- Application for DPO
- Classification or notification of changes
- Acceptance of approvals issued by third countries
- Categorisation of systems or equipment
- Categorisation of software
- Commercial off the shelf (COTS) systems or equipment
- Cloud-based architectures
- Development Assurance for Software or Hardware
- Non-compliance
- Partnership Agreements
- Registry of certificates, statements of compliance, defects
- Scope/Applicability
- Means of compliance (MOC)
- Conformity assessment during the transition period
- Implementation support to stakeholders
Application for DPO
Our product will require certification under the new framework and our company would like to become an approved Design or Production Organisation. COMMISSION IMPLEMENTING REGULATION (EU) 2023/1769 includes DPO.OR.A.010 which states: "An application for a design or production organisation approval shall be made in a form and manner established by the Agency". Where can I find these these forms, and how does the application process work in practice?
The “Application for Design or Production Organisation (DPO) Approval” is now available on the EASA Application Services website. Organisations that are interested to become an approved DPO can find the new form (FO.AOA.00085) on the Application forms website. Detailed instructions to help applicants fill in the form are embedded at the bottom of the form itself. Additional information related to DPO and other ATM/ANS topics can be found on the EASA ATM website.
As always, any queries related to the approval of an ATM/ANS Organisation, ATCO Training Organisation, or Design or Production Organisation (DPO) can be sent to: AtmAnsOrg [at] easa.europa.eu.
The process of becoming an approved DPO begins when an organization submits an application. Once an application is received and accepted, an EASA project team will be created and assigned to the project. It is also possible to schedule a “pre-application” meeting with EASA to clarify specific points before an application is formally submitted. However, please be aware that your project schedule may need to accommodate delays that result from scheduling constraints.
If a manufacturing company has several subsidiaries in several countries, is a DPO certificate expected for each of the subsidiaries or would there be a way to get an overall for the entire company?
Any natural or legal person who has demonstrated, or is set to demonstrate, their capability to design or produce ATM/ANS equipment, may apply for a design or production organisation approval under the conditions laid down in EU IR 2023/1769.
In this context, if the legal entity has formalized control over other legal entities (i.e., subsidiaries), then these subsidiaries can be covered by the DPO approval. For example, if the legal corporate entity (aka the “parent company”) submits an application as DPO, then it can choose to include subsidiary organisations under Section 2.3 “Additional Locations” on the DPO application form.
However, be aware that this is not simply a matter of legal definition on paper. The DPO applicant must demonstrate that all subsidiaries are also meeting the requirements needed for DPO approval (e.g., competencies, procedures, etc).
In accordance with ATM/ANS.EQMT.CERT.005 on Eligibility, any natural or legal person who has demonstrated, or is in the process of demonstrating (i.e. is an applicant), their design capability in accordance with point ATM/ANS.EQMT.CERT.010, may apply for the issuance of an ATM/ANS equipment certificate.
A DPO needs an organisation approval at latest by September 2028, but it could already apply now. Formally speaking, the certification process of an ATM/ANS equipment could be launched during the DPO approval process. However, it should be noted that the certificate of ATM/ANS equipment could be issued by EASA only after the DPO is approved. The same applies for an ATM/ANS equipment declaration of design compliance; the DPO could issue the declaration but only after the DPO approval is completed and issued.
Which cost can be expected to perform a DPO approval? (external cost, e.g. to be paid to EASA)
An estimate of workload connected with the approval procedure is provided by EASA as part of the quotation that may be requested in the application. As DPO is an entirely new domain for the Agency, these activities in accordance with the principles in the F&C regulation will be charged on an hourly rate basis. This is stated under Chapter IV, Article 21, Subparagraph 2 (page 10 of Regulation 2019/2153):
“The hourly rates set out in Part II of the Annex shall apply as of the entry into force of this Regulation to any tasks ongoing at the entry into force of this Regulation and for which fees or charges are calculated on an hourly basis.”
The level of effort depends on a number of specific factors linked to the organization itself and the type of equipment under consideration, so the assessment is done based on the documentation and exposition of activities accompanying the application. This is why EASA only provides detailed estimates in conjunction with a submitted application. The following provides additional detail:
- An applicant is entitled to request a financial quotation, and the Agency will provide the quotation before starting the investigation. This ensures that the DPO applicant has all the financial elements to make a business decision. An applicant can request a financial estimate (including working hours) via point 8 of the Application form. After submitting the application, EASA will reply with a quotation of estimated cost. Invoicing will be done based on the actual effort.
- The production of the estimate should not last more than a few working days, in parallel to the assessment of technical and administrative eligibility of the application, and the information is provided to the applicant. Procedurally, there is a maximum period of 90 days for the applicant to evaluate the quote and accept it.
- If the applicant would decide not to accept the quotation, there would be no fees/charges incurred. The investigation would start once the quotation is accepted.
- It is also important to be aware that an approved DPO organisation will incur additional costs under the EASA oversight activity. This oversight activity will also be invoiced for hours worked and travel costs.
If an organization has other questions linked to filling out the DPO application forms or about the logic applied to the initial investigation in order to better prepare the approach, it is possible to schedule a “pre-application” meeting with EASA to clarify specific points before an application is formally submitted.
In order to apply for EASA acceptance of a Federal Aviation Administration (FAA) approval, does our company have to be an EASA-approved design or production organisation (DPO) beforehand?
The current EU-USA Bilateral Agreement and the EASA-FAA Technical Implementation Procedures (TIP) do not address ATM/ANS ground equipment conformity assessment and ATM/ANS design or production organisation approval.
In accordance with ATM/ANS.EQMT.CERT.005 'Eligibility', any natural or legal person who has demonstrated, or is in the process of demonstrating (i.e. is an applicant), their design capability in accordance with point ATM/ANS.EQMT.CERT.010, may apply for the issuance of an ATM/ANS equipment certificate. This includes non-EU (e.g., US) stakeholders.
In order to perform maintenance and provide support of equipment produced by our company and that is already deployed in Europe, does our company need to be an approved design or production organisation (DPO)?
Responsibilities in relation to ‘routine maintenance’ are in the sphere of the ATM/ANS provider’s responsibilities as prescribed under Regulation (EU) 2017/373, and are performed following the instructions/manuals provided by the design and production organisation of the equipment.
Therefore, there is no need to become an approved DPO in order to perform the maintenance.
In contrast, a change to already deployed equipment must be performed in accordance with Regulation (EU) 2023/1768. During the transition period, the air navigation service provider (ANSP) may change the equipment using a 'Statement of Compliance'. However, after the transition period, the implementation of changes for equipment subject to Article 4 or 5 will require an approved DPO.
What about home-made ANSP equipments? Does the ANSP need to be accredited as a DPO?
It depends on the criticality and the categories. For example, Air/Ground communciation is certified equipment, so it need to be certified. If it involves AIS or MET,then there are two possibilities: a Statement of Compliance can be issued by the ANSP, or the ANSP can contract this to an approved DPO.
If an ANSP designs and builds an integrated system, e.g. integrating software from various suppliers onto a data centre infrastructure (noting this may involve "DPO" activities, and some specifications can only be fully implemented/verified at this level) is the ANSP expected to certify as a DPO?
In those cases, yes, the ANSP has to be certified as an approved DPO to have those privileges.
Classification or notification of changes
Major and minor changes (Major/Minor changes) - the description of what is a major and what is a minor change (for major changes, the need to issue an SoC/Declaration/Certificate) is defined in general terms in the regulatory proposals. There was no consensus on the interpretation at the EASA webinar. It is necessary to define the criteria for including the change in the big/small category
The definition of major/minor changes are provided at the AMC/GM level. Further details on the delineation between minor and major changes will be clarified in the forthcoming set of AMC/GM associated to Regulation (EU) 2023/1769 and apply regardless of when the system was deployed/implemented.
The new regulation does not require a notification and documentation of a small change - in cases where the SoC is not changed. A different approach compared to today's DoVs, which cover the entire life cycle of a component/equipment - for small changes, a TF change is made. Will this create a problem at the end of the transition period? – TF will not be updated and SoCs will only have some changes
The details for the notification and management (incl.) documentation) of minor changes are illustrated at AMC/GM level.
What should an air navigation service provider (ANSP) expect to receive from a design or production organisation (DPO) for minor changes that are not notifiable to EASA and do not result in an update to the certification, and is the ANSP still expected to notify these minor updates as changes to the functional system?
The DPO is eligible to design and implement minor changes to its CERT/DECL equipment, but has to notify these changes to EASA in any case.
The DPO is required to communicate to the ANSP any update to the technical manuals and maintenance instructions of the equipment.
The ANSP is responsible to notify a change to the functional system in accordance with the change management procedure approved by the competent authority, which may or may not require prior approval.
Acceptance of approvals issued by third countries
Some of the equipment produced by our company has a Federal Aviation Administration (FAA) approval and some equipment does not. For the FAA-approved equipment, can you confirm that our company can apply to have the FAA certification accepted by EASA?
It is acknowledged that there is an EU-USA agreement on cooperation in the regulation of civil aviation safety (i.e. via a Bilateral Aviation Safety Agreement (BASA)). However, there currently are no Technical Implementation Procedures (TIP) for ATM/ANS equipment in place to allow direct acceptance/recognition of FAA approvals/certificates.
Categorisation of systems or equipment
We are still not sure, in which category some specific equipment falls and thus we would appreciate a more detailed allocation oversight of specific systems to categories (e.g. electr. flight strips; network equipment, Server HW, virtualisation and operating systems, used for all kinds of systems).
First step is to assess the scope of the equipment and which function it supports. This assessment will determine the category to which it belongs.
Division of today's EATMN components into CA categories. For some existing systems, the categorization is debatable (e.g. EFS). Does the new regulation require anything similar as so called “distribution of systems and constituents within the functional system”?
The new regulatory framework clearly defined the ATM/ANS equipment subject to the various attestation methods – certification/ declaration of design compliance and statement of compliance. The scope will be further illustrated at DS/AMC/GM level.
Does a primary surveillance radar (PSR) being provided to the European Union require certification under Regulation (EU) 2023/1768? If so, are there any published detailed specifications (DSs) for PSRs?
No, the PSR that only performs the surveillance function does not require certification.
Since the PSR is used to provide surveillance data for the purpose of ensuring safe and interoperable air navigation, it is considered ATM/ANS equipment that falls under Article 5(1)(b) of Commission Delegated Regulation (EU) 2023/1768. Therefore, a PSR would require a declaration of design compliance (see also Annex III to Regulation (EU) 2023/1768) rather than certification.
At the moment, DSs only contain general requirements for PSRs, but no specific technical requirements. However, DSs will follow regular updates in accordance with Rulemaking Task (RMT).0744.
Categorisation of software
For surveillance (SUR) equipment, e.g. ADS-B station, there is also processing equipment (including software) for at least converting the received signal to ASTERIX. Does this mean that this equipment will always be subject to certification by EASA?
The key criteria for the equipment is the intended function that the equipment supports. Software (SW) per se is not always subject to certification but the function the SW supports. If the intended supported function is not subject to certification, then the SW is not required to undergo the certification process. In the example, an ADS-B station will support the SUR function, and thus, as per Article 5 of Regulation (EU) 2023/1768, the equipment (including the associated SW) will be subject to a declaration by a design or production organisation (DPO).
GM1 GE.GEN.003 'Software': It is stated that firmware is considered as software. Is this also the case for libraries, operating systems, enterprise service bus (in service-oriented architecture (SOA)), security software, and all software used for virtualisation (e.g. VMware)?
Yes, if those are part of the equipment definition that is subject to the certification/declaration process.
Commercial off the shelf (COTS) systems or equipment
Is it correct to assume that COTS IT/network elements (e.g. servers, routers, switches) do not have the need for certification or declaration, if they are not part of the equipment subject to certification/declaration? E.g. certified software is delivered by DPO, which can be run on any platform/network at the ANSP, which is not certified but fulfils the specifications provided by the DPO.
Boundaries of the system / constituent are defined by the DPO. As such, COTS IT equipment can be well outside of the system subject to certification / declaration. Such system can be composed of SW only.
When a certain equipment requires underlying/supporting infrastructure (e.g. IT, network, cloud), the characteristics and requirements for this infrastructure are to be defined by the DPO and provided to the ANSP with the installation and operation instructions and any other integration requirements. The underlying infrastructure does not necessitate to be part of the equipment design and therefore does not necessarily form part of the certification envelope.
Cloud-based architectures
How the case of an ANSP cloud based architecture and a SW application produced by a DP0 which is subject to certification or declaration will be handled ?
The ANSP has to demonstrate to meet the functional requirements and the interface requirements. If the system is cloud based, then it is possible that the information security aspects may require specific scrutiny. However, the requirements are not dictating any specific architecture or HW/SW.
Development Assurance for Software or Hardware
Who is going to define software / software assurance level (SWAL) requirements for a particular ATM/ANS system? EASA, ANSP, ...?
The design or production organisation (DPO) should anticipate the SWAL that is expected by the air navigation service provider (ANSP). This SWAL needs to be incorporated into the DPO’s software development process of the equipment. The EASA attestation is granted according to that SWAL. It is the responsibility of the DPO to declare the SWAL that will be followed for the development of the equipment. This needs to be documented by the DPO in the certification programme.
The ANSP has the responsibility to select equipment in accordance with the safety assessment and the SWAL requirement for the functional system.
Did I understand correctly that the software assurance level (SWAL) assignment and stating that the equipment is safe for use is moved to design or production organisations (DPOs)? I got that impression from previous sessions and disagree since safety (as security) depends on the operational usage of the equipment. What is your opinion?
If the software design assurance level (SW DAL) of equipment depends on ATM functions of the air navigation service provider (ANSP), how do you guarantee that certified/declared equipment will be available with such an expected level? Aren't we creating a chicken-and-egg issue?
This is similar to the case of safety objectives; the market will tend to provide products that are demanded by the ANSPs. A design or production organisation (DPO) will develop products per their anticipated selected software assurance level (SWAL). The ANSP will select the equipment that meet the required SWAL to meet their safety objectives of the functional system.
See also answer to FAQ ‘Who is going to define software/SWAL requirements for a particular ATM/ANS system? EASA, ANSP, ...?’.
ED-153 considers that the air navigation service provider (ANSP) shall allocate the software assurance level (SWAL). Which standard support that the DPO shall allocate the SWAL? As in a previous comment, ANSP should allocate the SWAL and DPO should evidence. Why the change? (in a previous question, the answer was that the DPO allocate the SWAL)
Non-compliance
The implementation of a change from the awarding of a public contract to the introduction into operation is a long-term process, during which the following situations may occur (we are considering the transition period): - Issuance of the specification for the given device during implementation - Failure to certify the supplier by the end of the transition period - Reluctance of the contracted supplier to certify. We consider it appropriate to agree with the procedure of the provider/regulator for these cases. Does EASA work on something as a guidelines in this matter?
The new regulatory framework consisting of 5 regulations has been published on 15 September 2023 and will be applicable as from beginning of October 2023. Any DS/AMC/GM will be associated to facilitate the implementation of the ATM/ANS ground equipment conformity assessment. If a regulated party is not in a position to apply any of the requirements, the Flexibility provisions under Article 71 of EASA BR could be applied for a certain period of time.
For a system subject to SoC: If there is a documented non-compliance with some detailed specification, does that automatically mean, it must not be put into operation, or can it be put into operation based on some evaluation criteria? If yes, which are these criteria?
Considering that the detailed specifications are “soft law”, deviations to the detailed specifications (i.e., non-compliances) can be declared within the statement of compliance. Please refer to the associated AMC/GM Article 6 of the Delegated Act.
Partnership Agreements
What is the process to follow for an NSA to support EASA in its activity?
There will be need for coordination and information exchange between EASA and NSAs. If the question is about possible contribution of NSA into EASA assessments, then it is reminded that partnership agreements are possible. EASA intends to make use of that instrument, to get support from NSAs when needed.
Registry of certificates, statements of compliance, defects
Does EASA plan to publish an EU-open database recording: a. Certified DPO with the details of the certificates ( validity, etc.), b. Certified GE with the details of the certificates, c. Issued SoC by ANSP or DPO, d. Known defects on certified and declared GE?
Some of the elements of the list will be included in EASA registry that is going to be created. For elements A and B, EASA needs to consider which info could be public. EASA does not anticipate the need for C at the moment. For d. the information will be made available to interested parties, for example, for occurrence reporting. This needs to be assessed internally, but at the moment EASA does not anticipate making this available for public information.
Scope/Applicability
We assume that only those systems are subject to Certification/Declaration/SoC, where applicable specific Detailed Specifications have been issued. Is this assumption correct?
In fact, systems that require attestation are defined in Articles 4, 5 and 6 of the Delegated Regulation (EU) 2023/1768. All these systems have to fulfil at least the general requirements contained in the detailed specifications. Additionally, systems will have to comply to specific detailed specifications in case they are available.
We assume that Electronic Flight Strips are not subject to certification (EFS does not fall into 3b, as EFS does not provide separation of aircraft or prevention of collision, it is not 3a either, there it must be 3c). Please confirm.
EFS falls in the scope of the ATC equipment that supports ATCO’s in providing separation.
What parts of the system need to be certified/how can we define the equipment/constituent that needs to be certified. E.g. Flight strips System with several servers, operating system and virtualisation, switches, operating position equipment plus some software components. Can the DPO only certify the software, with definition of hardware requirements and the customer (or we) purchases any COTS HW, which fulfills these requirements?
It is a decision of the DPO to set the boundaries of the equipment that they wish to certify/declare.
COTS HW is not automatically excluded because it is COTS. However, if COTS HW is part of the supporting infrastructure, then it may fall out of the product boundaries.
Is the following requirement applicable for all ATM/ANS Equipment in "PART 2 — ATM/ANS equipment subject to certification / Subpart A — Air traffic services: "DS GE.CER.ATS.110 ATS recording ATM/ANS equipment specified in this Subpart is to provide recording and replay capability of technical and operational data, and system status."?
Yes, it is applicable for all in Part 2.
DoV refers to the systems structured according to support of the functions and services provided within the functional system defined by the respective ANSP, while SoC refers to components/equipment. DoV also covers the integration process within ANSP, while a SoC is at the level of today's DSU, DoC. Is this assumption correct?
Not exactly. E.g. point 3 of Annex VIII (Essential requirements) of EASA Basic Regulation also refers to “The systems and procedures shall include in particular those required to support the following functions and services (…)”. Thus, the principle is the same. As regards the integration, it remains as today the ATM/ANS provider’s responsibilities as only the ANSP has the global picture of the complete functional systems and how it will behave or continue to behave after the integration.
The DoV is also documenting the integration of components/devices into the provider's systems within its FS, the new regulatory framework does not cover this integration - the SoC issuing process ends before the device is integrated into the FS, the integration is done as a change to FS. Is this assumption correct?
Yes, the integration should be assessed as part of the change to the functional system.
In Part 3, Subpart C, what about PSR and SMR?
They will be introduced in due course, at further updates, as EASA moves forward. Hopefully, before the transition period expires.
Could you please elaborate a bit more on the Statements of Compliance (SoCs) in case there are no detailed specifications DSs? If there are no DSs, then no SoC is required, right? Otherwise, any single and simple system would need a SoC?
Equipment that falls under Article 6 of Regulation (EU) 2023/1768 is subject to compliance with the DSs in DS-GE.SoC. The attestation of compliance must be made through an SoC.
DSs contain general requirements that must be complied with (Subpart A ‘General’ in DS-GE.SoC), even when there are no lower-level specific requirements in the DSs. Therefore, an SoC is required when the equipment falls under Article 6, even when there are no specific DSs.
From your explanations, we infer that if we need to put into service a system but there are no DSs, then we only need to comply with the GENERAL part of the DSs: Is this interpretation right?
That is correct.
If a detailed specification (DS) does not exist for certain hardware (HW) or software (SW), e.g. the application that provides to air traffic controllers (ATCO) the radar availability chart on the auxiliary display, is it subject to this regulatory package? I would say neither CERT, DECL nor SoC are applicable in this case? Only change management should be applied?
It is not the lack of lower-level specific requirements in a DS that determines if certain equipment is subject to CERT/DECL/SoC, but rather Articles 4, 5, and 6 of Regulation (EU) 2023/1768.
Articles 4, 5 and 6 address what is included at each category. Therefore, equipment supporting air traffic control (ATC) service provision will be subject to compliance with the DSs.
It is important to note that DSs always contain general requirements that must be complied with, even when there are no lower-level specific requirements in the DS.
Means of compliance (MOC)
Should the ATM/ANS Equipment Release Form attach external documentation/evidence how the GE is compliant with the AMCs and DSs?
The release form is a declaration that what the manufacturer produced is in compliance with the applicable detailed specifications. There is no requirement or need for additional evidences.
Conformity assessment during the transition period
We assume that all systems in operation before September 13 are grandfathered and only need SoC after major changes. Please confirm.
According to the transitional provisions, systems in operation before 5 October (entry into force date) holding EC declarations in accordance with Regulation (EU) No 552/2004 are deemed to have been issued with certificate, declaration, or statement of compliance.
In case of major change, there is a need to reissue the SoC.
What happens with the equipment sold by a DPO during the transition period and installed by the ANSP but at the end of the transition period, the DPO is not certified by EASA?
During provisional period, it is possible to issue a statement of compliance (SoC). It becomes legacy equipment at the start of 2028. Therefore, legacy ATM/ANS GE issued with a SoC during this transition period (2023-2028) will be subject to evaluation by EASA and subject to certification/declaration. After 2028, this path will be closed.
In the following scenario, an ANSP put into service a GE (i.e. ADS-B) with its SoC, in September 2028 the manufacturer is not approved as DPO. Should the ANSP deinstall it and deploy a GE from another DPO?
Between 2023 and 2028, attestation of equipment is achieved though a SoC. After 2028, there will be an EASA evaluation. If those equipment are installed, they will remain in operation. But if they need to be updated/modified, there will be a need to conduct certification/declaration.
Does it mean that if during the transition period there is only one DPO but many manufactures, ANSPs are not forced to procure the equipment from that DPO? They can thus procure an equipment from non-DPO manufacturers till September 2028?
EASA confirms that during transition period, the main means for attestation will be the Statement of Compliance (SoC) by the ANSP.
To have a certificate of equipment, we need to have an approved DPO. However, during the transitional period, there may not be many approved DPOs. Therefore, the main means would be the SOC.
During the transition period (2023-2027) there will be a mixture of DPOs and equipment that is certified, and Statements of Compliance (SoC). If there is a certificate of conformity, then there is no need for the ATM/ANS provider to issue a SoC.
For SoC and DoV, we assume that the issuance of existing DoVs will be simply replaced by the issuance of SoCs (at least within the transitional period until 2028, once the DoV or its part are to be change). Is this correct?
During the transition period (13 September 2028):
- ATM/ANS equipment subject to certification and ATM/ANS equipment subject to declaration of design compliance shall be deemed to have been issued with a certificate or declaration respectively in accordance with Article 4 or Article 5 on a provision basis, i.e. unless the Agency determine based on an assessment that such ATM/ANS equipment does not ensure a level of safety, security, performance and interoperability equivalent to that required by Regulation (EU) 2018/1139 and the new delegated act.
- ATM/ANS equipment which is subject to a statement of compliance, the EC declarations of verification (DoV) of systems that have been issued shall continue to be valid for an unlimited duration and shall be deemed to have a statement of compliance pursuant to Article 6 of the new delegated act.
Implementation support to stakeholders
What is the EASA plan to ensure wide communication towards ATM GE providers and common understanding of the regulation framework?
EPAS 2023-2025 contains 3 new tasks, 2 for the regulatory activities (covering the detailed specifications, AMC and GM material), and also 1 task requiring implementation support to Stakeholders (National Supervisory Authorities). EASA is also thinking about additional ways that materials can provided to any stakeholder to facilitate common understanding (e.g. Specific trainings and presentations, FAQs, etc).