Public Sector · Space

Houston,
we have a sovereign problem.
Who controls the command?

Space agencies and satellite operators routing mission-critical communications through US-controlled cloud infrastructure face CLOUD Act exposure. Under 18 U.S.C. § 2713, every command uplink, telemetry stream, and inter-agency briefing passing through US-jurisdiction infrastructure is accessible to US authorities — without ever notifying the operator.

Book a sovereign briefing → See the exposure
No US jurisdiction NIS2 space sector compliant Air-gapped ground station deployment available
Satellite Operations
Command & control, telemetry, on-orbit health monitoring, manoeuvre planning
Ground Stations
Mission control, tracking networks, uplink/downlink facilities, deep space comms
LEO Constellations
Multi-orbit fleet management, inter-satellite links, launch coordination, spectrum
Space Agencies
Inter-agency coordination, classified mission planning, Galileo, Copernicus, IRIS²
4,400+
Active satellites tracked by ESA — ground control and mission management for these assets are increasingly migrated to US cloud platforms, each command channel a potential CLOUD Act exposure point
72h
NIS2 Annex I essential entity notification window — space sector operators must report significant incidents affecting ground segment or satellite communications to national competent authorities
0
Legal mechanisms under GDPR Article 48 that permit a CLOUD Act order to be complied with lawfully — the same unresolved conflict now threatening satellite operators processing Earth observation data of EU territories
2031+
IRIS² sovereign satellite constellation target operational date — 18 participating EU member states requiring certified sovereign communications infrastructure for inter-agency ground-to-space coordination
The six risks

Why space sovereignty
cannot be an afterthought

Critical

Ground segment operations exposed to US jurisdiction

When mission control systems, satellite scheduling platforms, and ground station network management tools run on AWS, Microsoft Azure, or Google Cloud, the entire operational intelligence of a space programme sits under US jurisdiction. Under the CLOUD Act (18 U.S.C. § 2713), US authorities can compel disclosure of command sequences, telemetry archives, manoeuvre plans, and operational communications — with gag orders that prevent the space agency or operator from ever being notified. For national space programmes, this creates a structural intelligence leak embedded in the mission's own infrastructure.

CLOUD Act § 2713 · Extraterritorial compelled disclosure of mission operations
High Risk

Earth observation data sovereignty

Earth observation satellites capture imagery with strategic, commercial, and humanitarian value — topographic mapping, agricultural monitoring, maritime surveillance, disaster response, and classified reconnaissance. When the platforms that process, archive, and distribute this imagery run on US-controlled cloud infrastructure, a CLOUD Act order can compel disclosure of the raw imagery, analysis products, and access logs — revealing which territories are being monitored, at what resolution, and by whom. GDPR Article 48 provides no lawful basis for this disclosure, and the EU Space Programme regulation requires that Copernicus data processing remain under European jurisdiction.

EU Space Programme Regulation 2021/696 · Copernicus data sovereignty requirements
Structural

CLOUD Act meets Outer Space Treaty: an unresolved conflict

The 1967 Outer Space Treaty (OST) establishes that states retain jurisdiction and control over their space objects — including the communications infrastructure that controls them. When a national space agency or licensed satellite operator uses US cloud infrastructure for mission management, US domestic law (the CLOUD Act) gains the ability to access operational data that international law vests in the launching state. No international agreement resolves this conflict. Space agencies conducting dual-use or classified missions on US-hosted platforms are simultaneously complying with international space law and violating it — by ceding effective operational control to a foreign jurisdiction.

Outer Space Treaty Art. VIII + CLOUD Act · Jurisdictional conflict over space object control
High Risk · Coordination

Inter-agency space coordination on foreign platforms

Modern space programmes are inherently collaborative — requiring secure communications between national space agencies, international partners, launch providers, ground station networks, and research institutions across multiple sovereign jurisdictions. When these inter-agency coordination channels run on proprietary US platforms — Teams, Zoom, Slack — there is no open standard that allows agencies to communicate across organisational boundaries without routing through the vendor's US-jurisdiction infrastructure. A genuine open standard for federated communications is the only approach that allows each agency to maintain full digital sovereignty while still achieving the interoperability that multi-partner missions require.

CLOUD Act § 2713 + NIS2 Art. 21 · Multi-agency coordination sovereignty
Emerging · AI

Autonomous space systems and AI decision pipelines

The next generation of space operations relies on AI-driven autonomy — autonomous satellite manoeuvring, on-board anomaly detection, adaptive mission planning, and autonomous rendezvous operations. The AI inference models, training datasets, and decision logs that govern these systems represent some of the most sensitive operational intelligence a space programme holds. When AI operations infrastructure runs on US-controlled cloud platforms, the command logic and learning data that defines how a spacecraft behaves in critical scenarios is exposed to foreign jurisdictional access. Sovereign AI infrastructure for space autonomy is not optional — it is the condition for maintaining effective control of the space object as required by the Outer Space Treaty.

OST Art. VIII + EU AI Act · Sovereign AI for autonomous space operations
Operational · Compliance

NIS2 space sector essential entity obligations

The NIS2 Directive (2022/2555) explicitly lists space as a sector of essential entities in Annex I — encompassing operators of ground-based infrastructure that supports the provision of space-based services, including satellite control, telemetry, tracking, and command. As essential entities, these operators face the full Article 21 ICT supply-chain risk management obligations: every communications platform used in mission operations must be assessed, documented, and demonstrated to be adequately managed. A ground station operator using US-hosted communications for mission coordination must document the CLOUD Act exposure this creates — and would face significant difficulty demonstrating that this risk is adequately managed in any credible regulatory assessment.

NIS2 Annex I · Space Sector · Essential entity supply-chain accountability
The operational paradox

What space operators must protect vs. what US cloud exposes

Every space programme that uses US-hosted infrastructure for mission operations is simultaneously bound by national security obligations and exposed to foreign jurisdictional access — with no legal resolution in sight.

What US cloud exposes

Your mission intelligence is accessible to US authorities without your knowledge

  • Satellite command sequences and manoeuvre plans compelled under CLOUD Act gag orders
  • Earth observation imagery and analysis products exposed to foreign intelligence access
  • Inter-agency coordination channels accessible during active classified mission operations
  • AI decision logs and autonomous system configuration disclosed without notification
  • Ground station network topology and uplink/downlink schedules exposed as strategic intelligence
VS
What AMVLET provides

Sovereign communications infrastructure for mission-critical space operations

  • End-to-end encrypted operational channels for ground control, mission teams, and inter-agency coordination
  • No US jurisdiction — zero CLOUD Act applicability across all AMVLET infrastructure
  • Open standard federation enabling secure cross-agency communications without routing through any US-controlled intermediary
  • Air-gapped deployment for the most sensitive ground station environments
  • NIS2 space sector essential entity compliant — full supply-chain risk documentation available
Five regulatory layers

Every layer of the space regulatory stack
has a CLOUD Act exposure problem

AMVLET is purpose-built to address all five layers simultaneously — the only sovereign communications platform built for space operators and agencies.

Layer
Regulator
Who it covers
Framework
01
International Space Law
UN COPUOS · national space authorities
The 1967 Outer Space Treaty establishes that launching states retain jurisdiction and control over their space objects — including the ground infrastructure that commands them. US CLOUD Act compelled access to mission systems directly conflicts with this sovereign control requirement
All states operating spacecraft, licensed satellite operators, and ground station operators providing control services for space objects
OST Art. VIII
02
Network & Infrastructure Security
ENISA · national cyber authorities
NIS2 Directive Annex I explicitly classifies space sector operators — including ground-based infrastructure supporting satellite services — as essential entities subject to the strictest ICT supply-chain risk management obligations under Article 21, including 72-hour incident notification requirements
Ground station operators, satellite command and control providers, and space-based service operators with EU nexus — no size threshold applies
NIS2 Annex I
03
Data Protection
EDPB · national DPAs
GDPR applies to Earth observation data containing identifiable information about individuals or assets within EU territory, navigation service subscriber data, and all personal data processed by EU space operators. Article 48 provides no lawful basis for CLOUD Act compliance — creating a structural conflict for any operator using US-hosted processing infrastructure
All satellite operators processing EU personal data, Copernicus service providers, Galileo service operators, and space agencies with EU subscriber or user data
GDPR + OST
04
EU Space Programme
EUSPA · EU Commission · ESA
EU Space Programme Regulation 2021/696 mandates sovereign data processing for Galileo navigation, Copernicus Earth observation, and the GOVSATCOM governmental communications service. The IRIS² constellation programme (2031+) requires certified sovereign communications infrastructure for participating member states, with all inter-agency coordination outside US jurisdiction
EUSPA-contracted service providers, Copernicus data processors, Galileo service operators, member states participating in GOVSATCOM and IRIS²
EU Space Regulation
05
Government Cloud Sovereignty
EU Commission · Member State agencies
The EU Tech Sovereignty Package (May 2026) and Cloud and AI Development Act (CADA) explicitly restrict US cloud for sensitive public-sector workloads — a category that encompasses all space programme mission operations, ground segment management, and inter-agency coordination infrastructure classified as critical national infrastructure
Space agencies, licensed satellite operators, and ground station providers supplying services to EU governments, defence ministries, and critical infrastructure operators
CADA
What is actually at risk

Six categories of space operations data
exposed by US cloud infrastructure

Satellite command & control uplinks
Command sequences, manoeuvre orders, software uplink packages, and emergency safe-mode instructions for on-orbit assets — the most sensitive operational data a space programme generates. Compelled disclosure exposes the complete operational playbook for controlling the space object.
Mission telemetry and spacecraft health data
Continuous telemetry feeds including orbital parameters, attitude data, power system status, propellant levels, and sensor readings — data that reveals both current spacecraft condition and strategic vulnerabilities. Telemetry archives expose mission history and anomaly response patterns.
Earth observation imagery and analysis
Optical and SAR imagery, hyperspectral data, and derived intelligence products covering territories of strategic interest. Raw imagery archives, tasking requests, and analytical products that reveal which assets, infrastructure, and regions are under observation — and at what classification level.
Ground station network topology
Physical and logical architecture of ground station networks — antenna locations, uplink windows, coverage gaps, redundancy configurations, and inter-station routing. This topology data is strategic national infrastructure intelligence, revealing both capability and vulnerability across an entire space programme.
Inter-agency strategic planning communications
Mission planning documents, joint operation agreements, launch coordination, spectrum allocation negotiations, and classified programme communications between space agencies, defence ministries, and international partners — the full strategic intelligence of a nation's space programme, accessible via a single CLOUD Act order.
Autonomous systems configuration and AI decision logs
Training datasets, inference model parameters, decision logs, and configuration records for AI-driven autonomous operations — including on-board anomaly detection, autonomous manoeuvring, and adaptive mission planning. Disclosure reveals the full operational logic governing spacecraft behaviour in critical and classified scenarios.
Common questions

Space sovereignty: what agencies and operators are asking

Does the CLOUD Act apply to space agencies using US-hosted cloud infrastructure for mission operations?+
Yes. The CLOUD Act (18 U.S.C. § 2713) applies based on the nationality of the cloud provider, not the location of the data or the nature of the operator. If a space agency or satellite operator uses AWS, Microsoft Azure, or Google Cloud to manage any aspect of mission operations — command and control, telemetry processing, ground station management, inter-agency communications — US law enforcement can compel the provider to disclose that data regardless of where it is stored. The provider has no legal basis to refuse under US law, even for data belonging to a foreign national space programme. This directly conflicts with GDPR Article 48 for operators processing EU personal data, and with the Outer Space Treaty's principle that launching states retain jurisdiction and control over their space objects — including the infrastructure that controls them.
Is the space sector covered by NIS2, and what does that mean for ground operators?+
Yes — explicitly. NIS2 Directive Annex I lists space as one of the essential sectors, covering operators of ground-based infrastructure that supports the provision of space-based services. This includes satellite command and control operators, telemetry tracking and command (TT&C) providers, ground station network operators, and entities providing launch support communications. As essential entities, these operators face the full obligations under Article 21: comprehensive ICT supply-chain risk management covering all platforms used in operations, 72-hour notification requirements for significant incidents, and accountability for the security of every technology vendor in their operational chain. An operator using US-controlled communications platforms for mission coordination must document this as a supply-chain risk — and demonstrating that the risk is adequately managed, given the structural CLOUD Act exposure, is practically impossible.
How can space agencies from different countries communicate securely without routing through US infrastructure?+
This is the core operational challenge that open standard federation addresses. Proprietary platforms — Microsoft Teams, Zoom, Slack — cannot enable truly sovereign inter-agency communications because all traffic routes through the vendor's US-jurisdiction infrastructure, and neither frontend clients nor backend servers are interchangeable between organisations. A genuine open standard for federated communications requires both an open API between clients and servers, and an open federation protocol between servers from different vendors. This means each agency can deploy its own independently operated server — on its own sovereign infrastructure, under its own jurisdiction — while federating securely with partner agencies across national boundaries. No single server, no single vendor, and critically no US-jurisdiction intermediary sits in the communication path. This is the only architecture that enables both digital sovereignty and the interoperability that multi-nation space programmes require.
What happens to Earth observation data processed on US-controlled cloud platforms?+
Earth observation data processed on US-controlled cloud infrastructure — including raw imagery, derived products, and analysis metadata — is subject to CLOUD Act compelled disclosure. The consequences for a space programme are significant: not only can the imagery itself be compelled, but so can the tasking requests (revealing which territories are of interest), the access logs (revealing which users and organisations viewed which imagery), and the analytical products (revealing the intelligence conclusions drawn from the data). For commercial satellite operators, this creates GDPR exposure if the imagery contains identifiable information about EU persons or assets. For governmental operators, it creates a sovereign intelligence leak embedded in their own infrastructure. The EU Space Programme Regulation 2021/696 explicitly requires that Copernicus data processing remain under European jurisdiction for precisely this reason.
What does AMVLET provide specifically for space operations environments, including air-gapped ground stations?+
AMVLET provides a sovereign communications layer designed for the operational security requirements of space programmes — from routine inter-agency coordination to the most sensitive classified mission environments. For standard ground segment operations, AMVLET deploys on EU-sovereign cloud infrastructure with cryptographic keys held exclusively by the operator, supporting encrypted channels for mission teams, ground station operators, and inter-agency partners. For sensitive or classified environments, AMVLET's air-gapped deployment option enables fully isolated, offline-capable communications with no external network dependencies — purpose-built for ground stations operating under strict emissions security (EMSEC) and classification requirements. Open standard federation allows secure coordination with partner agencies and international space partners without routing through any US-controlled intermediary. Built-in audit trails, role-based access controls, and supervision tools support NIS2 Article 21 supply-chain documentation and classified programme security requirements.

Sovereign infrastructure for missions that cannot afford a single point of failure.

Talk to our space team about a deployment aligned to your mission security, regulatory, and inter-agency coordination requirements — from ground segment to classified operations.

Book a sovereign briefing → Explore Air-Gapped