AGEFI Luxembourg - juillet août 2025

AGEFI Luxembourg 46 Juillet / Août 2025 Informatique financière O n 25 June 2025, the European Commission published its proposal for an EUSpace Act, creating a harmonised legal framework on the safety, resilience and sustainability of space activi- ties within the EU. Harmonized rules should facilitate European companies to grow and oper- ate across borders. In addition to the Luxembourg “Space for Finance” initiative, the fi- nancial and insurance sector can also benefit from a clearer and harmonised reg- ulatory framework for space activities. EUSpaceAct in short In short, the EU Space Acts (the “ Act ”) aims to har- monisethelegalframeworkforspaceactivitiesacross theEUinthreecoreareas,namelythesafety,resilience and environmental sustainability. The Act sets out minimum key rules for tracking space objects and mitigatingspacedebris(safety),ensuringphysicaland cybersecurityrequirementstoprotectEuropeanspace infrastructureincludinggroundsegments(resilience), and assessing the environmental footprint of their space activities (sustainability). A central and publicly available Union Register for Space Objects (URSO) will list all space service providers that are allowed to freelyprovide their ser- vicesacrosstheEU,includingthird-countryspaceop- erators and international organisations. Upon registration,providerswillreceiveane-certificatecon- firming compliance with the Act. The proposal will be subject to discussions in the European Parliament and Council before its final version is voted on and will likely undergo amendments. The current pro- posal provides for application from1 January 2030. Who is concerned? The Act will apply directly to (i) public and private spaceoperators,includingoperatorsofspaceobjects, but also launchers, launch site operators and providersofin-spaceservices,(ii)collisionavoidance service providers, (iii) primary providers of space- based data, which does not only refer to (earth) ob- servation data but can also include for example satellite-based telecom providers, and (iv) interna- tional organisations providing space services or space-based data in the EU and operating space ob- jects for these purposes. TheActappliestobothpubliclyandprivatelyowned and operated space assets, including dual-use assets under civilian control. Only space objects exclusively used fordefenceor national securitypurposes, or temporarily placed undermilitary opera- tion and control, fall outside its scope. Al- though some derogations exist, non-EU space operators and launchers offering services to EU space operators or related to EU space assets will have to comply with the same obligations as their EU- basedcounterparts. TheEuropeanCom- mission (not Member States’ authorities) will oversee non-EU space operators through their designated EU-based legal rep- resentatives. The broader space industry supplychainwill be indirectly affected. Supplier contracts must include mandatory ele- ments such as information se- curity requirements, obligations toprovide data neededby the space operator to cal- culate the environmental footprint of its activities, andprovisions ensuringcomplianceof spaceobjects andcomponentswith legal designandmanufactur- ing standards. Obligations of space operators Besides mandatory authorisation and registration, a mix of technical, organisational and governance obligations apply to space operators. Research and education institutions as well as small-sized enter- prises may benefit from certain exemptions and simplified regimes. Authorisation and registration Member States may grant authorisations only to space operators meeting the Act’s requirements. Once authorised, the space operatormay register in the URSO and receive an e-certificate confirming compliance. Satellite constellations may, under cer- tain conditions, benefit froma simplified ‘single au- thorisation’ regime. Under this, one authorisation may cover the entire constellation based on the as- sessment of a single satellite,while authorities retain the right to inspect others in the constellation. Member Statesmust recognise theauthorisations is- suedbyothers, but onlyas regardsEU-level require- ments.MemberStatesmaystillapplymorestringent national standards. As a result, a full level playing field is not guaranteed and forum shopping cannot be excluded. Safety-related obligations Spacecraftoperatorsandlaunchersmustmeetspecific safety obligations. For example, launchersmust sub- mitalaunchandflightsafetyplanaswellasspacede- bris mitigation plans containing debris control measures and end-of-life disposal plans. Spacecraft operators must subscribe to collision avoidance ser- vices, ensure spacecraft manoeuvrability, comply with space traffic coordination requirements, justify theirorbitalchoices,andsubmitspacedebrisandlight and radiopollutionmitigationplans. Resilience-related obligations Space operators - including spacecraft operators, launchers, launch site operators and in-space service providers - must manage, in accordance with the principle of proportionality, risks to both their net- work/information systems and physical infrastruc- ture. Measures similar to those under the Digital Operational ResilienceAct (DORA) for the financial sector, include, among other things, cybersecurity policiesandstafftraining,identityandaccesscontrol protocols for ground segments, business continuity and response and recovery plans, testing pro- grammes for network and information systems - in- cluding threat ledpenetration testing (TLPT) prior to launch, crisis communication strategies and incident management processes. In principle, the Act’s requirements will take prece- dence over those of the NIS2 Directive concerning space infrastructure ground segments. However, in- cident reporting obligations under theActwill apply without prejudice to the reporting obligations pur- suant to theNIS2 andCERDirectives.AswithNIS2, the management body of a space operator may be held liable for riskmanagement implementation. Operators sharing cybersecurity information on a voluntary basis must ensure arrangements protect sensitive data and comply with business confiden- tiality, personal data protection, and competition law. These arrangements must include mandatory elements suchas specific conditions toenter, specific operational aspects such as the use of dedicated ICT platforms and details governing the involvement of public authorities. Sustainability-related obligations Space operators must comply with environmental sustainabilityrequirements.Theseincludecalculating anddeclaringtheenvironmentalfootprintoftheirac- tivitiesaspartoftheauthorisationprocess.Thedecla- rationmust include an electronic footprint certificate issued by a qualified technical body for space activi- ties.Aggregateddatasetsfromthesedeclarationsmay bemade publicly available via a central database. Support for companies It is no coincidence that the European Commission published its Vision for a European Space Economy on the same day as theAct. TheVisionoutlines over 40 actions to strengthen the EU’s space ecosystem, in- cluding support for emerging areas such as space mining and in-space resource utilisation which are key interests for the Luxembourg space ecosystem. TheActincludestargetedinitiativestosupportspace commercialisation and improve access to finance. For example, theEuropeanCommissioncommits to co-funding joint R&D projects in areas such as en- cryption technologies, on-board safety systems and in-spaceoperationsandservices(ISOS)technologies. Vouchers will be made available for coaching pro- grammes related to environmental footprint calcu- lations. Further, initiativeswill also be introduced to support SMEaccess toTLPTserviceswithin theEU. Acentralised information portal will help operators navigate and implement theAct. Effect on finance and insurance sector The use of space-based data is increasingly impor- tant to the finance and insurance sector. In this con- text, the Luxembourg Space Agency and the European Investment Bank launched their “Space for Finance”partnership inMay 2025, aiming to ex- pand the satellitedatausage in thefinancial domain. Thanks to theAct’s (cyber)securityand resilience re- quirements, banks and investorswill be able toplace greater trust in the reliability of satellite-based data. This enhanced confidence could, for instance, sup- port ESG reporting and compliance. Space-based data can thus certainly improve financial services’ reporting and sustainability efforts. Investors will benefit from a clearer, harmonised regulatory framework which includes e-certification, manda- tory registration, andpubliclyavailabledata related to the environmental footprint of space activities. Theinsurancesectorwhichalreadyusesspace-based data,suchasEarthObservation(EO)imagery,toval- idateclaimsandassessnaturaldisasterdamage,may also benefit from the Act’s positive impact on the safety and resilience of space activities, which they can integrate in their own risk assessments. Conclusion The Act marks a significant step towards a unified and forward-looking regulatory framework for space activities across the European Union. By es- tablishing clear rules on safety, resilience and sus- tainability, theAct not only strengthens the security and environmental integrity of Europe’s space in- frastructure but also creates a more predictable en- vironment for businesses, investors, and insurers. As the legislative process unfolds, the final shape of the Act will determine how effectively it balances regulatory oversight with industry growth and competitiveness. Sigrid HEIRBRANT Counsel - Avocat à la cour NautaDutilh Avocats Luxembourg S.à r.l. From orbit to office: what the EU SpaceAct means for financial leaders Par Anne-Sophie Morvan, Chief Commercial Officer et Alexandre Keilmann, Marketing Manager, LUXHUB L ’échéance approche à grands pas. Le 9 octobre 2025, les prestataires de services de paiement (PSP)membres SEPA établis au seinde la zone euro de- vront être enmesure d’émettre des virements instantanés, mais aussi de vérifier l’identité des bénéfi- ciaires de virements qu’ils soient instantanés, ounon. Cette obliga- tion, dénommée «Verification of Payee (VOP) » a été introduite par la règlementation sur les paie- ments instantanés (IPR).Adésor- maismoins de 3mois de l’échéance, ces PSP sont-ils prêts ? Comment peuvent-ils se confor- mer auplus vite, évitant alors d’im- portants risques de fraudes ainsi que de potentielles sanctions ? VOP en très bref IPR impose aux PSP de vérifier, en temps réel et sans frais additionnels, la correspondance entre lenomdudestina- taire et l’identifiant de son compte. Cette vérificationdoit être réalisée avant que le payeur ne sevoit offrir lapossibilitéd’au- toriser le virement concerné. Quatre ré- sultats sont possibles dans le cas où le bénéficiaire est identifié par son nom : une correspondance exacte ( MATCH ), une correspondance partielle ( CLOSE MATCH ), une absence de correspon- dance ( NOMATCH ) ouunevérification impossible ( VERIFICATION CHECK NOT POSSIBLE ). Le non-respect de cette obligation pour- rait exposer lesPSPàdes sanctions admi- nistratives, notamment financières, ainsi qu’à une responsabilité juridique accrue vis-à-vis de leurs clients. Pour les PSP, le défi est important et l’heure tourne. Pour une vérification efficace, ils doivent potentiellement être en mesure de se connecter à quelques 3 000 banques et établissements de paiement et de mon- naieélectronique,mobiliserleurséquipes –métiers, informatiques et juridiquesno- tamment –pour répondre à cetteproblé- matiquerèglementaire,etbiensûrimplé- menter un service fiable garantissant cette vérification du bénéficiaire. S’appuyer sur un RVM pour accélérer sa conformité Des acteurs spécialisés, les RVM (Rou- ting and/or Verification Mechanisms) peuvent alors intervenir pour le compte des PSP à plusieurs niveaux, facilitant ainsi leur conformité à l’obligationVOP. Cela se manifeste tout d’abord dans les différentes formalités à accomplir auprès du schéma VOP de l’EPC (European PaymentsCouncil) dans le contexte des- quelles les RVMaccompagnent en prin- cipe leurs clients. Ce schéma définit l’ensemble des règles et normespermettant l’interopérabilité et l’accessibilité entre les acteurs de la chaîne VOP. L’inscription dans le regis- tre des participants est indispensable pour pouvoir opérer. Les deux pre- mières phases d’adhésion sont déjà closes : les PSP n’ayant pas encore effec- tué les démarches sont invités à le faire dans les plus brefsdélais, avec le support de leur RVM le cas échéant. Après l’enregistrement suit laphased’in- tégrationdans l’EDS (EPCDirectorySer- vices) qui peut elle aussi être facilitée par la collaboration avec un RVM dans le cadre d’un « onboarding simplifié ». Enfin, lavocationprincipalede cesRVM est de réaliser (i) les services de routing et (ii) de vérification des requêtes VOP : (i) Services de routing Le premier service est pertinent pour le PSP lorsque son client veut initier un vi- rement et qu’il doit lui fournir le résultat de lavérification. Pour ce faire, au travers du RVM de son choix, le PSP initie une demande sur base des informations fournies par le payeur. Cette demande est routée par le RVMvers le PSP du bé- néficiaire, sous réserve que ce PSP soit l’une des 3 000 entités identifiées auprès de l’EPC. LeRVMrestitue ensuite immé- diatement le résultat qui lui a été com- muniqué au PSP du payeur. Ce dernier peut ainsi prendre une décision quant à l’autorisation de son virement. (ii) Services de vérification Lesecondserviceestquantàluipertinent lorsque le client duPSPest lebénéficiaire d’un potentiel virement. Ainsi, a contra- rio,lePSPdoitrépondreàlademandedu PSP du payeur sur la concordance entre les éléments qui lui sont soumis et ceux dont il dispose dans ses bases de don- nées. Dans ce contexte, un RVM peut se positionner en amont, réceptionner ces requêtes et les traiter au nom et pour le compte du PSP du payeur sur base d’un algorithmedéveloppé surbasedes règles définies par l’EPC. La VOP n’est pas une simple exigence technique et règlementaire : ellemarque une étape clé dans la sécurisation des paiements en Europe. Pour les presta- taires de services de paiement, il s’agit désormais d’un enjeu stratégique et opé- rationnel majeur, à moins de trois mois de l’échéance. LUXHUB, en tant que RVMmais égale- ment Regtech spécialisée dans le secteur des paiements, accompagne aujourd’hui de nombreux PSP dans lamise en place de la vérificationdubénéficiaire. Son ex- pertise Open Banking et des enjeux de conformité font de LUXHUB un parte- naire de choix pour les prestataires de services de paiement européens, avec la mise à disposition d’une plateforme ro- buste et éprouvée. Plus d’informations sur https://luxhub.com/products/payee-verification-platform/ VOP : dernière ligne droite pour les prestataires de services de paiement