EASA Updates CS‑23 to Strengthen Cybersecurity Compliance for Small Aeroplanes
EASA has issued an update to CS‑23, strengthening cybersecurity provisions for normal‑category aeroplanes through the integration of requirement 23.2500 and its associated guidance AMC 1 23.2500. The update formally introduces the F3532‑25 Standard Practice for Protection of Aircraft Systems from Intentional Unauthorised Electronic Interactions (IUEI) as a proportionate means of compliance for aircraft with Assessment Levels I, II, or III, ensuring cybersecurity measures remain aligned with aircraft complexity and operational exposure.

A key clarification concerns how applicants should demonstrate compliance with CS 23.2500(b) when equipment or systems could be vulnerable to intentional unauthorised electronic interaction. EASA now differentiates compliance pathways:
For aeroplanes with Assessment Level IV, applicants may consider AMC 20‑42 (EUROCAE ED 20X Standards), reflecting the higher criticality and integration of digital systems in more complex aircraft.
For aeroplanes with Assessment Levels I, II, or III, the update explicitly allows the use of ASTM F3532‑25, providing a streamlined, risk‑based approach tailored to CS‑23 aircraft. This ensures consistency with EASA’s broader cybersecurity framework and supports alignment with the EU Cyber Resilience Act (Regulation (EU) 2024/2847), promoting harmonised expectations for digital components used in aviation.
EASA also clarifies that for certification level 1 aeroplanes operated under VFR (day or night), cybersecurity threats do not need to be considered as potential sources of improper functioning under CS 23.2500. This exemption maintains regulatory proportionality for aircraft with minimal digital exposure and limited operational complexity.
The full updated text, including CS‑23, AMC, and GM material, is available in the EASA Easy Access Rules for Normal Category Aeroplanes and can be found in the related content below.