GM3 IS.D.OR.235 Contracting of information security management activities
ED Decision 2023/009/R
EXAMPLES
The following Table 1 provides some examples of information security management activities that may be contracted in relation to the provisions referred to in point IS.D.OR.200.
Table 1: Examples of information security management activities that may be contracted
| IS.D.OR.200 point related to the activity | Example of contracted activity |
| --- | --- |
| (a)(1): establishes a policy on information security setting out the overall principles of the organisation with regard to the potential impact of information security risks on aviation safety; | Information security policy drafting and consultancy |
| (a)(2): identifies and reviews information security risks in accordance with point IS.D.OR.205; | Identify activities, facilities and resources. Identify interfaces with other organisations which could be exposed to information security risks. Perform risk analysis or part of it, e.g. identify and classify information security risks. |
| (a)(3): defines and implements information security risk treatment measures in accordance with point IS.D.OR.210; | Define, develop and implement measures. Verify the initial and the continued effectiveness of the implemented measures (e.g. red-team/blue-team exercises, penetration testing, vulnerability scanning). Communicate to the involved stakeholders the outcome of the risk assessment and their responsibilities as part of the risk treatment process. |
| (a)(4): implements an information security internal reporting scheme in accordance with point IS.D.OR.215; | Define, develop and implement an internal reporting scheme to enable the collection and evaluation of information security events and vulnerabilities of equipment, processes and services. |
| (a)(5): defines and implements, in accordance with point IS.D.OR.220, the measures required to detect information security events, identifies those events which are considered incidents with a potential impact on aviation safety except as permitted by point IS.D.OR.205(e), and responds to, and recovers from, those information security incidents; | Define, develop and implement measures to detect events. Define, develop and implement measures to respond to any event conditions. Define, develop and implement measures aimed at recovering from information security incidents. |
| (a)(6): implements the measures that have been notified by the competent authority as an immediate reaction to an information security incident or vulnerability with an impact on aviation safety; | Implement immediate reaction measures to an information security incident or vulnerability as notified by the competent authority. |
| (a)(7): takes appropriate action, in accordance with point IS.D.OR.225, to address findings notified by the competent authority; | Identify root cause. Define corrective action plan. Provide evidence of the corrective actions implemented to close the finding. |
| (a)(8): implements an external reporting scheme in accordance with point IS.D.OR.230 in order to enable the competent authority to take appropriate actions; | Define, develop and implement an external reporting scheme to enable the communication of information security incidents and vulnerabilities of equipment, processes and services to the competent authority and, when required, to the design approval holder or the organisation responsible for the design. |
| (a)(9): complies with the requirements contained in point IS.D.OR.235 when contracting any part of the activities described in point IS.D.OR.200 to other organisations; | Not applicable |
| (a)(10): complies with the personnel requirements contained in point IS.D.OR.240; | Activities of the accountable manager / head of design organisation in the frame of the provisions for a ‘common responsible person’ as referred to in IS.D.OR.240. Compliance monitoring as foreseen by IS.D.OR.240. Contracted organisation to ensure that sufficient personnel are on duty to perform the activities related to this Regulation. Define, develop and deliver adequate training to achieve the competencies required by the staff. Perform pre-employment checks. |
| (a)(11): complies with the record-keeping requirements contained in point IS.D.OR.245; | Define, develop and implement secured archiving. Provision of a secure data centre (as a service). Provision of records updates. |
| (a)(12): monitors compliance of the organisation with the requirements of this Regulation and provides feedback on findings to the accountable manager / head of design organisation to ensure effective implementation of corrective actions; | Compliance monitoring (as foreseen by IS.D.OR.240), including the execution of independent audits |
| (a)(13): protects, without prejudice to applicable incident reporting requirements, the confidentiality of any information that the organisation may have received from other organisations, according to its level of sensitivity. | Define, develop and implement solutions to protect the confidentiality of any such information. |
| (b): In order to continuously meet the requirements referred to in Article 1, the organisation shall implement a continuous improvement process in accordance with point IS.D.OR.260. | Execute independent effectiveness and maturity assessments. Define, develop and implement the necessary improvement measures. |
| (c): The organisation shall document, in accordance with point IS.D.OR.250, all key processes, procedures, roles and responsibilities required to comply with point IS.D.OR.200(a), and shall establish a process for amending this documentation. Changes to those processes, procedures, roles and responsibilities shall be managed in accordance with point IS.D.OR.255. | Production of documentation to detail all key processes, procedures, roles and responsibilities required to comply with point IS.D.OR.200(a) (e.g. information security policies, general description of the staff, procedures to specify compliance). Define, develop and implement processes for approving amendments and changes. |
GM1 IS.D.OR.235(a) Contracting of information security management activities
ED Decision 2023/009/R
PRIOR ASSESSMENT
The purpose of the prior assessment is to evaluate suppliers’ competencies, sustainability as well as qualifications in relation to the information security activities to be contracted. This prior assessment may need to be carried out taking into account other legal requirements or procurement procedures that apply to the organisation, and may therefore be carried out in different ways, such as:
(a) in the case of public bids, inclusion of eligibility requirements in the procurement documents for the potential suppliers;
(b) review of the information security certifications granted by external and impartial auditors to the potential suppliers;
(c) review of self-assessment questionnaires compiled by the potential suppliers.
RISK ASSESSMENT ASSOCIATED WITH THE PROVISION OF THE CONTRACTED ACTIVITIES
The risk assessment should take into account the maturity level of the contracted organisation, and should consider the following:
(a)identification and assessment of critical and sensitive information and assets that may be shared with, or provided by, external suppliers;
(b)identification of the information security requirements of the organisation that are applicable to the contracted organisation;
(c)evaluation, by means of a supplier assessment, of the ability of the contracted organisation (both existing and new contracted organisations) to meet the information security requirements of the contracting organisation;
(d)assessment of risks that may be introduced by the contracted organisation.
This agreed risk assessment should also consider the roles and responsibilities of the contracting and contracted organisation as well as their interfaces.
AMC1 IS.D.OR.235(a) Contracting of information security management activities
ED Decision 2023/009/R
(a) OVERSIGHT OF THE CONTRACTED ORGANISATION
In order to exercise oversight of the contracted organisation, the organisation under Part-IS should have:
(1) a process to ensure compliance with the provisions regarding contracted activities contained in this Regulation;
(2) a structured process to follow the expected execution of the contract that includes:
(i) definition and agreement of the scope of the activities;
(ii) definition of the roles and responsibilities of the parties (i.e. contracting and contracted organisation);
(iii) definition and review of key performance indicators;
(iv) reaction to deviations from contractual obligations;
(v) performance of compliance audits, according to the predefined scope and objectives, with the aim of evaluating operational and associated assurance activities;
(vi) provision of feedback on the result of the compliance audits both within the organisation and to the contracted organisation, and response to findings. The feedback on the outcome of the compliance audits within the contracting organisation should reach the accountable manager or, in the case of design organisations, the head of the design organisation, or delegated person(s), to ensure proper monitoring of the response to findings (i.e. implementation of corrective actions) or, if deemed necessary, termination of the contract.
Note: The right of the organisation to conduct compliance audits of the contracted organisation should be included in the contract between the parties.
(b) MANAGEMENT OF THE RISKS ASSOCIATED WITH THE CONTRACTED ACTIVITIES
In order to properly manage the risks associated with the contracted activities, the organisation should meet the following criteria:
(1) A prior assessment of the suppliers is conducted before outsourcing any information security management activities. The assessment should evaluate suppliers’ competencies, sustainability as well as qualifications in relation to the activities to be contracted.
(2) There is an assessment of the risks associated with the provision of the contracted activities that has been agreed between the organisation under Part-IS and the contracted organisation.
(3) The organisation establishes and maintains appropriate information security communication channels with the contracted organisation.
GM2 IS.D.OR.235(a) Contracting of information security management activities
ED Decision 2023/009/R
AUDIT OF CONTRACTED ORGANISATIONS
The following aspects should be considered by the organisation when auditing a supplier contracted to perform information security management activities:
—the scope of the audit as well as the objective should be limited to processes, resources (i.e. contracted organisation personnel, systems/equipment, networks) and data used for the execution of Part-IS contracted activities;
—compliance and/or implementation audits should be done at the contracting organisation’s discretion;
—findings identified during an audit should be addressed through a remediation plan with a time frame to be validated by the contracting organisation.
AMC1 IS.D.OR.235(b) Contracting of information security management activities
ED Decision 2023/009/R
In order to ensure access by the competent authority to the contracted organisation upon request, the organisation under Part-IS should ensure that such a requirement or clause is included in the contractual documentation.
The competent authority’s access to the contracted organisations should be at least equivalent to that granted to the contracting organisation and, in any case, sufficient to ensure the assessment of continued compliance of the contracted activities with the applicable requirements.
GM1 IS.D.OR.235(b) Contracting of information security management activities
ED Decision 2023/009/R
Access to the contracted organisation means to have visibility of evidence for compliance of the contracted activities (such as artefacts, documents, independent certifications).
Evidence of compliance could be achieved either by transfer of documents and/or access to information at the premises in accordance with the ‘audit scope’ as defined in the contract.
In those cases where the organisation would use commercial off-the-shelf services with standard contractual clauses as part of the contracted information security management activities, the organisation should consider whether these clauses provide sufficient access to the required information.
The opportunity to visit the premises should be evaluated considering different aspects such as the sensitivity of the related information or the practical accessibility to the contracted organisation (e.g. the contracted organisation is a service provider with distributed resources).
IS.D.OR.240 Personnel requirements
Regulation (EU) 2022/1645
(a) The accountable manager of the organisation or, in the case of design organisations, the head of the design organisation, designated in accordance with Regulation (EU) No 748/2012 and Regulation (EU) No 139/2014 as referred to in points 1(a) and (b) of Article 2 of this Regulation, shall have corporate authority to ensure that all activities required by this Regulation can be financed and carried out. That person shall:
(1) ensure that all necessary resources are available to comply with the requirements of this Regulation;
(2) establish and promote the information security policy referred to in point IS.D.OR.200(a)(1);
(3) demonstrate a basic understanding of this Regulation.
(b) The accountable manager or, in the case of design organisations, the head of the design organisation, shall appoint a person or group of persons to ensure that the organisation is in compliance with the requirements of this Regulation, and shall define the extent of their authority. That person or group of persons shall report directly to the accountable manager or, in the case of design organisations, to the head of the design organisation, and shall have the appropriate knowledge, background and experience to discharge their responsibilities. It shall be determined in the procedures who deputises for a particular person in the case of lengthy absence of that person.
(c) The accountable manager or, in the case of design organisations, the head of the design organisation shall appoint a person or group of persons with the responsibility to manage the compliance monitoring function referred to in point IS.D.OR.200(a)(12).
(d) Where the organisation shares information security organisational structures, policies, processes and procedures with other organisations or with areas of its own organisation which are not part of the approval or declaration, the accountable manager or, in the case of design organisations, the head of the design organisation, may delegate its activities to a common responsible person.
In such a case, coordination measures shall be established between the accountable manager of the organisation or, in the case of design organisations, the head of the design organisation, and the common responsible person to ensure adequate integration of the information security management within the organisation.
(e) The accountable manager or the head of the design organisation, or the common responsible person referred to in point (d), shall have corporate authority to establish and maintain the organisational structures, policies, processes and procedures necessary to implement point IS.D.OR.200.
(f) The organisation shall have a process in place to ensure that it has sufficient personnel on duty to carry out the activities covered by this Annex.
(g) The organisation shall have a process in place to ensure that the personnel referred to in point (f) have the necessary competence to perform their tasks.
(h) The organisation shall have a process in place to ensure that personnel acknowledge the responsibilities associated with the assigned roles and tasks.
(i) The organisation shall ensure that the identity and trustworthiness of the personnel who have access to information systems and data subject to the requirements of this Regulation are appropriately established.
GM1 IS.D.OR.240 Personnel requirements
ED Decision 2023/009/R
The objectives of the requirements contained in points (a) through (e) are:
(a) to ensure that an effective organisational structure is in place in order to comply with the requirements of this Regulation;
(b) to provide trust to other organisations with whom they share risks.
AMC1 IS.D.OR.240(a)(2) Personnel requirements
ED Decision 2023/009/R
PROMOTION OF INFORMATION SECURITY POLICY
The accountable manager or, in the case of design organisations, the head of the design organisation should make sure that the information security policy is known and easily accessible to staff members as appropriate to their duties.
AMC1 IS.D.OR.240(a)(3) Personnel requirements
ED Decision 2023/009/R
BASIC UNDERSTANDING OF THE REGULATION
In order to demonstrate a basic understanding of this Regulation, the accountable manager of the organisation or, in the case of design organisations, the head of the design organisation should have the ability to explain the overarching objectives of the Regulation and its implications for the organisation.
GM1 IS.D.OR.240(a)(3) Personnel requirements
ED Decision 2023/009/R
BASIC UNDERSTANDING OF THE REGULATION
In the event that the accountable manager or, in the case of design organisations, the head of the design organisation has no previous experience in the areas of activity pertinent to Part-IS, he or she may gain the necessary understanding by attending a training covering the content of the Regulation and the technical basis for compliance. In particular, the training material should cover the overarching objectives of Part-IS, and the assessment should evaluate the understanding of these regulatory objectives.
AMC1 IS.D.OR.240(b) Personnel requirements
ED Decision 2023/009/R
APPOINTMENT OF A PERSON OR GROUP OF PERSONS
The person or group of persons appointed under point IS.D.OR.240(b) with the responsibility to ensure compliance with the requirements of this Regulation should represent the management structure of the organisation.
The person or group of persons has direct access to the accountable manager or, in the case of design organisations, to the head of the design organisation (or the common responsible person, if appointed) to provide guidance, direction and support for the planning, implementation and operation of the process and standards to comply with the Regulation. They should have direct access to keep the accountable manager or, in the case of design organisations, the head of the design organisation (or the common responsible person) properly informed on compliance and information security matters (for instance, through meetings organised on a regular basis).
Appointments should take into account the possibility that a person may not be able to carry out the organisational tasks assigned to them for a period of time, and thus also identify the necessary deputies.
These appointed persons should demonstrate a complete understanding of the requirements of this Regulation, to be able to ensure that the organisation’s processes and standards accurately reflect the applicable requirements. It is their role to ensure that compliance is proactively managed, and that any early warning signs of non-compliance are documented and acted upon.
A description of the functions and the responsibilities of the appointed persons and deputies, including their names, should be contained in the ISMM (see point IS.D.OR.250(a)(2)).
GM1 IS.D.OR.240(b) Personnel requirements
ED Decision 2023/009/R
A condition of a lengthy absence of an appointed person occurs when that person is unable to perform the assigned organisational duties. For example, if an information security management activity is required to be carried out by appointed persons at a specified interval, an absence is considered lengthy when it exceeds this interval and therefore a vulnerability in the management activity may arise.
GM1 IS.D.OR.240(b)&(c) Personnel requirements
ED Decision 2023/009/R
Appointments may be made by email, organisational chart, roles & responsibilities table, etc., as usually in use by the organisation. The organisation may adopt any titles for the foregoing information security management positions, but it should identify to the competent authority the titles and the persons chosen to carry out these functions.
GM1 IS.D.OR.240(c) Personnel requirements
ED Decision 2023/009/R
COMPLIANCE MONITORING FUNCTION
The person appointed under point IS.D.OR.240(c) with the responsibility to manage the compliance monitoring function required under point IS.D.OR.200(a)(12) may be the same person as, or report to, the person responsible for the compliance monitoring function required under the implementing regulation for the domain.
AMC1 IS.D.OR.240(d) Personnel requirements
ED Decision 2023/009/R
COORDINATION
The criteria to establish coordination that ensures adequate integration of the information security management within the organisation are the following:
(a) the scope and boundaries of the organisations have been established and communicated to the common responsible person;
(b) the requirements of this Regulation have been communicated to and shared with the common responsible person;
(c) the common responsible person has direct access to the accountable manager or, in the case of design organisations, to the head of the design organisation;
(d) issues are proactively managed and any early warning signs of non-compliance are documented and acted upon.
GM1 IS.D.OR.240(e) Personnel requirements
ED Decision 2023/009/R
COMMON RESPONSIBLE PERSON
If a common responsible person (CRP) is delegated by the accountable manager or, in the case of design organisations, by the head of the design organisation for the activities under this Regulation, this person should also be given the appropriate delegation that is necessary to implement the provisions of IS.D.OR.200, including the authority and the financial means to mobilise and control the resources across the organisations, or parts of the organisation involved. This delegation may also include the appointment of the person or group of persons referred to in IS.D.OR.240(b) and (c) and, in general, the CRP may be assisted in the performance of his or her duties by additional personnel.
The possibility of delegating a CRP applies to an organisation that shares information security organisational structures, policies, processes and procedures with other organisations or with parts of its own organisation that are not part of the authorisation or declaration, and therefore this CRP is expected to have information security responsibilities and competencies. In particular, the CRP should be capable of managing the organisation’s information security strategy and its implementation to ensure the achievement of the objectives described in Article 1. According to the European Cybersecurity Skills Framework (ECSF) published by ENISA in September 2022, this person may be described, for instance, as (Chief) Information Security Officer, Cybersecurity Programme Director or Information Security Manager. However, it should be noted that these descriptions and the related skills do not consider the aviation safety perspective that is required in Article 1.
Where an entity holds multiple authorisations or declarations, the relevant accountable managers or, in the case of design organisations, the relevant heads of the design organisations may delegate to the same CRP, who will therefore be responsible for implementing the provisions of IS.D.OR.200 for a functional cluster sharing information security structures, policies, processes and procedures.
AMC1 IS.D.OR.240(f) Personnel requirements
ED Decision 2023/009/R
SUFFICIENT PERSONNEL
To determine the sufficiency of the personnel, the following elements should be taken into consideration:
(a) the organisational structures, policies, processes and procedures subject to information security management;
(b) the amount of coordination required with other organisations, contractors and suppliers;
(c) the level of risk associated with the activities performed by the organisation.
GM1 IS.D.OR.240(f) Personnel requirements
ED Decision 2023/009/R
SUFFICIENT PERSONNEL
For the purpose of this Regulation, personnel refers to the combination of the personnel directly employed by the organisation, as well as the personnel contracted as specified in IS.D.OR.235.
The activities reported in Appendix II, on the main tasks stemming from the implementation of Part-IS, should be considered when establishing the organisational structure necessary to comply with the requirements of this Regulation.
AMC1 IS.D.OR.240(g) Personnel requirements
ED Decision 2023/009/R
NECESSARY COMPETENCE
(a) To determine the competence needed by the personnel performing the activities, the following elements should be taken into consideration:
(1) work roles and the associated tasks;
(2) required knowledge, skills and abilities.
(b) As part of the process to ensure that personnel maintain the necessary competence, the organisation should:
(1) assess the personnel qualifications and experience with respect to the competence required for the assigned work roles to identify gaps;
(2) align the personnel qualifications and experience with the competence expected to fulfil their roles by organising adequate learning programmes for existing members of personnel, by recruiting new resources, or by a combination thereof;
(3) maintain the personnel competence during the time they are assigned to the work role.
GM1 IS.D.OR.240(g) Personnel requirements
ED Decision 2025/014/R
NECESSARY COMPETENCE AND TRAINING PROGRAMME
A training programme should start with the identification of the competence required by the personnel for each role, followed by the identification of the gaps between the existing competence and the required one.
In order to develop the list of competencies, an organisation may use, as initial guidance, an existing cybersecurity competence framework such as the European e-Competence Framework (e-CF), the NICE Workforce Framework for Cybersecurity (National Initiative for Cybersecurity Education) or the NIST Cybersecurity Framework (NIST CSF).
In Appendix II, the main tasks of this Regulation are listed and mapped to the competences derived from the EU e-CF or, for ease of mapping, to the functions and categories of the NIST CSF. This mapping may be used to establish a baseline to identify the aforementioned competence gaps. However, it should be noted that existing cybersecurity/information security competence frameworks typically focus primarily on the protection of standard information technologies; therefore, the proposed list of competencies may need to be adapted to the technologies used in the organisation or integrated with its processes.
The bridging of the identified gaps should be seen as the objective of the training programme, which should further include the scope, content, methods of delivery (e.g. classroom training, e-learning, notifications, on-the-job training) and frequency of training that best meet the organisation’s needs considering the size, scope, required competencies, and complexity of the organisation.
Finally, as information security/cybersecurity evolves due to the rise of new threats, the organisation should periodically review the adequacy of the training programme.
ROLE-BASED COMPETENCE FRAMEWORK
Although under this Regulation there are no provisions for specific roles, besides the optional nomination of a CRP, for organisations characterised by a large number of staff members and hierarchical layers it may be convenient to identify some roles and the related required competencies. To this end, EASA has developed an adaptation of the European Cybersecurity Skills Framework (ECSF) published by ENISA in September 2022 that can be found in Appendix VI.
AMC1 IS.D.OR.240(h) Personnel requirements
ED Decision 2023/009/R
ACKNOWLEDGEMENT OF RESPONSIBILITIES
Regarding any assigned role and task, the organisation should specify all information security responsibilities an employee has in a clear and transparent manner.
As part of this, all personnel performing the activities required under this Regulation should acknowledge, in a traceable and verifiable manner, understanding of the assigned roles and the associated information security responsibilities.
GM1 IS.D.OR.240(h) Personnel requirements
ED Decision 2023/009/R
ACKNOWLEDGEMENT OF RESPONSIBILITIES
Acknowledgement of receipt such as a valid electronic or wet signature, confirmation email, etc., is a traceable proof of acknowledgement.
AMC1 IS.D.OR.240(i) Personnel requirements
ED Decision 2023/009/R
IDENTITY AND TRUSTWORTHINESS
For the personnel who have access to information systems and data subject to the requirements of Part-IS, the identity should be determined on the basis of documentary evidence.
To establish the trustworthiness of such personnel, the organisation should have a documented process and appropriate criteria to ensure that individuals can be trusted to perform their role.
GM1 IS.D.OR.240(i) Personnel requirements
ED Decision 2023/009/R
IDENTITY AND TRUSTWORTHINESS
(a) Trustworthiness may be established, for example, by:
(1) prior to employment, a background check carried out in accordance with the applicable rules of Union and national law. This check may include verification of:
(i) education, previous employment and any gaps in the previous years;
(ii) absence of criminal record;
(iii) any other information or intelligence considered relevant to the suitability of a person to work in the expected role;
(2) during employment, monitoring the employee’s commitment and conduct.
Note: The absence of criminal record may be verified by means of a certificate issued by the responsible authority in the Member State in accordance with Regulation (EU) 2016/1191. In the case of prospective foreign employees, the above checks may be carried out on the basis of equivalent certificates issued by the country of origin, such as a ‘certificate of good conduct’.
(b) Furthermore, the process and criteria to establish personnel’s trustworthiness may have to consider whether:
(1) the information systems and data to be accessed have been associated with a high severity of safety consequences in the risk assessment process under IS.D.OR.205;
(2) controls or mitigating measures for risk treatment identified during the risk analysis rely on organisational/operational procedures — for instance, correct configuration and administration of information technologies, database operations, information security monitoring, etc.
In such cases, the personnel who have administrator rights or unsupervised and unlimited access to the systems and data mentioned in point (b)(1), or the personnel who apply the measures under point (b)(2), may be subject to more stringent criteria.
(c) Intelligence and any other relevant information may be gathered by screening and analysing public sources such as social media and websites, within the limits set by relevant national laws and regulations.
(d) Some organisations subject to Part-IS may also be subject to Regulation (EU) 2015/1998, which requires successful completion of background checks for personnel in certain roles, as well as a mechanism for the ongoing review of these checks. In such cases the organisation may consider the process and the relevant criteria defined in Regulation (EU) 2015/1998 for standard and enhanced background checks suitable for the establishment of the personnel’s identity and trustworthiness required under Part-IS, in relation to their role. However, it should be noted that compliance with the provisions for the establishment of identity and trustworthiness under Part-IS does not constitute compliance with the provisions on background checks as defined in Regulation (EU) 2015/1998.
IS.D.OR.245 Record-keeping
Regulation (EU) 2022/1645
(a)The organisation shall keep records of its information security management activities
(1)The organisation shall ensure that the following records are archived and traceable:
(i)any approval received and any associated information security risk assessment in accordance with point IS.D.OR.200(e);
(ii)contracts for activities referred to in point IS.D.OR.200(a)(9);
(iii)records of the key processes referred to in point IS.D.OR.200(d);
(iv)records of the risks identified in the risk assessment referred to in point IS.D.OR.205 along with the associated risk treatment measures referred to in point IS.D.OR.210;
(v)records of information security incidents and vulnerabilities reported in accordance with the reporting schemes referred to in points IS.D.OR.215 and IS.D.OR.230;
(vi)records of those information security events which may need to be reassessed to reveal undetected information security incidents or vulnerabilities.
(2)The records referred to in point (1)(i) shall be retained at least until 5 years after the approval has lost its validity.
(3)The records referred to in point (1)(ii) shall be retained at least until 5 years after the contract has been amended or terminated.
(4)The records referred to in point (1)(iii), (iv) and (v) shall be retained at least for a period of 5 years.
(5)The records referred to in point (1)(vi) shall be retained until those information security events have been reassessed in accordance with a periodicity defined in a procedure established by the organisation.
(b)The organisation shall keep records of the qualification and experience of its own staff involved in information security management activities.
(1)The personnel’s qualification and experience records shall be retained for as long as the person works for the organisation, and for at least 3 years after the person has left the organisation.
(2)Members of the staff shall, upon their request, be given access to their individual records. In addition, upon their request, the organisation shall provide them with a copy of their individual records on leaving the organisation.
(c)The format of the records shall be specified in the organisation’s procedures.
(d)Records shall be stored in a manner that ensures protection from damage, alteration and theft, with information being identified, when required, according to its security classification level. The organisation shall ensure that the records are stored using means to ensure integrity, authenticity and authorised access.
GM1 IS.D.OR.245 Record-keeping
ED Decision 2023/009/R
Records are required to document results achieved or to provide evidence of activities performed. Records become factual when recorded and cannot be modified. Therefore, they are not subject to version control. Even when a new record is produced covering the same issue, the previous record remains valid.
The ‘approval received’ referred to in point (a)(1)(i) includes any ‘certificate’ received by the organisation when it is provided for by the implementing rule for its domain.
AMC1 IS.D.OR.245(a)(1)(vi)&(a)(5) Record-keeping
ED Decision 2023/009/R
When complying with the requirements under points (a)(1)(vi) and (a)(5), the organisation should establish a data retention policy defining procedures to:
(a)manage relevant security data files;
(b)establish the periodical assessment of their content; and
(c)define the criteria to allow deletion of records of information security events when the objective of the requirement under (a)(5) has been met.
GM1 IS.D.OR.245(a)(1)(vi)&(a)(5) Record-keeping
ED Decision 2023/009/R
The objective of the requirement under (a)(1)(vi) is to ensure the detection of possible indications of information security incidents or vulnerabilities which are not obvious during normal operation (e.g. previously unknown situations), while the objective of the requirement under (a)(5) is to allow the necessary flexibility to control the volume of stored information security events.
Records of information security events include those events identified to be within the scope of the detection activities under IS.D.OR.220(a), as well as other information security data produced by assets that have been identified under IS.D.OR.205.
A data retention policy clarifies what information should be stored or archived and for how long. Some guidance about data retention can be found in EUROCAE ED-206, Chapter 2.6.
Once a data set completes its retention period, it can be deleted or moved as permanent historical data to a secondary or tertiary storage.
AMC1 IS.D.OR.245(c)&(d) Record-keeping
ED Decision 2023/009/R
When complying with the requirements under points (c) and (d) for all the records required by points IS.D.OR.245 (a) and (b), the organisation should consider the following:
(a)Records should be kept in paper form or in electronic format or a combination of both media. The records should remain accessible whenever needed within a reasonable time and usable throughout the required retention period. The retention period starts when the record has been created.
(b)The integrity, availability and authenticity of records data should be protected consistently with the protection of the corresponding operational data, and as such should be within the scope of the ISMS.
(c)Storage systems should be protected against unauthorised access (e.g. attempts to leak personal data or to modify records) and should therefore have information security measures implemented consistently with the level of information security risk associated with them.
(d)Once records are not required to be retained anymore, the destruction of records and decommissioning of assets used for their storage should be implemented appropriately.
GM1 IS.D.OR.245(c)&(d) Record-keeping
ED Decision 2023/009/R
RECORDS ACCESSIBILITY THROUGHOUT THE RETENTION PERIOD
It is recommended to follow best practices for data retention and, for data that may need to be restored, backup strategies, such as the use of automated backup tools, segregation or geographic separation of backup storage location(s), and to consider offline backups to prevent ransomware risks. These practices should be considered also when record-keeping is contracted to service providers with distributed resources.
Special attention should be paid to significant hardware and software changes, ensuring that stored digital records remain accessible and readable (e.g. file system, application file format, forward-compatible database versions, etc.). Paper-based information needs to be archived in an adequate environment, in which records are protected against degradation factors (e.g. excessive heat, light or humidity).
RECORDS DATA INTEGRITY AND PROTECTION FROM UNAUTHORISED ACCESS
A commonly used method to achieve authenticity and integrity protection is the use of digital signatures at document level. Digital signatures can be added to the document’s file (e.g. PDF) to ensure that a record has not been modified by someone other than its author (integrity) and that the author is who they are expected to be (authenticity).
Moreover, to prevent unauthorised access, records can be protected for example by implementing a role-based access control (RBAC) approach, or certain records can be password protected at the file level. Commercial applications feature built-in basic password protection functions for their file formats. Access protection can also be achieved by protecting the environment where the individual records are stored (e.g. access protection on databases, file shares, directories, etc.).
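The following Go program is an added illustration of the document-level integrity and authenticity protection described above; it is not part of the EASA text and does not represent any particular product. It assumes a small record envelope (the `Record` struct and its field names are an assumption for this example) that binds the record’s metadata and a SHA-256 hash of the archived file to an Ed25519 signature, so that a change to either the file bytes or the metadata (author, classification, creation date) is detected at verification time. Sample content is constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Record is the metadata archived with a stored file. The field set is an
// assumption for this example; Part-IS does not prescribe a record format.
type Record struct {
	ID             string    `json:"id"`
	Category       string    `json:"category"`       // e.g. "IS.D.OR.245(a)(1)(iv) risk register"
	Classification string    `json:"classification"` // security classification level (IS.D.OR.245(d))
	Author         string    `json:"author"`
	Created        time.Time `json:"created"`        // retention period starts here (AMC1 IS.D.OR.245(c)&(d)(a))
	ContentSHA256  string    `json:"content_sha256"` // hash of the archived file bytes (e.g. a PDF)
}

// SignedRecord carries the record and a signature over its canonical encoding.
type SignedRecord struct {
	Record    Record `json:"record"`
	Signature []byte `json:"signature"`
}

// canonical produces the bytes that are signed. encoding/json emits struct
// fields in declaration order and time.Time in RFC 3339, so the encoding is
// deterministic for a given Record value.
func canonical(r Record) ([]byte, error) {
	return json.Marshal(r)
}

// NewRecord builds the metadata for a file, computing its content hash.
func NewRecord(id, category, classification, author string, created time.Time, content []byte) Record {
	sum := sha256.Sum256(content)
	return Record{
		ID: id, Category: category, Classification: classification,
		Author: author, Created: created, ContentSHA256: hex.EncodeToString(sum[:]),
	}
}

// Sign signs the canonical record with the author's private key.
func Sign(priv ed25519.PrivateKey, r Record) (SignedRecord, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify returns true only if the signature is valid for the metadata under
// pub (authenticity, and integrity of the metadata) and the stored file bytes
// still hash to the value that was signed (integrity of the content).
func Verify(pub ed25519.PublicKey, sr SignedRecord, content []byte) (bool, error) {
	msg, err := canonical(sr.Record)
	if err != nil {
		return false, err
	}
	if !ed25519.Verify(pub, msg, sr.Signature) {
		return false, nil // metadata or signature altered, or signed by a different key
	}
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:]) == sr.Record.ContentSHA256, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	content := []byte("constructed sample: risk register, issue 1")
	rec := NewRecord("REC-0001", "risk register", "internal", "ISM", time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC), content)
	sr, _ := Sign(priv, rec)

	ok, _ := Verify(pub, sr, content)
	fmt.Println("original record verifies:", ok)

	ok, _ = Verify(pub, sr, []byte("constructed sample: risk register, issue 1 (edited)"))
	fmt.Println("edited file verifies:", ok)

	altered := sr
	altered.Record.Author = "someone else"
	ok, _ = Verify(pub, altered, content)
	fmt.Println("altered author verifies:", ok)
}
```

Because a record becomes factual once recorded (GM1 IS.D.OR.245), a corrected version is issued as a new record with its own identifier and signature rather than by re-signing the old envelope; the earlier signed record remains valid and is kept. Which public keys are trusted for which authors is an organisational decision outside this example.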
IS.D.OR.250 Information security management manual (ISMM)
Regulation (EU) 2025/22
(a)The organisation shall make available to the competent authority an information security management manual (ISMM) and, where applicable, any referenced associated manuals and procedures, containing:
(1)a statement signed by the accountable manager or, in the case of design organisations, by the head of the design organisation, confirming that the organisation will at all times work in accordance with this Annex and with the ISMM. If the accountable manager or, in the case of design organisations, the head of the design organisation, is not the chief executive officer (CEO) of the organisation, then such CEO shall countersign the statement;
(2)the title(s), name(s), duties, accountabilities, responsibilities and authorities of the person or persons referred to in point IS.D.OR.240(b) and (c);
(3)the title, name, duties, accountabilities, responsibilities and authorities of the common responsible person referred to in point IS.D.OR.240(d), if applicable;
(4)the information security policy of the organisation as referred to in point IS.D.OR.200(a)(1);
(5)a general description of the number and categories of staff and of the system in place to plan the availability of staff as required by point IS.D.OR.240;
(6)the title(s), name(s), duties, accountabilities, responsibilities and authorities of the key persons responsible for the implementation of point IS.D.OR.200, including the person or persons responsible for the compliance monitoring function referred to in point IS.D.OR.200(a)(12);
(7)an organisation chart showing the associated chains of accountability and responsibility for the persons referred to in points (2) and (6);
(8)the description of the internal reporting scheme referred to in point IS.D.OR.215;
(9)the procedures that specify how the organisation ensures compliance with this Part, and in particular:
(i)the documentation referred to in point IS.D.OR.200(c);
(ii)the procedures that define how the organisation controls any contracted activities referred to in point IS.D.OR.200(a)(9);
(iii)the ISMM amendment procedure defined in point (c);
(10)the details of currently approved alternative means of compliance.
(b)The initial issue of the ISMM shall be approved and a copy shall be retained by the competent authority. An approval shall not be required for declaring organisations. The ISMM shall be amended as necessary to remain an up-to-date description of the ISMS of the organisation. A copy of any amendments to the ISMM shall be provided to the competent authority.
(c)Amendments to the ISMM shall be managed in a procedure established by the organisation. Any amendments that are not included within the scope of this procedure and any amendments related to the changes referred to in point IS.D.OR.255(b), shall be approved by the competent authority. An approval shall not be required for declaring organisations.
(d)The organisation may integrate the ISMM with other management expositions or manuals it holds, provided there is a clear cross reference that indicates which portions of the management exposition or manual correspond to the different requirements contained in this Annex.
GM1 IS.D.OR.250(a) Information security management manual (ISMM)
ED Decision 2023/009/R
The organisation may choose to document some of the information required under point IS.D.OR.250(a) in separate documents (e.g. procedures). In this case, it should ensure that the manual contains adequate references to any document kept separately. Any such documents are then to be considered an integral part of the organisation’s information security management system manual.
In the event where an entity holds multiple authorisations or declarations, the ISMM may apply to one or more organisations at a time based on a common ISMS. This ISMM should include at least an approval document of each organisation and should formally be approved by each organisation’s accountable manager or, in the case of design organisations, by each head of the design organisations or responsible person. A common responsible person may be appointed as per IS.D.OR.240(d) and the guidelines of GM1 IS.D.OR.240(e).
To ensure that all parties involved can fulfil their responsibilities, all manuals, procedures, and communication between them are advised to be, at least, in one common language, e.g. English. Those parties involved include the competent authorities with which that common language should be agreed upon.
IS.D.OR.255 Changes to the information security management system
Regulation (EU) 2025/22
(a)Changes to the ISMS may be managed and notified to the competent authority in a procedure developed by the organisation. This procedure shall be approved by the competent authority, except for declaring organisations.
(b)With regard to changes to the ISMS not covered by the procedure referred to in point (a), the organisation shall apply for and obtain an approval issued by the competent authority, except for declaring organisations, for which an approval is not required.
With regard to these changes:
(1)the application shall be submitted before any such change takes place, in order to enable the competent authority to determine continued compliance with this Regulation and to amend, if necessary, the organisation certificate and related terms of approval attached to it;
(2)the organisation shall make available to the competent authority any information it requests to evaluate the change;
(3)the change shall be implemented only upon receipt of a formal approval by the competent authority, except for declaring organisations, which may implement the change immediately;
(4)the organisation shall operate under the conditions prescribed by the competent authority during the implementation of such changes.
AMC1 IS.D.OR.255 Changes to the information security management system
ED Decision 2023/009/R
Without prejudice to the communication of changes as required for each organisation in the corresponding implementing regulation for the domain as listed in Article 2(1) of Regulation (EU) 2022/1645, the procedure referred to in IS.D.OR.255(a) should take into account the criticality of the changes when proposing how they will be managed. In particular, those changes that could have an impact on the achievement or maintenance of compliance with the provisions under Part-IS, or which could lead to an unacceptable level of risk (e.g. as per the guidance provided in GM1 IS.D.OR.205(c)), should be subjected to scrutiny. Upon establishment of this procedure, any further changes to it should be subject to approval by the competent authority.
Where prior approval is sought from the competent authority for a change not covered by an approved procedure, or where no such approved procedure exists, the organisation should provide at least the following information:
—the nature and purpose of the change;
—the implementation plan of the change;
—the verification plan of the change;
—the potential impact on aviation safety introduced by the change.
A significant deviation from the original implementation plan during the change process is an event that should be reported to the competent authority as this deviation may require reconsidering the change impact.
GM1 IS.D.OR.255 Changes to the information security management system
ED Decision 2023/009/R
Point IS.D.OR.255 is structured as follows:
Point (a) introduces the possibility for the organisation to agree with the competent authority that changes to the ISMS can be implemented without prior approval as long as these changes are covered in a change procedure.
Point (b) introduces an obligation of prior approval (by the competent authority) for changes not covered by the procedure mentioned above, and indicates how those changes should be handled.
The organisation should consider the establishment of a procedure in order to manage and notify changes to the competent authority as provided for under IS.D.OR.255(a). In case of lack of any approved procedure, the organisation will have, for any change, to apply for and obtain an approval as required under IS.D.OR.255(b). In any case, all changes should be notified to the competent authority upon implementation.
GM2 IS.D.OR.255 Changes to the information security management system
ED Decision 2023/009/R
RELATION BETWEEN CHANGES TO THE ISMS AND CONTINUOUS IMPROVEMENT
Changes stemming from the continuous improvement process established by the organisation (see IS.D.OR.260) should be handled as any other change according to the guidelines in AMC1 IS.D.OR.255 and GM1 IS.D.OR.255.
EXAMPLE OF CHANGES THAT MAY HAVE AN IMPACT ON THE ISMS
Below are some examples of changes that may have an impact on the ISMS, or which could lead to an unacceptable level of risk and therefore should be subject to scrutiny by the competent authority according to the provisions established under IS.D.OR.255:
(a)Changes to the scope of the ISMS, interfaces or related policies:
—The organisation expands its business functions, and integrates another company within its organisational structure.
—The organisation has identified non-conformities indicating an incorrect scope.
—The organisation amends its information security policy and/or information security objectives with a potential impact on aviation safety.
—Changes to the interfaces of the organisation resulting e.g. from modification in the insourced or outsourced activities.
(b)Changes in responsibilities and accountability as well as in the organisational structure involving the implementation and continuing monitoring of compliance with this Regulation:
—The accountable manager has delegated certain responsibilities under Part-IS to a person or a group of persons.
—The organisation contracts information security management activities as per IS.D.OR.235.
(c)Changes to the methodology used for risk management:
—The organisation changes the classification for likelihood or impact in their risk management methodology e.g. to obtain more granularity.
—The organisation implements changes to their risk treatment methodology.
—The organisation integrates its information security risk management into existing management systems.
(d)Changes to the security event management process:
—The organisation decides to contract security event management activities.
—The organisation changes the process to notify security events and the criteria to escalate to higher management for a quicker resolution.
—The organisation changes its policy for mitigating vulnerabilities.
—The organisation changes its incident recovery procedure.
EXAMPLE OF CHANGES THAT DO NOT HAVE AN IMPACT ON THE ISMS
Not all operational changes related to information security have an impact on the ISMS, therefore not all changes are required to be reported to the competent authority, following the provisions established under IS.D.OR.255. The following scenarios may be representative of such changes:
—After a successfully detected security event which could have easily evolved to an incident, the organisation decides to roll out an extensive cyber security awareness campaign for all employees.
—Update in the staff training programme and/or training content as a result of the continuous improvement processes established within the organisation.
—The organisation replaces the software tool that it uses for encrypting sensitive files with another software solution.
—The organisation has decided to make an internal restructuring for business reasons, changing the names of departments or sections, without making any changes in the responsibilities and accountability (e.g. accountable manager) involving the ISMS of the organisation.
—The organisation decides to update an existing preventive control e.g. configuring a new firewall in its internal network.
IS.D.OR.260 Continuous improvement
Regulation (EU) 2022/1645
(a)The organisation shall assess, using adequate performance indicators, the effectiveness and maturity of the ISMS. That assessment shall be carried out on a calendar basis predefined by the organisation or following an information security incident.
(b)If deficiencies are found following the assessment carried out in accordance with point (a), the organisation shall take the necessary improvement measures to ensure that the ISMS continues to comply with the applicable requirements and maintains the information security risks at an acceptable level. In addition, the organisation shall reassess those elements of the ISMS affected by the adopted measures.
AMC1 IS.D.OR.260 Continuous improvement
ED Decision 2023/009/R
The continuous improvement process (CIP), as required by IS.D.OR.200(b), should aim to continuously improve the effectiveness, suitability and adequacy of the ISMS. This should be achieved by a proactive and systematic assessment of the ISMS and all its elements — including its maturity. The assessment should take into account the outcomes and conclusions of other information security and assurance processes including audits, management reviews, evaluation of performance, effectiveness and maturity, as well as the outcomes of the derived corrective actions and corrections.
The steps to be performed should be at least the following:
(a)Identification of improvement opportunities based on the outcomes of the assessment of the ISMS with respect to its suitability, effectiveness, adequacy and, if deemed necessary, efficiency, as well as on any other suggestion for improvement. The assessment should consider performance indicators which reflect its processes and elements and the defined objectives for effectiveness and maturity.
(b)Evaluation of the identified opportunities regarding cost benefit, absence or reduction of undesired effects and achievement of the targeted objectives and intended outcomes.
(c)Proposal of the evaluated improvement opportunities to the management, and recommendation of actions to support their review and decision-making.
(d)According to the decision taken under point (c), planning, development and implementation of actions and changes to the ISMS, its processes or elements to achieve the improvements.
(e)Evaluation of the effectiveness of the implemented actions and ISMS changes, and, as applicable, verification that the root cause of identified deficiencies has been eliminated.
The management should assess and review the outcomes of the CIP at planned intervals to ensure the continuing effectiveness, adequacy and suitability of the ISMS, to decide on the prioritisation of the implementation of actions and changes, as well as to revise or set new objectives or targets for continuous improvement.
GM1 IS.D.OR.260 Continuous improvement
ED Decision 2025/014/R
Point IS.D.OR.260 covers assurance processes for the ISMS in a manner that can be considered equivalent to the safety assurance in ICAO Doc 9859 ‘Safety Management Manual (SMM)’, which includes performance monitoring and measurement, management of change and continuous improvement of the SMS.
In this Regulation:
—IS.D.OR.260(a) addresses, using adequate performance indicators, the effectiveness and maturity assessment of the ISMS;
—IS.D.OR.260(b) addresses the improvement measures, i.e. corrections and corrective actions, for the deficiencies detected in IS.D.OR.260(a) and the continuous improvement process.
Similar provisions for continuous improvement are provided for in other information management systems such as ISO/IEC 27001 (see Appendix IV to this document).
The context and risk environment of organisations are never static and therefore require a dynamic adaptation, evolution and change of the organisation’s objectives, architectures, organisational structures and processes to maintain the information security risks at an acceptable level. Consequently, the ISMS should be considered as an evolving and learning part/element of the organisation which needs to be continuously monitored and improved to ensure alignment with the organisation’s safety objectives and effectiveness.
The CIP aims to continuously improve the effectiveness, suitability, adequacy and, if deemed necessary, the efficiency of the ISMS. An organisation may integrate the Part-IS CIP in some other already operated CIP and may apply methods such as Plan-Do-Check-Act (PDCA) Cycle or Define-Measure-Analyse-Improve-Control (DMAIC) (see also GM1 IS.D.OR.200).
The CIP is based on a proactive and systematic assessment of the ISMS and all its elements including the information security processes and controls driven by the ISMS. The assessment should be carried out against organisational targets for desired levels of performance, effectiveness and maturity. These targets, besides ensuring the achievement of compliance with the requirements under this Regulation, may also aim to include objectives established by the organisation’s policy or standards and by management decisions.
The above-mentioned assessment is based on the outcome of performance evaluations, audits, risk and incident processes, as well as already applied corrections and corrective actions. Some factors that should be considered when performing the assessment are the following:
—Adequacy refers to whether the system establishes the disciplines needed to manage information security, e.g. by using broadly accepted industry standards, in a sufficient manner with regard to compliance with the requirements of this Regulation.
—Effectiveness of the ISMS and the effective implementation of processes and controls driven by the ISMS is assessed by analysing whether:
—the information security risks are managed to achieve the safety objectives;
—the intended outcomes of the ISMS are achieved, and the requirements or objectives are met;
—all types of deficiencies are managed including failures to fulfil or correctly implement a requirement or control.
—Efficiency of the ISMS refers to the implementation of streamlined processes; however, efficiency improvements should not adversely impact effectiveness.
Identification of improvement opportunities
Improvement opportunities may be identified from the results of the CIP assessment or may be introduced as suggestions from other sources. The identification often involves deviations or corrective actions as well as ineffective processes or controls which are not remediated.
Suggestions for improvements stem from sources including:
—Risk management: the results of regular risk analysis and subsequent risk treatment are a primary factor in improving the ISMS, where the risk treatment process involves monitoring of the implemented security measures and evaluating their effectiveness.
—Performance & effectiveness evaluation: conclusions from (key) performance indicators, their measurement, analysis and continued monitoring as well as the result of the assessment of the effectiveness including the outcomes of the subsequently applied corrections and corrective actions
—Evaluation of maturity including the results of the subsequent corrections and corrective actions
—Lessons learned from the security incident detection, handling and response process and from a potential treatment of a root cause
—Results of (internal) audits may be used to verify whether the ISMS and controls within the audit scope meet the organisation’s requirements, and to determine where there are potential areas for improvement.
—Review and evaluation by management of the current action plan, setting or revision of the objectives or decision on improvement opportunities and actions
—Organisation’s suggestion programme (suggestions for improvement), reviews, surveys or assessments with employees or feedback from suppliers or interfacing parties
Any outcome of this process should be documented. The resulting actions may be integrated into an overarching action plan which is centrally consolidated and periodically reviewed according to the relevant policies. The resulting action plan may be further divided into a tactical, short-/mid-term action plan and a strategic, long-term action plan.
AMC1 IS.D.OR.260(a) Continuous improvement
ED Decision 2023/009/R
(a)ISMS EFFECTIVENESS EVALUATION
When complying with IS.D.OR.260(a), the organisation should have a process in place to monitor, measure, evaluate and review the effectiveness of its ISMS that defines:
(1)who monitors, measures, analyses and evaluates the results and takes accountable decisions;
(2)when the above steps should be performed;
(3)which methods for monitoring, measurement, analysis and evaluation are applied to ensure comparable and reproducible results.
The calendar basis of the assessments should be commensurate with the maximum level of risk established under IS.D.OR.205.
The process to monitor, measure, evaluate and review the effectiveness of the organisation’s ISMS referred to under AMC1 IS.D.OR.260(a) should include as a minimum:
(1)the gathering and retention of metrics of the activities, and additional information that could be useful for monitoring purposes;
(2)the analysis of the metrics in order to identify trends and deviations from predefined performance targets.
(b)ISMS MATURITY ASSESSMENT
The organisation should assess the maturity of its ISMS using a suitable maturity model in order to identify areas for improvement to the ISMS. To do so, the organisation should:
(1)define or adopt a maturity model which represents a set of important and relevant processes and capabilities that are expected to be implemented and maintained;
(2)for each assessed process or capability, ensure that the model defines criteria against which specific aspects, characteristics and effectiveness should be assessed and evaluated when determining a maturity level;
(3)define for each assessed process or capability its desired target maturity level.
(c)For each assessed information security process or capability contained in the maturity model, the organisation should:
(1)evaluate and justify the current maturity level;
(2)identify any area for improvement it should make to reach the targeted maturity level;
(3)collect and record the evidence regarding strengths and weaknesses of the implemented ISMS and its evaluated maturity.
GM1 IS.D.OR.260(a) Continuous improvement
ED Decision 2023/009/R
(a)As general guidance, the elements of the ISMS that should be monitored, measured and evaluated should be, as a minimum:
(1)the risk assessment and treatment process (including risks at the interfaces with other organisations);
(2)the management of non-conformities and corrective actions;
(3)the incident and vulnerability management;
(4)the personnel competence management.
(b)Existing maturity models for ISMS maturity evaluation
As general guidance, for the definition or the adoption of a maturity model (MM), the following existing models may be considered:
—Cybersecurity Capability Maturity Model (C2M2), version 1.1: this model was published by the US Department of Energy in 2014. It introduces the notion of Maturity Indicator Levels (MIL) ranging from 0 to 3 and addresses not only performance levels but also performance practices (under Approach Objectives and approach progression) as well as assurance practices (under Management Objectives and institutionalization progression).
—Systems Security Engineering – Capability Maturity Model (SSE-CMM): published by ISO as ISO 21827 in 2008. It focuses on engineering practices, much less on operational practices, which are split into 11 ‘Security Base Practices’ and 11 ‘Project and Organizational Base Practices’. It introduces the notion of five Capability Levels, from ‘Performed Informally’ to ‘Continuously Improving’.
—NIST Cybersecurity Framework (NIST CSF), version 1.1: published by NIST in April 2018. Although it is not proposed as a MM, the framework defines four ‘Implementation Tiers’, from ‘Partial’ to ‘Adaptive’, which are a qualitative measure of organisational cybersecurity risk management practices. It focuses on the functionality and repeatability of cybersecurity risk management.
—ATM Cybersecurity Maturity Model, edition 1: published in February 2019 by the EUROCONTROL NM for organisations in the ATM domain. Whilst not being designed for wider application, it can be adapted as necessary. It defines five maturity levels, ranging from ‘Non-existent’ to ‘Adaptive’ inspired by the ‘Tier’ terminology from the NIST CSF. In fact, the model is founded on NIST CSF, together with some elements of ISO/IEC 27001.
The following Table 1 maps the MM mentioned above to a hypothetical five-level MM.
Table 1: Mapping matrix of an existing MM to a hypothetical five-level MM
Mapping to a five-level MM | C2M2 | Eurocontrol NM | ISO 21827 | NIST CSF 1.1 |
Initial | MIL 0 | Non-Existent | Performed Informally | |
Defined | MIL 1 (Initial) | Partial | Planned & Tracked | Partial |
Implemented | MIL 2 (Identified) | Defined | Well defined | Risk-Informed |
Managed | MIL 3 (Managed) | Assured | Quantitatively Controlled | Repeatable |
Improved | | Adaptive | Continuously Improving | Adaptive |
No specific maturity level is required. However, if and when compliance is achieved, organisations will determine which requirements of which models have already been met (mandatory) and can opt to reach a level that is beneficial to the organisation (voluntary). In the longer term, achieving higher maturity levels may increase the confidence of oversight authorities, which can have an impact upon the level of oversight activities regarding such an organisation.
AMC1 IS.D.OR.260(b) Continuous improvement
ED Decision 2023/009/R
When a deficiency is identified, the organisation should react in a timely manner following a defined process leading to a managed status regarding the deficiency, its associated consequences and, if needed, the prevention of its future recurrence or occurrence elsewhere.
Based on an evaluation of the impact and extent of the deficiency and the potential consequences for the ISMS, the process should include as criteria for compliance:
(a)deciding on corrections and their implementation without undue delay in order to limit the impact of the deficiency and deal with its consequences as well as, as applicable, to control or eliminate it;
(b)deciding on the need for, and the implementation of, corrective actions to eliminate the cause(s) of, and contributing factors to, the deficiency, based on a root cause analysis and an evaluation of the actions remediating the cause, which should be proportionate to the consequences and impact of the deficiency;
(c)verifying the implemented actions:
(1)to be effective and to result in acceptable residual risks,
(2)not to have unintended side effects leading to other deficiencies, new risks, or an ISMS not aligned with the applicable requirements, as well as
(3)for corrective actions, to effectively remediate or eliminate the root cause;
(d)reporting to and reviewing the identified deficiencies, action plan and results of the action taken with the accountable manager of the organisation or, in the case of design organisations, with the head of the design organisation and, as necessary, with other involved or affected roles and parties;
(e)documenting as evidence the detected deficiencies, the planned and implemented corrections and/or corrective actions with deadlines and responsible persons, the management feedback, the outcomes of the process step under point (c) above and, if necessary, the change decisions made for the ISMS itself.
GM1 IS.D.OR.260(b) Continuous improvement
ED Decision 2023/009/R
The ‘necessary improvement measures’ referred to in IS.D.OR.260(b) are corrections or corrective actions to eliminate deficiencies, or actions aimed at improving the effectiveness as well as the maturity of the ISMS.
A process satisfying the criteria defined in AMC1 IS.D.OR.260 should include the following aspects:
(a)identifying the extent, impact, context and triggers of the deficiency, evaluating it against established criteria, and analysing its potential consequences on the ISMS, including whether it may also exist in other areas;
(b)deciding on corrections and their implementation to immediately limit the impact and manage the consequences of the deficiency as well as, as applicable, to control or eliminate it;
(c)deciding on corrective actions required to eliminate the (root) cause(s) of the deficiency that are proportionate to the consequences;
(d)reassessing the elements of the ISMS which may be affected by the implemented actions to ensure that no further risk is introduced;
(e)verifying the implemented actions referred to in point (c) of AMC1 IS.D.OR.260(b);
(f)reporting to and reviewing the outcomes of the process steps with the management (see point (d) of AMC1 IS.D.OR.260(b));
(g)documenting and evidencing the result of the process steps above (see point (e) of AMC1 IS.D.OR.260(b)).
Appendix I — Examples of threat scenarios with a potential harmful impact on safety
ED Decision 2023/009/R
The following is a non-exhaustive list of examples of information security threat scenarios with a potential harmful impact on safety that may be considered by authorities and organisations.
Example 1: Aircraft to ATC digital communications
—Threat vector assets/domain
—ATC voice and ground automation systems
—ground communications providers
—air-ground/ground-air RF communications service providers
—aircraft and the assets used for voice and datalink communications
—Non-exhaustive summary of potential threats
—threat (availability): exceeding system performance, saturation of communication channel
—threat (integrity): man-in-the-middle or injection attacks
—threat (confidentiality): passive listening to communication, spying on hardware device
—Summary of threat scenarios and their potential harmful impacts on safety
—Disruption of services prevents ATC communication with a single or multiple aircraft and/or an ATC ground system.
—Manipulation of data through a man-in-the-middle attack would present false information to the pilot and/or the ATC system, with the potential of creating a safety hazard; injection of data into the aircraft or ground systems could disrupt the service and capability.
—There are no specific regulatory requirements for encryption of data or voice for datalink communications; however, for confidentiality purposes, the assets used to provide and deliver the services should be controlled and limited to only those resources that require access to ensure that the services cannot be disrupted and manipulated in any way.
Example 2: Tampered air traffic data
—Threat vector assets/domain
—Internet service provider (ISP)
—ATM services network(s)
—surveillance data
—ATC systems
—Non-exhaustive summary of potential threats
—ISP compromise (confidentiality): an attacker gains unauthorised access to the systems or infrastructure of the ISP providing network services to the ATM system.
—data tampering (integrity): once the ISP is compromised, an attacker could manipulate data in transit. This could involve injecting false data or removing/modifying legitimate data.
—denial of service (availability): an attacker could also potentially disrupt the communication of data entirely, resulting in a denial of service (DoS) to the ATM system.
—malware injection (integrity/availability): an attacker could potentially use the compromised ISP as a launching pad to inject malware into the systems, causing further disruptions or enabling additional attacks.
—Summary of threat scenarios and their potential harmful impacts on safety
—ISP compromise: interception and/or manipulation of sensitive data, impacting the safe management of air traffic.
—data tampering: incorrect situational awareness, potentially resulting in reduced separation between aircraft and incorrect air traffic control decisions.
—denial of service: reduction of the ATC’s ability to ensure separation leading to the activation of contingency procedures, including capacity reduction, with the eventual possibility of large areas of airspace being closed.
Example 3: Aircraft operator, CAMOs’ and aircraft maintenance organisations’ software supply chain and ground infrastructure, including equipment used to support aircraft management, operations and maintenance
—Threat vector assets/domain
—aircraft operators’, CAMOs’ and maintenance organisations’ supply chain
—aircraft operator or maintenance internal ground infrastructure used to manage aircraft and operations (hardware/software) and other information technology assets
—information technology assets used to update systems on an aircraft (software and hardware) used for maintenance activities
—Non-exhaustive summary of potential threats
—threat (availability): hardware/software/system disruption
—threat (integrity): compromised hardware/software/system
—threat (confidentiality): compromised hardware/software/system
—Summary of threat scenarios and their potential harmful impacts on safety
—Disruption to the dissemination of meteorological information while the aircraft is airborne may reduce the ability of the flight crew to avoid potentially hazardous meteorological conditions (e.g. severe storms/fog at night).
—Manipulation of navigation data/databases means that flight plans and navigation displays can no longer be trusted.
—Lack of control and access to information such as fleet maintenance programme or flight crew planning affects the ability of organisations to maintain safe operations.
Application of bow-tie analysis to this example
Two coordinated bow-tie analyses of different risk dimensions are combined, as the ultimate interest lies only in the aviation safety consequence.
Information security bow-tie analysis element | Aviation safety bow-tie analysis element |
Information security threats: 1) hardware/software vulnerability exploitation: disturbed system function; 2) hardware/software vulnerability exploitation: system integrity compromised; 3) hardware/software vulnerability exploitation: confidentiality of information processed by system(s) compromised | |
Information security preventive barriers | |
Information security hazards & top events: 1) disturbed system functionality (hazard) → disrupted/unreliable system functionality; 2) system integrity compromised (hazard) → system function unpredictable; 3) information disclosable (hazard) → undetectable information exfiltration | Safety threats: 1) disrupted/unreliable system functionality; 2) system function unpredictable; 3) undetectable information exfiltration |
Information security mitigating barriers | Safety preventive barriers: 1) use of access controls for system administration; 2) etc. |
Information security consequences: 1) loss of system function (= production system down); 2) loss of system function integrity (= some system function wrong/inoperative); 3) loss of confidentiality of information (= some information can leak) | Safety hazards & top events: 1) loss of system function (hazard) → inoperative maintenance system; 2) loss of system function integrity (hazard) → systems operate with wrong information; 3) loss of information confidentiality (hazard) → confidential maintenance and aircraft internals information leaks |
 | Safety mitigating barriers: 1) use of back-up procedures to prevent faulty maintenance actions; 2) use of procedures to secure aircraft software integrity |
 | Safety consequences: 1) faulty maintenance actions; 2) incorrectly completed maintenance actions; 3) exfiltration of information allows for identification of vulnerabilities; 4) disruption of aircraft systems, unpredictable system function, loss of major aircraft systems (such as engine control) |
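The coordinated bow-ties above can be treated as one chain of stages joined by barrier sets, which makes two defender questions answerable mechanically: which safety consequences remain reachable from the information security threats given the barriers actually in place, and which single barrier would, if it failed, expose a new consequence. The following Python model is an added example and is not part of the EASA text or of any EASA tool. It uses the stage labels of Example 3 (shortened); the two information security barrier names marked ‘(assumed)’, the one-to-one mapping between the information security and safety stages, the mapping of safety top events to consequences, and the rule that an edge is blocked when at least one of its barriers is in place are all simplifying assumptions made for illustration.

```python
"""Combined information security / aviation safety bow-tie as a small graph model.

Added example, not EASA code. Stages follow the Example 3 table; barrier names
marked "(assumed)", the stage-to-stage mapping and the "one barrier in place
blocks the edge" rule are illustrative assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    barriers: frozenset  # any one barrier in place blocks the edge (assumption)


@dataclass
class BowTie:
    edges: list = field(default_factory=list)

    def link(self, src, dst, *barriers):
        self.edges.append(Edge(src, dst, frozenset(barriers)))
        return self

    def reachable(self, start, in_place):
        """Depth-first walk from `start` over edges with no effective barrier."""
        seen, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            stack.extend(e.dst for e in self.edges
                         if e.src == node and not (e.barriers & in_place))
        return seen


# Stages from the Example 3 bow-tie table (labels shortened)
IS_THREATS = ("T1 disturbed system function", "T2 system integrity compromised",
              "T3 confidentiality compromised")
IS_TOP = ("TE1 disrupted/unreliable functionality", "TE2 function unpredictable",
          "TE3 undetectable information exfiltration")
SAFETY_TOP = ("STE1 inoperative maintenance system",
              "STE2 systems operate with wrong information",
              "STE3 maintenance/aircraft internals information leaks")
SAFETY_CONSEQUENCES = ("SC1 faulty maintenance actions",
                       "SC2 incorrectly completed maintenance actions",
                       "SC3 exfiltration allows identification of vulnerabilities",
                       "SC4 disruption of aircraft systems, e.g. engine control")

# Safety barriers are the ones the table lists; the information security
# barriers are assumed placeholders because the table names none.
IS_PREV = "vulnerability management (assumed)"
IS_MIT = "incident containment (assumed)"
ACCESS_CTRL = "access controls for system administration"
BACKUP = "back-up procedures"
SW_INTEGRITY = "aircraft software integrity procedures"
ALL_BARRIERS = frozenset({IS_PREV, IS_MIT, ACCESS_CTRL, BACKUP, SW_INTEGRITY})


def example3_bowtie():
    bt = BowTie()
    for t, te, ste in zip(IS_THREATS, IS_TOP, SAFETY_TOP):
        bt.link(t, te, IS_PREV)                 # information security preventive barriers
        bt.link(te, ste, IS_MIT, ACCESS_CTRL)   # IS mitigating + safety preventive barriers
    # Safety mitigating barriers; the top-event-to-consequence mapping is assumed.
    bt.link(SAFETY_TOP[0], SAFETY_CONSEQUENCES[0], BACKUP)
    bt.link(SAFETY_TOP[1], SAFETY_CONSEQUENCES[1], SW_INTEGRITY)
    bt.link(SAFETY_TOP[1], SAFETY_CONSEQUENCES[3], SW_INTEGRITY)
    bt.link(SAFETY_TOP[2], SAFETY_CONSEQUENCES[2])  # no mitigating barrier listed
    return bt


def residual_consequences(bt, in_place):
    """Safety consequences still reachable from any information security threat."""
    reached = set()
    for t in IS_THREATS:
        reached |= bt.reachable(t, frozenset(in_place))
    return sorted(c for c in SAFETY_CONSEQUENCES if c in reached)


def load_bearing_barriers(bt, in_place):
    """Barriers whose single failure would expose at least one new consequence."""
    in_place = frozenset(in_place)
    base = set(residual_consequences(bt, in_place))
    return sorted(b for b in in_place
                  if set(residual_consequences(bt, in_place - {b})) - base)


if __name__ == "__main__":
    bt = example3_bowtie()
    print("no barriers:", residual_consequences(bt, set()))
    print("safety mitigating only:", residual_consequences(bt, {BACKUP, SW_INTEGRITY}))
    print("load-bearing, safety barriers only:",
          load_bearing_barriers(bt, {ACCESS_CTRL, BACKUP, SW_INTEGRITY}))
```

With all five barriers in place no safety consequence is reachable and no single barrier is load-bearing, which is the defence-in-depth property the coordinated bow-ties are meant to show; with only the safety-side barriers present, the access controls alone stand between the information security top events and the exfiltration consequence, for which the table lists no mitigating barrier.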
Example 4: Design and production organisations’ software, supply chain, design and manufacturing ground infrastructure
—Threat vector assets/domain
—design and production organisations’ supply chain for parts, hardware and software
—design and production organisations’ internal ground infrastructure and information technology assets used to manage the software/hardware used in the manufacturing and development of products that will be used by aircraft manufacturers, operators or ATM/ANS ground automation systems (hardware/software)
—design and production organisations’ information technology assets used by their customers to update systems on an aircraft (software/hardware) used for maintenance operations or ATM/ANS ground automation systems
—Non-exhaustive summary of potential threats
—threat (availability): systems used to store, transmit and exchange information are rendered unavailable for essential operations through DoS attacks
—threat (integrity): systems used to store, transmit and exchange information are compromised through man-in-the-middle attacks
—threat (confidentiality): systems used to store, transmit and exchange information are accessed by insider or external threats
—Summary of threat scenarios and their potential harmful impacts on safety
—Disruption of systems used to store, transmit and exchange information in a manner that would prevent the proper management of the aircraft and its systems and adversely affect the operations of the aircraft
—Systems used to store, transmit and exchange information can no longer be considered trusted. If they are not maintained at a level to ensure that all information exchange, data and software can be considered trusted, both ground and aircraft operations are disrupted.
—Uncontrolled access to systems used to store, transmit and exchange information (including information that is received and exchanged with the supply chain) can provide technical details that could be used to craft more sophisticated attacks targeting safety-critical systems.
Example 5: Training system
—Threat vector assets/domain
—supply chain of all software and hardware that will be used in the training systems or training devices (including flight simulators) used to train pilot or ATM/ANS ground systems personnel
—internal infrastructure used for all software and hardware that will be used in the design, manufacturing or production of products (hardware or software) that will be used in aircraft or ATM/ANS ground systems
—management of the internal operating domains and systems for all software and hardware that will be used in the design, manufacturing or production of products (hardware or software) that will be used in aircraft or ATM/ANS ground systems
—Non-exhaustive summary of potential threats
—threat (availability): training systems or training devices are rendered unavailable by means of DoS attacks when they are needed
—threat (integrity): training systems or training devices are compromised through man-in-the-middle attacks
—threat (confidentiality): functional models, information and data that are embedded in training systems or training devices are accessed by insider or external threats
—Summary of threat scenarios and their potential harmful impacts on safety
—Disruption of training systems (hardware and software) will have an impact on the organisations’ ability to maintain qualified staff. It would also prevent the aircraft and its systems from being properly operated and affect maintenance operations for ATM/ANS ground systems.
—The training model or the failure modes and associated emergency conditions differ from the real aviation system behaviour and therefore induce inappropriate responses. If the training systems cannot be trusted, this will affect the ability of organisations to maintain sufficiently qualified staff for their operations (pilots, maintenance or ATM/ANS ground personnel who have been exposed to improper training should be re-qualified).
—Lack of control and access to training systems affects the ability of organisations to maintain a training system that is known to be in a trusted state. In addition, uncontrolled access to training systems that embed functional models, information and data can provide technical details that could be used to craft more sophisticated attacks on the training system itself or on the real-world safety-critical system.
Example 6: Airport’s fuel delivery system and associated infrastructure
—Threat vector assets/domain
—ground fuel storage and distribution infrastructure
—digital systems used to control fuel pumping and metering
—supply chain for fuel delivery, including third-party fuel suppliers
—airport information technology assets used for fuel inventory management and scheduling deliveries
—Non-exhaustive summary of potential threats
—threat (availability): disruption of fuel supply or delivery systems
—threat (integrity): tampering with fuel control systems or measurement devices
—threat (confidentiality): unauthorised access to fuel supply and delivery data
—Summary of threat scenarios and their potential harmful impacts on safety
—Disruption to fuel delivery can lead to flight delays or cancellations, causing operational disruptions and potential safety issues if fuel reserves become critically low.
—Tampering with fuel control systems or measurement devices could lead to incorrect fuel loads being delivered to aircraft, impacting aircraft weight and balance calculations, and potentially causing fuel exhaustion incidents.
—Unauthorised access to fuel supply data could allow threat actors to manipulate fuel scheduling or inventory data, potentially causing disruptions to airport operations and fuel availability for aircraft.
Example 7: National competent authority’s NOTAM system and associated infrastructure
—Threat vector assets/domain
—national NOTAM system infrastructure and digital interface
—supply chain for NOTAM system maintenance and updates
—national competent authority’s IT assets used for NOTAM creation, distribution, and storage
—Non-exhaustive summary of potential threats
—threat (availability): disruption of the NOTAM system or its access
—threat (integrity): tampering with NOTAM data or unauthorised NOTAM creation
—threat (confidentiality): unauthorised access to NOTAM data
—Summary of threat scenarios and their potential harmful impacts on safety
—Disruption to the NOTAM system could prevent the dissemination of critical aeronautical information to pilots and air traffic controllers, potentially leading to safety issues.
—Tampering with NOTAM data or unauthorised creation of NOTAMs could lead to incorrect information being disseminated, potentially resulting in pilots making decisions based on false or misleading data.
—Unauthorised access to NOTAM data could lead to information leakage, potentially revealing sensitive operational information.
Example 8: Aviation authority’s airworthiness directive (AD) system and associated infrastructure
—Threat vector assets/domain
—EASA AD system infrastructure and digital interface
—supply chain for AD system maintenance and updates
—EASA IT assets used for AD creation, distribution, and storage
—Non-exhaustive summary of potential threats
—threat (availability): disruption of the AD system or its access
—threat (integrity): tampering with AD data or unauthorised AD creation
—threat (confidentiality): unauthorised access to AD data
—Summary of threats and their potential harmful impacts on safety
—Disruption to the AD system could prevent the dissemination of critical airworthiness information to aircraft operators and maintenance organisations, potentially leading to safety issues.
—Tampering with AD data or unauthorised creation of ADs could lead to incorrect information being disseminated, potentially resulting in aircraft operators and maintenance organisations making decisions based on false or misleading data.
—Unauthorised access to AD data could lead to information leakage, potentially revealing sensitive operational information.