With the publication in July 2018 of the Regulation (EU) 2018/1139, also known as “the Basic Regulation”, on common rules in the field of civil aviation, that replaced the previous Regulation (EU) 216/2008, EASA is mandated to implement measures taking also into account interdependencies between safety and cybersecurity.
Aviation Products Certification
The Basic Regulation establishes, amongst other things, the legal framework to comply with the certification requirements for civil aircraft. Therefore, every aircraft designed and manufactured in the European Union requires a “certification” issued by EASA. The procedures for certification of aeronautical products (aircraft, engines and propellers) are contained in EC Regulation 748/2012 Annex I - Part 21.
Following up the updated mandate in the Basic Regulation of July 2018, EASA has implemented amendments to the certification provisions in order to address information security aspects in the certification process of aeronautical products. More precisely, the EASA ED Decision 2020/006/R of July 2020 issued amendments to CS-25, CS-27, CS-29, CS-APU, CS-E, CS-ETSO, CS-P, and to the related acceptable means of compliance (AMC) and/or guidance material (GM), together with the creation of AMC 20-42, AMC/GM to CS-23 and AMC/GM to Part 21.
In the context of aircraft certification, cybersecurity is commonly understood as the protection of aviation information systems against intentional unauthorised electronic interactions (IUEI), and the means to mitigate their consequences on safety. To this extent, the above-mentioned amendments to the Certification Specifications (CS), with a wording adapted to the specific context, all require that “aeroplane equipment, systems and networks, considered separately and in relation to other systems, must be protected from intentional unauthorised electronic interactions that may result in adverse effects on the safety of the aeroplane”.
Organisational Information Security Risks
In the interconnected world of aviation, information security risks are not only limited in the level of the product. Aviation is a “system of systems” comprising, alongside with aeronautical products and their associated technologies, people, processes and other intangible assets that are in turn vulnerable to security threats. Aviation organisations, authorities and their assets, being an integral part of this system, need to be protected as well from information security risks that may potentially have a safety impact.
For this reason, a set of rules, also known as Part-IS (Information Security) has been published, laying down requirements for the management of information security risks with a potential impact on aviation safety for both organisations and authorities across the entire aviation domain. The provisions of the relevant Delegated (EU) 2022/1645 and Implementing (EU) 2023/203 Regulations include the identification and management of information security risks which could affect information and communication technology systems and data used for civil aviation purposes, detecting information security events, identifying those which are considered information security incidents, and responding to, and recovering from, those information security incidents to a level commensurate with their impact on aviation safety.
Part-IS provisions will be applicable from the 16th of October 2025 for those organisations in the scope of the Delegated Rule and from 22nd of February 2026 for all other organisations and authorities covered by the Implementing Rule.
Following the introduction of certification provisions for information security aspects in aeronautical products and the implementation of Part-IS which aims to address information security risks focusing on assets related to people and processes, the regulatory framework is paving the way towards a cyber-resilient aviation system in the EU.
EASA regulations on products relies extensively on industry standards developed specifically on the topic of airworthiness information security. The picture bellow describes how Certification Specifications are calling the Acceptable Means of Compliance 20-42 which present a summarized version of the process and calls the specialized standards.
Today to address airworthiness information security (The protection of the airworthiness of an aircraft from intentional unauthorized electronic interaction), the specifications and acceptable means of compliance rely on:
- EUROCAE ED-202A “Airworthiness security process specification” a resource for both the Authorities and the industry for aircraft certification when the systems impacted by a modification or a new development may be affected by intentional unauthorized electronic interaction that can affect aircraft safety. It describes the activities that need to be performed in support of the airworthiness process when it comes to the threat of intentional unauthorized electronic interaction (the “What”).
- EUROCAE ED-203A “Airworthiness security methods and considerations” which provides the tools that can be used for showing compliance for airworthiness security during the aircraft design and development life cycle (the “How”).
- EUROCAE ED-204A “Information security guidance for continuing airworthiness” which provides complementary tools for airworthiness security focusing on the instructions and recommendations to be developed by the manufacturer and followed by the operators of the aircraft in order to maintain the security protection.
Other standards have been developed, although not yet referenced in EASA regulatory material. In particular the ED-201A which addresses the big picture of aviation information security and the complex relationship between the different stakeholders, specifically how information security risk is shared along a functional chain, like a supply chain for example. The group developed also ED-205A, similar to ED-202A but for air traffic management ground systems, very likely to provide the required process for the regulatory framework on the conformity assessment of ATM/ANS systems and ATM/ANS constituents in preparation. Last, in June 2022 EUROCAE published ED-206 which address Information Security Event Management, which is very likely to be referenced in Guidance Material to Part IS requirements related to reporting.
Last Regulation & Standards Topics on the Community: