ARA.GEN.115 Oversight documentation

Regulation (EU) No 1178/2011

The competent authority shall provide all legislative acts, standards, rules, technical publications and related documents to relevant personnel in order to allow them to perform their tasks and to discharge their responsibilities.

ARA.GEN.120 Means of compliance

Regulation (EU) No 290/2012

(a) The Agency shall develop Acceptable Means of Compliance (AMC) that may be used to establish compliance with Regulation (EC) No 216/2008 and its Implementing Rules. When the AMC are complied with, the related requirements of the Implementing Rules are met.

(b) Alternative means of compliance may be used to establish compliance with the Implementing Rules.

(c) The competent authority shall establish a system to consistently evaluate that all alternative means of compliance used by itself or by organisations and persons under its oversight allow the establishment of compliance with Regulation (EC) No 216/2008 and its Implementing Rules.

(d) The competent authority shall evaluate all alternative means of compliance proposed by an organisation in accordance with ORA.GEN.120 by analysing the documentation provided and, if considered necessary, conducting an inspection of the organisation.

When the competent authority finds that the alternative means of compliance are in accordance with the Implementing Rules, it shall without undue delay:

(1) notify the applicant that the alternative means of compliance may be implemented and, if applicable, amend the approval or certificate of the applicant accordingly; and

(2) notify the Agency of their content, including copies of all relevant documentation;

(3) inform other MS about alternative means of compliance that were accepted.

(e) When the competent authority itself uses alternative means of compliance to achieve compliance with Regulation (EC) No 216/2008 and its Implementing Rules it shall:

(1) make them available to all organisations and persons under its oversight; and

(2) without undue delay notify the Agency.

The competent authority shall provide the Agency with a full description of the alternative means of compliance, including any revisions to procedures that may be relevant, as well as an assessment demonstrating that the Implementing Rules are met.

GENERAL

The information to be provided to other Member States following approval of an alternative means of compliance should contain a reference to the Acceptable Means of Compliance (AMC) to which such means of compliance provides an alternative, as well as a reference to the corresponding Implementing Rule, indicating as applicable the subparagraph(s) covered by the alternative means of compliance.

GM1 ARA.GEN.120 Means of compliance

ED Decision 2012/006/R

GENERAL

Alternative means of compliance used by a competent authority or by organisations under its oversight may be used by other competent authorities or organisations only if processed again in accordance with ARA.GEN.120(d) and (e).

ARA.GEN.125 Information to the Agency

Regulation (EU) 2023/203

(a) The competent authority shall notify the Agency in case of any significant problems with the implementation of Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof within 30 days from the time the authority became aware of the problems.

(b) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council [19] and the delegated and implementing acts adopted on the basis thereof, the competent authority shall provide the Agency with safety-significant information stemming from the occurrence reports stored in the national database, as soon as possible.

[19] Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007 (OJ L 122, 24.4.2014, p. 18).

(c) The competent authority of the Member State shall provide the Agency as soon as possible with safety-significant information stemming from the information security reports it has received pursuant to point IS.I.OR.230 of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203.

[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]

ARA.GEN.135 Immediate reaction to a safety problem

Regulation (EU) No 1178/2011

(a) Without prejudice to Regulation (EU) No 376/2014 and the delegated and implementing acts adopted on the basis thereof, the competent authority shall implement a system to appropriately collect, analyse and disseminate safety information.

(b) The Agency shall implement a system to appropriately analyse any relevant safety information received and without undue delay provide to Member States and the Commission any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to a safety problem involving products, parts, non-installed equipment, persons or organisations subject to Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof.

(c) Upon receiving the information referred to in (a) and (b), the competent authority shall take adequate measures to address the safety problem.

(d) Measures taken under point (c) shall immediately be notified to all persons or organisations that need to comply with them under Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof. The competent authority shall also notify those measures to the Agency and, when combined action is required, the other Member States concerned.

ARA.GEN.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

Regulation (EU) 2023/203

(a) The competent authority shall implement a system to appropriately collect, analyse, and disseminate information related to information security incidents and vulnerabilities with a potential impact on aviation safety that are reported by organisations. This shall be done in coordination with any other relevant authorities responsible for information security or cybersecurity within the Member State to increase the coordination and compatibility of reporting schemes.

(b) The Agency shall implement a system to appropriately analyse any relevant safety-significant information received in accordance with point ARA.GEN.125(c), and without undue delay provide the Member States and the Commission with any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to an information security incident or vulnerability with a potential impact on aviation safety involving products, parts, non-installed equipment, persons or organisations subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.

(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the potential impact on aviation safety of the information security incident or vulnerability.

(d) Measures taken in accordance with point (c) shall immediately be notified to all persons or organisations that shall comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority of the Member State shall also notify those measures to the Agency and, when combined action is required, the competent authorities of the other Member States concerned.

[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]

AMC1 ARA.GEN.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

ED Decision 2023/010/R

(a) To appropriately collect and analyse information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should implement means that ensure the necessary confidentiality.

(b) When disseminating information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should properly select the appropriate recipient(s) to prevent the content of a report from being exploited to the detriment of aviation safety, by revealing, for instance, uncorrected vulnerabilities.

[applicable from 22 February 2026 — ED Decision 2023/010/R]

GM1 ARA.GEN.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

ED Decision 2023/010/R

When deemed necessary, a two-step mechanism could be used: a report alerting about the information security event or incident and the availability of additional data that would require controlled and confidential distribution. This report should only alert recipients of the urgency and the necessity for organisations and competent authorities to establish further communication through secure means.

Therefore, the report should consist of two parts: one limited to mostly public information and one containing the sensitive data that should be restricted to the recipients who need to know. Wherever possible, reports should be based on an agreed taxonomy.

[applicable from 22 February 2026 — ED Decision 2023/010/R]