Implementing Regulation (EU) 2023/203

Cover Regulation to Implementing Regulation (EU) 2023/203

COMMISSION IMPLEMENTING REGULATION (EU) 2023/203

of 27 October 2022

laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, No 965/2012, No 1178/2011, 2015/340, 2017/373 and 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, No 1321/2014, No 965/2012, No 1178/2011, 2015/340, 2017/373, No 139/2014 and 2021/664 and amending Commission Regulations (EU) No 1178/2011, No 748/2012, No 965/2012, No 139/2014, No 1321/2014, 2015/340, 2017/373 and 2021/664

Regulation (EU) 2023/203

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91⁸, and in particular Articles 17(1) point (b), 27(1) point (a), 31(1) point (b), 43(1) point (b), 53(1) point (a) and 62(15) point (c) thereof

Whereas:

(1)In accordance with the essential requirements set out in Annex II, point 3.1(b), to Regulation (EU) 2018/1139, continuing airworthiness management organisations and maintenance organisations are to implement and maintain a management system to manage safety risks.

(2)In addition, in accordance with the essential requirements set out in Annex IV, point 3.3(b) and point 5(b), to Regulation (EU) 2018/1139, pilot training organisations, cabin crew training organisations, aero-medical centres for aircrew and operators of flight simulation training devices are to implement and maintain a management system to manage safety risks.

(3)Moreover, in accordance with the essential requirements set out in Annex V, point 8.1(c), to Regulation (EU) 2018/1139, air operators are to implement and maintain a management system to manage safety risks.

(4)Furthermore, in accordance with the essential requirements set out in Annex VIII, point 5.1(c) and point 5.4(b), to Regulation (EU) 2018/1139, air traffic management and air navigation service providers, U-space service providers and single common information service providers, and training organisations and aero-medical centres for air traffic controllers are to implement and maintain a management system to manage safety risks.

(5)Those safety risks may derive from different sources, such as design and maintenance flaws, human performance aspects, environmental threats and information security threats. Therefore, the management systems implemented by the European Union Aviation Safety Agency (‘the Agency’) and the national competent authorities and organisations referred to in the recitals above, should take into account not only safety risks stemming from random events, but also safety risks deriving from information security threats where existing flaws may be exploited by individuals with a malicious intent. Those information security risks are constantly increasing in the civil aviation environment as the current information systems are becoming more and more interconnected, and increasingly becoming the target of malicious actors.

(6)The risks associated with those information systems are not limited to possible attacks to the cyberspace, but encompass also threats, which may affect processes and procedures as well as the performance of human beings.

(7)A significant number of organisations already use international standards, such as ISO 27001, in order to address the security of digital information and data. Those standards may not fully address all the specificities of civil aviation. Therefore, it is appropriate to set out requirements for the management of information security risks with a potential impact on aviation safety.

(8)It is essential that those requirements cover all aviation domains and their interfaces, since aviation is a highly interconnected system of systems. Therefore, they should apply to all the organisations and competent authorities covered by Regulation (EU) No 748/2012, Regulation (EU) No 1321/2014, Regulation (EU) No 965/2012, Regulation (EU) No 1178/2011, Regulation (EU) 2015/340, Regulation (EU) No 139/2014 and Regulation (EU) 2021/664, also those that are already required to have a management system in accordance with the existing Union aviation safety legislation. However, some organisations should be excluded from the scope of this Regulation in order to ensure appropriate proportionality to the lower information security risks they pose to the aviation system.

(9)The requirements laid down in this Regulation should ensure a consistent implementation across all aviation domains, while creating a minimal impact on the Union aviation safety legislation already applicable to those domains.

(10)The requirements laid down in this Regulation should be without prejudice to information security and cybersecurity requirements laid down in Point 1.7 of the Annex to Commission Implementing Regulation (EU) 2015/1998⁹ and in Article 14 of Directive (EU) 2016/1148 of the European Parliament and of the Council¹⁰.

(11)The security requirements laid down in Articles 33 to 43 of Title V “Security of the Programme” of Regulation (EU) 2021/696 of the European Parliament and of the Council¹¹ are considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation which should be complied with.

(12)In order to provide legal certainty, the interpretation of the term ‘information security’ as defined in this Regulation, reflecting its common use in civil aviation globally, should be considered as being consistent with that of the term ‘security of network and information systems’ as defined in Article 4(2) of Directive (EU) 2016/1148. The definition of information security used for the purposes of this Regulation should not be interpreted as divergent from the definition of security of network and information systems laid down in Directive
(EU) 2016/1148.

(13)In order to avoid duplication of legal requirements, where organisations covered by this Regulation are already subject to security requirements arising from Union acts referred to in recitals (10) and (11) which are in their effect equivalent to the provisions laid down in this Regulation, compliance with those security requirements should be considered to constitute compliance with the requirements laid down in this Regulation.

(14)Organisations covered by this Regulation that are already subject to security requirements arising from Regulation (EU) 2015/1998 or Regulation (EU) 2021/696, or both, should also comply with the requirements of Annex II (Part IS.I.OR.230 “Information security external reporting scheme”) to this Regulation as neither Regulation contains provisions related to external reporting of information security incidents.

(15)For the sake of completeness, Regulations (EU) No 1178/2011, No 748/2012, No 965/2012,
No 139/2014, No 1321/2014, 2015/340, 2017/373 and 2021/664 should be amended in order to introduce the information security management system requirements prescribed in this Regulation together with the management systems set out therein, and to set out the competent authorities’ requirements as regards the oversight of organisations implementing the aforementioned information security management requirements.

(16)In order to provide organisations with sufficient time to ensure compliance with the new rules and procedures, this Regulation should apply 3 years after its entry into force, except for the air navigation service provider of the European Geostationary Navigation Overlay Service (EGNOS) defined in Commission Implementing Regulation (EU) 2017/373¹², where due to the ongoing security accreditation of the EGNOS system and services in line with Regulation (EU) 2021/696, it should become applicable from 1 January 2026.

(17)The requirements laid down in this Regulation are based on Opinion No 03/2021¹³, issued by the Agency in accordance with Article 75(2) points (b) and (c) and Article 76(1) of Regulation (EU) 2018/1139.

(18)The requirements laid down in this Regulation are in accordance with the opinion of the Committee for the application of common safety rules in the field of civil aviation established by Article 127 of Regulation (EU) 2018/1139,

HAS ADOPTED THIS REGULATION:

Regulation (EU) 2023/203

This Regulation sets out the requirements to be met by the organisations and competent authorities in order:

(a)to identify and manage information security risks with potential impact on aviation safety which could affect information and communication technology systems and data used for civil aviation purposes,

(b)to detect information security events and identify those which are considered information security incidents with potential impact on aviation safety,

(c)to respond to, and recover from, those information security incidents.

ED Decision 2023/008/R

When taking measures under this Regulation, affected entities — irrespective of their size — are encouraged to ensure that the measures they take are proportionate to the nature and safety risk of their activities.

Regulation (EU) 2024/1109

1.This Regulation applies to the following organisations:

(a)maintenance organisations subject to Section A of Annex II (Part-145) to Regulation (EU) No 1321/2014(¹⁴), except those solely involved in the maintenance of aircraft in accordance with Annex Vb (Part-ML) to Regulation (EU) No 1321/2014;

(b)continuing airworthiness management organisations (CAMOs) subject to Section A of Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014, except those solely involved in the continuing airworthiness management of aircraft in accordance with Annex Vb (PartML) to Regulation (EU) No 1321/2014;

(c)air operators subject to Annex III (Part-ORO) to Regulation (EU) No 965/2012(¹⁵), except those solely involved in the operation of any of the following:

(i)an ELA 2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012(¹⁶);

(ii)single-engine propeller-driven aeroplanes with a Maximum Operational Passenger Seating Configuration of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under Visual Flight Rules (VFR) by day rules;

(iii)single-engine helicopters with a Maximum Operational Passenger Seating Configuration of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under VFR by day rules.

(d)approved training organisations (ATOs) subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011(¹⁷), except those solely involved in training activities of ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012, or solely involved in theoretical training;

(e)aircrew aero-medical centres subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011;

(f)flight simulation training device (FSTD) operators subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011, except those solely involved in the operation of FSTDs for ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012;

(g)air traffic controller training organisations (ATCO TOs) and ATCO aero-medical centres subject to Annex III (Part ATCO.OR) to Regulation (EU) 2015/340(¹⁸);

(h)organisations subject to Annex III (Part-ATM/ANS.OR) to Regulation (EU) 2017/373(¹⁹), except the following service providers:

(i)air navigation service providers holding a limited certificate in accordance with point ATM/ANS.OR.A.010 of that Annex;

(ii)flight information service providers declaring their activities in accordance with point ATM/ANS.OR.A.015 of that Annex;

(i)U-space service providers and single common information service providers subject to Regulation (EU) 2021/664(²⁰).

(j)approved organisations involved in the design or production of ATM/ANS systems and ATM/ANS constituents subject to Commission Implementing Regulation (EU) 2023/1769²¹.

2.This Regulation applies to the competent authorities, including the European Union Aviation Safety Agency (‘the Agency’), referred to Article 6 of this Regulation and in Article 5 of Delegated Regulation (EU) 2022/1645.

3.This Regulation also applies to the competent authority responsible for the issuance, continuation, change, suspension or revocation of aircraft maintenance licences in accordance with Annex III (Part-66) to Regulation (EU) No 1321/2014.

3a.This Regulation also applies to the competent authority designated in accordance with Annex I (Part-AR.UAS) to Commission Implementing Regulation (EU) 2024/1109²².

4.This Regulation is without prejudice to information security and cybersecurity requirements laid down in point 1.7 of the Annex to Regulation (EU) 2015/1998(²³) and in Article 14 of Directive (EU) 2016/1148 of the European Parliament and of the Council(²⁴).

Regulation (EU) 2023/203

For the purpose of this Regulation, the following definitions shall apply:

(1)‘information security’ means the preservation of confidentiality, integrity, authenticity and availability of network and information systems;

(2)‘information security event’ means an identified occurrence of a system, service or network state indicating a possible breach of the information security policy or failure of information security controls, or a previously unknown situation that can be relevant for information security;

(3)‘incident’ means any event having an actual adverse effect on the security of network and information systems as defined in Article 4(7) of Directive (EU) 2016/1148;

(4)‘information security risk’ means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event. Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets;

(5)‘threat’ means a potential violation of information security which exists when there is an entity, circumstance, action or event that could cause harm;

(6)‘vulnerability’ means a flaw or weakness in an asset or a system, procedures, design, implementation, or information security measures that could be exploited and results in a breach or violation of the information security policy.

ED Decision 2023/008/R

For the sake of common understanding, the following is a description of the terms used in the AMC & GM to Part-IS.D.OR of Commission Delegated Regulation (EU) 2022/1645 as well as in the AMC & GM to Part-IS.AR and Part-IS.I.OR of Commission Implementing Regulation (EU) 2023/203:

Regulation (EU) 2024/1109

1.The organisations referred to in Article 2(1) shall comply with the requirements of Annex II (PartIS.I.OR) to this Regulation.

2.The competent authorities referred to in Article 2(2), (3) and (3a) shall comply with the requirements of Annex I (Part-IS.AR) to this Regulation.

Regulation (EU) 2023/203

1.Where an organisation referred to in Article 2(1) complies with security requirements laid down in accordance with Article 14 of Directive (EU) 2016/1148 that are equivalent to the requirements laid down in this Regulation, compliance with those security requirements shall be considered to constitute compliance with the requirements laid down in this Regulation.

2.Where an organisation referred to in Article 2(1) is an operator or an entity referred to in the national civil aviation security programmes of Member States laid down in accordance with Article 10 of Regulation (EC) No 300/2008 of the European Parliament and of the Council²⁶, the cybersecurity requirements contained in point 1.7 of the Annex to Regulation (EU) 2015/1998 shall be considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation that shall be complied with as such.

3.Where the organisation referred to in Article 2(1) is the air navigation service provider of the European Geostationary Navigation Overlay Service (EGNOS) referred to in Regulation (EU) 2021/696²⁷, the security requirements contained in Articles 33 to 43 of Title V of that Regulation are considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation that shall be complied with as such.

4.The Commission, after consulting the Agency and the Cooperation Group referred to in Article 11 of Directive (EU) 2016/1148, may issue guidelines for the assessment of the equivalence of requirements laid down in this Regulation and Directive (EU) 2016/1148.

ED Decision 2025/013/R

Pursuant to Article 44 of Directive (EU) 2022/2555 (the NIS 2 Directive), the previous Directive
(EU) 2016/1148 (the NIS Directive) was repealed with effect from 18 October 2024. In accordance with the NIS 2 Directive, references to the repealed Directive shall be construed as references to Directive (EU) 2022/2555 and shall be read in accordance with the correlation table set out in its Annex III.

In accordance with this table, references to Article 14 of Directive (EU) 2016/1148 shall be now read as references to Article 21 and Article 23 of Directive (EU) 2022/2555. For an exact correlation, please refer to Annex III to Directive (EU) 2022/2555.

To ensure legal certainty, the equivalence of any requirements should be assessed by the competent authority against the requirements of the national legislation when Directive (EU) 2022/2555 is transposed.

When utilising this equivalence, organisations should consider the following:

—The equivalence between Regulation (EU) 2023/203 and Directive (EU) 2022/2555 requirements as assessed by the competent authority.

—Possible differences in the perimeter of applicability of the rules, in particular as regards the elements that are within the scope under the two different frameworks.

The competent authority will decide whether or not the measures implemented by the organisation under the NIS framework can be considered sufficient for satisfying requirements of similar nature under this rule.

ED Decision 2025/013/R

Even though the provisions in Regulation (EU) 2023/203 are equivalent to the cybersecurity requirements in point 1.7 of the Annex to Regulation (EU) 2015/1998, in order to ensure effective management of safety consequences by leveraging the requirements of Regulation (EU) 2015/1998, organisations need to consider the differences in the scope of the rules in terms of which elements are covered under the two different regulatory frameworks.

Taking the example of an airport operator, elements such as body scanners, X-ray machines and anti-RPAS systems fall under the scope of the requirements of point 1.7 of the Annex to Regulation
(EU) 2015/1998. Elements such as runway lighting control systems and safety training databases fall under the scope of aviation safety rules. On the other hand, the protection of information and the verification of trustworthiness and identity can be considered elements that overlap between the two frameworks.

Consequently, an organisation that has developed a system in accordance with point 1.7 of the Annex to Regulation (EU) 2015/1998 can use it to address safety issues by extending the scope of the system, where necessary, to ensure that all safety-related elements are included. Moreover, compliance with point IS.I.OR.230 has to be ensured.

Regulation (EU) 2023/1769

1.Without prejudice to the tasks entrusted to the Security Accreditation Board (SAB) referred to in Article 36 of Regulation (EU) 2021/696, the authority responsible for certifying and overseeing compliance with this Regulation shall be:

(a)with regard to organisations referred to in Article 2(1), point (a), the competent authority designated in accordance with Annex II (Part-145) to Regulation (EU) No 1321/2014;

(b)with regard to organisations referred to in Article 2(1), point (b), the competent authority designated in accordance with Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014;

(c)with regard to organisations referred to in Article 2(1), point (c), the competent authority designated in accordance with Annex III (Part-ORO) to Regulation (EU) No 965/2012;

(d)with regard to organisations referred to in Article 2(1), points (d) to (f), the competent authority designated in accordance with Annex VII (Part-ORA) to Regulation
(EU) No 1178/2011;

(e)with regard to organisations referred to in Article 2(1), point (g), the competent authority designated in accordance with Article 6(2) of Regulation (EU) 2015/340;

(f)with regard to organisations referred to in Article 2(1), point (h), the competent authority designated in accordance with Article 4(1) of Regulation (EU) 2017/373;

(g)with regard to organisations referred to in Article 2(1), point (i), the competent authority designated in accordance with Article 14(1) or 14(2), as applicable, of Regulation
(EU) 2021/664.

(h)with regard to organisations referred to in Article 2(1), point (j), the competent authority designated in accordance with Article 3(1) of Implementing Regulation (EU) 2023/1769.

2.Member States may, for the purposes of this Regulation, designate an independent and autonomous entity to fulfil the assigned role and responsibilities of the competent authorities referred to in paragraph 1. In that case, coordination measures shall be established between that entity and the competent authorities, as referred to in paragraph 1, to ensure effective oversight of all the requirements to be met by the organisation.

3.The Agency shall cooperate in full compliance with the applicable rules on secrecy, protection of personal data and protection of classified information with the European Union Agency for the Space Programme (EUSPA), and the SAB referred to in Article 36 of Regulation
(EU) 2021/696 in order to ensure effective oversight of the requirements applicable to EGNOS air navigation service provider.

ED Decision 2025/013/R

The applicability of Annex I (Part-IS.AR) to Implementing Regulation (EU) 2023/203 to competent authorities is specified in Article 4(2) and called for under the authority requirements for a management system in the implementing or delegated acts for each domain. Therefore, the Part-IS.AR requirements apply to the competent authority under Article 6(1) irrespective of the allocation of roles and responsibilities to an independent and autonomous entity designated by the State under Article 6(2).

At the same time, this independent and autonomous entity designated by the State is not subject to the Part-IS.AR requirements; this entity has only to fulfil the responsibilities for certifying and overseeing organisations’ compliance with Implementing Regulation (EU) 2023/203.

This entity typically holds the role of a national information security body within the Member State and is normally subject to similar requirements to those existing in Part-IS.AR.

Regulation (EU) 2023/203

Competent authorities under this Regulation shall inform, without undue delay, the single point of contact designated in accordance with Article 8 of Directive (EU) 2016/1148 of any relevant information included in notifications submitted pursuant to point IS.I.OR.230 of Annex II to this Regulation and point IS.D.OR.230 of Annex I to Delegated Regulation (EU) 2022/1645 by operators of essential services identified in accordance with Article 5 of Directive (EU) 2016/1148.

Regulation (EU) 2023/203

Annexes VI (Part-ARA) and VII (Part-ORA) to Regulation (EU) No 1178/2011 are amended in accordance with Annex III to this Regulation.

Regulation (EU) 2023/203

Annex I (Part 21) to Regulation (EU) No 748/2012 is amended in accordance with Annex IV to this Regulation.

Regulation (EU) 2023/203

Annexes II (Part-ARO) and III (Part-ORO) to Regulation (EU) No 965/2012 are amended in accordance with Annex V to this Regulation.

Regulation (EU) 2023/203

Annex II (Part-ADR.AR) to Regulation (EU) No 139/2014 is amended in accordance with Annex VI to this Regulation.

Regulation (EU) 2023/203

Annexes II (Part-145), III (Part-66) and Vc (Part-CAMO) to Regulation (EU) No 1321/2014 are amended in accordance with Annex VII to this Regulation.

Regulation (EU) 2023/203

Annexes II (Part ATCO.AR) and III (Part ATCO.OR) to Regulation (EU) 2015/340 are amended in accordance with Annex VIII to this Regulation.

Regulation (EU) 2023/203

Annexes II (Part-ATM/ANS.AR) and III (Part-ATM/ANS.OR) to Regulation (EU) 2017/373 are amended in accordance with Annex IX to this Regulation.

Regulation (EU) 2023/203

For the consolidated version of Regulation (EU) 2021/664, please refer to the Easy Access Rules for U-space (Regulation (EU) 2021/664).

Regulation (EU) 2023/203

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 22 February 2026.

However, as regards the case of the EGNOS air navigation service provider subject to Regulation (EU) 2017/373 it shall apply from 1 January 2026.

Regulation (EU) 2023/203

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

For the Commission

The President

Ursula VON DER LEYEN

ANNEX I — INFORMATION SECURITY — AUTHORITY REQUIREMENTS [PART-IS.AR]

Regulation (EU) 2023/203

This Part establishes the management requirements to be met by the competent authorities referred to in Article 2(2) of this Regulation.

The requirements to be met by those competent authorities for the performance of their certification, oversight and enforcement activities are contained in the Regulations referred to in Article 2(1) of this Regulation and in Article 2 of Delegated Regulation (EU) 2022/1645.

Regulation (EU) 2023/203

(a)In order to achieve the objectives set out in Article 1, the competent authority shall set up, implement and maintain an information security management system (ISMS) which ensures that the competent authority:

(1)establishes a policy on information security setting out the overall principles of the competent authority with regard to the potential impact of information security risks on aviation safety;

(2)identifies and reviews information security risks in accordance with point IS.AR.205;

(3)defines and implements information security risk treatment measures in accordance with point IS.AR.210;

(4)defines and implements, in accordance with point IS.AR.215, the measures required to detect information security events, identifies those which are considered incidents with a potential impact on aviation safety, and responds to, and recovers from, those information security incidents;

(5)complies with the requirements contained in point IS.AR.220 when contracting any part of the activities described in point IS.AR.200 to other organisations;

(6)complies with the personnel requirements contained in point IS.AR.225;

(7)complies with the record-keeping requirements contained in point IS.AR.230;

(8)monitors compliance of its own organisation with the requirements of this Regulation and provides feedback on findings to the person referred to in point IS.AR.225 (a) to ensure effective implementation of corrective actions;

(9)protects the confidentiality of any information that the competent authority may have related to organisations subject to its oversight and the information received through the organisation’s external reporting schemes established in accordance with point IS.I.OR.230 of Annex II (Part-IS.I.OR) to this Regulation and point IS.I.OR.230 of Annex I (Part-IS.I.OR) to Delegated Regulation (EU) 2022/1645;

(10)notifies the Agency of changes that affect the capacity of the competent authority to perform its tasks and discharge its responsibilities as defined in this Regulation;

(11)defines and implements procedures to share, as appropriate and in a practical and timely manner, relevant information to assist other competent authorities and agencies, as well as organisations subject to this Regulation, to conduct effective security risk assessments relating to their activities.

(b)In order to continuously meet the requirements referred to in Article 1, the competent authority shall implement a continuous improvement process in accordance with point IS.AR.235.

(c)The competent authority shall document all key processes, procedures, roles and responsibilities required to comply with point IS.AR.200(a) and establish a process for amending this documentation.

(d)The processes, procedures, roles and responsibilities established by the competent authority in order to comply with point IS.AR.200(a) shall correspond to the nature and complexity of its activities, based on an assessment of the information security risks inherent to those activities, and may be integrated within other existing management systems already implemented by the competent authority.

ED Decision 2025/015/R

An information security management system (ISMS) is a systematic approach to establish, implement, operate, monitor, review, maintain and continuously improve the state of information security of an organisation. Its objective is to protect the information assets, such that the operational and safety objectives of an organisation can be reached in a risk-aware, effective and efficient manner.

Generally speaking, an ISMS establishes an information security risk management process, based upon the results of information security impact analyses, which basically determine its scope. If information security breaches may cause or contribute to aviation safety consequences, information security requirements need to limit the impact or influence of information security breaches on levels of aviation safety, which are deemed acceptable. Hence, all roles, processes, or information systems, which may cause or contribute to aviation safety consequences, are within the scope of Regulation (EU) 2023/203. The ISMS provides for means to decide on needed information security controls for all architectural layers (governance, business, application, technology, data) and domains (organisational, human, physical, technical). It further allows to manage the selection, implementation, and operation of information security controls. Finally, it allows to manage the governance, risk management and compliance (GRC) within the ISMS scope.

The overall risk assessment considers safety consequences influenced by information security risks. These may emerge as threats, hazards, escalation factors that weaken barriers, or direct triggers of existing hazards. When conducting this assessment, both aspects, information security and safety need to be coordinated throughout the process. This ensures mutual understanding of the objectives and the implementation of preventive measures against of all types of threats or weaknesses, as well as mitigating measures.

The risk management process is thus based on aviation safety risk assessments and derived information security risk acceptance levels, which are designed to effectively treat and manage information security risks with a potential impact on aviation safety caused by threats exploiting vulnerabilities of information assets in aeronautical systems.

Interacting bow-ties is one possible way that allows for a higher-level and non-exhaustive illustration of how different disciplines of risk assessment may need to collaborate to establish a common risk perspective. The below Figure 1 from ICAO Doc 10204 ‘Manual on Aviation Information Security’ illustrates these interactions.

Figure 1: Bow-tie representation of management of aviation safety risks posed by information security threats

In the drawing, the term ‘context’ in the communication between the safety assessment process (SAP) and the information security assessment process (ISAP) carries slightly different notions, which need to be understood and distinguished.

In order to satisfy the safety requirements, the SAP will provide context information, such as:

—the architecture of the systems and the functional descriptions of the elements within the scope, including those related to the barriers. Systems should be understood as the dynamic interaction between people, processes, and products, or services;

—all identified relevant safety hazards;

—the top events and their relations (e.g. triggers) to those hazards.

In addition to context information, it provides the target likelihood of the related information security successful compromise. This target likelihood is commensurate with the safety objectives related to the severity of the safety consequence. However, it needs to be complemented to include information about the acceptable level of uncertainty, in order to be able to rely adequately on the results of the ISAP.

In turn, the ISAP will return context information such as:

—modification to the architecture of the systems and functional descriptions of the elements modified or added, whether those were safety barriers or other items;

—additional threats;

—potentially additional safety hazards;

—additional direct triggers of hazards;

—additional escalating factors affecting barriers.

In addition to context information, it provides the achieved likelihood of an information security successful compromise. While this likelihood is consistent with the safety objectives set by the SAP, the achieved level of uncertainty also needs to be considered.

The interaction between SAP and ISAP is iterative and continues until the safety risk is acceptable, i.e. the target likelihood of the related information security successful compromise has been achieved. The interaction can start from safety consequences identified through the SAP that fall within the scope of the ISMS risk analysis, or from existing information security assessments.

ISMS implementation and maintenance

An ISMS, as defined in this Regulation, employs the perspectives of governance, risk and compliance, and an approach that combines the safety risk and performance dimensions to determine the information security controls that are appropriate to and compliant with the specific context and can effectively provide the level of protection required to achieve the aviation safety objectives by:

—Governance perspective refers to providing management direction and leadership aimed to achieve the entity’s own overarching objectives:

—leadership and commitment of the senior management defining and ensuring the close involvement of the management and a ‘top-down’ ISMS implementation

—information security and safety objectives aligned and consistent with the entity’s business objectives and monitored by, e.g., management reviews

—information security policies stating the principles and objectives to be achieved

—roles, responsibilities, competencies and resources required for an effective ISMS

—effective, target-group-oriented communication to internal and external stakeholders

—Risk perspective refers to a key aspect of an ISMS in an aviation safety context according to this Regulation, and serves as a basis for transparent decision-making and prioritisation of controls and risk treatment options. It further refers to the assessment, treatment and monitoring of information security risks in support of the management of aviation safety risks for the key processes and information assets upon which they depend. This includes protection requirements, risk exposure, attitude towards risks and risk acceptance criteria, methods and industry standards.

—Compliance perspective refers to the compliance with regulatory, legal and contractual requirements. This includes:

—this Regulation,

—the entity’s own policies and standards and may further include international or industry standards adopted by the entity from ISO, EUROCAE, etc.

This perspective comprises the definition, implementation and maintenance of the required information security provisions whose effectiveness and compliance should be regularly monitored and assured by, e.g., (internal) audits.

Based on these perspectives, we may identify the following processes and subject areas that have been shown to be relevant for the establishment of an effective ISMS. These ISMS processes and subject areas can be summarised as follows:

(a)context establishment defining the scope, interfaces, dependencies and requirements of interested parties;

(b)leadership and commitment of the senior management;

(c)information security and safety objectives;

(d)information security policies;

(e)roles, responsibilities, competencies and resources required for an effective ISMS;

(f)communication to internal and external stakeholders to achieve a sufficient level of information security awareness and training of all involved parties;

(g)information security risk management including risk assessment and treatment;

(h)information security incident management establishing processes for the handling of information security incidents and vulnerabilities;

(i)performance & effectiveness monitoring, measurement and evaluation;

(j)internal audits and management reviews;

(k)corrections and corrective actions;

(l)continuous improvement;

(m)relationship with suppliers;

(n)documentation, record-keeping, and evidence collection.

Additional critical success factors for the implementation and operation of an ISMS include the following:

—The ISMS should be integrated with the entity’s processes and overall management structure or even — at least partially, with safeguards for their respective integrity, and as reasonably applicable — with an overarching management system comprising information security, aviation safety and quality management.

—Information security has to be considered at an early stage in the overall design of processes and procedures, of systems and of information security controls, to be seamlessly integrated, for maximum effectiveness, minimal functional interference and optimised cost. None of these benefits can be achieved by integrating it later.

—The risk management process determines appropriate characteristics of preventive controls to reach and maintain acceptable risk levels.

—The incident management process ensures that the organisation detects, reacts and responds to information security incidents in a timely manner. This is achieved by defining responsibilities, procedures, scenarios and response plans in advance to ensure a coordinated, targeted and efficient response.

—Continuous monitoring and reassessment are undertaken and improvements are made in response.

The above-mentioned core components are related to the requirements in this Regulation, for which Figure 2 provides a high-level depiction of the aspects that are more prominent in the implementation phase and those that characterise the operational phase, as well as the review and possible improvement, if the functions do not perform as planned.

Figure 2: Representation of the Part-IS requirements from an ISMS’s life cycle perspective

Plan-Do-Check-Act approach

The Plan-Do-Check-Act (PDCA) refers to a process approach that is often used to establish, implement, operate, monitor, review and improve management systems. Figure 3 depicts the PDCA applied to an ISMS.

Figure 3: Plan-Do-Check-Act approach applied to an ISMS

Benefits of an ISMS

The benefits of a management system operating in a dynamic, uncertain or unpredictable risk environment are realised in the long term only when the organisation improves existing controls, processes and solutions based on the assessments of risks, performance and maturity as well as the learnings from incidents, audits, non-conformities and their root causes. A successful adoption and deployment of an ISMS allows an entity to:

—achieve greater assurance to the management and interested parties that its information assets are adequately protected against threats on a continual basis;

—increase its trustworthiness and credibility providing confidence to interested parties that information security risks with an impact on aviation safety are adequately managed;

—increase the resilience of the entity’s key processes against unauthorised electronic interactions and maintains the entity’s ability to decide and act;

—support the timely detection of control gaps, vulnerabilities or deficiencies aimed to prevent information security incidents or at least to minimise their impact;

—detect and timely react to changes in the entity’s environment including system architecture and threat landscape or the adoption of new technologies;

—provide a foundation for effective and efficient implementation of a comprehensive information security strategy in times of digital transformation, increasing interconnectivity of systems, emerging information security threats and new technologies.

Relation to ISO/IEC 27001

The international standard ISO/IEC 27001 is a widely adopted standard for ISMS which specifies generic requirements for establishing, implementing, maintaining and continually improving an ISMS. It also includes requirements for the assessment and treatment of information security risks. The requirements are applicable to all entities, regardless of type, size or nature. The conformity of an ISMS with the ISO/IEC 27001 standard can be certified by an accredited certification body. ISO/IEC 27001 is compatible with other management system standards (quality, safety, etc.) that have also adopted the structure and terms defined in Annex SL to ISO/IEC Directives, Part 1, Consolidated ISO Supplement. This compatibility allows an entity to operate a single management system that meets the requirements of multiple management system standards.

ISO/IEC 27001 allows entities to define their own scope of audit and their own organisational risk appetite. This, in turn, leads to information security requirements that provide the ISMS with criteria for the acceptability of information security risks in line with the entity’s risk appetite (see Figure4).

Figure 4: Relation between the entity’s risk appetite and the information security objectives

The requirements for an ISMS specified by this Regulation are in most parts consistent and aligned with ISO/IEC 27001; however, this Regulation introduces provisions specific to the context of aviation safety. If an ISO/IEC 27001-based ISMS is already operated by an entity for a different scope and context, it can be adapted and extended to the scope and context of this Regulation in a straightforward manner based on an analysis of the scope and the gaps. In order to take credit from ISO/IEC 27001 certifications to achieve compliance with Part-IS, aviation safety needs to be included in the organisational risk management, with the relevant risk acceptance level determined by the applicable regulation (see Figure 5). Therefore, careful determination of the scope of the ISMS related to aviation safety risks is needed, as it might differ from the one related to the other organisational risks. To allow demonstration of compliance with Regulation (EU) 2023/203, careful delineation between aspects of the ISMS related to aviation safety risks and other organisational risks may be required. This could have an influence upon the decision to integrate ISMSs.

Figure 5: Introduction of aviation safety aspects in the entity’s risk appetite

PART-IS versus ISO/IEC 27001:2022 cross reference table

For a mapping between the Part-IS provisions and the clauses and associated controls in ISO/IEC 27001:2022, refer to Appendix IV.

ED Decision 2023/010/R

The competent authority should define and document the scope of the ISMS, by determining activities, processes, supporting systems, and identifying those which may have an impact on aviation safety.

The information security policy should be endorsed by the person identified as per IS.AR.225(a) and reviewed at planned intervals or if significant changes occur. Moreover, the policy should cover at least the following aspects with a potential impact on aviation safety by:

(a)committing to comply with applicable legislation, consider relevant standards and best practices;

(b)setting objectives and performance measures for managing information security;

(c)defining general principles, activities, processes for the competent authority to appropriately secure information and communication technology systems and data;

(d)committing to apply ISMS requirements into the processes of the competent authority;

(e)committing to continually improve towards higher levels of information security process maturity as per IS.AR.235;

(f)committing to satisfy applicable requirements regarding information security and its proactive and systematic management and to the provision of appropriate resources for its implementation and operation;

(g)assigning information security as one of the essential responsibilities for all managers;

(h)committing to promote the information security policy through training or awareness sessions within the competent authority to all personnel on a regular basis or upon modifications;

(i)encouraging the implementation of a ‘Just-Culture’ and the reporting of vulnerabilities, suspicious/anomalous events and/or information security incidents;

(j)committing to communicate the information security policy to all relevant parties, as appropriate.

Note: A significant change is a notable alteration or modification that has a meaningful impact on the competent authority operations, such as a structural change within the authority due to reorganisations, a change in the business processes (e.g. working from home, use of personal devices), a technological evolution (e.g. distributed computing resources, artificial intelligence/machine learning) or an evolution in the threat landscape.

ED Decision 2023/010/R

INFORMATION SECURITY POLICY AND OBJECTIVES

The information security policy should suit the competent authority’s purpose and direct its own information security activities. Such policy should contain the needs for information security in the competent authority’s context, a high-level statement of direction and intent of the information security activities, the principles and most important strategic and tactical objectives to be achieved by the ISMS, as well as the general information security objectives or a specification of a framework (who, how) for setting information security objectives. The information security policy should also contain a description of the established ISMS, including roles, responsibilities and references to topic-specific policies and standards.

The information security objectives should be:

—consistent and aligned with the information security policy and consider the applicable information security requirements, derived from the overarching competent authority’s objectives, and the results from the risk assessment and treatment (which, in turn, supports the implementation of the competent authority’s strategic goals and information security policy);

—regularly reviewed to ensure that they are up to date and still appropriate;

—measurable if practicable (to be able to determine whether the objective has been met), aimed to be SMART (specific, measurable, attainable, realistic, timely) and aligned with all affected responsible persons.

When defining information security objectives, e.g., based on the overarching competent authority’s objectives, the information security requirements or the results of risk assessments, it should be determined how these objectives will be achieved. The degree to which information security objectives are achieved must be measurable. If possible, it should be measured by key performance indicators (KPIs) which have been defined in advance (refer to resources such as COBIT 5 for Information Security). It is recommended to start with the definition of a limited number of information security objectives which are relevant for the competent authority, more of a long-term nature and measurable with a reasonable effort relative to the delivered benefits.

ED Decision 2023/010/R

COMPLIANCE MONITORING

When establishing compliance with the provisions under point IS.AR.200(a)(8), the competent authority should implement a function to periodically monitor compliance of the management system with the relevant requirements and adequacy of the procedures including the establishment of an internal audit process and an information security risk management process. Compliance monitoring should include a feedback mechanism of audit findings to the person of the competent authority as identified in IS.AR.225(a) to ensure implementation of corrective actions as necessary.

ED Decision 2023/010/R

COMPLIANCE MONITORING

For the purpose of compliance monitoring, internal audits should be conducted at planned intervals to provide assurance on the status of the ISMS to the management and to provide information on the following:

—conformity of the ISMS to the requirements of this Regulation and the competent authority’s own requirements either stated in the information security policy, procedures and contracts or derived from information security objectives or outcomes of the risk treatment process;

—effective implementation and maintenance of the ISMS.

Internal audits should follow an independent approach and a decision-making process based on evidence. Moreover, when setting up an audit programme, the importance of the processes concerned, and definitions of the audit criteria and scopes should be considered. Documented information should be retained evidencing the audit results, their reporting to the relevant management and the audit programme.

ED Decision 2023/010/R

When establishing compliance with the provisions under points IS.AR.200(a)(9), the competent authority should implement and maintain information security controls that are sufficiently robust and effective to protect information and ensure the need-to-know principle (i.e. limiting access to information to only those who need it to perform their duties). It should protect the source of information in accordance with the relevant provisions established in Regulation (EU) 2018/1139. It should also comply with Regulation (EU) No 376/2014.

ED Decision 2023/010/R

When establishing compliance with the provisions under point IS.AR.200(a)(11), the competent authority should implement and maintain a process to proactively share applicable and relevant information for performing information security risk assessments with other competent authorities, the Agency and other affected organisations within the scope of this Regulation, as soon as it becomes aware of such information. The competent authority should define and document which kind of information needs to be shared and with whom.

ED Decision 2023/010/R

When establishing compliance with the provisions under point IS.AR.200(c), the competent authority should:

(a)provide an outline of the structure of the specific information security personnel (internal and external), including their roles and responsibilities that will be used to manage and maintain the elements included within the scope of the ISMS and will be approved by the person identified in IS.AR.225(a). The competent authority should review the outline of the structure at planned intervals or if significant changes occur (see the Note in AMC1 IS.AR.200(a)(1));

(b)identify and categorise all relevant contracted organisations or qualified entities used to implement the ISMS. The competent authority should define and document procedures for the management of interfaces with all other entities and coordination between the competent authority and other national authorities, contracted organisations or qualified entities;

(c)identify and define all key processes and procedures, and internal and external reporting schemes that will be used to maintain compliance with the objectives of this Regulation over the life cycle of the ISMS. The competent authority may adjust existing processes or procedures for compliance;

(d)identify and document any other information that will be used to maintain compliance with the objectives of this Regulation;

(e)when creating and updating documented information, ensure appropriate identification and description (e.g. a title, date, author, or reference number) as well as a review and an approval for suitability and adequacy;

(f)control the documented information required by the ISMS to ensure that it is:

(1)available and suitable for use, where and when it is needed;

(2)adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

ED Decision 2023/010/R

The amount of documented information that should be developed to maintain compliance with the objectives of this Regulation may vary between competent authorities due to various factors, such as size and complexity, or the need for harmonisation with other management processes already in place. As general guidance, taking into account the documents required to comply with point IS.AR.200(a) and the record-keeping requirements referred to in IS.AR.230, the following is a non-exhaustive list of information that should be documented:

(a)information security policy that should include the authority’s information security objectives — see IS.AR.200(a)(1);

(b)responsibilities and accountabilities for roles relevant to information security — see the personnel requirements referred to in points IS.AR.225(a) and (b) and the related AMC and GM;

(c)scope of the ISMS and the interfaces with, and dependencies on, other parties — see IS.AR.200(a)(2) and the information security requirements referred to in points IS.AR.205(a) and (b);

(d)information security risk management process — see the information security requirements referred to in points IS.AR.205 and IS.AR.210;

(e)archive of the risks identified in the information security risk assessment along with the associated risk treatment measures (often referred to as ‘risk register’ or ‘risk ledger’) — see IS.AR.230;

(f)evidence of the competencies necessary for the personnel performing the activities required under this Regulation — see IS.AR.225(c) and the related AMC and GM;

(g)evidence of the current competencies of the personnel performing the activities required under this Regulation — see IS.AR.230(b)(1);

(h)(key) performance indicators derived from evidence of the monitoring and measurement of the ISMS processes.

ED Decision 2023/010/R

PROPORTIONALITY IN ISMS IMPLEMENTATION

When implementing the processes and procedures, as well as establishing the roles and responsibilities required under point IS.AR.200(d), the competent authority should primarily consider the risks that it may be posing to other organisations, as well as its own risk exposure. Other aspects that may be relevant include the authority’s needs and objectives, information security requirements, its own processes, and the size, complexity and structure of the authority, all of which may change over time.

INTEGRATION OF ISMS UNDER THIS REGULATION WITH EXISTING MANAGEMENT SYSTEMS

A competent authority may take advantage of existing management systems when implementing an ISMS by integrating it with those existing systems.

By integrating the ISMS with existing management systems, the competent authority may reduce the effort and costs required to implement and maintain the ISMS, while also ensuring consistency and alignment with the authority’s overall management approach. Below is a non-exhaustive list of potential synergies that can be exploited when integrating the ISMS with an existing management system:

—Leverage existing policies and procedures: an authority may use its existing policies and procedures as a foundation for its ISMS. This may help to ensure consistency and minimise the need for additional documentation.

—Align the ISMS with other management systems: an authority may align the ISMS with other management systems, such as safety management systems (SMSs), to ensure that the ISMS is consistent with the authority’s overall management approach.

—Use existing risk management processes: an authority may use their existing risk management processes to identify and assess the information security risks potentially leading to aviation safety risks.

—Reuse existing controls: an authority may reuse existing controls, such as access controls or incident management process, to implement the information security controls required by the ISMS.

—Continuous improvement process: an authority may use the continuous improvement process of existing management systems to improve the ISMS over time.

Regulation (EU) 2023/203

(a)The competent authority shall identify all the elements of its own organisation which could be exposed to information security risks. This shall include:

(1)the competent authority’s activities, facilities and resources, and the services the competent authority operates, provides, receives or maintains;

(2)the equipment, systems, data and information that contribute to the functioning of the elements referred to in point (1)

(b)The competent authority shall identify the interfaces that its own organisation has with other organisations, and which could result in the mutual exposure to information security risks.

(c)For the elements and interfaces referred to in points (a) and (b), the competent authority shall identify the information security risks which may have a potential impact on aviation safety.

For each identified risk, the competent authority shall:

(1)assign a risk level according to a predefined classification established by the competent authority;

(2)associate each risk and its level with the corresponding element or interface identified in accordance with points (a) and (b).

The predefined classification referred to in point (1) shall take into account the potential of occurrence of the threat scenario and the severity of its safety consequences. Through this classification, and taking into account whether the competent authority has a structured and repeatable risk management process for operations, the competent authority shall be able to establish whether the risk is acceptable or needs to be treated in accordance with point IS.AR.210.

In order to facilitate the mutual comparability of risks assessments, the assignment of the risk level per point (1) shall take into account relevant information acquired in coordination with the organisations referred to in point (b).

(d)The competent authority shall review and update the risk assessment carried out in accordance with points (a), (b) and (c) in any of the following cases:

(1)there is a change in the elements subject to information security risks;

(2)there is a change in the interfaces between the competent authority’s organisation and other organisations, or in the risks communicated by the other organisations;

(3)there is a change in the information or knowledge used for the identification, analysis and classification of risks;

(4)there are lessons learnt from the analysis of information security incidents.

ED Decision 2023/010/R

Part-IS does not require the use of any specific information security framework, such as ISO, NIST or others to develop the risk assessment or in general to implement risk management. Each framework offers different benefits and none of these frameworks is perfect for an individual competent authority, and should be customised and tailored to meet the overall needs of a competent authority as well as the specific need to consider aviation safety aspects.

Competent authorities whose information security frameworks have achieved industry certifications can provide this information as supporting artefacts; however, these competent authorities should show the applicability of the industry certification to the scope of this Regulation (see GM1 IS.AR.200).

General guidance on risk management, including risk assessment, can be found in ISO/IEC 27005 and ISO/IEC 31000 as well as NIST SP 800-30. Competent authorities may also wish to consider aviation-specific guidance as defined in the risk management chapter of the latest version of EUROCAE ED-201A and, as appropriate to the specific operating environment, in the chapters of EUROCAE ED-204A, EUROCAE ED-205A and EUROCAE ED-206 covering risk management.

ED Decision 2023/010/R

When conducting an information security risk assessment, the competent authority should ensure that all relevant aviation safety elements are identified and included in the ISMS scope as per IS.AR.200 and related AMC.

A means to comply with the requirement in point IS.AR.205(a) is to perform a preliminary high-level risk assessment or impact assessment, carried out in accordance with a documented methodology and following precise criteria for the inclusion in and exclusion from the ISMS scope of the elements listed in IS.AR.205(a).

ED Decision 2023/010/R

SCOPE AND BOUNDARIES IDENTIFICATION

The competent authority should develop clear and comprehensive understanding of its aviation activities and services, the related processes and associated information systems, and the relevant data flows and information exchanges that define the scope of the ISMS and the boundaries for risk assessment. Therefore, the competent authority should develop corresponding documentation on resources and dependencies related to computing, networking and contracted services which have the potential to affect the information security and safety of the functions, services or capabilities within the scope of the risk assessment.

The following non-exhaustive list provides examples of items that may be considered for the identification of the aforementioned scope and boundaries. The level of detail of the analysis can be an iterative process, with the effort commensurate with the expected level of risk. As stated above, the purpose is to establish understanding of all relevant assets, resources and dependencies that are directly a part of the functions, services and capabilities through the following activities:

(a)Identification of operational inputs and outputs relevant to the functions, services and capabilities of the authority; these can be related to:

—internal or external sources;

—internal or external leased or managed services, or other dependencies;

(b)Identification of all relevant assets (i.e. hardware, software, network and computing resources) used to create, process, transmit, store or receive the aforementioned operational inputs and outputs;

(c)Identification of the operating environments (e.g. office, public access area, access-controlled room, etc.) and locations for all relevant assets;

(d)For each asset included in the scope, identification of the specific methods, processes and resources that will be used to manage, operate and maintain each asset throughout its life cycle, including:

—internal or contracted resources;

—contracted companies remotely managing the assets (i.e. provider of managed services).

ED Decision 2023/010/R

The competent authority should, as part of the information security risk assessment, identify the interfaces it has with other parties such as service providers, supply chains and other third parties, based on the exchange of data and information and the assets used for that exchange, which could lead to a situation where information security risks, as a result of mutual exposure, may either:

—increase aviation safety risks faced by other parties; and/or

—increase aviation safety risks faced by the organisation.

ED Decision 2023/010/R

RISK INFORMATION SHARING

Interfacing parties should share information with each other about the potential exposure to information security risks by following, for instance, the approach detailed in EUROCAE ED-201A Appendix B — B.1, B.2 and B.3. The purpose of this exchange of information is to enable the parties to establish a matching mapping for the services identified under IS.AR.205(a), including information and data flows, in order to:

(a)illustrate (e.g. through a functional diagram) the relationships of logical and physical paths connecting the different parts involved;

(b)clearly identify all assets (i.e. hardware, software, network and computing resources) that will be used in the exchange;

(c)identify all functions, activities and processes, including their respective information and data, which will be created, transmitted, processed, received and stored, and associate those with the responsible party which provides or performs those functions, activities and processes;

(d)determine for these paths, constituting the so-called functional chains, the role of the interfacing party as a producer, processor, dispatcher, or consumer of the information or data involved;

(e)determine whether one interfacing party acts as an originator or receiver of a flow across such path.

TWO CATEGORIES OF INTERFACING ORGANISATIONS

There are two categories of interfacing organisations: those that are subject to Regulation (EU) 2023/203 or Regulation (EU) 2022/1645, and those that are not.

Where the competent authority has interfaces with an organisation that is subject to Regulation (EU) 2023/203 or Regulation (EU) 2022/1645, each entity:

—is responsible for the identification of the interfaces that its own organisation has with other organisations, and which could result in the mutual exposure to information security risks. The entity may benefit from the sharing of risk information as this exchange allows for a more accurate assessment of those risks.

—remains accountable for the proper management of the information security risks within the scope of its own ISMS.

In all other cases, the competent authority is accountable for the proper management of the information security risks that may arise from its exposure to the interfacing entity. Where these risks need to be treated, the competent authority always has the option of implementing mitigating measures and controls within its own boundaries. In the specific case where the interfacing entity is a supplier, the competent authority may decide to manage the risks through contractual arrangements and require the supplier to implement mitigating measures and controls within its own organisation.

ED Decision 2023/010/R

EXAMPLES OF AVIATION SERVICES

Examples of aviation services that may be considered when determining the ISMS scope and interfaces are provided in Appendix III.

ED Decision 2023/010/R

The competent authority should use a risk management framework that includes a methodology for assigning risks with a risk level and establishing criteria for determining risk acceptance or further treatment.

The competent authority should provide documented evidence of assessment of risks which have a potential impact on aviation safety including the level of risks. The competent authority should associate each risk with the relevant elements and interfaces identified under IS.AR.205 (a) and (b), and document whether the risk is acceptable or requires further treatment.

The competent authority should provide the assurance that the risk assessment process is carried out with the necessary rigour and discipline by documenting the process and its robustness. By doing so, the competent authority should consider:

(a)reproducibility of the assessment’s inputs and results;

(b)repeatability of the assessment over time in a way that the results of the different prior assessments can be compared to determine the changes;

(c)the gathering of inputs that are relevant and valid, in particular:

(1)the information that allows the determination of the safety consequences;

(2)the information that allows the determination of the potential of occurrence of the threat scenario;

(d)iterative refinement over time allowing for more fine-grained threat scenarios as inputs to become available, with the aim of reducing uncertainty regarding threats, vulnerabilities, effectiveness of existing controls, and dependencies on external entities, in particular by:

(1)refining initial high-level threat scenarios with greater detail and specificity as more data is gathered;

(2)refining data on known vulnerabilities by continuously updating information about their exploitability and the associated consequences;

(3)reviewing the effectiveness of existing controls, and consider newly available controls;

(4)refining the understanding of the dependencies on external entities and their implications for the competent authority’s risk profile.

ED Decision 2023/010/R

RISK ASSESSMENT

The risk classification levels for potential of occurrence of the threat scenario and severity of the safety consequences listed below may be applied; however, this does not prevent the competent authority from developing additional intermediate categories if it deems this necessary for risk assessments. The competent authority should specify and document the applied, entity-specific classification levels with an accurate qualitative or quantitative definition in terms of a range or interval of numerical values in order to enable a sufficiently calibrated, consistent estimation, evaluation and communication within the competent authority or with the interfacing entities. The potential of occurrence of the threat scenario may be expressed as an interval of likelihoods including the duration of the observation. Supporting documentation and methods can be found in EUROCAE ED-203A, Chapter 3.6 which references the evaluation of the potential of occurrence of the threat scenario in the Security Risk Assessment of EUROCAE ED-202A.

Note 1: The phrase ‘duration of the observation’ refers to the time period during which a threat scenario is observed or monitored. It is essential in determining the likelihood of the threat scenario occurring, since the probability of occurrence may vary depending on the length of the observation period.

Note 2: EUROCAE ED-202A and EUROCAE ED-203A were originally developed for aircraft information security risk assessment, but the generic principles developed in those documents can be adapted to other frameworks when deemed useful by the authority.

In order to facilitate the mutual comparability of risks assessment methodologies between interfacing entities, the competent authority may associate the assessment of the potential of occurrence of the threat scenario with one of the following categories:

—High potential of occurrence: the threat scenario is likely to occur. The attack related to the threat scenario is feasible and similar threat scenarios have occurred many times in the past.

—Medium potential of occurrence: the threat scenario is unlikely to occur. The attack related to the threat scenario is possible and a similar threat scenario may have occurred in the past.

—Low potential of occurrence: the threat scenario is very unlikely to occur. The materialisation of the threat scenario is theoretically possible; however, it is not known to have occurred.

The evaluation of the potential of occurrence of the threat scenario may be based on the following aspects:

Protection (as defined in EUROCAE ED-203A)

—Security measures and architecture that deny access to assets: the degree to which an asset is open to access from compromised systems

—Access to security measures: the degree to which a security measure prevents access/attack to itself from compromised systems

—Failure of mechanism: the degree to which the known implementation of a security measure will fail to prevent an attack

—Detection methods or procedures to recognise the attack and appropriately respond to reduce the potential of occurrence of the threat scenario

Exposure reduction (as defined in EUROCAE ED-203A)

—Conditions under which an external access connection can be used by a user or attacker

—Limits on the functionality of an external access connection

—Organisational policies that control the time-to-feasibility for developing attack tools specific to the product

—Vulnerability management including intelligence, scanning, treatment and retesting aimed to discover, detect and treat reported or detected vulnerabilities in a fast, risk-prioritised manner with high assurance in order to reduce the attack surface

—Reduction of the severity of a successful attack (i.e. through a redundant system that can maintain the continuity of service in case of a denial of service of a system critical for aviation safety)

Attack attempt (as defined in EUROCAE ED-203A)

—The capability of the attackers which is determined by the resources and expertise required for their attack

The capability of the attackers can be assessed through several ways, for instance:

—information from computer emergency response teams (CERTs) / computer security incident response teams (CSIRTs), information sharing and analysis centres (ISACs);

—analyses of past activities, tactics, techniques and procedures (TTPs) and success rate of attacks.

For the same reason, the competent authority may associate the outcome of the evaluation of the severity of the safety consequences with one of the following categories:

—High severity: those immediate or delayed scenarios that can cause or contribute to an unsafe condition where an unsafe condition means an occurrence associated with the operation of an aircraft in which:

—a person is fatally or seriously injured;

—the aircraft sustains damage or structural failure;

—the aircraft is either missing or completely inaccessible;

—Moderate severity: those immediate or delayed scenarios that can cause or contribute to safety incidents where an incident means any occurrence other than an accident, associated with the operation of an aircraft, which affects or could affect the safety of operations;

—Low severity: those immediate or delayed scenarios that can cause or contribute to negligible safety consequences.

Examples for high, moderate, and low severity can be found in EUROCAE ED-201A, Appendix B for products, ATM systems and airspace.

If the competent authority cannot determine the safety effect, the assessment should identify assumptions from the risk-sharing information at interfaces with other organisations along the functional chain, leading up to the safety effect.

Some of those assumptions can be granted with the certification of products: where assets are subject to product certification from other aviation regulations addressing product information security, the organisation performing the risk assessment may consider the perimeter of the product certification as already covered. This should be acceptable under the condition that this certification is up to date and that the instructions provided by the OEM to maintain the certification validity are implemented by the organisation.

Additional information can also be found in Regulation (EU) 2015/1018 on mandatory reporting of occurrences. Further examples of impact severity classifications for aviation domains can be found in EUROCAE ED-201A, Appendix B — Tables B-5, B-6 and B-7.

Risk acceptance criteria

Risk acceptance criteria are critical and should be developed, specified and documented. The criteria may define multiple thresholds, with a desired target risk level, but allowing also for the person identified in IS.AR.225(a) to accept risks above this level under defined circumstances and conditions.

In order to facilitate the mutual comparability of risk assessments between interfacing entities, the competent authority should classify the risks in the following categories:

—unacceptable risk;

—conditionally acceptable risk;

—acceptable risk.

For what concerns the conditional acceptance of risks, the criteria for acceptance should take into account how long a risk is expected to exist (temporary or short-term activity or exposure), or may include requirements for the commitment of future treatments to reduce the risk at an acceptable level within a defined time duration, and show how the risk will be managed over time through the authority’s risk governance processes.

Moreover, risks should be conditionally accepted only under the condition that the competent authority demonstrates the presence of a comprehensive risk management structure that includes risk assessment, risk treatment and risk monitoring processes for operations. The risk management should consider the variability and consistency of threat likelihood, vulnerability, existing controls, external dependencies, and safety impact. This is typically achieved when the competent authority reaches a higher level of maturity that is representative of functionality and repeatability of information security risk management — see GM1 IS.AR.235(a).

The following Figure 1 depicts a risk acceptance matrix based on the aforementioned categories that can be used by interfacing organisations for mutual comparability.

Figure 1: Example of a risk acceptance matrix for comparison purposes

* The potential of occurrence of the threat scenario is reassessed in a timely manner (refer to IS.AR.205(d)) and monitored to ensure that it remains low and that if the risk materialises, it is early detected and dealt with.

A comprehensive risk management structure typically entails the following aspects and processes:

—a repeatable and reproduceable risk assessment. If the risk factors are considered fairly uncertain and within some wide value range or not sufficiently precise, further iterations of the risk assessment are performed involving additionally gathered or detailed information and a more in-depth assessment in order to reduce uncertainty and increase precision;

—a thorough review of those risks proposed to be conditionally acceptable that is performed by the person identified in IS.AR.225(a) who may impose additional conditions for the risk retention, including risk treatment measure and the timeline for its implementation;

—strict monitoring of the key risk indicators that includes a defined, reliable detection of the potentially evolving risk materialisation;

—an incident response scheme is in place with reactive measures that are triggered by detection mechanisms in order to immediately contain the consequences, in particular, for risk scenarios involving a high severity level.

Note: As detailed in NIST SP-800 Rev.1, repeatability refers to the ability to repeat the assessment in the future, in a manner that is consistent with and hence comparable to prior assessments —enabling the organisation to identify trends. Therefore, a risk assessment process can be classified as ‘repeatable’ when under similar conditions an entity or a person delivers consistent results.

As detailed in NIST SP-800 Rev.1, reproducibility refers to the ability of different experts to produce the same results from the same data. Therefore, a risk assessment process can be classified as ‘reproducible’ when another entity or person, given the same inputs, assumptions, information security context and threat environment can replicate the same steps and reach the same conclusions.

Threat scenario identification

A threat scenario is one of the possible ways a threat could materialise. Typically, a threat scenario describes a potential attack targeting one or more vulnerabilities of assets, as well as processes.

The purpose of the threat scenario identification under this Regulation is to develop a list of scenarios that may lead to an information security threat having an impact on aviation safety.

A threat scenario, in general, is characterised by the following:

—a threat source of the information security attack;

—an attack vector and a path through the organisation up to the asset;

—the information security controls that would mitigate the attack;

—the consequence of the attack including the affected safety aspects.

Threat scenario identification guidance can be found in EUROCAE ED-202A, Chapter 3.4. This is not the only source where guidance can be found, and the competent authority may refer to different guidance more appropriate for their application.

Additional methods to identify relevant threat scenarios

When conducting this analysis, both information security and safety aspects should be coordinated throughout the process to ensure mutual understanding of the threat preventive measures and mitigating measures being applied. In the following Figure 2 the interactions between information security and aviation safety are depicted through a ‘bow-tie’ diagram that highlights the links between risk controls and the underlying management system.

Figure 2: Interactions between information security and aviation safety risk management areas

Note: A preventive barrier or measure is a proactive action or control implemented to reduce the likelihood of a risk, hazard, or threat materialising, while a mitigating measure is an action or control designed to reduce the severity or impact of an undesired event, would it occur.

Examples of threat scenarios

Threat catalogues may provide guidance and elements for the elaboration of threat scenarios that are relevant for the organisation. References can be found in ARINC 811 – Att. 3 – Tables 3-7 and 3-8 for the threat catalogue examples and other threat catalogue examples as they are provided by EU institutions — for example, the ENISA threat taxonomy. However, this is not an exhaustive list of examples, and the identification of threat scenarios should therefore not be limited to those examples only. In addition, other relevant resources containing information on information security threats and the information security threat landscape should be consulted to support the risk assessment process with relevant inputs.

A set of examples of threat scenarios can be found in Appendix I.

ED Decision 2023/010/R

The competent authority should take into account the following criteria when establishing compliance with the objectives contained in point IS.AR.205(d):

(a)The risk assessment performed under points IS.AR.205 (a), (b) and (c) should be reviewed at regular intervals to identify and account for relevant changes. The periodicity at which potential changes have to be evaluated should be determined by the authority performing the assessment considering the criticality of the assets within the scope of the risk assessment, levels of residual risk of the assets within the scope of the risk assessment and any contractual or regulatory requirements. A higher criticality or level of risk will require more frequent review.

(b)The periodicity of risk assessment reviews should be documented by the competent authority and include the justification, date of approval and information about the risk owner.

ED Decision 2023/010/R

The criteria to consider for the frequency of the risk assessment review may be the risk level as well as the criticality and complexity of the assets concerned. The objective of a risk assessment review is to trigger the revaluation of risks, their likelihood and impact in case of relevant changes. One possible way is to have a tiered approach to risk assessment, with a higher-level risk assessment being used for the identification of changes. The higher-level risk assessment could allow the identification of the detailed risks that should be reviewed in a next step. Risk assessments should be subject to regular reviews to:

(a)allow for continuous improvement of the quality of risk assessment;

(b)ensure efficiency and effectiveness of risk controls and mitigating measures in both their design and operation;

(c)review plans and actions for risk treatment;

(d)identify any organisational change which may require a review of the priorities as well as of the treatment of risks;

(e)maintain an overview of the complete risk picture; and

(f)identify any emerging risks.

Risk assessment reviews should involve the risk owners, project teams and other stakeholders as applicable. Evidence of risk assessment review should be documented and should include:

—evidence of approval of the review by the designated risk owner; and

—the rationale behind or basis for the risk owner’s approval of the review.

Such evidence may comprise, but is not limited to:

—reports which constitute a form of documentation to track information security risks potentially impacting an organisation;

—the documentation of the information security risk assessment;

—exerts from a business or security risk registry.

The periodicity of risk assessment reviews should be documented by the authority in information security manuals, processes or procedures and should align with wider change management activities and management reviews of information security. Further guidance on criteria and frequency of risk assessment review can be found in EUROCAE ED-201A Chapter 4, as well as in EUROCAE ED-205A, Chapter 3.2 (for ATMS/ANS).

ED Decision 2023/010/R

The following are examples of changes that should be identified during the risk assessment review as they may trigger an update of the risk assessments:

(a)there is a change in the elements subject to information security risks as identified in IS.AR.205(a); a change in the elements will include:

—additions to, or removals from, the scope of the risk assessment of individual elements;

—changes to design or configuration of elements within the scope of the risk assessment that have the potential to alter the risk assessment outcomes; or

—changes to values, which would potentially trigger changes to impact levels, of elements within the scope of the risk assessment;

(b)there is a change in the interfaces between the authority and other parties with which the authority shares information security risks or relies upon to mitigate information security risks (e.g. supply chains, service providers, cloud providers and customers), as identified in IS.AR.205(b), or between the system within the scope of the risk assessment and any other interconnected systems, or in the risks notified to the authority by other parties, as identified in IS.AR.205(b), or owners or managers of the other systems including:

—establishment of new interfaces;

—removal of existing interfaces;

—changes to existing interfaces that would have the potential to alter the risk assessment outcomes.

Note: Some organisational or system interconnections may be with entities that are not within the scope of this Regulation as defined in Article 2 and therefore are not subject to the requirements of Part-IS. Where this is the case, these entities should be informed of their responsibility to report such changes as listed above, through contractual arrangements and reporting requirements between the affected entities on a case-by-case basis and where applicable;

(c)there is a change in the information or knowledge used for the identification, analysis and classification of risks including:

—changes to threats and their values or addition of new threats that have not previously been assessed;

—changes to vulnerabilities or addition of new vulnerabilities that have not previously been assessed;

—changes in impacts or consequences of assessed threats or vulnerabilities;

—changes in aggregation of risks that may result in unacceptable levels of risks;

—changes or improvements in the risk management process, risk assessment approach and related activities;

—changes or improvements in the treatments of risks;

—changes in the criteria used to determine acceptance and treatments of risks;

(d)there are lessons learned from the analysis of information security incidents including:

—understanding why and how incidents have occurred; and

—reviewing all types of incidents including those due to external factors, technical reasons or human errors (inadvertent behaviour). For human intentional acts, a distinction can be made between malign and benign actions.

Regulation (EU) 2023/203

(a)The competent authority shall develop measures to address unacceptable risks identified in accordance with point IS.AR.205, shall implement them in a timely manner and shall check their continued effectiveness. Those measures shall enable the competent authority to:

(1)control the circumstances that contribute to the effective occurrence of the threat scenario;

(2)reduce the consequences to aviation safety associated with the materialisation of the threat scenario;

(3)avoid the risks.

Those measures shall not introduce any new potential unacceptable risks to aviation safety.

(b)The person referred to in point IS.AR.225(a) and other affected personnel of the competent authority shall be informed of the outcome of the risk assessment carried out in accordance with point IS.AR.205, the corresponding threat scenarios and the measures to be implemented.

The competent authority shall also inform organisations with which it has an interface in accordance with point IS.AR.205(b) of any risk shared between competent authority and the organisation.

ED Decision 2023/010/R

Unacceptable risks identified in accordance with point IS.I.OR.205 require a risk treatment process that may lead to the introduction of information security measures, often referred to as information security controls.

For each identified risk, the competent authority should define the specific risk treatment measures, methods or resources that will be used over the life cycle of each asset to:

—manage risk reduction;

—monitor and maintain each asset;

—update and fulfil activities for configuration management;

—manage supply chain;

—manage contracted services or service provider.

The review of risk treatment measures should include life cycle considerations which are introduced by equipment, procedures and personnel.

A risk treatment plan as an outcome of the risk management process should include a prioritisation of risks, the corresponding information on the objectives and means for risk treatment to reach an acceptable level of risk, as well as agreed timelines specifying by when responsible personnel should have implemented the risk treatment measures. The timelines for the implementation of a risk treatment measure should be agreed by the personnel responsible for the implementation and should be communicated to and accepted by the person identified in IS.AR.225(a).

Any subsequent implementation delay, together with its cause, reason, rationale or necessity, should be documented in the risk treatment plan, for risks that may lead to an unsafe condition. The delay is also subject to the acceptance by the person identified in IS.AR.225(a). The identified person may condition such acceptance on the implementation or availability of compensating controls or reactive measures to monitor, early detect and timely respond to the materialisation of the risk in treatment. In order to timely respond, the incident response team may be informed to trigger their preparedness.

The risk treatment plan can act as a means of communication with the Agency to demonstrate effective treatment of unacceptable risks. Similarly, this plan can be utilised to communicate to interfacing organisations how shared risks are controlled.

In accordance with IS.AR.205(d), a regular or conditional review of the risk assessment is necessary, and this includes the review of the risk treatment measures developed under IS.AR.210(a) to identify whether they are still effective or they require adaptations.

In addition, the competent authority should also consider the potential impact on the effectiveness of risk treatment measures where a shared information security risk may arise as a result of the interaction between interfacing entities (see IS.AR.220 and related AMC).

ED Decision 2023/010/R

(a)The risk treatment process should reach at least one of the objectives listed under IS.AR.210(a).

(b)When establishing compliance with the objectives under points IS.AR.210(a)(1) and IS.AR.210(a)(2), the competent authority should take into account that:

(1)the measures developed under these points should be implemented according to a risk treatment plan with defined, risk-based priorities, objectives and agreed timelines and owners;

(2)life cycle considerations should be identified and associated to ensure continuous effectiveness of the information security measures including exchange of data with other entities;

(3)it should review and update the risk assessment, according to IS.AR.205(d), to evaluate whether the measures developed under these points introduce new unacceptable risks or modify existing risks into a way that they become unacceptable.

(c)Risk treatment should be documented and recorded, for example, in a risk registry, even if the risk has been avoided.

Regulation (EU) 2023/203

(a)Based on the outcome of the risk assessment carried out in accordance with point IS.AR.205 and the outcome of the risk treatment performed in accordance with point IS.AR.210, the competent authority shall implement measures to detect events that indicate the potential materialisation of unacceptable risks and which may have a potential impact on aviation safety. Those detection measures shall enable the competent authority to:

(1)identify deviations from predetermined functional performance baselines;

(2)trigger warnings to activate proper response measures, in case of any deviation.

(b)The competent authority shall implement measures to respond to any event conditions identified in accordance with point (a) that may develop or have developed into an information security incident. Those response measures shall enable the competent authority to:

(1)initiate the reaction of its own organisation to the warnings referred to in point (a)(2) by activating predefined resources and course of actions;

(2)contain the spread of an attack and avoid the full materialisation of a threat scenario;

(3)control the failure mode of the affected elements defined in point IS.AR.205(a).

(c)The competent authority shall implement measures aimed at recovering from information security incidents, including emergency measures, if needed. Those recovery measures shall enable the competent authority to:

(1)remove the condition that caused the incident, or constrain it to a tolerable level;

(2)restore a safe state of the affected elements defined in point IS.AR.205(a) within a recovery time previously defined by its own organisation.

ED Decision 2023/010/R

Without prejudice to the definition of ‘information security event’ in Article 3 of Regulation (EU) 2023/203, those events that indicate the potential materialisation of unacceptable risks include both occurrences (i.e. anything that causes harm or has the potential to cause harm) and discovery of vulnerabilities. In fact, information security risks are associated with the potential that threats will exploit vulnerabilities, therefore the discovery of an exploitable vulnerability is an information security event.

In light of this, in the context of this Regulation:

—detection activities required under IS.AR.215(a) include vulnerability discovery;

—response activities required under IS.AR.215(b) include vulnerability management.

ED Decision 2023/010/R

DETECTION

When complying with the requirement in IS.AR.215(a), the competent authority should define and implement a strategy to detect information security incidents which may have a potential impact on safety.

This should be done in a way to ensure that at least the detection strategy is able to cover all known information security threats to their assets that may materialise in a safety hazard having an unacceptable consequence.

DETECTION STRATEGY

In order to determine the scope of the event detection, the competent authority should:

(a)identify a list of threat scenarios from the risks identified under IS.AR.205;

(b)identify, as a minimum, those assets that, if compromised, contribute to the scenario(s) that may materialise in an unsafe condition. For this identification of the assets, the measures introduced under IS.AR.210 should also be considered.

Note: The contribution of an asset to the threat scenario and the materialisation of an unsafe condition should be assessed also by considering the whole functional chain. In some cases, the asset may be at the end of a functional chain and if it is compromised, the effect on safety is direct and may be immediate; conversely, if the asset is far from the end of a functional chain and it is compromised, the effect should propagate and may be delayed.

ED Decision 2023/010/R

DETECTION STRATEGY

When developing the detection strategy, for those items within the scope of event detection, the competent authority should define the conditions that trigger a process that, for example, would require personnel intervention and further analysis. These conditions on the items may be defined using elements from the:

(a)expected functional baseline: engage in the identification of deviations from the expected functional operation of the system (excluding information security functions/controls);

(b)expected information security baseline: engage in the identification of deviations from the expected information security operation of information security controls.

These conditions should consider both abnormal behaviour and substantial deviations from the baselines and relevant correlation of multiple independent events.

Further guidance on the objectives for the establishment of a detection strategy can be found in EUROCAE ED-206, Chapter 4.

ED Decision 2023/010/R

(a)INCIDENTS

The competent authority should take into account the following aspects when establishing compliance with the objectives contained in point IS.AR.215(b) relative to incidents:

(1)Preparation of procedures and delineation of roles and responsibilities to respond in a timely, effective and orderly manner to any relevant information security incidents.

(2)The response procedure should:

(i)consider the warnings, unitary or combined, from IS.AR.215(a)(2), and assess their potential impacts on aviationsafety;

(ii)establish, in accordance with IS.AR.215(b)(2), a containment strategy for each asset category considering the potential worst-case effect and the mission constraints, and provide criteria indicating when the incident is contained;

(iii)define, in accordance with IS.AR.215(b)(3), the acceptable impact on safety and information security of each asset in scope when they fail due to the materialisation of a threat scenario.

(3)The response time should be commensurate with the impact level assessed in (2)(iii).

(4)The response measures implemented under IS.AR.215(b) should be based on the response procedure referred to in the above point (a)(2) and they should, in particular, consider the following:

(i)the maximum acceptable safety level degradation of the assets within the scope of the incident;

(ii)the actions, such as resistance, containment, deception and control of the possible ways systems can fail, which will contribute to achieving the acceptable safety level degradation identified in point (i) while minimising impact on operations;

(iii)the resources required to implement the actions specified in point (ii).

(5)The response time and the measures should take into account the potential immediate negative impact on safety if the measure is taken before it has been fully verified that it would not cause additional immediate safety impacts.

(b)VULNERABILITIES

The competent authority should take into account the following aspects when establishing compliance with the objectives contained in point IS.AR.215(b) relative to vulnerabilities:

(1)Establishment of a vulnerability management strategy defining procedures, roles and responsibilities to respond in a timely, effective and orderly manner to any detected relevant vulnerabilities.

(2)The response measures implemented under point IS.AR.215(b) should be based on the maximum acceptable risk of the items within the scope of the vulnerability, considering the worst-case scenario of the vulnerability being exploited.

(3)The response time should be commensurate with the pre-triage done on the warnings and with the assessment of the potential impact of the vulnerability, if it is exploited.

ED Decision 2023/010/R

An attack is considered contained (i.e. it is not spreading any further) when the boundaries of the incident have been identified and the threat does not propagate beyond these boundaries. Further guidance can be found in EUROCAE ED-206 – Chapter 5.

The term ‘warning’ as used in IS.AR.215 should be understood as an alert that would require timely awareness and response from the information security events management team.

In the context of information security response, ‘deception’ refers to a range of techniques that aim to mislead potential attackers or malicious users, thereby protecting the system and its data. Deception techniques, such as honeypots or breadcrumb trails, are designed to confuse, slow down, or divert attackers, increasing their cost and risk while providing defenders with valuable time and intelligence.

Guidance regarding the vulnerability management strategy can be found in EUROCAE ED-206, Chapter 3.4 — Vulnerability management considerations. This is not the only source where guidance can be found, and the organisation may refer to different guidance more appropriate for their application.

ED Decision 2023/010/R

When complying with the requirement in IS.AR.215(c), the competent authority should develop an incident recovery procedure including at least the following:

(a)a list of those assets that enable safe operations, as well as the dependencies among them, constituting the scope of the recovery;

(b)a description of the process with the necessary priority actions to be executed for a return to a safe and secure state for the assets within the scope of the recovery;

(c)the resources required to execute the actions defined in point (b) to ensure that these resources are readily available after an incident has occurred;

(d)the objectives for recovery time that should be set in relation to the safety criticality of the assets within the scope of the recovery.

ED Decision 2023/010/R

RECOVERY OBJECTIVES AND TIMING

Point IS.AR.215(b) addresses event conditions which may develop or have developed into information security incidents, that may have a potential impact on aviation safety, and require response and recovery measures to be in place to ensure that operational safety remains above a minimum acceptable level.

The level of operations and safety may be interrelated, so in some cases when the level of operations is compromised by an information security incident and drops, the level of safety does the same. This is, for instance, the case of air traffic control; if air traffic services are reduced or became unreliable, the safety of flights is reduced too.

However, in other cases the relation between the level of operations and safety may be the inverse, or they may be decoupled, so when an incident occurs and the level of operations drops, the level of safety is preserved. One example is the compromise of the software loading process on board the aircraft. In this case, a detected incident followed by the decision to interrupt the software loading operations would preserve the existing level of safety.

The following Figure 1 depicts a conceptual framework that may be considered for the definition of the response and recovery objectives, including the recovery time. It represents, in the worst-case scenario, how the expected level of operational safety (safety level) for a process or an activity may vary over time when an information security incident occurs. In this scenario, the safety level is first reduced by the incident and then it degrades as long as the time passes. The figure also shows the expected effect that mitigating measures and controls should have, respectively: in containing the operational safety drop as soon as an incident occurs, and in improving the recovery, i.e. the return to the expected safety level.

Figure 1: Conceptual framework for the definition of the response and recovery objectives

As mentioned, there might be different relations between the level of operations and safety that would lead to a different representation of the above figure. In certain cases, an incident may have a delayed effect on the safety level (e.g. a compromised development environment) as depicted in Figure 2, or it may have no impact if properly controlled, as in the case of the compromised software loading process mentioned before, which is depicted in Figure 3.

Moreover, it should be noticed that there might be different ways the same incident can be dealt with since there are several factors that may affect safety.

In practical terms, the objectives for recovery time under AMC1 IS.AR.215(c) may be expressed as a list of resources and services to be restored by order of priority, within the scope of the recovery. Guidance about objectives for recovery time can be found in EUROCAE ED-206, Chapter 7.3.5.

ED Decision 2023/010/R

A recovery procedure or recovery plan should describe incident recovery actions and the internal or external resources that are involved (e.g. staff, IT, buildings, providers). Guidance about incident recovery plan can be found in ED 206, Chapter 7 – Recover.

The resources required to apply the recovery measures should be available in order to implement the recovery actions in a timely manner after an incident has occurred. Those resources may be internally available or provided by contracted organisations as provided for in IS.AR.220. The contracting of recovery activities should be established before an incident occurs (proactive) and the contract should include provisions for the contracted party to react in a timely manner.

The return to a safe and secure state may initially require emergency measures, which are actions that are initiated based on the best information available at the time, before complete understanding of the situation is achieved and these measures can potentially degrade the level of service or functionalities. The return to a safe and secure state should be evaluated against the initial risk assessment and may only temporarily differ from the normal operational conditions. However, any increase of residual risk and the duration of this risk increase, i.e. due to the implementation of emergency measures, should be documented and accepted at the right level of accountability.

The recovery activities mentioned here may also be the outcome of the response to incidents for which the authority has received information that requires the implementation of adequate measures in order to react to information security incidents or vulnerabilities with a potential impact on aviation safety.

In such context the authority may not have a process or a recovery plan covering the specific occurrence. Therefore, the definition from the authority of a specific recovery plan is usually required.

Regulation (EU) 2023/203

The competent authority shall ensure that when contracting any part of the activities referred to in point IS.AR.200 to other organisations, the contracted activities comply with the requirements of this Regulation and the contracted organisation works under its oversight. The competent authority shall ensure that the risks associated with the contracted activities are appropriately managed.

ED Decision 2023/010/R

(a)OVERSIGHT OF THE CONTRACTED ORGANISATION

In order to exercise oversight of the contracted organisation, the competent authority should have:

(1)a process to ensure compliance with the provisions regarding contracted activities contained in this Regulation;

(2)a structured process to follow the expected execution of the contract that includes:

(i)definition and agreement of the scope of the activities;

(ii)definition of the roles and responsibilities of the parties (i.e. competent authority and contracted organisation);

(iii)definition and review of KPIs;

(iv)reaction to deviation from contractual obligations;

(v)performance of compliance audits, according to predefined scope and objectives, with the aim of evaluating operational and associated assurance activities;

(vi)provision of feedback on the result of the compliance audits both within the competent authority and to the contracted organisation, and response to findings. The feedback on the outcome of the compliance audits within the competent authority should reach the person of the competent authority as identified in IS.AR.225(a) to ensure proper monitoring of the response to findings (i.e. implementation of corrective actions) or, if deemed necessary, termination of the contract.

Note: The right of the competent authority to conduct compliance audits of the contracted organisation should be included in the contract between the parties.

(b)MANAGEMENT OF THE RISKS ASSOCIATED WITH THE CONTRACTED ACTIVITIES

In order to properly manage the risks associated with the contracted activities, the competent authority should meet the following criteria:

(1)A prior assessment of the suppliers is conducted before outsourcing any information security management activities. The assessment should evaluate suppliers’ competencies, sustainability as well as qualifications in relation to the activities to be contracted.

(2)There is an assessment of the risks associated with the provision of the contracted activities that has been agreed between the competent authority and the contracted organisation.

(3)The competent authority establishes and maintains appropriate information security communication channels with the contracted organisation.

ED Decision 2023/010/R

Competent authorities may decide to outsource certain activities to suppliers, both for their own operational needs and for the purpose of complying with this Regulation (information security management activities). Activities contracted for operational needs may fall within the scope of Part-IS and therefore the relevant information security risks have to be managed in accordance with the requirements in points IS.AR.205 and IS.AR.210. Instead, information security management activities are subject to the specific provisions of IS.AR.220 because matters relating to these activities can have a major impact on the competent authority.

Therefore the objectives of point IS.AR.220 are:

(a)to protect critical and sensitive information and assets when being handled by organisations contracted for the provision of information security management activities (including organisations in the supply chain) at either their facilities or the competent authority facilities, or when being transmitted between the competent authority and contracted organisations, or being remotely accessed by contracted organisations;

(b)to prevent information security risks from being introduced through products and services developed or provided by the contracted organisations to the competent authority, in the frame of the provision of information security management activities;

(c)to ensure that information security risks are managed throughout all the stages of the relation with the contracted organisations.

ED Decision 2023/010/R

(a)The contracting of information security management activities is a means to allocate tasks from the competent authority to third parties (contracted organisations). The competent authority remains responsible for the oversight of the contracted organisation(s) and accountable for compliance with this Regulation.

(b)A contract could take the form of a written agreement, letter of agreement, service letter agreement, memorandum of understanding, etc. as appropriate for the contracted activities. 

ED Decision 2023/010/R

EXAMPLES

The following Table 1 provides some examples of information security management activities that may be contracted in relation to the provisions referred to as in IS.AR.200.

Table 1: Examples of information security management activities that may be contracted

ED Decision 2023/010/R

PRIOR ASSESSMENT

The purpose of the prior assessment is to evaluate suppliers’ competencies, sustainability as well as qualifications in relation to the information security activities to be contracted. This prior assessment may need to be carried out taking into account other legal requirements or procurement procedures that apply to the competent authority, and may therefore be carried out in different ways, such as:

(a)in case of public bids, inclusion of eligibility requirements in the procurement documents for the potential suppliers;

(b)review of the information security certifications granted by external and impartial auditors to the potential suppliers;

(c)review of self-assessment questionnaires compiled by the potential suppliers.

RISK ASSESSMENT ASSOCIATED WITH THE PROVISION OF THE CONTRACTED ACTIVITIES

The risk assessment should take into account the maturity level of the contracted organisation, and should consider the following:

(a)identification and assessment of critical and sensitive information and assets that may be shared with, or provided by, external suppliers;

(b)identification of the information security requirements of the authority that are applicable to the contracted organisation;

(c)evaluation, by means of a supplier assessment, of the ability of the contracted organisation (both existing and new contracted organisations) to meet the information security requirements of the authority;

(d)assessment of risks that may be introduced by the contracted organisation.

This agreed risk assessment should also consider the roles and responsibilities of the parties (i.e. competent authority and contracted organisation) as well as their interfaces.

ED Decision 2023/010/R

AUDIT OF CONTRACTED ORGANISATIONS

The following aspects should be considered by the authority when auditing a supplier contracted to perform information security management activities:

—the scope of the audit as well as the objective should be limited to processes, resources (i.e. contracted organisation personnel, systems/equipment, networks) and data used for the execution of Part-IS contracted activities;

—compliance and/or implementation audits should be done at the authority’s discretion;

—findings identified during an audit should be addressed through a remediation plan with a time frame to be validated by the authority.

Regulation (EU) 2023/203

The competent authority shall:

(a)have a person who has the authority to establish and maintain the organisational structures, policies, processes, and procedures necessary to implement this Regulation.

This person shall:

(1)have authority to fully access the resources necessary for the competent authority to perform all the tasks required by this Regulation;

(2)possess the delegation of power required to perform the assigned duties;

(b)have a process in place to ensure that they have sufficient personnel on duty to perform the activities covered by this Annex;

(c)have a process in place to ensure that the personnel referred to in point (b) have the necessary competence to perform their tasks;

(d)have a process in place to ensure that personnel acknowledge the responsibilities associated with the assigned roles and tasks;

(e)ensure that the identity and trustworthiness of the personnel who have access to information systems and data subject to the requirements of this Regulation are appropriately established.

ED Decision 2023/010/R

The objectives of the requirements contained in point IS.AR.225 are:

(a)to ensure that an effective organisational structure is in place in order to comply with the requirements of this Regulation;

(b)to provide trust to other organisations with whom they share risks.

ED Decision 2023/010/R

The person referred to in point IS.AR.225(a) is normally intended to be a manager in the authority who, by virtue of his or her position, has overall responsibility for information security management and has sufficient authority to plan and allocate the relevant budgetary resources and initiatives in accordance with the financial control model of the Member State. This person is not necessarily required to be knowledgeable on technical matters; however, he or she should be aware of the overarching objectives of this Regulation and its implications for the authority. The authority should make sure that this person has direct access to the highest-ranking executive in the authority and has the necessary funding allocation for the activities under this Regulation.

ED Decision 2023/010/R

The person referred to in point IS.AR.225 (a) should be capable of managing the authority’s information security strategy and its implementation to ensure the achievement of the objectives described in Article 1. According to the European Cybersecurity Skills Framework (ECSF) published by ENISA in September 2022, this person may be described for instance as: (Chief) Information Security Officer, Cybersecurity Programme Director or Information Security Manager. However, it should be noticed that these descriptions and the related skills do not consider the aviation safety perspective that is required in Article 1.

ED Decision 2023/010/R

SUFFICIENT PERSONNEL

To determine the sufficiency of the personnel, the following elements should be taken into consideration:

(a)the organisational structures, policies, processes and procedures subject to information security management;

(b)the amount of coordination required with other organisations, contractors and suppliers;

(c)the level of risk associated with the activities performed by the authority.

ED Decision 2023/010/R

SUFFICIENT PERSONNEL

For the purpose of this Regulation, personnel refers to the combination of the personnel directly employed by the authority, as well as the personnel contracted as specified in IS.AR.220.

The activities reported in Appendix II, on the main tasks stemming from the implementation of Part-IS, should be considered when establishing the organisational structure necessary to comply with the requirements of this Regulation.

ED Decision 2023/010/R

NECESSARY COMPETENCE

(a)To determine the competence needed by the personnel performing the activities, the following elements should be taken into consideration:

(1)work roles and the associated tasks;

(2)required knowledge, skills and abilities.

(b)As part of the process to ensure that personnel maintain the necessary competence, the Member State, or the competent authority on its behalf, should:

(1)assess the personnel qualifications and experience with respect to the required competence for the assigned work roles to identify gaps;

(2)align the personnel qualifications and experience to the expected competence to fulfil their roles by organising adequate learning programmes for existing members of personnel, by recruiting new resources, or by a combination thereof;

(3)maintain the personnel competence during the time they are assigned to the work role.