
Applicability of Regulation (EU) 2023/203 to Small ATOs Operating Mechanically Controlled Helicopters
Dear colleagues,
Our ATO recently received a notice from our national aviation authority that, under Regulation (EU) 2023/203, we will be required to implement a full Information Security Management System (ISMS). We operate a small helicopter flight school using non-networked, mechanically controlled aircraft such as the Robinson R44 and provide PPL(H) and LAPL(H) training.
We are concerned about the proportionality of this requirement, especially considering:
- AOC holders operating similar helicopters under commercial conditions are explicitly excluded from the scope of the regulation (Art. 2(c)(iii)), even though they are typically subject to stronger regulatory oversight.
- Our systems are not connected to external networks, and our aircraft have no digital interfaces that would allow a cyberattack to impact flight safety.
- The ELA2 exemption for ATOs under Art. 2(d) does not apply to helicopters like the R44, although their risk profile is comparable to ELA2 airplanes.
We are interested in learning how other small ATOs are interpreting this regulation and whether there has been any guidance or flexibility from your competent authority regarding implementation.
Does anyone else feel that a risk-based, proportionate approach would be more suitable here?
Looking forward to your insights and experiences.
Best regards,
Henry