
GM1 IS.AR.225(c) Personnel requirements

ED Decision 2025/015/R

NECESSARY COMPETENCE AND TRAINING PROGRAMME

A training programme should start from the identification of the competence required by the personnel for each role, followed by the identification of the gaps between the existing competence and the required one.

In order to develop the list of competencies, a competent authority may use, as initial guidance, an existing cybersecurity competence framework such as the European e-Competence Framework (e-CF) or the NICE (National Initiative for Cybersecurity Education) based on the NIST Cybersecurity Framework (NIST CSF).

In Appendix II, the main tasks of this Regulation are listed and mapped to the competencies derived from the EU e-CF or, for ease of mapping, to the functions and categories of the NIST CSF. This mapping may be used to establish a baseline to identify the aforementioned competence gaps. However, it should be noted that existing cybersecurity/information security competence frameworks typically focus primarily on the protection of standard information technologies; therefore, the proposed list of competencies may need to be adapted to, or integrated with, the technologies and processes used in the organisation.

The bridging of the identified gaps should be seen as the objective of the training programme, which should further include the scope, content, methods of delivery (e.g. classroom training, e-learning, notifications, on-the-job training) and frequency of training that best meet the authority’s needs considering the size, scope, required competencies, and complexity of the organisation.

The competent authority may also identify professional certification schemes that cover a number of necessary competencies; therefore, it may decide to recognise these certifications as sufficient to cover the establishment of proper qualifications and experience for the certified personnel.

Finally, as information security/cybersecurity evolves due to the rise of new threats, the authority should periodically review the adequacy of the training programme.

AMC1 IS.AR.225(d) Personnel requirements

ED Decision 2023/010/R

ACKNOWLEDGEMENT OF RESPONSIBILITIES

Regarding any assigned role and task, the authority should specify all information security responsibilities an employee has in a clear and transparent manner.

As part of this, all personnel performing the activities required under this Regulation should acknowledge, in a traceable and verifiable manner, understanding of the assigned roles and the associated information security responsibilities.

GM1 IS.AR.225(d) Personnel requirements

ED Decision 2023/010/R

ACKNOWLEDGEMENT OF RESPONSIBILITIES

Acknowledgement of receipt such as a valid electronic or wet signature, confirmation email, etc., is a traceable proof of acceptance.

AMC1 IS.AR.225(e) Personnel requirements

ED Decision 2023/010/R

IDENTITY AND TRUSTWORTHINESS

For the personnel who have access to information systems and data subject to the requirements of Part-IS, the identity should be determined on the basis of documentary evidence.

To establish the trustworthiness of such personnel, the competent authority should have a documented process and appropriate criteria to ensure that individuals can be trusted to perform their role.

GM1 IS.AR.225(e) Personnel requirements

ED Decision 2023/010/R

IDENTITY AND TRUSTWORTHINESS

(a) Trustworthiness may be established, for example, by:

(1) prior to employment, a background check carried out in accordance with the applicable rules of Union and national law. This check may include verification of:

(i) education, previous employment and any gaps in the previous years;

(ii) absence of criminal record;

(iii) any other information or intelligence considered relevant to the suitability of a person to work in the expected role;

(2) during employment, monitoring the employee’s commitment and conduct.

Note: The absence of criminal record may be verified by means of a certificate issued by the responsible authority in the Member State in accordance with Regulation (EU) 2016/1191. In the case of prospective foreign employees, the above checks may be carried out on the basis of equivalent certificates issued by the country of origin, such as a ‘certificate of good conduct’.

(b) Furthermore, the process and criteria to establish personnel’s trustworthiness may have to consider whether:

(1) the information systems and data to be accessed have been associated with a high severity of safety consequences by the risk assessment process under IS.AR.205;

(2) controls or mitigating measures for risk treatment identified during the risk analysis rely on organisational/operational procedures, for instance, correct configuration and administration of information technologies, database operations, information security monitoring, etc.

In such cases, the personnel who have administrator rights or unsupervised and unlimited access to the systems and data mentioned in point (b)(1) above, or the personnel who apply the measures under point (b)(2) above, may be subject to more stringent criteria.

(c) Intelligence and any other relevant information may be gathered by screening and analysing public sources such as social media and websites, within the limits set by relevant national laws and regulations.

(d) Competent authorities may also be subject to Regulation (EU) 2015/1998, which requires successful completion of background checks for personnel in certain roles, as well as a mechanism for the ongoing review of these checks. In such cases, the competent authority may consider the process and the relevant criteria defined in Regulation (EU) 2015/1998 for standard and enhanced background checks suitable for the establishment of the personnel’s identity and trustworthiness required under Part-IS, in relation to their role. However, it should be noted that compliance with the provisions for the establishment of identity and trustworthiness under Part-IS does not constitute compliance with the provisions on background checks as defined in Regulation (EU) 2015/1998.

IS.AR.230 Record-keeping

Regulation (EU) 2023/203

(a) The competent authority shall keep records of its information security management activities.

(1) The competent authority shall ensure that the following records are archived and traceable:

(i) contracts for activities referred to in point IS.AR.200(a)(5);

(ii) records of the key processes referred to in point IS.AR.200(d);

(iii) records of the risks identified in the risk assessment referred to in point IS.AR.205 along with the associated risk treatment measures referred to in point IS.AR.210;

(iv) records of information security events which may need to be reassessed to reveal undetected information security incidents or vulnerabilities.

(2) The records referred to in point (1)(i) shall be retained at least until 5 years after the contract has been amended or terminated.

(3) The records referred to in point (1)(ii) and (iii) shall be retained at least for a period of 5 years.

(4) The records referred to in point (1)(iv) shall be retained until those information security events have been reassessed in accordance with a periodicity defined in a procedure established by the competent authority.

(b) The competent authority shall keep records of qualification and experience of its own staff involved in information security management activities.

(1) The personnel’s qualification and experience records shall be retained for as long as the person works for the competent authority, and for at least 3 years after the person has left the competent authority.

(2) Members of the staff shall, upon their request, be given access to their individual records. In addition, upon their request, the competent authority shall provide them with a copy of their individual records on leaving the competent authority.

(c) The format of the records shall be specified in the competent authority’s procedures.

(d) Records shall be stored in a manner that ensures protection from damage, alteration and theft, with information being identified, when required, according to its security classification level. The competent authority shall ensure that the records are stored using means to ensure integrity, authenticity and authorised access.

GM1 IS.AR.230 Record-keeping

ED Decision 2023/010/R

Records are required to document results achieved or to provide evidence of activities performed. Records become factual when recorded and cannot be modified. Therefore, they are not subject to version control. Even when a new record is produced covering the same issue, the previous record remains valid.

AMC1 IS.AR.230(a)(1)(iv)&(a)(4) Record-keeping

ED Decision 2023/010/R

When complying with the requirements under points (a)(1)(iv) and (a)(4), the competent authority should establish a data retention policy defining procedures to:

(a) manage relevant information security data files;

(b) establish the periodical assessment of their content; and

(c) define the criteria to allow deletion of records of information security events when the objective of requirement (a)(4) has been met.

GM1 IS.AR.230(a)(1)(iv)&(a)(4) Record-keeping

ED Decision 2023/010/R

The objective of the requirement (a)(1)(iv) is to ensure detection of possible indications of information security incidents or vulnerabilities which are not obvious in normal operation (e.g. previously unknown situations), while the objective of the requirement under (a)(4) is to allow the necessary flexibility to control the volume of the stored information security events.

Records of information security events include those events identified within the scope of the detection activities under IS.AR.215(a), as well as other information security data produced by assets that have been identified under IS.AR.205.

A data retention policy clarifies what information should be stored or archived and for how long. Some guidance about data retention can be found in EUROCAE ED-206, Chapter 2.6.

Once a data set completes its retention period, it can be deleted or moved as permanent historical data to a secondary or tertiary storage.

AMC1 IS.AR.230(c)&(d) Record-keeping

ED Decision 2023/010/R

When complying with the requirements under points (c) and (d) for all the records required by points IS.AR.230(a) and (b), the competent authority should consider the following:

(a) Records should be kept in paper form or in electronic format or a combination of both media. The records should remain accessible whenever needed within a reasonable time and usable throughout the required retention period. The retention period starts when the record has been created.

(b) The integrity, availability and authenticity of records data should be protected consistently with the protection of the corresponding operational data and, as such, should be within the scope of the ISMS.

(c) Storage systems should be protected against unauthorised access (e.g. data leakage attempts against personal data, modification of records) and thus should have information security measures implemented consistently with the level of information security risk associated with them.

(d) Once records are no longer required to be retained, the destruction of records and decommissioning of assets used for their storage should be implemented appropriately.

GM1 IS.AR.230(c)&(d) Record-keeping

ED Decision 2023/010/R

RECORDS ACCESSIBILITY THROUGHOUT THE RETENTION PERIOD

It is recommended to follow best practices for data retention and, for data that may need to be restored, backup strategies such as the use of automated backup tools, segregation or geographic separation of backup storage location(s), and offline backups to prevent ransomware risks. These practices should be considered also when record-keeping is contracted to service providers with distributed resources.

Special attention should be paid to significant hardware and software changes, ensuring that stored digital records remain accessible and readable (e.g. file system, application file format, forward compatible database versions, etc.). Paper-based information needs to be archived in an adequate environment, in which records are protected against degradation factors (e.g. excessive heat, light or humidity).

RECORDS DATA INTEGRITY AND PROTECTION FROM UNAUTHORISED ACCESS

A commonly used method to achieve authenticity and integrity protection is the use of digital signatures at document level. Digital signatures can be added to the document’s file (e.g. PDF) to ensure that a record has not been modified by anyone other than its author (integrity) and that the author is who they are expected to be (authenticity).
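The following is an added example, not part of the EASA material above, showing how the two properties in this paragraph, together with the "records are not versioned" principle of GM1 IS.AR.230, can be enforced in software rather than only at the PDF level. Each record is hashed over its canonical encoding, the hash is signed with the author's Ed25519 key, and every record carries the hash of its predecessor so that a later record covering the same issue is appended rather than overwriting the old one. The record contents, identifiers and timestamps are constructed for the example; the verifier keeps its own copy of the expected author key rather than trusting the key named inside the record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is one immutable record of the kind listed in IS.AR.230(a): once
// written it is never edited or versioned; a later record on the same issue
// is a new record that chains to the earlier one via PrevHash.
type Record struct {
	ID        string `json:"id"`
	CreatedAt string `json:"created_at"` // RFC 3339; start of the retention period
	Class     string `json:"class"`      // security classification level
	Body      string `json:"body"`
	PrevHash  string `json:"prev_hash"` // hash of the preceding record, "" for the first
}

// SignedRecord is the stored form: the record, its SHA-256 hash and the
// author's Ed25519 signature over that hash. Signer is a claim, not proof.
type SignedRecord struct {
	Record    Record
	Hash      string
	Signature string
	Signer    string // hex-encoded public key the record claims as author
}

// hashOf hashes the canonical JSON encoding (struct field order is fixed).
func hashOf(r Record) string {
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign produces the stored form of a record under the author's private key.
func Sign(priv ed25519.PrivateKey, r Record) SignedRecord {
	h := hashOf(r)
	return SignedRecord{
		Record:    r,
		Hash:      h,
		Signature: hex.EncodeToString(ed25519.Sign(priv, []byte(h))),
		Signer:    hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
	}
}

// Verify checks integrity (content still matches the stored hash), authenticity
// (signature verifies under the key the verifier expects, not the key the
// record claims) and chaining (the record follows prevHash).
func Verify(expected ed25519.PublicKey, prevHash string, sr SignedRecord) error {
	if hashOf(sr.Record) != sr.Hash {
		return errors.New("integrity: content does not match stored hash")
	}
	sig, err := hex.DecodeString(sr.Signature)
	if err != nil || !ed25519.Verify(expected, []byte(sr.Hash), sig) {
		return errors.New("authenticity: signature does not verify for expected signer")
	}
	if sr.Record.PrevHash != prevHash {
		return errors.New("chain: record does not follow its expected predecessor")
	}
	return nil
}

// VerifyChain walks an archive in order and returns the index of the first
// record that fails, or -1 when every record verifies.
func VerifyChain(expected ed25519.PublicKey, archive []SignedRecord) int {
	prev := ""
	for i, sr := range archive {
		if Verify(expected, prev, sr) != nil {
			return i
		}
		prev = sr.Hash
	}
	return -1
}

// DemoArchive builds a constructed three-record archive, verifies it, then
// (1) edits the second record in place and (2) re-signs that edited record
// with an attacker's own key. It returns VerifyChain's result for each state.
func DemoArchive() (clean, edited, resigned int) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bodies := []string{ // constructed sample record contents
		"risk R-01 identified: unauthenticated admin interface on datalink gateway",
		"risk R-01 treatment: MFA enforced; residual risk accepted by accountable manager",
		"event E-07 stored for periodic reassessment under IS.AR.230(a)(4)",
	}
	var archive []SignedRecord
	prev := ""
	for i, body := range bodies {
		r := Record{ID: fmt.Sprintf("REC-%03d", i+1), CreatedAt: fmt.Sprintf("2024-03-%02dT09:00:00Z", i+1), Class: "internal", Body: body, PrevHash: prev}
		sr := Sign(priv, r)
		archive = append(archive, sr)
		prev = sr.Hash
	}
	clean = VerifyChain(pub, archive)
	archive[1].Record.Body = "risk R-01 treatment: no action required" // in-place edit
	edited = VerifyChain(pub, archive)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	archive[1] = Sign(attackerPriv, archive[1].Record) // hash now consistent, key is wrong
	resigned = VerifyChain(pub, archive)
	return clean, edited, resigned
}

func main() {
	clean, edited, resigned := DemoArchive()
	fmt.Printf("clean=%d edited=%d resigned=%d (first failing index, -1 = all verify)\n", clean, edited, resigned)
}
```

The point of checking against the verifier's own copy of the author key is visible in the third state: an attacker who can rewrite the stored file can also recompute the hash and replace the signature, so a check that trusts the Signer field embedded in the record would pass. The chain hash additionally makes removal or reordering of earlier records detectable at the next record.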

Moreover, to prevent unauthorised access, records can be protected, for example, by implementing a role-based access control (RBAC) approach, or certain records can be password protected at the file level. Commercial applications feature built-in basic password protection functions for their file formats. Access protection can also be achieved by protecting the environment where the individual records are stored (e.g. access protection on databases, file shares, directories, etc.).

IS.AR.235 Continuous improvement

Regulation (EU) 2023/203

(a) The competent authority shall assess, using adequate performance indicators, the effectiveness and maturity of its own ISMS. The assessment shall be performed on a predefined calendar basis defined by the competent authority or following an information security incident.

(b) If deficiencies are found following the assessment carried out in accordance with point (a), the competent authority shall take the necessary improvement measures to ensure that the ISMS continues to comply with the applicable requirements and maintains the information security risks at an acceptable level. In addition, the competent authority shall reassess those elements of the ISMS affected by the adopted measures.

AMC1 IS.AR.235 Continuous improvement

ED Decision 2023/010/R

The continuous improvement process (CIP), as required by IS.AR.200(b), should aim to continuously improve the effectiveness, suitability and adequacy of the ISMS. This should be achieved by a proactive and systematic assessment of the ISMS and all its elements — including its maturity. The assessment should take into account the outcomes and conclusions of other information security and assurance processes including audits, management reviews, evaluation of performance, effectiveness and maturity, as well as the outcomes of the derived corrective actions and corrections.

The steps to be performed should be at least the following:

(a) Identification of improvement opportunities based on the outcomes of the assessment of the ISMS with respect to its suitability, effectiveness, adequacy and, if deemed necessary, efficiency, as well as on any other suggestion for improvement. The assessment should consider performance indicators which reflect its processes and elements and the defined objectives for effectiveness and maturity.

(b) Evaluation of the identified opportunities regarding cost benefit, absence or reduction of undesired effects and achievement of the targeted objectives and intended outcomes.

(c) Proposal on the evaluated improvement opportunities to the management and recommendation of actions to support their review and decision-making.

(d) According to the decision taken under point (c) above, planning, development and implementation of actions and changes to the ISMS, its processes or elements to achieve the improvements.

(e) Evaluation of the effectiveness of the implemented actions and ISMS changes as well as, as applicable, verification that the root cause of identified deficiencies has been eliminated.

The management should assess and review the outcomes of the CIP at planned intervals to ensure the continuing effectiveness, adequacy and suitability of the ISMS, to decide on the prioritisation of the implementation of actions and changes, as well as to revise or set new objectives, or targets for continuous improvement.

GM1 IS.AR.235 Continuous improvement

ED Decision 2025/015/R

Point IS.AR.235 covers assurance processes for the ISMS in a manner that can be considered equivalent to the safety assurance in ICAO Doc 9859 ‘Safety Management Manual (SMM)’, which includes performance monitoring and measurement, management of change and continuous improvement of the SMS.

In this Regulation:

IS.AR.235(a) addresses, using adequate performance indicators, the effectiveness and maturity assessment of the ISMS;

IS.AR.235(b) addresses the improvement measures, i.e. corrections and corrective actions, for the deficiencies detected in IS.AR.235(a) and the continuous improvement process.

Similar provisions for continuous improvement are provided for in other information management systems such as ISO/IEC 27001 (see Appendix IV to this document).

The context and risk environment of competent authorities are never static and therefore require a dynamic adaptation, evolution and change of the competent authority’s objectives, architectures, organisational structures and processes to maintain the information security risks at an acceptable level. Consequently, the ISMS should be considered as an evolving and learning part/element of the competent authority which needs to be continuously monitored and improved to ensure alignment with the competent authority’s safety objectives and effectiveness.

The CIP aims to continuously improve the effectiveness, suitability, adequacy and, if deemed necessary, the efficiency of the ISMS. A competent authority may integrate the Part-IS CIP in some other already operated CIP and may apply methods such as the Plan-Do-Check-Act (PDCA) cycle or Define-Measure-Analyse-Improve-Control (DMAIC) (see also GM1 IS.AR.200).

The CIP is based on a proactive and systematic assessment of the ISMS and all its elements including the information security processes and controls driven by the ISMS. The assessment should be carried out against organisational targets for desired levels of performance, effectiveness, and maturity. These targets, besides ensuring the achievement of compliance with the requirements under this Regulation, may also aim to include objectives established by the competent authority’s policy or standards and by management decisions.

The above-mentioned assessment is based on the outcome of performance evaluations, audits, risk and incident processes, as well as already applied corrective actions and corrections. Some factors that should be considered when performing the assessment are the following:

Adequacy refers to whether the system establishes the disciplines needed to manage information security, e.g. by using broadly accepted industry standards, in a sufficient manner with regard to compliance with the requirements of this Regulation.

Effectiveness of the ISMS and the effective implementation of processes and controls driven by the ISMS is assessed by analysing whether:

the information security risks are managed to achieve the safety objectives;

the intended outcomes of the ISMS are achieved, and the requirements or objectives are met;

all types of deficiencies, including failures, are managed to fulfil or correctly implement a requirement or control.

Efficiency of the ISMS refers to the implementation of streamlined processes; however, efficiency improvements should not adversely impact effectiveness.

Identification of improvement opportunities

Improvement opportunities may be identified from the results of the CIP assessment or may be introduced as suggestions from other sources. The identification often involves deviations or corrective actions as well as ineffective processes or controls which are not remediated.

Suggestions for improvements stem from sources including:

Risk management: the results of regularly conducted risk analyses and the subsequent risk treatment are a primary factor in improving the ISMS, where the risk treatment process involves monitoring of the implemented security measures and evaluating their effectiveness.

Performance & effectiveness evaluation: conclusions from (key) performance indicators, their measurement, analysis and continued monitoring as well as the result of the assessment of the effectiveness including the outcomes of the subsequently applied corrections and corrective actions

Evaluation of maturity including the results of the subsequent corrections and corrective actions

Lessons learned from information security incident detection, handling and response process and a potential treatment of a root cause

Results of (internal) audits may be used to verify whether the ISMS and controls within the audit scope meet the competent authority’s requirements and to determine where there are potential areas for improvements.

Review and evaluation by management of the current action plan, setting or revision of the objectives or decision on improvement opportunities and actions

Competent authority’s suggestion programme (suggestions for improvement), reviews, surveys or assessments with employees or feedback from suppliers or interfacing parties

Any outcome of this process should be documented. The resulting actions may be integrated into an overarching action plan which is centrally consolidated and periodically reviewed according to the relevant policies. The resulting action plan may be further divided into a tactical, short-/mid-term action plan and a strategic, long-term action plan.

AMC1 IS.AR.235(a) Continuous improvement

ED Decision 2023/010/R

(a) ISMS EFFECTIVENESS EVALUATION

When complying with IS.AR.235(a), the competent authority should have a process in place to monitor, measure, evaluate and review the effectiveness of its ISMS that defines:

(1) who monitors, measures, analyses and evaluates the results and takes accountable decisions;

(2) when the above steps should be performed;

(3) which methods for monitoring, measurement, analysis and evaluation are applied to ensure comparable and reproducible results.

The calendar basis of the assessments should be commensurate with the maximum level of risk established under IS.AR.205.

The process to monitor, measure, evaluate and review the effectiveness of its ISMS referred to under AMC1 IS.AR.235(a) should include as a minimum:

(1) the gathering and retention of metrics of the activities, and additional information that could be useful for monitoring purposes;

(2) the analysis of the metrics in order to identify trends and deviations from predefined performance targets.
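As an added illustration of point (2), not part of the EASA text, the following Go program evaluates a small set of constructed ISMS performance indicators against predefined targets. Beyond the plain "latest value misses the target" deviation, it fits a least-squares trend to the sampled history and flags indicators that still meet their target but whose trend is projected to miss it at the next sampling period, which is the kind of early signal a periodic assessment is meant to surface. Indicator names, targets, the monthly sampling basis and all sample values are assumptions made for the example.

```go
package main

import "fmt"

// Indicator is one ISMS performance indicator sampled on the calendar basis
// chosen under IS.AR.235(a); here one sample per month, oldest first.
type Indicator struct {
	Name          string
	Target        float64   // predefined performance target
	LowerIsBetter bool      // true for e.g. "days to treat a vulnerability"
	Samples       []float64 // constructed sample values, oldest first
}

// Finding is the result of evaluating one indicator against its target.
type Finding struct {
	Name            string
	Latest          float64
	Deviation       bool    // latest sample misses the target
	Slope           float64 // least-squares trend per sampling period
	Worsening       bool    // trend moves away from the target
	ProjectedNext   float64 // trend line extrapolated one period ahead
	ProjectedBreach bool    // meets the target now but the trend will miss it
}

// fit returns the least-squares slope and intercept of y against x = 0..n-1.
func fit(y []float64) (slope, intercept float64) {
	n := float64(len(y))
	if n < 2 {
		if n == 1 {
			return 0, y[0]
		}
		return 0, 0
	}
	var sx, sy, sxx, sxy float64
	for i, v := range y {
		x := float64(i)
		sx, sy, sxx, sxy = sx+x, sy+v, sxx+x*x, sxy+x*v
	}
	slope = (n*sxy - sx*sy) / (n*sxx - sx*sx)
	intercept = (sy - slope*sx) / n
	return slope, intercept
}

// Evaluate compares the latest sample with the target and uses the trend to
// flag indicators that still meet the target but are drifting towards a miss.
func Evaluate(ind Indicator) Finding {
	n := len(ind.Samples)
	if n == 0 {
		return Finding{Name: ind.Name}
	}
	misses := func(v float64) bool {
		if ind.LowerIsBetter {
			return v > ind.Target
		}
		return v < ind.Target
	}
	m, b := fit(ind.Samples)
	latest := ind.Samples[n-1]
	next := b + m*float64(n) // one period beyond the last sample
	f := Finding{
		Name:          ind.Name,
		Latest:        latest,
		Deviation:     misses(latest),
		Slope:         m,
		Worsening:     (ind.LowerIsBetter && m > 0) || (!ind.LowerIsBetter && m < 0),
		ProjectedNext: next,
	}
	f.ProjectedBreach = !f.Deviation && misses(next)
	return f
}

// DemoIndicators evaluates four constructed indicators (six monthly samples
// each, not real data) and returns the findings in input order.
func DemoIndicators() []Finding {
	indicators := []Indicator{
		{"days to treat a vulnerability (mean)", 30, true, []float64{22, 25, 29, 33, 38, 41}},
		{"incidents reported within 72 h (%)", 100, false, []float64{98, 100, 100, 100, 100, 100}},
		{"staff with current IS training (%)", 95, false, []float64{97, 96, 95, 93, 92, 90}},
		{"days to apply critical patches (max)", 14, true, []float64{6, 7, 9, 10, 12, 13}},
	}
	var out []Finding
	for _, ind := range indicators {
		out = append(out, Evaluate(ind))
	}
	return out
}

func main() {
	for _, f := range DemoIndicators() {
		fmt.Printf("%-40s latest=%6.1f deviation=%-5v slope=%+.2f/period worsening=%-5v next=%6.1f projected_breach=%v\n",
			f.Name, f.Latest, f.Deviation, f.Slope, f.Worsening, f.ProjectedNext, f.ProjectedBreach)
	}
}
```

On the constructed data the first and third indicators are in deviation and worsening, the second is stable within target, and the fourth is the interesting case: patching still meets the 14-day target at 13 days, but the fitted trend of roughly +1.5 days per period projects about 14.6 days next period, so it is reported as a projected breach before any deviation has occurred. A linear fit over six points is a deliberately simple choice; the design point is that the assessment method is fixed and reproducible, as AMC1 IS.AR.235(a)(3) asks, not that this particular model is the right one for every indicator.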

(b) ISMS MATURITY ASSESSMENT

The competent authority should assess the maturity of its ISMS using a suitable maturity model in order to identify areas for improvement to the ISMS. To do so, the competent authority should:

(1) define or adopt a maturity model which represents a set of important and relevant processes and capabilities that are expected to be implemented and maintained;

(2) for each assessed process or capability, ensure that the model defines criteria against which specific aspects, characteristics and effectiveness should be assessed and evaluated when determining a maturity level;

(3) define for each assessed process or capability its desired target maturity level.

(c) For each assessed information security process or capability contained in the maturity model, the competent authority should:

(1) evaluate and justify the current maturity level;

(2) identify any area for improvement it should make to reach the targeted maturity level;

(3) collect and record the evidence regarding strengths and weaknesses of the implemented ISMS and its evaluated maturity.

GM1 IS.AR.235(a) Continuous improvement

ED Decision 2023/010/R

(a) As general guidance, the elements of the ISMS that should be monitored, measured and evaluated should be, as a minimum:

(1) the risk assessment and treatment process (including risks at the interfaces with other entities);

(2) the management of non-conformities and corrective actions;

(3) the incident and vulnerability management;

(4) the personnel competence management.

(b) Existing maturity models for ISMS maturity evaluation

As general guidance, for the definition or the adoption of a maturity model (MM), the following existing models may be considered:

Cybersecurity Capability Maturity Model (C2M2), version 1.1: this model was published by the US Department of Energy in 2014. It introduces the notion of Maturity Indicator Levels (MIL) ranging from 0 to 3 and addresses not only performance levels but also performance practices (under Approach Objectives and approach progression) as well as assurance practices (under Management Objectives and institutionalization progression).

Systems Security Engineering – Capability Maturity Model (SSE-CMM): published by ISO as ISO 21827 in 2008. It focuses on engineering practices and much less on operational practices; its practices are split into 11 ‘Security Base Practices’ and 11 ‘Project and Organizational Base Practices’. It introduces the notion of five Capability Levels, from ‘Performed Informally’ to ‘Continuously Improving’.

NIST Cybersecurity Framework (NIST CSF), version 1.1: published by NIST in April 2018. Although it is not proposed as a MM, the framework defines four ‘Implementation Tiers’, from ‘Partial’ to ‘Adaptive’, which are a qualitative measure of organisational cybersecurity risk management practices. It focuses on the functionality and repeatability of cybersecurity risk management.

ATM Cybersecurity Maturity Model, edition 1: published in February 2019 by the EUROCONTROL NM for organisations in the ATM domain. Whilst not being designed for wider application, it can be adapted as necessary. It defines five maturity levels, ranging from ‘Non-existent’ to ‘Adaptive’ inspired by the ‘Tier’ terminology from the NIST CSF. In fact, the model is founded on NIST CSF, together with some elements of ISO/IEC 27001.

The following Table 1 maps the MM mentioned above to a hypothetical five-level MM.

Table 1: Mapping matrix of an existing MM to a hypothetical five-level MM (a dash means the model has no corresponding level)

Mapping to a five-level MM | C2M2               | Eurocontrol NM | ISO 21827                 | NIST CSF 1.1
Initial                    | MIL 0              | Non-Existent   | Performed Informally      | -
Defined                    | MIL 1 (Initial)    | Partial        | Planned & Tracked         | Partial
Implemented                | MIL 2 (Identified) | Defined        | Well defined              | Risk-Informed
Managed                    | MIL 3 (Managed)    | Assured        | Quantitatively Controlled | Repeatable
Improved                   | -                  | Adaptive       | Continuously Improving    | Adaptive

No specific maturity level is required. However, once compliance is achieved, the competent authority will be able to determine which requirements of which models have already been met (mandatory) and may opt to reach a level that is beneficial to it (voluntary). In the longer term, achieving higher maturity levels may increase the confidence of oversight authorities, which can have an impact upon the level of oversight activities regarding such competent authority.

AMC1 IS.AR.235(b) Continuous improvement

ED Decision 2023/010/R

When a deficiency is identified, the competent authority should react in a timely manner following a defined process leading to a managed status regarding the deficiency, its associated consequences and, if needed, the prevention of its future recurrence or occurrence elsewhere.

Based on an evaluation of the impact and extent of the deficiency and the potential consequences on the ISMS, the process should include as criteria for compliance:

(a) deciding on corrections and their implementation without undue delay in order to limit the impact of the deficiency and deal with its consequences as well as, as applicable, to control or eliminate it;

(b) deciding on the need for, and the implementation of, corrective actions to eliminate the cause(s) of, and contributing factors to, the deficiency based on a root cause analysis and an evaluation of actions remediating the cause aimed at being proportionate to the consequences and impact of the deficiency;

(c) verifying the implemented actions:

(1) to be effective and to result in acceptable residual risks;

(2) not to have unintended side effects leading to other deficiencies, new risks, or an ISMS not aligned with the applicable requirements; as well as

(3) for corrective actions, to effectively remediate or eliminate the root cause;

(d) reporting to and reviewing the identified deficiencies, action plan and results of the action taken with the person identified in IS.AR.225(a) and, as necessary, with other involved or affected roles and parties;

(e) documenting as evidence the detected deficiencies, the planned and implemented corrections and/or corrective actions with deadlines and responsible persons, the management feedback, the outcomes of the process step under point (c) above and, if necessary, the change decisions made for the ISMS itself.

GM1 IS.AR.235(b) Continuous improvement

ED Decision 2023/010/R

The ‘necessary improvement measures’ referred to in IS.AR.235(b) refer to correction or corrective actions to eliminate deficiencies, or actions aimed at improving the effectiveness as well as the maturity of the ISMS.

A process satisfying the criteria defined in AMC1 IS.AR.235 should include the following aspects:

(a) identifying the extent, impact, context and triggers of the deficiency, evaluating it according to some established criteria, analysing potential consequences for the ISMS including a potential existence in other areas;

(b) deciding on corrections and their implementation to immediately limit the impact and manage the consequences of the deficiency as well as, as applicable, to control or eliminate it;

(c) deciding on corrective actions required to eliminate the (root) cause(s) of the deficiency that are proportionate to the consequences;

(d) reassessing the elements of the ISMS which may be affected by the implemented actions to ensure that no further risk is introduced;

(e) verifying the implemented actions referred to in AMC1 IS.AR.235(b);

(f) reporting to and reviewing the outcomes of the process steps with the management (see point (d) of AMC1 IS.AR.235(b));

(g) documenting and evidencing the result of the process steps above (see point (e) of AMC1 IS.AR.235(b)).

Appendix I — Examples of threat scenarios with a potential harmful impact on safety

ED Decision 2023/010/R

The following is a non-exhaustive list of examples of information security threat scenarios with a potential harmful impact on safety that may be considered by authorities and organisations.

Example 1: Aircraft to ATC digital communications

Threat vector assets/domain

ATC voice and ground automation systems

ground communications providers

air-ground/ground-air RF communications service providers

aircraft and the assets used for voice and datalink communications

Non-exhaustive summary of potential threats

threat (availability): exceeding system performance, saturation of communication channel

threat (integrity): man-in-the-middle or injection attacks

threat (confidentiality): passive listening to communication, spying on hardware device

Summary of threats scenarios and their potential harmful impacts on safety

Disruption of services prevents ATC communication with a single or multiple aircraft and/or ATC ground system.

Manipulation of data through a man-in-the-middle attack would present false information to the pilot and/or ATC system with the potential of creating a safety hazard or injection of data to the aircraft or ground systems to disrupt the service and capability.

There are no specific regulatory requirements for encryption of data or voice for datalink communications; however, for confidentiality purposes, the assets used to provide and deliver the services should be controlled and limited to only those resources that require access to ensure that the services cannot be disrupted and manipulated in any way.

Example 2: Tampered air traffic data

Threat vector assets/domain

Internet service provider (ISP)

ATM services network(s)

surveillance data

ATC systems

Non-exhaustive summary of potential threats

ISP compromise (confidentiality): An attacker gains unauthorised access to the systems or infrastructure of the ISP providing network services to the ATM system.

data tampering (integrity): Once the ISP is compromised, an attacker could manipulate data in transit. This could involve injecting false data or removing/modifying legitimate data.

denial of service (availability): An attacker could also potentially disrupt the communication of data entirely, resulting in a denial of service (DoS) to the ATM system.

malware injection (integrity/availability): An attacker could potentially use the compromised ISP as a launching pad to inject malware into the systems, causing further disruptions or enabling additional attacks.

Summary of threat scenarios and their potential harmful impacts on safety

ISP compromise: interception and/or manipulation of sensitive data, impacting the safe management of air traffic.

data tampering: incorrect situational awareness, potentially resulting in reduced separation between aircraft and incorrect air traffic control decisions.

denial of service: reduction of the ATC’s ability to ensure separation leading to the activation of contingency procedures, including capacity reduction, with the eventual possibility of large areas of airspace being closed.

Example 3: Aircraft operator, CAMOs’ and aircraft maintenance organisations’ software supply chain and ground infrastructure, including equipment used to support aircraft management, operations and maintenance

Threat vector assets/domain

aircraft operators’, CAMOs’ and maintenance organisations’ supply chain

aircraft operator or maintenance internal ground infrastructure used to manage aircraft and operations (hardware/software) and other information technology assets

information technology assets used to update systems on an aircraft (software and hardware) used for maintenance activities

Non-exhaustive summary of potential threats

threat (availability): hardware/software/system disruption

threat (integrity): compromised hardware/software/system

threat (confidentiality): compromised hardware/software/system

Summary of threat scenarios and their potential harmful impacts on safety

Disruption to the dissemination of meteorological information while the aircraft is airborne may reduce the ability of the flight crew to avoid potentially hazardous meteorological conditions (e.g. severe storms or fog at night).

Manipulation of navigation data or databases means that flight plans and navigation displays can no longer be trusted.

Lack of control and access to information such as fleet maintenance programme or flight crew planning affects the ability of organisations to maintain safe operations.

Application of bow-tie analysis to this example

Two coordinated bow-tie analyses of different risk dimensions are combined, as the ultimate interest lies only in the aviation safety consequence.

Information security bow-tie analysis element

Aviation safety bow-tie analysis element

Information security threats

1) hardware/software vulnerability exploitation: disturbed system function

2) hardware/software vulnerability exploitation: system integrity compromised

3) hardware/software vulnerability exploitation: confidentiality of information processed by system(s) compromised

Information security preventive barriers

Information security hazards & top events

1) disturbed system functionality (hazard) → disrupted/unreliable system functionality

2) system integrity compromised (hazard) → system function unpredictable

3) information disclosable (hazard) → undetectable information exfiltration

Safety threats

1) disrupted/unreliable system functionality

2) system function unpredictable

3) undetectable information exfiltration

Information security mitigating barriers

Safety preventive barriers

1) Use of access controls for system administration

2) etc.

Information security consequences

1) loss of system function (= production system down)

2) loss of system function integrity (= some system function wrong/inoperative)

3) loss of confidentiality of information (= some information can leak)

Safety hazards & top events:

1) loss of system function (hazard) → in operational maintenance system

2) loss of system function integrity (hazard) → systems operate with wrong information

3) loss of information confidentiality (hazard) → confidential maintenance and aircraft internals information leaks

Safety mitigating barriers

1) use of back-up procedures to prevent faulty maintenance actions

2) use of procedures to secure aircraft software integrity

Safety consequences

1) faulty maintenance actions

2) incorrectly completed maintenance actions

3) exfiltration of information allows for identification of vulnerabilities

4) disruption of aircraft systems, unpredictable system function, loss of major aircraft systems (such as engine control)

Example 4: Design and production organisations’ software, supply chain, design and manufacturing ground infrastructure

Threat vector assets/domain

design and production organisations’ supply chain for parts, hardware and software

design and production organisations’ ground internal infrastructure used to manage software/hardware used in the manufacturing and development of products that will be used by aircraft manufacturers, operators or ATM/ANS ground automation systems (hardware/software) information technology assets

design and production organisations’ information technology assets used by their customers to update systems on an aircraft (software/hardware) used for maintenance operations or ATM/ANS ground automation systems

Non-exhaustive summary of potential threats

threat (availability): systems used to store, transmit and exchange information are rendered unavailable for essential operations through DoS attacks

threat (integrity): systems used to store, transmit and exchange information are compromised through man-in-the-middle attacks

threat (confidentiality): systems used to store, transmit and exchange information are accessed by insider or external threats

Summary of threat scenarios and their potential harmful impacts on safety

Disruption of systems used to store, transmit and exchange information in a manner that would prevent the proper management of the aircraft and its systems and adversely affect the operations of the aircraft

Systems used to store, transmit and exchange information can no longer be considered trusted. If they are not maintained at a level to ensure that all information exchange, data and software can be considered trusted, both ground and aircraft operations are disrupted.

Uncontrolled access to systems used to store, transmit and exchange information (including information that is received and exchanged with the supply chain) can provide technical details that could be used to craft more sophisticated attacks targeting safety-critical systems.

Example 5: Training system

Threat vector assets/domain

supply chain of all software and hardware that will be used in the training systems or training devices (including flight simulators) used to train pilot or ATM/ANS ground systems personnel

internal infrastructure used for all software and hardware that will be used in the design, manufacturing or production of products (hardware or software) that will be used in aircraft or ATM/ANS ground systems

management of internal operating domains and system of all software and hardware that will be used in the design, manufacturing or production of products (hardware or software) that will be used in aircraft or ATM/ANS ground systems

Non-exhaustive summary of potential threats

threat (availability): training systems or training devices are rendered unavailable by means of DoS attacks when they need to be used

threat (integrity): training systems or training devices are compromised through man-in-the-middle attacks

threat (confidentiality): functional models, information and data that are embedded in training systems or training devices are accessed by insider or external threats

Summary of threat scenarios and their potential harmful impacts on safety

Disruption of training systems (hardware and software) will have an impact on the organisations’ ability to maintain qualified staff. It would also prevent the aircraft and its systems from being properly operated and affect maintenance operations for ATM/ANS ground systems.

The training model or the failure modes and associated emergency conditions differ from the real aviation system behaviour and therefore induce inappropriate responses. If the training systems cannot be trusted, this will affect the ability of organisations to maintain sufficiently qualified staff for their operations (pilots, maintenance or ATM/ANS ground personnel who have been exposed to improper training should be re-qualified).

Lack of control and access to training systems affects the ability of organisations to maintain a training system that is known to be in a trusted state. In addition, uncontrolled access to training systems that embed functional models, information and data can provide technical details that could be used to craft more sophisticated attacks on the training system itself or on the real-world safety-critical system.

Example 6: Airport’s fuel delivery system and associated infrastructure

Threat vector assets/domain

ground fuel storage and distribution infrastructure

digital systems used to control fuel pumping and metering

supply chain for fuel delivery, including third-party fuel suppliers

airport information technology assets used for fuel inventory management and scheduling deliveries

Non-exhaustive summary of potential threats

threat (availability): disruption of fuel supply or delivery systems

threat (integrity): tampering with fuel control systems or measurement devices

threat (confidentiality): unauthorised access to fuel supply and delivery data

Summary of threat scenarios and their potential harmful impacts on safety

Disruption to fuel delivery can lead to flight delays or cancellations, causing operational disruptions and potential safety issues if fuel reserves become critically low.

Tampering with fuel control systems or measurement devices could lead to incorrect fuel loads being delivered to aircraft, impacting aircraft weight and balance calculations, and potentially causing fuel exhaustion incidents.

Unauthorised access to fuel supply data could allow threat actors to manipulate fuel scheduling or inventory data, potentially causing disruptions to airport operations and fuel availability for aircraft.

Example 7: National competent authority’s NOTAM system and associated infrastructure

Threat vector assets/domain

National NOTAM system infrastructure and digital interface

Supply chain for NOTAM system maintenance and updates

National competent authority’s IT assets used for NOTAM creation, distribution, and storage

Non-exhaustive summary of potential threats

threat (availability): disruption of the NOTAM system or its access

threat (integrity): tampering with NOTAM data or unauthorised NOTAM creation

threat (confidentiality): unauthorised access to NOTAM data

Summary of threat scenarios and their potential harmful impacts on safety

Disruption to the NOTAM system could prevent the dissemination of critical aeronautical information to pilots and air traffic controllers, potentially leading to safety issues.

Tampering with NOTAM data or unauthorised creation of NOTAMs could lead to incorrect information being disseminated, potentially resulting in pilots making decisions based on false or misleading data.

Unauthorised access to NOTAM data could lead to information leakage, potentially revealing sensitive operational information.

Example 8: Aviation authority’s airworthiness directive (AD) system and associated infrastructure

Threat vector assets/domain

EASA AD system infrastructure and digital interface

supply chain for AD system maintenance and updates

EASA IT assets used for AD creation, distribution, and storage

Non-exhaustive summary of potential threats

threat (availability): Disruption of the AD system or its access

threat (integrity): tampering with AD data or unauthorised AD creation

threat (confidentiality): unauthorised access to AD data

Summary of threat scenarios and their potential harmful impacts on safety

Disruption to the AD system could prevent the dissemination of critical airworthiness information to aircraft operators and maintenance organisations, potentially leading to safety issues.

Tampering with AD data or unauthorised creation of ADs could lead to incorrect information being disseminated, potentially resulting in aircraft operators and maintenance organisations making decisions based on false or misleading data.

Unauthorised access to AD data could lead to information leakage, potentially revealing sensitive operational information.

Appendix II — Main tasks stemming from the implementation of Part-IS mapped to the EU e-CF and the NIST CSF 2.0

ED Decision 2025/015/R

| Part-IS main task | Activity type (Management / Operational) | Part-IS reference | EU e-CF competence areas & skills | NIST CSF 2.0 functions & categories |
|---|---|---|---|---|
| Establish and operate an information security management system (ISMS) | Management | IS.AR.200(a) | ISM (E.08) | GV – Govern |
| Establish the scope of the ISMS in accordance with Part-IS requirements | Management | IS.AR.205(a) | ISM (E.08) | GV.RM – Risk Management Strategy; ID.AM – Asset Management |
| Implement and maintain an information security policy | Management | IS.AR.200(a)(1) | ISM (E.08) | GV.PO – Policy |
| Identify and review information security risks | Management | IS.AR.200(a)(2); IS.AR.205 | ISM (E.08), Risk Management (E.02) | GV.SC – Cybersecurity Supply Chain Risk Management; ID.RA – Risk Assessment; ID.IM – Improvement |
| Implement information security risk treatment measures | Management | IS.AR.200(a)(3); IS.AR.210 | ISM (E.08), Risk Management (E.02) | ID.RA – Risk Assessment |
| Set up measures to detect information security events, identify those that may develop to incidents with a potential impact on aviation safety, and respond to, and recover from, such incidents | Management | IS.AR.200(a)(4); IS.AR.215 | Incident Management (C.04) | DE – Detect; RS – Respond; RC – Recover; PR – Protect (as per Risk Assessment) |
| Monitor compliance with this Regulation and report findings to top management | Operational | IS.AR.200(a)(8) | Compliance (E.09) | GV.RR – Roles, Responsibilities and Authorities; GV.RM – Risk Management; GV.OV – Oversight; ID.IM – Improvement |
| Protect confidentiality of exchanged information | Operational | IS.AR.200(a)(9) | Information Security Management (E.08) | PR.DS – Data Security; other PR – Protect categories as applicable |
| Implement and maintain a continuous improvement process to measure the effectiveness and maturity of the ISMS and strive to improve it | Management | IS.AR.200(b); IS.AR.235 | Information Security Management (E.08) | GV.OV – Oversight; ID.IM – Improvement |
| Communicate to the Agency changes regarding capability and responsibilities | Operational | IS.AR.200(a)(10) | Risk Management (E.02), ISM (E.08) | GV.OC – Organisational Context (03) |
| Share information to assist other competent authorities, agencies and organisations | Operational | IS.AR.200(a)(11) | Risk Management (E.02), ISM (E.08) | ID.RA – Risk Assessment (02); RS.CO – Incident Response Reporting and Communication |
| Document and maintain all key processes, procedures, roles and responsibilities | Management | IS.AR.200(c) | ISM (E.08), Compliance (E.09) | GV.RR – Roles, Responsibilities and Authorities; other functions and categories as applicable |
| Identify all elements which could be exposed to information security risks | Management | IS.AR.205(a) | Risk Management (E.02) | ID.AM – Asset Management |
| Identify the interfaces with other organisations which could result in exposure to information security risks | Management | IS.AR.205(b) | Risk Management (E.02), Business Change Management (E.07) | ID.AM – Asset Management; GV.SC – Cybersecurity Supply Chain Risk Management |
| Identify information security risks and assign a risk level | Management | IS.AR.205(c) | Risk Management (E.02) | GV.RM – Risk Management Strategy; ID.RA – Risk Assessment |
| Review and update the risk assessment based on certain criteria | Operational | IS.AR.205(d) | Risk Management (E.02) | GV.RM – Risk Management Strategy; GV.PO – Policy; GV.OV – Oversight; GV.SC – Cybersecurity Supply Chain Risk Management; ID.IM – Improvement |
| Develop and implement measures to address risks and verify their effectiveness | Operational | IS.AR.210(a) | Risk Management (E.02) | GV.RM – Risk Management Strategy; ID.RA – Risk Assessment |
| Communicate the outcome of the risk assessment to management, other personnel and other organisations sharing an interface | Operational | IS.AR.210(b) | Risk Management (E.02), ISM (E.08) | GV.RM – Risk Management Strategy; GV.SC – Cybersecurity Supply Chain Risk Management |
| Implement measures to detect in processes and operations information security events which may have a potential impact on aviation safety | Operational | IS.AR.215(a) | ISM (E.08) | DE.CM – Continuous Monitoring; DE.AE – Adverse Event Analysis; ID.RA – Risk Assessment; PR – Protect (selection of relevant controls as per Risk Assessment) |
| Implement measures to respond to information security events that may cause an information security incident | Operational | IS.AR.215(b) | Incident Management (C.04) | RS.MA – Incident Management; RS.AN – Incident Analysis; RS.MI – Incident Mitigation; RS.CO – Incident Response Reporting and Communication (where applicable); PR – Protect (selection of relevant controls as per Risk Assessment) |
| Implement measures to recover from information security incidents | Operational | IS.AR.215(c) | Incident Management (C.04) | RC.RP – Incident Recovery Plan Execution; RC.CO – Incident Recovery Communication; PR – Protect (selection of relevant controls as per Risk Assessment) |
| Manage risks associated with contracted activities with regard to the management of information security | Management | IS.AR.220 | Supplier Relationship Management (E.10) | GV.SC – Cybersecurity Supply Chain Risk Management |
| Define a person with the authority to establish and maintain the organisational structures, policies, processes, and procedures necessary to implement this Regulation | Management | IS.AR.225(a) | ISM (E.08), Compliance (E.09) | GV.RR – Roles, Responsibilities, and Authorities |
| Create and maintain a process to ensure that there is sufficient personnel to perform all activities regarding information security management | Management | IS.AR.225(b) | Personnel Development (D.11) | GV.RR – Roles, Responsibilities, and Authorities |
| Create and maintain a process to ensure that the personnel have the necessary competence for activities regarding information security management | Management | IS.AR.225(c) | Personnel Development (D.11) | GV.RR – Roles, Responsibilities, and Authorities; PR.AT – Awareness and Training (02) |
| Create and maintain a process to ensure that the personnel acknowledge the responsibilities associated with the assigned roles and tasks | Management | IS.AR.225(d) | Personnel Development (D.11) | GV.RR – Roles, Responsibilities, and Authorities |
| Verify the identity and trustworthiness of personnel who have access to information systems | Management | IS.AR.225(e) | ISM (E.08) | GV.RR – Roles, Responsibilities, and Authorities; GV.PO – Policy; PR.AA – Identity Management, Authentication, and Access Control |
| Archive, protect and retain records and ensure they are traceable for a specified time | Operational | IS.AR.230 | ISM (E.08), Compliance (E.09) | GV.OV – Oversight; GV.RR – Roles, Responsibilities, and Authorities; PR.DS – Data Security; PR.PS – Platform Security; RS.AN – Incident Analysis; GV.SC – Cybersecurity Supply Chain Risk Management; ID.RA – Risk Assessment |
| Regularly assess the effectiveness and maturity of the ISMS | Operational | IS.AR.235(a) | ISM (E.08) | GV.OV – Oversight; ID.IM – Improvement |
| Take actions to improve the ISMS if required. Reassess the ISMS elements affected by the implemented measures. | Operational | IS.AR.235(b) | ISM (E.08) | GV.OV – Oversight; ID.IM – Improvement |

Appendix III — Examples of aviation services and interfaces

ED Decision 2025/015/R

AVIATION SERVICES

The following is a non-exhaustive list of aviation services that can be used as a basis to identify the scope of the risk assessment for the organisation.

aerodrome & ATM-MET service providers

aeronautical digital mapping services

aeronautical information management (AIM) – external, national, regional

airports

air traffic control (ATC) – external, superior

air traffic management (ATM)

approach (APP) & area control (ACC) Services – ER ACC, APP ACC

cargo and passenger loading

civil & state airspace user (AU) operations centres

communication infrastructure

flight information services / traffic information services (FIS/TIS) data integrator

fuel calculation

navigation infrastructure – ground-based, satellite-based

non-ATM meteorological (MET) service providers

mass & balance calculation

non-aviation users (external)

regional & sub-regional airspace management (ASM) and air traffic flow & capacity management (ATFCM)

static aeronautical data services

sub-regional demand & capacity balancing (DCB) common service providers

surveillance infrastructure – airport, en-route, terminal manoeuvring area (TMA)

route planning

time reference services (external)

tower (TWR) services

INTERFACES

Below are some examples of data exchange at the interfaces between organisations interacting in different functional chains, which can be used as a basis for identifying the scope of the risk assessment for the organisation.

Note 1: These examples are graphical representations based on the ‘Examples of ecosystem data exchange’ provided in EUROCAE ED-201A, Appendix B - Tables B-14, which can be consulted for further information.

Note 2: Although it is not an organisation, an aircraft has been included in all these examples for the sake of completeness of the description of the data exchange. The aircraft should be considered as an element within the scope of the ISMS of the organisation to which it belongs (typically the airline). Any data exchange between aircraft and other systems within the organisation should take into account existing security measures that may have been evaluated as part of aircraft certification (see also GM1 IS.AR.205(c)).

Figure 1: Interfaces of other organisations with an airline operator

Figure 2: Interfaces of an airline operator with other organisations

Figure 3: Interfaces of other organisations with a maintenance service provider

Figure 4: Interfaces of a maintenance service provider with other organisations