The publication of the NIS2 & CER Directives and the Aviation sector

Vasileios Papageorgiou • 16 January 2023
in community Cybersecurity

The publication of the NIS2 & CER Directives and the Aviation sector


The NIS2 Directive, an important EU legislation with the aim of setting up a high common level of cybersecurity across the EU, has been published on 27/12/2022. The Directive amends the previous Directive on the security of network and information systems (the NIS Directive) that entered into force in August 2016.

The NIS2 Directive will be applicable in a number of industry sectors including the Transport and in turn the Aviation sector. However, the security requirements laid down in NIS2, may be considered to be fulfilled for the entities that comply with the corresponding security requirements of Regulations (EC) No 300/2008 & (EU) 2018/1139 as well as their relevant Delegated & Implementing Acts.


The Regulation of Part-IS (Delegated & Implementing Act) that sets the requirements for the management of information security risks with a potential impact on aviation safety for organisations is the most prominent example of such applicable rules in the Aviation domain, facilitating the achievement of a uniform and high level of protection from information security threats to Aviation organisations.

Moreover, the published Directive welcomes the exchange of information and cooperation between the NIS Cooperation Group and different stakeholders, including relevant EU institutions and Agencies such as EASA, to assist the Group in identifying and reacting to changing and new policy priorities and challenges in the field of cybersecurity.

In parallel with the publication of the NIS2 Directive, the Directive on the resilience of critical entities (CER Directive) was published on the same day. The CER Directive aims to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage in numerous sectors including the transport sector. The common entry into force of both Directives underlines the collective aim of strengthening both the cyber and physical resilience of critical entities and networks in the EU.

EU Member States will have to transpose NIS 2 & CER Directives into their national laws by the 17th of October 2024 and shall apply those measures by the 18th of October 2024.

Related content

Comments (2)

Grégoire LEWIS

Thanks. What difference should we expect from Part-IS ? Indeed, they seems somehow to be similar. For example Part-IS states that "Where an organisation ... complies with security requirements laid down in Article 14 of Directive (EU) 2016/1148 (aka NIS1) that are equivalent to the requirements laid down in this Regulation, compliance with those
security requirements shall be considered to constitute compliance with the requirements laid down in this Regulation".


Hi Grégoire, indeed there are similarities between Part-IS and the NIS2. While there are a few differences on their nature in legal and practical terms, I would sum it up by saying that the main objective between those two is different.

The NIS2 Directive aims to provide legal measures to boost the overall level of cybersecurity and preparedness in the EU, both at the level of the MS as well as at the industry level across a number of sectors, including the transport and the aviation sector.

On the other hand, Part-IS aims to provide organisations with the tools to identify and manage information security risks that may have a potential impact on aviation safety. For this reason, Part-IS and its provisions are tailored to the aviation sector and its stakeholders needs, supporting its implementation with relevant AMC/GM material that will published within this year.

Consequently, some security requirements are overlapping between the two rules. Those requirements may be considered fulfilled if complying with the rules as described above, including Part-IS, with the aim of avoiding potential overlaps and duplications on both regulations.

You are not allowed to comment on content in a group you are not member of.

View group