Regulation (EU) 2023/203
(a) The competent authority shall verify:
(1) compliance with the requirements applicable to organisations or type of operations prior to the issue of a certificate, approval or authorisation, as applicable;
(2) continued compliance with the applicable requirements of organisations it has certified, specialised operations it has authorised and organisations from which it received a declaration;
(3) continued compliance with the applicable requirements of non-commercial operators of other-than complex motor-powered aircraft; and
(4) implementation of appropriate safety measures mandated by the competent authority as defined in ARO.GEN.135(c) and (d).
(b) This verification shall:
(1) be supported by documentation specifically intended to provide personnel responsible for safety oversight with guidance to perform their functions;
(2) provide the persons and organisations concerned with the results of safety oversight activity;
(3) be based on audits and inspections, including ramp and unannounced inspections; and
(4) provide the competent authority with the evidence needed in case further action is required, including the measures foreseen by ARO.GEN.350 and ARO.GEN.355.
(c) The scope of oversight defined in (a) and (b) shall take into account the results of past oversight activities and the safety priorities.
(d) Without prejudice to the competences of the Member States and to their obligations as set out in ARO.RAMP, the scope of the oversight of activities performed in the territory of a Member State by persons or organisations established or residing in another Member State shall be determined on the basis of the safety priorities, as well as of past oversight activities.
(e) Where the activity of a person or organisation involves more than one Member State or the Agency, the competent authority responsible for the oversight under (a) may agree to have oversight tasks performed by the competent authority(ies) of the Member State(s) where the activity takes place or by the Agency. Any person or organisation subject to such agreement shall be informed of its existence and of its scope.
(f) The competent authority shall collect and process any information deemed useful for oversight, including for ramp and unannounced inspections.
(g) With regard to the certification and oversight of the organisation’s compliance with point ORO.GEN.200A, in addition to complying with points (a) to (f), the competent authority shall review any approval granted under point IS.I.OR.200(e) of this Regulation or point IS.D.OR.200(e) of Delegated Regulation (EU) 2022/1645 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.
[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]
GENERAL
The competent authority should assess the organisation and monitor its continued competence to conduct safe operations in compliance with the applicable requirements. The competent authority should ensure that accountability for assessing organisations is clearly defined. This accountability may be delegated or shared, in whole or in part. Where more than one competent authority is involved, a responsible person should be appointed under whose personal authority organisations are assessed.
EVALUATION OF OPERATIONAL SAFETY RISK ASSESSMENT
As part of the initial certification or the continuing oversight of an operator, the competent authority should normally evaluate the operator’s safety risk assessment processes related to hazards identified by the operator as having an interface with its operations. These safety risk assessments should be identifiable processes of the operator’s management system.
As part of its continuing oversight, the competent authority should also remain satisfied as to the effectiveness of these safety risk assessments.
(a) General methodology for operational hazards
The competent authority should establish a methodology for evaluating the safety risk assessment processes of the operator’s management system.
When related to operational hazards, the competent authority’s evaluation under its normal oversight process should be considered satisfactory if the operator demonstrates its competence and capability to:
(1) understand the hazards and their consequences on its operations;
(2) be clear on where these hazards may exceed acceptable safety risk limits;
(3) identify and implement mitigations, including suspension of operations where mitigation cannot reduce the risk to within safety risk limits;
(4) develop and execute effectively robust procedures for the preparation and the safe operation of the flights subject to the hazards identified;
(5) assess the competence and currency of its staff in relation to the duties necessary for the intended operations and implement any necessary training; and
(6) ensure sufficient numbers of qualified and competent staff for such duties.
The competent authority should take into account that:
(1) the operator’s recorded mitigations for each unacceptable risk identified are in place;
(2) the operational procedures specified by the operator with the most significance to safety appear to be robust; and
(3) the staff on which the operator depends in respect of those duties necessary for the intended operations are trained and assessed as competent in the relevant procedures.
EVALUATION OF OPERATORS’ VOLCANIC ASH SAFETY RISK ASSESSMENT
In addition to the general methodology for operational hazards, the competent authority’s evaluation under its normal oversight process should also assess the operator’s competence and capability to:
(a) choose the correct information sources to use to interpret the information related to volcanic ash contamination forecast and to resolve correctly any conflicts among such sources; and
(b) take account of all information from its type certificate holders (TCHs) concerning volcanic ash-related airworthiness aspects of the aircraft it operates, and the related pre-flight, in-flight and post flight precautions to be observed.
GENERAL
(a) Responsibility for the conduct of safe operations lies with the organisation. Under these provisions a positive move is made towards devolving upon the organisation a share of the responsibility for monitoring the safety of operations. The objective cannot be attained unless organisations are prepared to accept the implications of this policy, including that of committing the necessary resources to its implementation. Crucial to the success of the policy is the content of Part-ORO, which requires the establishment of a management system by the organisation.
(b) The competent authority should continue to assess the organisation's compliance with the applicable requirements, including the effectiveness of the management system. If the management system is judged to have failed in its effectiveness, then this in itself is a breach of the requirements which may, among others, call into question the validity of a certificate, if applicable.
(c) The accountable manager is accountable to the competent authority as well as to those who may appoint him/her. It follows that the competent authority cannot accept a situation in which the accountable manager is denied sufficient funds, manpower or influence to rectify deficiencies identified by the management system.
(d) Oversight of the organisation includes a review and assessment of the qualifications of nominated persons.
VOLCANIC ASH SAFETY RISK ASSESSMENT — ADDITIONAL GUIDANCE
Further guidance on the assessment of an operator’s volcanic ash safety risk assessment is given in ICAO Doc 9974 (Flight safety and volcanic ash — Risk management of flight operations with known or forecast volcanic ash contamination).
CHECKLIST FOR CRM TRAINING OVERSIGHT
The following list includes the major elements for the monitoring of the operator’s CRM training:
(a) development of CRM training considering the operator’s management system;
(b) content of the CRM training syllabus;
(c) qualification of CRM trainer;
(d) training facilities:
(1) classroom;
(2) flight simulation training device (FSTD);
(3) aircraft; and
(4) cabin training device;
(e) training methods:
(1) classroom training (instructions, presentations and behavioural exercises);
(2) computer-based training (CBT);
(3) line-oriented flight training (LOFT); and
(4) check or test;
(f) training analysis:
(1) pre-course reading and study;
(2) integration of the different training methods;
(3) competence and performance of the trainer or instructor;
(4) assessment of flight crew members; and
(5) effectiveness of training.
OVERSIGHT OF AN OPERATOR CONVERSION COURSE (OCC) FOR MULTI-CREW PILOT LICENCE (MPL) HOLDERS
As part of the initial certification or the continuing oversight of an operator, the competent authority should include the assessment of the OCC provided to MPL holders, who undertake their first conversion course on a new type or at an operator other than the one that was involved in their training for the MPL.
The assessment of the OCC should evaluate whether the operator, in the process of development of the OCC, took the following aspects into account:
— the time elapsed after completion of the initial training, between base training and hiring, and the Line Flying Under Supervision (LIFUS);
— the necessary feedback loop between the Approved Training Organisation (ATO) and the operator involved in the licence training.
OPERATIONAL APPROVALS ISSUED BY NON-EU STATE OF REGISTRY
When verifying continued compliance of non-commercial operators using an aircraft registered in a third country holding operational approvals for operations in PBN, MNPS and RVSM airspace issued by a non-EU State of Registry, the competent authority should at least assess if:
(a) the State of registry has established an equivalent level of safety, considering any differences notified to the ICAO Standards for RVSM, RNP, MNPS and MEL; or
(b) there are reservations on the safety oversight capabilities and records of the State of registry; or
(c) operators of the State of registry are subject to an operating ban pursuant Regulation (EC) No 2111/2005; or
(d) relevant findings on the State of registry from audits carried out under international conventions exist; or
(e) relevant findings on the State of registry from other safety assessment programmes of States exist.
ACTIVITIES WITHIN THE TERRITORY OF THE MEMBER STATE
(1) activities of:
(i) organisations certified or authorised by or declaring their activity to the competent authority of any other Member State or the Agency; or
(ii) persons performing operations with other-than-complex motor-powered aircraft; and
(2) activities of persons holding a licence, certificate, rating, or attestation issued by the competent authority of any other Member State.
(b) Audits and inspections of such activities, including ramp and unannounced inspections, should be prioritised towards those areas of greater safety concern, as identified through the analysis of data on safety hazards and their consequences in operations.
ARO.GEN.305 Oversight programme
Regulation (EU) 2015/140
(a) The competent authority shall establish and maintain an oversight programme covering the oversight activities required by ARO.GEN.300 and by ARO.RAMP.
(b) For organisations certified by the competent authority, the oversight programme shall be developed taking into account the specific nature of the organisation, the complexity of its activities, the results of past certification and/or oversight activities required by ARO.GEN and ARO.RAMP and shall be based on the assessment of associated risks. It shall include within each oversight planning cycle:
(1) audits and inspections, including ramp and unannounced inspections as appropriate; and
(2) meetings convened between the accountable manager and the competent authority to ensure both remain informed of significant issues.
(c) For organisations certified by the competent authority an oversight planning cycle not exceeding 24 months shall be applied.
The oversight planning cycle may be reduced if there is evidence that the safety performance of the organisation has decreased.
The oversight planning cycle may be extended to a maximum of 36 months if the competent authority has established that, during the previous 24 months:
(1) the organisation has demonstrated an effective identification of aviation safety hazards and management of associated risks;
(2) the organisation has continuously demonstrated under ORO.GEN.130 that it has full control over all changes;
(3) no level 1 findings have been issued; and
(4) all corrective actions have been implemented within the time period accepted or extended by the competent authority as defined in ARO.GEN.350(d)(2).
The oversight planning cycle may be further extended to a maximum of 48 months if, in addition to the above, the organisation has established, and the competent authority has approved, an effective continuous reporting system to the competent authority on the safety performance and regulatory compliance of the organisation itself.
(d) For organisations declaring their activity to the competent authority, the oversight programme shall be based on the specific nature of the organisation, the complexity of its activities and the data of past oversight activities and the assessment of risks associated with the type of activity carried out. It shall include audits and inspections, including ramp and unannounced inspections, as appropriate.
(d1) For organisations holding a specialised operations authorisation, the oversight programme shall be established in accordance with (d) and shall also take into account the past and current authorisation process and the validity period of the authorisation.
(e) For persons holding a licence, certificate, rating, or attestation issued by the competent authority the oversight programme shall include inspections, including unannounced inspections, as appropriate.
(f) The oversight programme shall include records of the dates when audits, inspections and meetings are due and when such audits, inspections and meetings have been carried out.
SPECIFIC NATURE AND COMPLEXITY OF THE ORGANISATION, RESULTS OF PAST OVERSIGHT
(a) When determining the oversight programme for an organisation, the competent authority should consider in particular the following elements, as applicable:
(1) the implementation by the organisation of industry standards, directly relevant to the organisation’s activity subject to this Regulation;
(2) the procedure applied for and scope of changes not requiring prior approval;
(3) specific approvals held by the organisation;
(4) specific procedures implemented by the organisation related to any alternative means of compliance used; and
(5) number of subcontractors.
(b) For the purpose of assessing the complexity of an organisation’s management system, AMC1 ORO.GEN.200(b) should be used.
(c) Regarding results of past oversight, the competent authority should also take into account relevant results of ramp inspections of organisations it has certified or authorised, persons and other organisation having declared their activity or persons performing operations with other-than-complex motor-powered aircraft that were performed in other Member States in accordance with ARO.RAMP.
PROCEDURES FOR OVERSIGHT OF OPERATIONS
(a) Each organisation to which a certificate has been issued should have an inspector specifically assigned to it. Several inspectors should be required for the larger companies with widespread or varied types of operation. This does not prevent a single inspector being assigned to several companies. Where more than one inspector is assigned to an organisation, one of them should be nominated as having overall responsibility for supervision of, and liaison with, the organisation’s management, and be responsible for reporting on compliance with the requirements for its operations as a whole.
(b) Audits and inspections, on a scale and frequency appropriate to the operation, should cover at least:
(1) infrastructure,
(2) manuals,
(3) training,
(4) crew records,
(5) equipment,
(6) release of flight/dispatch,
(7) dangerous goods,
(8) organisation’s management system.
(c) The following types of inspections should be included, as part of the oversight programme:
(1) flight inspection,
(2) ground inspection (e.g. documents and records),
(3) training inspection (e.g. ground, aircraft/FSTD),
(4) ramp inspection.
The inspection should be a ‘deep cut’ through the items selected, and all findings should be recorded. Inspectors should review the root cause(s) identified by the organisation for each confirmed finding.
The competent authority should be satisfied that the root cause(s) identified and the corrective actions taken are adequate to correct the non-compliance and to prevent re-occurrence.
(d) Audits and inspections may be conducted separately or in combination. Audits and inspections may, at the discretion of the competent authority, be conducted with or without prior notice to the organisation.
(e) Where it is apparent to an inspector that an organisation has permitted a breach of the applicable requirements, with the result that air safety has, or might have, been compromised, the inspector should ensure that the responsible person within the competent authority is informed without delay.
(f) In the first few months of a new operation, inspectors should carry out oversight activities with a particular focus on the operator’s procedures, facilities, equipment, operational control and management system. They should also carefully examine any conditions that may indicate a significant deterioration in the organisation's financial management. When any financial difficulties are identified, inspectors should increase technical surveillance of the operation with particular emphasis on the upholding of safety standards.
(g) The number or the magnitude of the non-compliances identified by the competent authority will serve to support the competent authority's continuing confidence in the organisation's competence or, alternatively, may lead to an erosion of that confidence. In the latter case, the competent authority should review any identifiable shortcomings of the management system.
FINANCIAL MANAGEMENT
Examples of trends that may indicate problems in a new organisation's financial management are:
(a) significant lay-offs or turnover of personnel;
(b) delays in meeting payroll;
(c) reduction of safe operating standards;
(d) decreasing standards of training;
(e) withdrawal of credit by suppliers;
(f) inadequate maintenance of aircraft;
(g) shortage of supplies and spare parts;
(h) curtailment or reduced frequency of revenue flights; and
(i) sale or repossession of aircraft or other major equipment items.
STORAGE PERIODS OF RECORDS
If the organisation’s oversight cycle has been extended, the minimum storage periods for records should be aligned with the extended oversight cycle to ensure that the competent authority has access to all relevant records.
AUDIT
(a) The oversight programme should indicate which aspects of the approval will be covered with each audit.
(b) Part of an audit should concentrate on the organisation’s compliance monitoring reports produced by the compliance monitoring personnel to determine if the organisation is identifying and correcting its problems.
(c) At the conclusion of the audit, an audit report should be completed by the auditing inspector, including all findings raised.
RAMP INSPECTIONS
(a) When conducting a ramp inspection of aircraft used by organisations under its regulatory oversight, the competent authority should, as far as possible, comply with the requirements defined in ARO.RAMP.
(b) When conducting ramp inspections on other-than-suspected aircraft, the competent authority should take into account the following elements:
(1) repeated inspections should be avoided of those organisations for which previous inspections have not revealed safety deficiencies;
(2) the oversight programme should enable the widest possible sampling rate of aircraft flying into their territory; and
(3) there should be no discrimination on the basis of the organisation’s nationality, the type of operation or type of aircraft, unless such criteria can be linked to an increased risk.
(c) For aircraft other than those used by organisations under its regulatory oversight, when conducting a risk assessment, the competent authority should consider aircraft that have not been ramp inspected for more than 6 months.
INDUSTRY STANDARDS
(a) For organisations having demonstrated compliance with industry standards, the competent authority may adapt its oversight programme, in order to avoid duplication of specific audit items.
(b) Demonstrated compliance with industry standards should not be considered in isolation from the other elements to be considered for the competent authority’s risk-based oversight.
(c) In order to be able to credit any audits performed as part of certification in accordance with industry standards, the following should be considered:
(1) the demonstration of compliance is based on certification auditing schemes providing for independent and systematic verification;
(2) the existence of an accreditation scheme and accreditation body for certification in accordance with the industry standards has been verified;
(3) certification audits are relevant to the requirements defined in Annex III (Part-ORO) and other Annexes to this Regulation as applicable;
(4) the scope of such certification audits can easily be mapped against the scope of oversight in accordance with Annex III (Part-ORO);
(5) audit results are accessible to the competent authority and open to exchange of information in accordance with Article 15(1) of Regulation (EC) No 216/2008; and
(6) the audit planning intervals of certification audits i.a.w. industry standards are compatible with the oversight planning cycle.
OVERSIGHT PLANNING CYCLE
(a) When determining the oversight planning cycle and defining the oversight programme, the competent authority should assess the risks related to the activity of each organisation and adapt the oversight to the level of risk identified and to the organisation’s ability to effectively manage safety risks.
(b) The competent authority should establish a schedule of audits and inspections appropriate to each organisation's business. The planning of audits and inspections should take into account the results of the hazard identification and risk assessment conducted and maintained by the organisation as part of the organisation’s management system. Inspectors should work in accordance with the schedule provided to them.
(c) When the competent authority, having regard to an organisation's safety performance, varies the frequency of an audit or inspection, it should ensure that all aspects of the operation are audited and inspected within the applicable oversight planning cycle.
(d) The section(s) of the oversight programme dealing with ramp inspections should be developed based on geographical locations, taking into account aerodrome activity, and focusing on key issues that can be inspected in the time available without unnecessarily delaying the operations.
OVERSIGHT PLANNING CYCLE
(a) For each organisation certified by the competent authority all processes should be completely audited at periods not exceeding the applicable oversight planning cycle. The beginning of the first oversight planning cycle is normally determined by the date of issue of the first certificate. If the competent authority wishes to align the oversight planning cycle with the calendar year, it should shorten the first oversight planning cycle accordingly.
(b) The interval between two audits for a particular process should not exceed the interval of the applicable oversight planning cycle.
(c) Audits should include at least one on-site audit within each oversight planning cycle. For organisations exercising their regular activity at more than one site, the determination of the sites to be audited should consider the results of past oversight, the volume of activity at each site, as well as main risk areas identified.
(d) For organisations holding more than one certificate, the competent authority may define an integrated oversight schedule to include all applicable audit items. In order to avoid duplication of audits, credit may be granted for specific audit items already completed during the current oversight planning cycle, subject to four conditions:
(1) the specific audit item should be the same for all certificates under consideration;
(2) there should be satisfactory evidence on record that such specific audit items were carried out and that all corrective actions have been implemented to the satisfaction of the competent authority;
(3) the competent authority should be satisfied that there is no evidence that standards have deteriorated in respect of those specific audit items being granted a credit;
(4) the interval between two audits for the specific item being granted a credit should not exceed the applicable oversight planning cycle.
OVERSIGHT DECLARED ORGANISATIONS
(a) When determining the oversight programme of organisations having declared their activity, the competent authority should make a selection of operators to be inspected/audited based on the elements specified in ARO.GEN.305(d).
(b) For each selected operator an inspection is a sample inspection of the pre-defined inspection criteria on the basis of key risk elements and the applicable requirements.
(c) The results of past oversight activities should include information from approval activities, e.g. SPA or from other survey programmes such as ACAM.
(d) The oversight programme should also include a certain percentage of unannounced inspections.
(e) The oversight programme should be developed on a yearly basis. All operators should be considered for inclusion into the programme not later than 12 months after the date of the first declaration received. At least one inspection should be performed within each 48-month cycle starting with the date of the first declaration received.
(f) Additional audit/inspections to specific operators may be included in the oversight programme on the basis of the assessment of associated risks carried out within the occurrences reporting scheme(s).
OVERSIGHT OF AUTHORISATION HOLDERS
(a) When determining the oversight programme of high risk commercial specialised operators holding an authorisation specialised operations authorisation holders, the competent authority should assess the risks related to the type of activity carried out by each organisation and adapt the oversight to the level of risk identified and to the organisation’s ability to effectively manage safety risks.
(b) An oversight cycle not exceeding 24 months should be applied. The oversight planning cycle may be extended to a maximum of 48 months if the competent authority has established that during the previous 24 months the organisation has been able to effectively manage safety risks.
(c) The competent authority should establish a schedule of audits and/or inspections, including unannounced inspections, appropriate to each organisation's business. The planning of audits and inspections should take into account the results of the hazard identification and risk assessment conducted and maintained by the organisation as part of the organisation’s management system. Inspectors should work in accordance with the schedule provided to them.
(d) If the specialised operations authorisation is time limited, the competent authority should adapt the schedule of audits and inspections to the duration of the specialised operation authorisation. Audits or inspections may not be necessary if an authorisation is issued for a single flight or event.
(e) When scheduling audits and inspections, the competent authority should also take into account the activity conducted by authorised organisations in other Member States. In this case the competent authority should coordinate the audit and inspection schedule with the authority of the Member State in which territory the activity is taking place.
(f) Additional audits or inspections to specific operators may be included in the oversight programme on the basis of the assessment of associated risks carried out within the occurrences reporting scheme(s).
OVERSIGHT OF AUTHORISATION HOLDERS
Past and current authorisation process refers to relevant results of past and current authorisation and oversight activities.
PERSONS HOLDING A LICENCE, CERTIFICATE, RATING OR ATTESTATION
The oversight of persons holding a licence, certificate, rating or attestation should normally be ensured as part of the oversight of organisations. Additionally, the competent authority should verify compliance with applicable requirements when endorsing or renewing ratings.
To properly discharge its oversight responsibilities, the competent authority should perform a certain number of unannounced verifications.
ARO.GEN.310 Initial certification procedure – organisations
Regulation (EU) No 965/2012
(a) Upon receiving an application for the initial issue of a certificate for an organisation, the competent authority shall verify the organisation’s compliance with the applicable requirements. This verification may take into account the statement referred to in ORO.AOC.100(b).
(b) When satisfied that the organisation is in compliance with the applicable requirements, the competent authority shall issue the certificate(s), as established in Appendices I and II. The certificate(s) shall be issued for an unlimited duration. The privileges and scope of the activities that the organisation is approved to conduct shall be specified in the terms of approval attached to the certificate(s).
(c) To enable an organisation to implement changes without prior competent authority approval in accordance with ORO.GEN.130, the competent authority shall approve the procedure submitted by the organisation defining the scope of such changes and describing how such changes will be managed and notified.
VERIFICATION OF COMPLIANCE
(a) Upon receipt of an application for an air operator certificate (AOC), the competent authority should:
(1) assess the management system and processes, including the operator’s organisation and operational control system;
(2) review the operations manual and any other documentation provided by the organisation; and
(3) for the purpose of verifying the organisation’s compliance with the applicable requirements, conduct an audit at the organisation’s facilities. The competent authority should require the conduct of one or more demonstration flights operated as if they were commercial flights, or an in-flight inspection should be conducted at the earliest opportunity.
(b) The competent authority should ensure that the following steps are taken:
(1) The organisation's written application for an AOC should be submitted at least 90 days before the date of intended operation, except that the operations manual may be submitted later, but not less than 60 days before the date of intended operation. The application form should be printed in language(s) of the competent authority's choosing.
(2) An individual should be nominated by the responsible person of the competent authority to oversee, to become the focal point for all aspects of the organisation certification process and to coordinate all necessary activity. The nominated person should be responsible to the responsible person of the competent authority for confirming that all appropriate audits and inspections have been carried out. He/she should also ensure that the necessary specific or prior approvals required by (b)(3) are issued in due course. Of particular importance on initial application is a careful review of the qualifications of the organisations’ nominated persons. Account should be taken of the relevance of the nominee's previous experience and known record.
(3) Submissions that require the competent authority's specific or prior approval should be referred to the appropriate department of the competent authority. Submissions should include, where relevant, the associated qualification requirements and training programmes.
(c) The ability of the applicant to secure, in compliance with the applicable requirements and the safe operation of aircraft, all necessary training and, where required, licensing of personnel, should be assessed. This assessment should also include the areas of responsibility and the numbers of those allocated by the applicant to key management tasks.
(d) In order to verify the organisation’s compliance with the applicable requirements, the competent authority should conduct an audit of the organisation, including interviews of personnel and inspections carried out at the organisation’s facilities.
The competent authority should only conduct such an audit after being satisfied that the application shows compliance with the applicable requirements.
(e) The audit should focus on the following areas:
(1) detailed management structure, including names and qualifications of personnel required by ORO.GEN.210 and adequacy of the organisation and management structure;
(2) personnel:
(i) adequacy of number and qualifications with regard to the intended terms of approval and associated privileges;
(ii) validity of licences, ratings, certificates or attestations as applicable;
(3) processes for safety risk management and compliance monitoring;
(4) facilities — adequacy with regard to the organisation’s scope of work;
(5) documentation based on which the certificate should be granted (organisation documentation as required by Part-ORO, including technical manuals, such as operations manual or training manual).
(f) In case of non-compliance, the applicant should be informed in writing of the corrections that are required.
(g) When the verification process is complete, the person with overall responsibility, nominated in accordance with (b)(2), should present the application to the person responsible for the issue of an AOC together with a written recommendation and evidence of the result of all investigations or assessments which are required before the operator certificate is issued. Approvals required should be attached to the recommendation. The competent authority should inform the applicant of its decision concerning the application within 60 days of receipt of all supporting documentation. In cases where an application for an organisation certificate is refused, the applicant should be informed of the right of appeal as exists under national law.
ARO.GEN.330 Changes — organisations
Regulation (EU) No 965/2012
(a) Upon receiving an application for a change that requires prior approval, the competent authority shall verify the organisation’s compliance with the applicable requirements before issuing the approval.
The competent authority shall prescribe the conditions under which the organisation may operate during the change, unless the competent authority determines that the organisation’s certificate needs to be suspended.
When satisfied that the organisation is in compliance with the applicable requirements, the competent authority shall approve the change.
(b) Without prejudice to any additional enforcement measures, when the organisation implements changes requiring prior approval without having received competent authority approval as defined in (a), the competent authority shall suspend, limit or revoke the organisation’s certificate.
(c) For changes not requiring prior approval, the competent authority shall assess the information provided in the notification sent by the organisation in accordance with ORO.GEN.130 to verify compliance with the applicable requirements. In case of any non-compliance, the competent authority shall:
(1) notify the organisation about the non-compliance and request further changes;
(2) in case of level 1 or level 2 findings, act in accordance with ARO.GEN.350.
AMC1 ARO.GEN.330 Changes – organisations
ED Decision 2019/019/R
AOC HOLDERS
(a) Changes to personnel specified in Part-ORO:
(1) Any changes to the accountable manager specified in ORO.GEN.210(a) that affect the certificate or terms of approval/approval schedule attached to it, require prior approval under ARO.GEN.330(a) and ORO.GEN.130(a) and (b).
(2) When an organisation submits the name of a new nominee for any of the persons nominated as per ORO.GEN.210(b) or for a safety manager as defined under AMC1 ORO.GEN.200(a)(1), the competent authority should require the organisation to produce a written résumé of the proposed person's qualifications. The competent authority should reserve the right to interview the nominee or call for additional evidence of his or her suitability before deciding upon his or her acceptability.
(b) A simple management system documentation status sheet should be maintained, which contains information on when an amendment was received by the competent authority and when it was approved.
(c) The organisation should provide each management system documentation amendment to the competent authority, including for the amendments that do not require prior approval by the competent authority. Where the amendment requires competent authority approval, the competent authority, when satisfied, should indicate its approval in writing. Where the amendment does not require prior approval, the competent authority should acknowledge receipt in writing within 10 working days.
(d) For changes requiring prior approval, in order to verify the organisation's compliance with the applicable requirements, the competent authority should conduct an audit of the organisation, limited to the extent of the changes. If required for verification, the audit should include interviews and inspections carried out at the organisation’s facilities.
CHANGE OF NAME OF THE ORGANISATION
(a) On receipt of the application and the relevant parts of the organisation’s documentation as required by Part-ORO, the competent authority should re-issue the certificate.
(b) A name change alone does not require the competent authority to audit the organisation, unless there is evidence that other aspects of the organisation have changed.
ARO.GEN.330A Changes to the information security management system
Regulation (EU) 2023/203
(a) For changes managed and notified to the competent authority in accordance with the procedure set out in point IS.I.OR.255(a) of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203, the competent authority shall include the review of such changes in its continuing oversight in accordance with the principles laid down in point ARO.GEN.300. If any non-compliance is found, the competent authority shall notify the organisation thereof, request further changes and act in accordance with point ARO.GEN.350.
(b) For other changes requiring an application for approval in accordance with point IS.I.OR.255(b) of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203:
(1) upon receiving the application for the change, the competent authority shall check the organisation’s compliance with the applicable requirements before issuing the approval;
(2) the competent authority shall establish the conditions under which the organisation may operate during the implementation of the change;
(3) if it is satisfied that the organisation complies with the applicable requirements, the competent authority shall approve the change.
[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]
ARO.GEN.345 Declaration – organisations
Regulation (EU) 2018/1975
(a) Upon receiving a declaration from an organisation carrying out or intending to carry out activities for which a declaration is required, the competent authority shall verify that the declaration contains all the information required:
(1) pursuant to ORO.DEC.100 of Annex III (Part-ORO) to this Regulation; or
(2) for balloon operators pursuant to BOP.ADD.100 of Annex II (Part-BOP) to Regulation (EU) 2018/395; or
(3) for sailplane operators pursuant to SAO.DEC.100 of Annex II (Part-SAO) to Implementing Regulation (EU) 2018/1976.
After having verified the required information, the competent authority shall acknowledge receipt of the declaration to the organisation.
(b) If the declaration does not contain the required information, or contains information that indicates non-compliance with applicable requirements, the competent authority shall notify the organisation about the non-compliance and request further information. If deemed necessary the competent authority shall carry out an inspection of the organisation. If the non-compliance is confirmed, the competent authority shall take action as defined in ARO.GEN.350.
ACKNOWLEDGEMENT OF RECEIPT
The competent authority should acknowledge receipt of the declaration in writing within 10 working days.
VERIFICATION — DECLARATION
The verification made by the competent authority upon receipt of a declaration does not imply an inspection. The aim is to check whether what is declared complies with applicable regulations.
ARO.GEN.350 Findings and corrective actions – organisations
Regulation (EU) 2019/1384
(a) The competent authority for oversight in accordance with ARO.GEN.300(a) shall have a system to analyse findings for their safety significance.
(b) A level 1 finding shall be issued by the competent authority when any significant non-compliance is detected with the applicable requirements of Regulation (EC) No 216/2008 and its Implementing Rules, with the organisation’s procedures and manuals or with the terms of an approval, certificate, specialised operation authorisation or with the content of a declaration which lowers safety or seriously hazards flight safety.
The level 1 findings shall include:
(1) failure to give the competent authority access to the facilities of the organisation in accordance with point ORO.GEN.140 of Annex III (Part-ORO) to this Regulation, or for balloons operators in accordance with points BOP.ADD.015 and BOP.ADD.035 of Annex II (Part-BOP) to Regulation (EU) 2018/395, during normal operating hours and after two written requests;
(2) obtaining or maintaining the validity of the organisation certificate or specialised operations authorisation by falsification of submitted documentary evidence;
(3) evidence of malpractice or fraudulent use of the organisation certificate or specialised operations authorisation; and
(4) the lack of an accountable manager.
(c) A level 2 finding shall be issued by the competent authority when any non-compliance is detected with the applicable requirements of Regulation (EC) No 216/2008 and its Implementing Rules, with the organisation’s procedures and manuals or with the terms of an approval, certificate, specialised operation authorisation or with the content of a declaration which could lower safety or hazard flight safety.
(d) When a finding is detected during oversight or by any other means, the competent authority shall, without prejudice to any additional action required by Regulation (EC) No 216/2008 and its Implementing Rules, communicate the finding to the organisation in writing and request corrective action to address the non-compliance(s) identified. Where relevant, the competent authority shall inform the State in which the aircraft is registered.
(1) In the case of level 1 findings the competent authority shall take immediate and appropriate action to prohibit or limit activities, and if appropriate, it shall take action to revoke the certificate, specialised operations authorisation or specific approval or to limit or suspend it in whole or in part, depending upon the extent of the level 1 finding, until successful corrective action has been taken by the organisation.
(2) In the case of level 2 findings, the competent authority shall:
(i) grant the organisation a corrective action implementation period appropriate to the nature of the finding that in any case initially shall not be more than three months. At the end of this period, and subject to the nature of the finding, the competent authority may extend the three-month period subject to a satisfactory corrective action plan agreed by the competent authority; and
(ii) assess the corrective action and implementation plan proposed by the organisation and, if the assessment concludes that they are sufficient to address the non-compliance(s), accept these.
(3) Where an organisation fails to submit an acceptable corrective action plan, or to perform the corrective action within the time period accepted or extended by the competent authority, the finding shall be raised to a level 1 finding and action taken as laid down in (d)(1).
(4) The competent authority shall record all findings it has raised or that have been communicated to it in accordance with point (e) and, where applicable, the enforcement measures it has applied, as well as all corrective actions and date of action closure for findings.
(e) Without prejudice to any additional enforcement measures, when the authority of a Member State acting under the provisions of ARO.GEN.300(d) identifies any non-compliance with the applicable requirements of Regulation (EC) No 216/2008 and its Implementing Rules by an organisation certified by, or authorised by or declaring its activity to the competent authority of another Member State or the Agency, it shall inform that competent authority and provide an indication of the level of finding.
TRAINING
For a level 1 finding it may be necessary for the competent authority to ensure that further training by the organisation is carried out and audited by the competent authority before the activity is resumed, dependent upon the nature of the finding.
CORRECTIVE ACTION IMPLEMENTATION PERIOD
The 3-month period should commence from the date of the communication of the finding to the organisation in writing and requesting corrective action to address the non-compliance(s) identified.
ARO.GEN.355 Findings and enforcement measures – persons
Regulation (EU) No 379/2014
(a) If, during oversight or by any other means, evidence is found by the competent authority responsible for oversight in accordance with ARO.GEN.300(a) that shows a non-compliance with the applicable requirements by a person holding a licence, certificate, rating or attestation issued in accordance with Regulation (EC) No 216/2008 and its Implementing Rules, the competent authority shall act in accordance with ARA.GEN.355(a) to (d) of Annex VI (Part-ARA) to Commission Regulation (EU) No 1178/201145 OJ L 100, 5.4.2012, p. 1..
(b) If, during oversight or by any other means, evidence is found showing a non-compliance with the applicable requirements by a person subject to the requirements laid down in Regulation (EC) No 216/2008 and its Implementing Rules and not holding a licence, certificate, rating or attestation issued in accordance with that Regulation and its Implementing Rules, the competent authority that identified the non-compliance shall take any enforcement measures necessary to prevent the continuation of that non-compliance.
GENERAL
This provision is necessary to ensure that enforcement measures will be taken also in cases where the competent authority may not act on the licence, certificate or attestation. The type of enforcement measure will depend on the applicable national law and may include for example the payment of a fine or the prohibition from exercising.
It covers two cases:
(a) persons subject to the requirements laid down in Regulation (EC) No 216/2008 and its Implementing Rules who are not required to hold a licence, certificate or attestation; and
(b) persons who are required to hold a licence, rating, certificate or attestation, but who do not hold the appropriate licence, rating, certificate or attestation as required for the activity they perform.
ARO.GEN.360 Findings and enforcement measures – all operators
Regulation (EU) No 379/2014
If, during oversight or by any other means, evidence is found showing a non-compliance with the applicable requirements by an operator subject to the requirements laid down in Regulation (EC) No 216/2008 and its Implementing Rules, the competent authority that identified the non-compliance shall take any enforcement measures necessary to prevent the continuation of that non-compliance.