Regulation (EU) 2015/340
This Part, set out in this Annex, establishes the administrative requirements applicable to the competent authorities with responsibility for the issue, maintenance, suspension or revocation of licences, ratings, endorsements and medical certificates for air traffic controllers and certification and oversight of training organisations and aero-medical centres.
Regulation (EU) 2023/893
(a) Competent authorities shall produce and update every two years an assessment of the human resources needed to perform their oversight functions, based on the analysis of the processes required by this Regulation and their application.
(b) Personnel authorised by the competent authority to carry out certification and/or oversight tasks shall be empowered to perform as a minimum the following tasks:
(1) examine documents, including licences, certificates, records, data, procedures and any other material relevant to the execution of the required task;
(2) take copies of or extracts from such records, data, procedures and other material;
(3) ask for an explanation;
(4) enter relevant premises and operating sites;
(5) perform audits and inspections, including unannounced inspections;
(6) take or initiate enforcement measures as appropriate.
(c) The competent authority may authorise its personnel to conduct assessments leading to the issue, revalidation and renewal of a unit endorsement provided that they meet the requirements set out in ATCO.C.045, with the exception of point (d)(1). Familiarity with the current operational practices and procedures of the unit, where the assessment is taking place, shall however be ensured.
[applicable until 3 August 2024 - Regulation (EU) 2015/340]
(a) Competent authorities shall produce and update every 2 years an assessment of the human resources needed to perform their oversight functions, based on the analysis of the processes required by this Regulation.
(b) Personnel authorised by the competent authority to carry out certification or oversight tasks, or both, shall be empowered to perform as a minimum the following tasks:
(1) examine documents, including licences, certificates, records, data, procedures and any other material relevant to the execution of the required task;
(2) take copies of or extracts from such records, data, procedures and other material;
(3) ask for an explanation;
(4) enter relevant premises and operating sites;
(5) perform audits and inspections, including unannounced inspections;
(6) take or initiate enforcement measures as appropriate.
[applicable from 4 August 2024 - Implementing Regulation (EU) 2023/893]
GM1 ATCO.AR.A.005(c) Personnel
ED Decision 2023/011/R
GENERAL
When competent authority personnel is authorised to conduct assessments for the issue and renewal of a unit endorsement who:
(a) do not hold the unit endorsement associated with the assessment, or
(b) hold the unit endorsement associated with the assessment without an OJTI endorsement,
an OJTI holding the valid unit endorsement associated with the assessment should be present to ensure supervision on the operational working position.
[applicable until 3 August 2024 - ED Decision 2015/010/R]
ATCO.AR.A.010 Tasks of the competent authorities
Regulation (EU) 2023/893
(a) The tasks of the competent authorities shall include:
(1) the issue, suspension and revocation of licences, ratings, endorsements and of medical certificates;
(2) the issue of temporary OJTI authorisations according to ATCO.C.025;
(3) the issue of temporary assessor authorisations according to ATCO.C.065;
(4) the revalidation and renewal of endorsements;
(5) the revalidation, renewal and limitation of medical certificates following referral by the AME or AeMC;
(6) the issue, revalidation, renewal, suspension, revocation, limitation and change of aero-medical examiner certificates;
(7) the issue, suspension, revocation and limitation of training organisation certificates and of the certificates of aero-medical centres;
(8) the approval of training courses, plans and unit competence schemes, as well as assessment methods;
(9) the approval of the assessment method for the demonstration of language proficiency and the establishment of requirements applicable to language assessment bodies according to ATCO.B.040;
(10) the approval of the need for the extended level (level five) language proficiency in accordance with ATCO.B.030(d);
(11) the monitoring of training organisations, including their training courses and plans;
(12) the approval and monitoring of the unit competence schemes;
(13) the establishment of appropriate appeal procedures and notification mechanisms;
(14) facilitating the recognition and exchange of licences, including the transfer of the records of air traffic controllers and return of the old licence to the issuing competent authority according to ATCO.A.010;
(15) facilitating the recognition of training organisation certificates and course approvals.
[applicable until 3 August 2024 - Regulation (EU) 2015/340]
The tasks of the competent authorities shall include:
(a) the issue, suspension and revocation of licences, ratings, endorsements and of medical certificates;
(b) the issue of temporary OJTI authorisations according to point ATCO.C.025;
(c) the issue of temporary assessor authorisations according to point ATCO.C.065;
(d) the revalidation and renewal of endorsements;
(e) the revalidation, renewal and limitation of medical certificates following referral by the aero-medical examiner (AME) or aero-medical centre (AeMC);
(f) the issue, revalidation, renewal, suspension, revocation, limitation and change of aero-medical examiner certificates;
(g) the issue, suspension, revocation and limitation of training organisation certificates and of the certificates of aero-medical centres;
(h) the approval of training courses, training plans and unit competence schemes, as well as assessment methods;
(i) the approval of the assessment method for the demonstration of language proficiency and the establishment of requirements applicable to language assessment bodies according to point ATCO.B.040;
(j) the approval of the need for the extended level (level five) language proficiency in accordance with point ATCO.B.030(d);
(k) the oversight of training organisations, including their training courses and plans;
(l) the approval and oversight of the unit competence schemes;
(m) the establishment of appropriate appeal procedures and notification mechanisms;
(n) facilitating the recognition and exchange of licences, including the transfer of the records of air traffic controllers and return of the old licence to the issuing competent authority according to point ATCO.AR.D.003;
(o) facilitating the recognition of training organisation certificates and course approvals, as well as the approval of the assessment method for the demonstration of language proficiency.
[applicable from 4 August 2024 - Implementing Regulation (EU) 2023/893]
ATCO.AR.A.015 Means of compliance
Regulation (EU) 2023/893
(a) The Agency shall develop Acceptable Means of Compliance (AMC) that may be used to establish compliance with Regulation (EC) No 216/2008 and its implementing rules. When AMC are complied with, the related requirements of the implementing rules are met.
(b) Alternative means of compliance may be used to establish compliance with the implementing rules.
(c) The competent authority shall establish a system to consistently evaluate that all alternative means of compliance used by itself or by organisations and persons under its oversight allow the establishment of compliance with Regulation (EC) No 216/2008 and its implementing rules.
(d) The competent authority shall evaluate all alternative means of compliance proposed by an organisation in accordance with ATCO.OR.B.005 by analysing the documentation provided and, if considered necessary, conducting an inspection of the organisation.
When the competent authority finds that the alternative means of compliance are in accordance with the implementing rules, it shall without undue delay:
(1) notify the applicant that the alternative means of compliance may be implemented and, if applicable, amend the approval or certificate of the applicant accordingly;
(2) notify the Agency of their content, including copies of all relevant documentation; and
(3) inform other Member States about alternative means of compliance that were accepted.
(e) When the competent authority itself uses alternative means of compliance to achieve compliance with Regulation (EC) No 216/2008 and its implementing rules it shall:
(1) make them available to all organisations and persons under its oversight; and
(2) notify the Agency without undue delay.
The competent authority shall provide the Agency with a full description of the alternative means of compliance, including any revisions to procedures that may be relevant, as well as an assessment demonstrating that the implementing rules are met.
[applicable until 3 August 2024 - Regulation (EU) 2015/340]
(a) The Agency shall develop acceptable means of compliance (“AMC”) that may be used to establish compliance with Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof.
(b) Alternative means of compliance may be used to establish compliance with the delegated and implementing acts.
(c) The competent authority shall inform the Agency of any alternative means of compliance used by organisations under their oversight or by themselves for establishing compliance with this Regulation.
[applicable from 4 August 2024 - Implementing Regulation (EU) 2023/893]
AMC1 ATCO.AR.A.015(d)(3) Means of compliance
ED Decision 2015/010/R
GENERAL
The information to be provided to other Member States following approval of an alternative means of compliance should contain a reference to the Acceptable Means of Compliance (AMC) to which such means of compliance provides an alternative, as well as a reference to the corresponding Implementing Rule of Regulation (EC) No 216/2008 indicating as applicable the subparagraph(s) covered by the alternative means of compliance.
GM1 ATCO.AR.A.015 Means of compliance
ED Decision 2023/011/R
GENERAL
Alternative means of compliance used by a competent authority or by organisations under its oversight may be used by other competent authorities or organisations only if processed again in accordance with ATCO.AR.A.015(d) and (e).
[applicable until 3 August 2024 - ED Decision 2015/010/R]
GM1 ATCO.AR.A.015(b) Means of compliance
ED Decision 2023/011/R
ALTERNATIVE MEANS OF COMPLIANCE — GENERAL
(a) A competent authority may establish means to comply with Commission Regulation (EU) 2015/340 which are different from the acceptable means of compliance (AMC) established by EASA.
(b) In that case, the competent authority is responsible for demonstrating how those alternative means of compliance (AltMoC) assist it to establish compliance with Commission Regulation (EU) 2015/340.
(c) AltMoC that are used by a competent authority, or by an organisation under its oversight, may be used by other competent authorities, or by other organisations, only if they are processed by those authorities in accordance with point ATCO.AR.A.015, and by those organisations in accordance with point ATCO.OR.B.005.
(d) AltMoC that are issued by the competent authority may cover the following cases:
(1) AltMoC to be used by organisations under the oversight of the competent authority, and which are made available to those organisations; and
(2) AltMoC to be used by the competent authority itself to discharge its responsibilities.
[applicable from 4 August 2024 - ED Decision 2023/011/R]
AMC1 ATCO.AR.A.015(b);(c) Means of compliance
ED Decision 2023/011/R
PROCESSING OF ALTERNATIVE MEANS OF COMPLIANCE (AltMoC)
To meet the objectives of points (b) and (c) of point ATCO.AR.A.015:
(a) the competent authority should establish the means to consistently evaluate over time that all the AltMoC that are used by itself or by organisations under its oversight allow for the establishment of compliance with Commission Regulation (EU) 2015/340;
(b) if the competent authority issues AltMoC for itself or for the organisations under its oversight, it should:
(1) make them available to all relevant organisations; and
(2) notify EASA of the AltMoC as soon as it is / they are issued, including the information that is described in point (d);
(c) the competent authority should evaluate the AltMoC that is/are proposed by an organisation by analysing the documentation provided and, if considered necessary, by inspecting the organisation; when the competent authority finds that the AltMoC is/are in accordance with Commission Regulation (EU) 2015/340, it should:
(1) notify the applicant that the AltMoC is/are approved;
(2) indicate that this/those AltMoC may be implemented, and agree when the organisation documents are to be amended accordingly; and
(3) notify EASA of the AltMoC approval as soon as it is / they are approved, including the information that is described in point (d); and
(d) the competent authority should provide EASA with the following information:
(1) a summary of the AltMoC;
(2) the content of the AltMoC;
(3) a statement that compliance with Commission Regulation (EU) 2015/340 is achieved; and
(4) in support of that statement, an assessment which demonstrates that the AltMoC reaches/reach an acceptable level of safety, taking into account the level of safety that is achieved by the corresponding EASA AMC.
(e) All these elements that describe the AltMoC are an integral part of the records to be kept, which are managed in accordance with point ATCO.AR.A.015.
[applicable from 4 August 2024 - ED Decision 2023/011/R]
GM1 ATCO.AR.A.015(b);(c) Means of compliance
ED Decision 2023/011/R
CASES FOR WHICH THERE IS NO CORRESPONDING EASA AMC
When there is no EASA AMC to a certain requirement in Commission Regulation (EU) 2015/340, the competent authority may choose to develop national guides or other types of documents to assist the organisations under its oversight to demonstrate compliance. The competent authority may inform EASA about such national guides or other types of documents so that they may be considered later for incorporation into the AMC that EASA issues and publishes through its rulemaking procedure.
[applicable from 4 August 2024 - ED Decision 2023/011/R]
ATCO.AR.A.020 Information to the Agency
Regulation (EU) 2023/893
(a) The competent authority shall without undue delay notify the Agency in case of any significant problems with the implementation of Regulation (EC) No 216/2008 and this Regulation.
(b) The competent authority shall provide the Agency with safety-significant information stemming from the occurrence reports it has received.
[applicable until 3 August 2024 - Regulation (EU) 2015/340]
(a) The competent authority shall notify the Agency in case of any significant problems with the implementation of Regulation (EU) 2018/1139 and its delegated and implementing acts within 30 days from the time the competent authority has become aware of the problems.
(b) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council18Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007 (OJ L 122, 24.4.2014, p. 18). and its delegated and implementing acts, the competent authority shall provide the Agency with safety-significant information stemming from the occurrence reports stored in its national database in accordance with Article 6(6) of Regulation (EU) No 376/2014, as soon as possible.
[applicable from 4 August 2024 - Implementing Regulation (EU) 2023/893]
(c) The competent authority of the Member State shall provide the Agency as soon as possible with safety-significant information stemming from the information security reports it has received pursuant to point IS.I.OR.230 of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203.
[applicable from 22 February 2026 – Regulation (EU) 2023/203]
AMC1 ATCO.AR.A.020(b) Information to the Agency
ED Decision 2023/011/R
PROVISION OF SAFETY-SIGNIFICANT INFORMATION TO THE AGENCY
Each competent authority should appoint a coordinator to act as the point of contact for the provision of safety-significant information to the Agency.
[applicable from 4 August 2024 - ED Decision 2023/011/R]
GM1 ATCO.AR.A.020(b) Information to the Agency
ED Decision 2023/011/R
MEANING OF SAFETY-SIGNIFICANT INFORMATION STEMMING FROM OCCURRENCE REPORTS
The following should be considered safety-significant information from occurrence reports:
(a) conclusive safety analyses that summarise individual occurrence data and provide an in-depth assessment of the safety issue. These safety analyses can be used for Agency rulemaking or for safety promotion activities such as the European Aviation Safety Plan; and
(b) individual occurrence data where the Agency is the competent authority.
[applicable until 3 August 2024 - ED Decision 2015/010/R]
MEANING OF SAFETY-SIGNIFICANT INFORMATION STEMMING FROM OCCURRENCE REPORTS
Safety-significant information stemming from occurrence reports means a conclusive safety analysis that summarises individual occurrence data and provides an in-depth analysis of a safety issue, which may be relevant for the Agency’s safety action planning.
[applicable from 4 August 2024 - ED Decision 2023/011/R]
GM2 ATCO.AR.A.020(b) Information to the Agency
ED Decision 2023/011/R
SAFETY-SIGNIFICANT INFORMATION STEMMING FROM OCCURRENCE REPORTS
The conclusive safety analysis based on occurrence reports should contain the following:
(a) a detailed description of the safety issue, including the scenario in which the safety issue takes place; and
(b) an indication of the stakeholders affected by the safety issue, including types of operations and organisations;
and, as appropriate:
(c) a risk assessment establishing the severity and probability of all the possible consequences of the safety issue;
(d) information about the existing safety barriers that the aviation system has in place to prevent the likely safety-issue-related consequences from occurring;
(e) any mitigating actions already in place or developed to address the safety issue;
(f) recommendations for future actions to control the risk; and
(g) any other element(s) the competent authority considers essential for the Agency to properly assess the safety issue.
[applicable from 4 August 2024 - ED Decision 2023/011/R]
ATCO.AR.A.025 Immediate reaction to a safety problem
Regulation (EU) 2023/893
(a) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council19 Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007 (OJ L 122, 24.4.2014, p. 18–43)., the competent authority shall implement a system to appropriately collect, analyse and disseminate safety information.
(b) The Agency shall implement a system to appropriately analyse any relevant safety information received and without undue delay provide to Member States and the Commission any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to a safety problem involving products, parts, appliances, persons or organisations subject to Regulation (EC) No 216/2008 and its implementing rules.
(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the safety problem.
(d) Measures taken in accordance with point (c) shall immediately be notified to all persons or organisations which need to comply with them under Regulation (EC) No 216/2008 and its implementing rules. The competent authority shall also notify those measures to the Agency and, when combined action is required, to the other Member States concerned.
[applicable until 3 August 2024 - Regulation (EU) 2015/340]
(a) Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, the competent authority shall implement a system to appropriately collect, analyse and disseminate safety information.
(b) The Agency shall implement a system to appropriately analyse any relevant safety information received and without undue delay provide to Member States and the Commission any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to a safety problem involving products, parts, appliances, persons or organisations subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.
(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the safety problem.
(d) Measures taken in accordance with point (c) shall immediately be notified to all persons or organisations which need to comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority shall also notify those measures to the Agency and, when combined action is required, to the other Member States concerned.
[applicable from 4 August 2024 - Implementing Regulation (EU) 2023/893]
ATCO.AR.A.025A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
Regulation (EU) 2023/203
(a) The competent authority shall implement a system to appropriately collect, analyse, and disseminate information related to information security incidents and vulnerabilities with a potential impact on aviation safety that are reported by organisations. This shall be done in coordination with any other relevant authorities responsible for information security or cybersecurity within the Member State to increase the coordination and compatibility of reporting schemes.
(b) The Agency shall implement a system to appropriately analyse any relevant safety-significant information received in accordance with point ATCO.AR.A.020, and without undue delay provide the Member States and the Commission with any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to an information security incident or vulnerability with a potential impact on aviation safety involving products, parts, non-installed equipment, persons or organisations subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.
(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the potential impact on aviation safety of the information security incident or vulnerability.
(d) Measures taken in accordance with point (c) shall immediately be notified to all persons or organisations that shall comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority of the Member State shall also notify those measures to the Agency and, when combined action is required, the competent authorities of the other Member States concerned.
[applicable from 22 February 2026 – Regulation (EU) 2023/203]
ED Decision 2023/010/R
(a) To appropriately collect and analyse information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should implement means that ensure the necessary confidentiality.
(b) When disseminating information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should properly select the appropriate recipient(s) to prevent the content of a report from being exploited to the detriment of aviation safety, by revealing, for instance, uncorrected vulnerabilities.
[Applicable from 22 February 2026 – ED Decision 2023/010/R]
ED Decision 2023/010/R
When deemed necessary, a two-step mechanism could be used: a report alerting about the information security event or incident and the availability of additional data that would require controlled and confidential distribution. This report should only alert recipients of the urgency and the necessity for organisations and competent authorities to establish further communication through secure means.
Therefore, the report should consist of two parts: one limited to mostly public information and one containing the sensitive data that should be restricted to the recipients who need to know. Wherever possible, reports should be based on an agreed taxonomy.
[Applicable from 22 February 2026 – ED Decision 2023/010/R]