DPO.AR.B.001 Management system
Regulation (EU) 2023/1769
(a) The Agency shall establish and maintain a management system, including, as a minimum, the following elements:
(1) documented policies and procedures to describe its organisation, means and methods to establish compliance with Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on their bases, as necessary, for the exercise of its certification, oversight and enforcement tasks; the procedures shall be kept up to date and serve as the basic working documents within the Agency for all related tasks;
(2) a sufficient number of personnel to perform its tasks and discharge its responsibilities under this Regulation; a system shall be in place to plan the availability of personnel in order to ensure the proper completion of all related tasks;
(3) personnel that are qualified to perform their allocated tasks and have the necessary knowledge and experience, and have received initial and recurrent training to ensure their continuing competence;
(4) adequate facilities and offices to perform the allocated tasks;
(5) a function to monitor the compliance of the management system with the relevant requirements and the adequacy of the procedures, including the establishment of an internal audit process and a safety risk management process; the compliance-monitoring function shall include a system to provide feedback about audit findings to the senior management of the Agency to ensure the implementation of corrective actions as necessary;
(6) a person or group of persons ultimately responsible to the senior management of the Agency for the compliance- monitoring function.
(b) The Agency shall, for each field of activity included in the management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).
(c) The Agency shall establish procedures for its participation in a mutual exchange of all the necessary information with any other competent authority(ies) referred to in Article 4 of Commission Implementing Regulation (EU) 2017/373 (11Commission Implementing Regulation (EU) 2017/373 of 1 March 2017 laying down common requirements for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight, repealing Regulation (EC) No 482/2008, Implementing Regulations (EU) No 1034/2011, (EU) No 1035/2011 and (EU) 2016/1377 and amending Regulation (EU) No 677/2011 (OJ L 62, 8.3.2017, p. 1).) and provide them with assistance or request assistance from them, including any information that stems from mandatory and voluntary occurrence reporting as required by point DPO.OR.A.045.
(d) The management system established and maintained by the Agency shall comply with Annex I (Part-IS.AR) of Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.
DPO.AR.B.010 Changes in the management system
Regulation (EU) 2023/1769
(a) The Agency shall have a system in place to identify those changes that affect its capability to perform its tasks and discharge its responsibilities as set out in Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof. That system shall enable the Agency to take action, as appropriate, to ensure that the management system remains adequate and effective.
(b) The Agency shall update its management system to reflect any changes to Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof, in a timely manner, so as to ensure the effective implementation of its management system.
Regulation (EU) 2023/1769
(a) The Agency shall establish and maintain a record-keeping system that provides for adequate storage, accessibility, and reliable traceability of:
(1) the management system’s documented policies and procedures;
(2) the training, qualifications, and authorisation of personnel as required by point DPO.AR.B.001 (a)(3);
(3) the allocation of tasks, covering the elements required by point ATM/ANS.EQMT.AR.A.020 of Annex I to Delegated Regulation (EU) 2023/1768, as well as the details of the allocated tasks;
(4) the approval process as regards organisations involved in the design or production of ATM/ANS equipment, the certification process, and the registration of declarations of design compliance for ATM/ANS equipment and the continuing oversight, including:
(i) applications for the issue of approvals;
(ii) approvals issued to organisations involved in the design or production of ATM/ANS equipment, including the associated privileges and any changes to them;
(iii) ATM/ANS equipment certificates issued, including any changes to them that it has issued;
(iv) all valid declarations of design compliance of ATM/ANS equipment that it has registered;
(v) the Agency’s continuing oversight programme, including all assessment, audit and inspection records;
(vi) a copy of the oversight programme listing the dates when audits are due and when audits were carried out;
(vii) copies of all formal correspondence;
(viii) recommendations for the issue or continuation of a certificate or continuation of the registration of a declaration, details of findings, and actions taken by the organisations to close them, including the date of closure of each item, enforcement actions, and observations;
(ix) any assessment, audit or inspection report;
(x) copies of all organisation handbooks, procedures and processes or manuals and amendments to them;
(xi) copies of any other documents approved by the Agency;
(5) the notification and evaluation of the alternative means of compliance proposed by organisations involved in the design or production of ATM/ANS equipment and the assessment of these alternative means of compliance;
(6) safety information, ATM/ANS equipment directives, and follow-up measures;
(7) the use of flexibility provisions pursuant to Article 76(4) of Regulation (EU) 2018/1139.
(b) The Agency shall maintain a list of all the certificates it has issued and of any declarations it has registered.
(c) All the records referred to in points (a) and (b) shall be stored in a manner that ensures protection against damage, alteration and theft and kept for a minimum period of five years after the approvals and certificates cease to be valid or the declarations are withdrawn, subject to the applicable data protection law.