of Intent dated November 20, 2025, concerns exploration research — not satellite communication.
For operators of ground stations, satellite services, and the suppliers settling in the area, this is more than a location question: as the cluster grows, so does regulatory attention. The reason lies in NIS2.
NIS2 Classifies the Space Sector as Highly Critical
The NIS2 Directive ((EU) 2022/2555) explicitly names the space sector as highly critical in Annex I. In the original wording: „Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services [...]“ – meaning: operators of ground-based infrastructure, whether state-owned or privately owned/operated, that supports the provision of space-based services, as well as providers of space-based services themselves. One important caveat: infrastructure operated by the EU or on behalf of the EU under its own space program is, according to several assessments, not covered by this classification – this needs to be checked on a case-by-case basis, not assumed across the board. In Germany, NIS2 is implemented via the NIS2 Implementation Act (NIS2UmsuCG) and supplemented by the KRITIS Umbrella Act, which sets out operator obligations for physical resilience by July 2026.
Regardless of sector, an additional rule applies: providers of public electronic communications networks or publicly available electronic communications services fall within the scope of NIS2 regardless of company size. This can mean an additional, sector-independent coverage for operators of satellite-based connectivity with end-customer business – this classification is not legally trivial and should be reviewed case by case with reference to one's own business activity, not adopted wholesale from this article.
| Entity Type | Examples | Typical NIS2 Obligation |
|---|---|---|
| Ground infrastructure | Satellite control centers, ground stations, antenna facilities | Risk management, reporting of significant incidents |
| Space-based services | Satellite communication, Earth observation, navigation | Supply chain security, business continuity |
| Suppliers/integrators | Manufacturers of ground segment components, software | Contractual security requirements imposed by operators |
Whether a company qualifies as an „essential“ or „important“ entity depends, in addition to the sector, on company size – large companies generally fall into the stricter category, medium-sized ones into the second. Anyone settling in the GOVSATCOM Hub or SpaceHub Cologne area as a supplier or operator should clarify this classification early, not wait until the first inquiry from a supervisory authority.
BSI TR-03184-2: The Reference for the Ground Segment
The BSI has structured its Technical Guideline TR-03184 “Information Security for Space Systems” in two parts – developed in the context of NIS2's classification of the space sector as critical. Part 1 (published May 2023) addresses the space segment, i.e. the satellite or spacecraft itself. Part 2 (published May 14, 2025) is explicitly aimed at operators, manufacturers and service providers of ground segments – making it the relevant reference for ground stations and antenna facilities, not Part 1.
The core of Part 2 is an extensive table that describes threats and mitigation measures for various business processes across the entire lifecycle of a ground segment – from conception to decommissioning. The guideline deepens the IT-Grundschutz profile for the ground segment and is consistent with ISO 27001/27002, without mandating the IT-Grundschutz methodology. The central message: one-time hardening is not enough – continuous monitoring of configurations over the operating period is required, which is new for many ground segment operators because hardware and firmware lifecycles in space have traditionally been designed for long, unchanged operating periods.
# Entry in the asset/configuration register of a ground station asset_id: GS-COLOGNE-UPLINK-03 asset_type: Satellite uplink gateway nis2_classification: sector: space # NIS2 Annex I, must be checked case by case entity_type: ground_infrastructure classification: essential # depends on company size security_controls: bsi_tr03184_2_mapping: in_progress # Part 2 threat/measure table key_management: PKI # uplink/downlink encryption cert_rotation_days: 90 firmware_version: '4.2.1' last_config_review: '2026-06-01' incident_routing: - bsi_reporting_office - nis2_supervisory_authority review_cycle_days: 30
Don't start with the guideline, but with the question of what the ground station actually needs to deliver – which mission or service it supports, which outages you cannot afford. The asset inventory of gateways, certificates and configurations then provides the evidence needed to apply TR-03184-2 as an assessment grid — not as an end in itself.
Not Just an Asset Inventory: Factoring in Mission and Operational Resilience
A complete asset and certificate register is necessary, but not sufficient for space systems. The starting point should be what a ground station or satellite service actually needs to deliver – which mission, which service, which availability – and which risks stand in the way of that. From there follows which assets are actually relevant, not the other way around.
Specifically, this includes command-and-control paths between ground station and satellite, cryptography and key management, supply chains of ground segment manufacturers, operating processes and incident response, segmentation, physical security of antenna facilities, and radio-frequency-specific risks (jamming, spoofing). Asset, certificate and configuration management provide the evidence layer and the depth of implementation for this – they are the evidence, not the starting point.
What This Means in Practice for Ground Segment Operators
For companies settling in or already active in the Cologne space cluster, a pragmatic entry point can be described in seven steps.
Seven-Step Process
- 1Clarify mission and protection needs: which service/mission depends on the ground station, which outages are not tolerable — before the inventory begins.
- 2Determine scope: check whether your own ground station, service, or supplier role falls under NIS2 Annex I (space sector) — case by case, not across the board.
- 3Asset inventory: complete capture of ground segment infrastructure – gateways, antennas, certificates, key material, firmware versions.
- 4Threat mapping per BSI TR-03184-2: compare existing measures against the threats described there, prioritize gaps.
- 5Harden key and certificate management: operate PKI for uplink/downlink encryption with clear rotation cycles instead of a supplier black box.
- 6Build continuous configuration monitoring: version control across the entire lifecycle instead of one-time hardening.
- 7Align reporting channels: design the incident process so that NIS2 reporting deadlines and BSI reporting channels can be met without improvisation.
Common Pitfalls
Ground station treated as “just technology”: NIS2 relevance is overlooked because the facility is managed organizationally as plain operational technology rather than critical infrastructure.
One-time hardening instead of monitoring: a security acceptance check at commissioning is mistaken for permanent compliance – BSI TR-03184-2 explicitly requires ongoing configuration monitoring.
PKI as a supplier black box: key and certificate management for the satellite link sits entirely with the manufacturer, with the operator unable to demonstrate rotation cycles or key sovereignty itself.
Security sold as a pure asset inventory: anyone offering only inventory, without factoring in mission, operational resilience and command paths, delivers a necessary but not a sufficient answer.
Assessment and Next Steps
The expansion in Cologne will, over the coming years, create a new concentration of companies that, for the first time, need to engage with the NIS2 space sector. This is not a special case, but a consistent application of existing regulation to a growing industry – and with BSI TR-03184-2, a concrete technical assessment grid for the ground segment already exists.
Anyone settling in the Cologne cluster now, or already active there, has a timing advantage: the infrastructure is still being built out, and many security requirements can be planned in from the start rather than retrofitted later – provided the approach starts from mission and risk, not just from an inventory.
1. Check whether your own facility or service falls under NIS2 Annex I (space sector) — case by case, not across the board.
2. Clarify mission/protection needs and, building on that, set up an asset inventory of the ground segment infrastructure as the basis for a BSI TR-03184-2 mapping.
3. Reach out early to the topic-specific contact points of the Cologne cluster, for example the “Security and Resilience” theme area at the Space Innovation Hub.
A resilient governance approach here, too, sensibly begins with an information security management system as the overarching framework — as a structure for mission, risk and evidence, not as an asset listing. Our Space/NIS2 Readiness Check combines applicability assessment, asset/interface inventory, a PKI overview and mapping against BSI TR-03184-2 into an audit-ready documentation structure.