- Sovereignty as a Service – IRIS² and the EU’s New Connectivity Model - 16 March, 2026
Secure connectivity has become a strategic utility. States rely on reliable, encrypted links for diplomacy, crisis management, and defence, while economies depend on resilient networks for everything from logistics to finance.
The EU’s solution is the Infrastructure for Resilience, Interconnectivity and Security by Satellite (IRIS²), a multi-orbital satellite system meant to provide secure services for public authorities while also enabling commercial connectivity.
At first glance, the story appears familiar. Europe already built flagship space programmes such as Galileo and Copernicus. IRIS², however, is less a “European Starlink” than a governance experiment. The system is built around a 12-year concession and a public-private partnership, embedding sensitive public-sector requirements in a commercially operated model.
That design choice raises a central political question: who controls access, priority, and accountability when secure connectivity becomes scarce, especially in a crisis?
Why IRIS² exists
Before IRIS², Europe’s secure satellite communications were largely a patchwork of national capabilities, ad hoc pooling and commercial purchases. This setup was uneven by design, and in key situations it could entail dependence on non-European providers for surge capacity or coverage.
The EU’s secure connectivity programme for 2023-2027 addresses this gap with a clear premise: the Union needs satellite communications under civil and governmental control with a strong security dimension. The programme’s EU budget contribution is €2.4 billion for 2023-2027, and the model anticipates additional public and private investment to build out capability.
IRIS² is the headline infrastructure of this broader initiative. The Commission describes it as a multi-orbital constellation of around 290 satellites, designed to provide secure connectivity services to the EU and its Member States while also supporting wider connectivity objectives.
The roll-out is phased. The GOVSATCOM program first pools and shares existing capacity, while IRIS² is intended to later deliver full governmental services by 2030.
From launch to implementation
A recurring weakness in debates on European strategic autonomy is their tendency to remain at the level of aspiration. IRIS² is different in that it already follows a concrete institutional trajectory.
First, the programme establishes a legal and policy framework that treats secure satcom as an EU-level capability rather than a purely national add-on.
Second, it codifies an incremental approach: GOVSATCOM as a bridge delivering earlier benefits while IRIS² is built as the longer-term system.
Third, it locks in a delivery model. The EU will not only procure infrastructure; it will procure a service, operated over time, under security requirements.
The point is not that Europe suddenly has sovereign connectivity. Instead, the EU is attempting to build sovereignty through governance, procurement, and operational rules.
The governance model
The Commission awarded the 12-year concession contract for IRIS² in late 2024 to the SpaceRISE consortium, composed of SES, Eutelsat, and Hispasat and supported by a wider industrial ecosystem across the satcom value chain.
The contract structure matters because it blends two logics that do not naturally align.
The first is security logic. Government users need assured access, robust encryption, and clear authority over sensitive functions such as service continuity and emergency prioritisation.
The second is commercial logic. Operators must manage cost, risk, and long-term profitability, especially when the constellation is large and technologically complex.
The EU’s response is layered governance. The European Union Agency for the Space Programme (EUSPA), for example, coordinates user relations and manages key secure ground-segment elements in GOVSATCOM, in cooperation with Member States and other entities. The European Space Agency (ESA), meanwhile, is entrusted with a qualification and validation role for governmental infrastructure, supporting delivery against EU requirements.
In principle, the EU adopts a familiar model of distributing roles across institutions, pooling national assets, outsourcing what can be outsourced, and anchoring the public interest in regulation and security requirements.
In practice, it creates a predictable accountability puzzle. When responsibilities are divided across the Commission, EUSPA, ESA, Member States, and private operators, failure modes multiply. If service is degraded, priorities clash, or security requirements collide with commercial constraints, the central question becomes who has the authority to fix it, and fast?
What sovereign access depends on
In a concession model, control is defined by a bundle of contractual and institutional levers that determine who can decide what, when, and with what enforcement power.
In principle, the EU can hard-code sovereignty through the service model, incorporating minimum service levels, security accreditation requirements, audit rights, and clear change-control rules for software, encryption, and ground-segment updates.
Those levers matter only if they remain effective when commercial incentives and public imperatives diverge, because this is precisely when strategic systems tend to be stress-tested.
This is also where the risk profile changes. The EU is not only protecting itself from external dependency; it is managing the risk of a new dependency on an operator model whose incentives must be aligned, monitored, and corrected over a 12-year lifecycle.
This may appear to be a theoretical debate until a practical question arises: what happens when multiple public authorities demand priority access simultaneously?
The hardest test case: priority access in a crisis
Secure connectivity becomes politically contentious when demand spikes, capacity is finite, and choices must be made quickly.
That is why the most revealing governance question for IRIS² is how priority access is allocated and enforced. The Commission’s own framing highlights governmental use cases ranging from crisis management and surveillance to secure communications for EU delegations and external action.
In a high-pressure scenario, such as major cyber disruption, escalation in Europe’s neighbourhood, and simultaneous demand from border agencies, defence users or diplomatic services, the system would need more than a generic principle of “public users first.” It would require a clearly defined escalation chain, predefined user classes, and a dispute-resolution mechanism that prevents priority decisions from turning into ad hoc bargaining among Member States.
The EU’s phased approach makes this particularly sensitive. During the transition, pooled capacities (GOVSATCOM) and new infrastructure (IRIS²) will coexist. While this hybrid phase can be operationally effective, it complicates governance due to differences in capabilities, contractual constraints, security classifications and potentially decision chains inside one secure connectivity label.
Governance therefore must be coherent across the bridge and the end-state system, or sovereign access risks becoming a brand applied to multiple rulebooks.
What IRIS² can solve – and what it cannot
IRIS² is often discussed under the banner of strategic autonomy, but autonomy operates at several layers.
First, there is supplier autonomy. IRIS² is designed to strengthen Europe’s control over critical infrastructure and reduce reliance on external providers for sensitive connectivity.
Second, there is operational autonomy. The EU’s ability to task and prioritise services in real time depends on governance arrangements that are mostly invisible to the public, like security accreditation and escalation procedures.
Third, there is technological autonomy. IRIS² is expected to integrate advanced security features, including links to Europe’s quantum communications efforts through EuroQCI, which aims to build a quantum-secure infrastructure across the EU and its territories.
This third layer is easy to oversell. Quantum key distribution is not a magic shield; rather it represents a set of capabilities constrained by engineering challenges, gradual integration processes, and heavy dependence on interoperable ground infrastructure.
What follows is a simple point with large implications. IRIS² is not only a commercial contest; it is part of a geopolitical rivalry over resilience and secure infrastructure.
Europe is not trying to out-scale Starlink satellite-for-satellite. Instead, it seeks to institutionalise resilience through assured service for public missions, even if that looks slower and less glamorous. But institutionalised resilience only works if governance is treated as a first-order design challenge.
The real metric is decision authority
IRIS² will likely be judged publicly by visible markers such as launches, coverage maps and headline budgets. Yet the programme’s strategic value will be decided by another metric: whether Europe can make fast, legitimate, and enforceable decisions over secure connectivity when access becomes contested.
A concession model can work, especially if it mobilises private capital and operational expertise. But it shifts the centre of gravity from hardware to rules and questions like who gets priority access, how is security accreditation enforced, and which accountability mechanisms remain robust when political pressure is high and time is limited.
If IRIS² succeeds, it will not just add another constellation to the sky. It will establish a European capacity to govern critical connectivity under pressure without improvising rules mid-crisis.
Questions
1. Does building strategic infrastructure through a public-private concession strengthen EU autonomy, or does it risk creating a new kind of dependency inside Europe itself?
2. If IRIS² becomes a shared EU utility, how much control should member states be willing to hand to Brussels when fast decisions are needed?
3. When security and business goals pull in different directions, who will make the decisions: EU institutions, member states, or the private operators running the system?
Readings
Borek, R., Hopej, K., & Chodosiewicz, P. (2020). GOVSATCOM makes EU stronger on security and defence. Security and Defence Quarterly, 28(1), 44–53. https://doi.org/10.35467/sdq/118743
Tricco, G. (2023). The upcoming of Iris2: Bridging the digital divide and strengthening the role of the EU in International Space Law. Journal of Law, Market& Innovation, 17-42 Pages. https://doi.org/10.13135/2785-7867/7952
Wrange, J. (2026). Strategic autonomy: A ‘quantum leap forward on’ European total defence? European Journal of International Security, 1–22. https://doi.org/10.1017/eis.2025.10034
