Cover Regulation to Implementing Regulation (EU) 2023/203

COMMISSION IMPLEMENTING REGULATION (EU) 2023/203

of 27 October 2022

laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, No 965/2012, No 1178/2011, 2015/340, 2017/373 and 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, No 1321/2014, No 965/2012, No 1178/2011, 2015/340, 2017/373, No 139/2014 and 2021/664 and amending Commission Regulations (EU) No 1178/2011, No 748/2012, No 965/2012, No 139/2014, No 1321/2014, 2015/340, 2017/373 and 2021/664

Regulation (EU) 2023/203

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1), and in particular Articles 17(1) point (b), 27(1) point (a), 31(1) point (b), 43(1) point (b), 53(1) point (a) and 62(15) point (c) thereof,

Whereas:

(1) In accordance with the essential requirements set out in Annex II, point 3.1(b), to Regulation (EU) 2018/1139, continuing airworthiness management organisations and maintenance organisations are to implement and maintain a management system to manage safety risks.

(2) In addition, in accordance with the essential requirements set out in Annex IV, point 3.3(b) and point 5(b), to Regulation (EU) 2018/1139, pilot training organisations, cabin crew training organisations, aero-medical centres for aircrew and operators of flight simulation training devices are to implement and maintain a management system to manage safety risks.

(3) Moreover, in accordance with the essential requirements set out in Annex V, point 8.1(c), to Regulation (EU) 2018/1139, air operators are to implement and maintain a management system to manage safety risks.

(4) Furthermore, in accordance with the essential requirements set out in Annex VIII, point 5.1(c) and point 5.4(b), to Regulation (EU) 2018/1139, air traffic management and air navigation service providers, U-space service providers and single common information service providers, and training organisations and aero-medical centres for air traffic controllers are to implement and maintain a management system to manage safety risks.

(5) Those safety risks may derive from different sources, such as design and maintenance flaws, human performance aspects, environmental threats and information security threats. Therefore, the management systems implemented by the European Union Aviation Safety Agency (‘the Agency’) and the national competent authorities and organisations referred to in the recitals above, should take into account not only safety risks stemming from random events, but also safety risks deriving from information security threats where existing flaws may be exploited by individuals with a malicious intent. Those information security risks are constantly increasing in the civil aviation environment as the current information systems are becoming more and more interconnected, and increasingly becoming the target of malicious actors.

(6) The risks associated with those information systems are not limited to possible attacks to the cyberspace, but encompass also threats, which may affect processes and procedures as well as the performance of human beings.

(7) A significant number of organisations already use international standards, such as ISO 27001, in order to address the security of digital information and data. Those standards may not fully address all the specificities of civil aviation. Therefore, it is appropriate to set out requirements for the management of information security risks with a potential impact on aviation safety.

(8) It is essential that those requirements cover all aviation domains and their interfaces, since aviation is a highly interconnected system of systems. Therefore, they should apply to all the organisations and competent authorities covered by Regulation (EU) No 748/2012, Regulation (EU) No 1321/2014, Regulation (EU) No 965/2012, Regulation (EU) No 1178/2011, Regulation (EU) 2015/340, Regulation (EU) No 139/2014 and Regulation (EU) 2021/664, also those that are already required to have a management system in accordance with the existing Union aviation safety legislation. However, some organisations should be excluded from the scope of this Regulation in order to ensure appropriate proportionality to the lower information security risks they pose to the aviation system.

(9) The requirements laid down in this Regulation should ensure a consistent implementation across all aviation domains, while creating a minimal impact on the Union aviation safety legislation already applicable to those domains.

(10) The requirements laid down in this Regulation should be without prejudice to information security and cybersecurity requirements laid down in Point 1.7 of the Annex to Commission Implementing Regulation (EU) 2015/1998 (Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security (OJ L 299, 14.11.2015, p. 1)) and in Article 14 of Directive (EU) 2016/1148 of the European Parliament and of the Council (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1)).

(11) The security requirements laid down in Articles 33 to 43 of Title V “Security of the Programme” of Regulation (EU) 2021/696 of the European Parliament and of the Council (Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU) are considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation which should be complied with.

(12) In order to provide legal certainty, the interpretation of the term ‘information security’ as defined in this Regulation, reflecting its common use in civil aviation globally, should be considered as being consistent with that of the term ‘security of network and information systems’ as defined in Article 4(2) of Directive (EU) 2016/1148. The definition of information security used for the purposes of this Regulation should not be interpreted as divergent from the definition of security of network and information systems laid down in Directive (EU) 2016/1148.

(13) In order to avoid duplication of legal requirements, where organisations covered by this Regulation are already subject to security requirements arising from Union acts referred to in recitals (10) and (11) which are in their effect equivalent to the provisions laid down in this Regulation, compliance with those security requirements should be considered to constitute compliance with the requirements laid down in this Regulation.

(14) Organisations covered by this Regulation that are already subject to security requirements arising from Regulation (EU) 2015/1998 or Regulation (EU) 2021/696, or both, should also comply with the requirements of Annex II (Part IS.I.OR.230 “Information security external reporting scheme”) to this Regulation as neither Regulation contains provisions related to external reporting of information security incidents.

(15) For the sake of completeness, Regulations (EU) No 1178/2011, No 748/2012, No 965/2012, No 139/2014, No 1321/2014, 2015/340, 2017/373 and 2021/664 should be amended in order to introduce the information security management system requirements prescribed in this Regulation together with the management systems set out therein, and to set out the competent authorities’ requirements as regards the oversight of organisations implementing the aforementioned information security management requirements.

(16) In order to provide organisations with sufficient time to ensure compliance with the new rules and procedures, this Regulation should apply 3 years after its entry into force, except for the air navigation service provider of the European Geostationary Navigation Overlay Service (EGNOS) defined in Commission Implementing Regulation (EU) 2017/373 (Commission Implementing Regulation (EU) 2017/373 of 1 March 2017 laying down common requirements for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight, repealing Regulation (EC) No 482/2008, Implementing Regulations (EU) No 1034/2011, (EU) No 1035/2011 and (EU) 2016/1377 and amending Regulation (EU) No 677/2011 (OJ L 62, 8.3.2017, p. 1)), where due to the ongoing security accreditation of the EGNOS system and services in line with Regulation (EU) 2021/696, it should become applicable from 1 January 2026.

(17) The requirements laid down in this Regulation are based on Opinion No 03/2021 (https://www.easa.europa.eu/document-library/opinions), issued by the Agency in accordance with Article 75(2) points (b) and (c) and Article 76(1) of Regulation (EU) 2018/1139.

(18) The requirements laid down in this Regulation are in accordance with the opinion of the Committee for the application of common safety rules in the field of civil aviation established by Article 127 of Regulation (EU) 2018/1139,

HAS ADOPTED THIS REGULATION:

Article 1 – Subject matter

Regulation (EU) 2023/203

This Regulation sets out the requirements to be met by the organisations and competent authorities in order:

(a) to identify and manage information security risks with potential impact on aviation safety which could affect information and communication technology systems and data used for civil aviation purposes,

(b) to detect information security events and identify those which are considered information security incidents with potential impact on aviation safety,

(c) to respond to, and recover from, those information security incidents.

GM1 Article 1 — Subject matter

ED Decision 2023/008/R

When taking measures under this Regulation, affected entities — irrespective of their size — are encouraged to ensure that the measures they take are proportionate to the nature and safety risk of their activities.

Article 2 – Scope

Regulation (EU) 2024/1109

1. This Regulation applies to the following organisations:

(a) maintenance organisations subject to Section A of Annex II (Part-145) to Regulation (EU) No 1321/2014 (Commission Regulation (EU) No 1321/2014 of 26 November 2014 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances, and on the approval of organisations and personnel involved in these tasks (OJ L 362, 17.12.2014, p. 1)), except those solely involved in the maintenance of aircraft in accordance with Annex Vb (Part-ML) to Regulation (EU) No 1321/2014;

(b) continuing airworthiness management organisations (CAMOs) subject to Section A of Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014, except those solely involved in the continuing airworthiness management of aircraft in accordance with Annex Vb (Part-ML) to Regulation (EU) No 1321/2014;

(c) air operators subject to Annex III (Part-ORO) to Regulation (EU) No 965/2012 (Commission Regulation (EU) No 965/2012 of 5 October 2012 laying down technical requirements and administrative procedures related to air operations pursuant to Regulation (EC) No 216/2008 of the European Parliament and of the Council (OJ L 296, 25.10.2012, p. 1)), except those solely involved in the operation of any of the following:

(i) an ELA 2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012 (Commission Regulation (EU) No 748/2012 of 3 August 2012 laying down implementing rules for the airworthiness and environmental certification of aircraft and related products, parts and appliances, as well as for the certification of design and production organisations (OJ L 224, 21.8.2012, p. 1));

(ii) single-engine propeller-driven aeroplanes with a Maximum Operational Passenger Seating Configuration of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under Visual Flight Rules (VFR) by day rules;

(iii) single-engine helicopters with a Maximum Operational Passenger Seating Configuration of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under VFR by day rules.

(d) approved training organisations (ATOs) subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011 (Commission Regulation (EU) No 1178/2011 of 3 November 2011 laying down technical requirements and administrative procedures related to civil aviation aircrew pursuant to Regulation (EC) No 216/2008 of the European Parliament and of the Council (OJ L 311, 25.11.2011, p. 1)), except those solely involved in training activities of ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012, or solely involved in theoretical training;

(e) aircrew aero-medical centres subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011;

(f) flight simulation training device (FSTD) operators subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011, except those solely involved in the operation of FSTDs for ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012;

(g) air traffic controller training organisations (ATCO TOs) and ATCO aero-medical centres subject to Annex III (Part ATCO.OR) to Regulation (EU) 2015/340 (Commission Regulation (EU) 2015/340 of 20 February 2015 laying down technical requirements and administrative procedures relating to air traffic controllers' licences and certificates pursuant to Regulation (EC) No 216/2008 of the European Parliament and of the Council, amending Commission Implementing Regulation (EU) No 923/2012 and repealing Commission Regulation (EU) No 805/2011 (OJ L 63, 6.3.2015, p. 1));

(h) organisations subject to Annex III (Part-ATM/ANS.OR) to Regulation (EU) 2017/373 (Commission Implementing Regulation (EU) 2017/373 of 1 March 2017 laying down common requirements for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight, repealing Regulation (EC) No 482/2008, Implementing Regulations (EU) No 1034/2011, (EU) No 1035/2011 and (EU) 2016/1377 and amending Regulation (EU) No 677/2011 (OJ L 62, 8.3.2017, p. 1)), except the following service providers:

(i) air navigation service providers holding a limited certificate in accordance with point ATM/ANS.OR.A.010 of that Annex;

(ii) flight information service providers declaring their activities in accordance with point ATM/ANS.OR.A.015 of that Annex;

(i) U-space service providers and single common information service providers subject to Regulation (EU) 2021/664 (Commission Implementing Regulation (EU) 2021/664 of 22 April 2021 on a regulatory framework for the U-space (OJ L 139, 23.4.2021, p. 161));

(j) approved organisations involved in the design or production of ATM/ANS systems and ATM/ANS constituents subject to Commission Implementing Regulation (EU) 2023/1769 (Commission Implementing Regulation (EU) 2023/1769 of 12 September 2023 laying down technical requirements and administrative procedures for the approval of organisations involved in the design or production of air traffic management/air navigation services systems and constituents and amending Implementing Regulation (EU) 2023/203 (OJ L 228, XX.9.2023, p. 19)).

2. This Regulation applies to the competent authorities, including the European Union Aviation Safety Agency (‘the Agency’), referred to in Article 6 of this Regulation and in Article 5 of Delegated Regulation (EU) 2022/1645.

3. This Regulation also applies to the competent authority responsible for the issuance, continuation, change, suspension or revocation of aircraft maintenance licences in accordance with Annex III (Part-66) to Regulation (EU) No 1321/2014.

3a. This Regulation also applies to the competent authority designated in accordance with Annex I (Part-AR.UAS) to Commission Implementing Regulation (EU) 2024/1109 (Commission Implementing Regulation (EU) 2024/1109 of 10 April 2024 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council as regards competent authority requirements and administrative procedures for the certification, oversight and enforcement of the continuing airworthiness of certified unmanned aircraft systems, and amending Implementing Regulation (EU) 2023/203 (OJ L, 2024/1109, 17.5.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/1109/oj)).

4. This Regulation is without prejudice to information security and cybersecurity requirements laid down in point 1.7 of the Annex to Regulation (EU) 2015/1998 (Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security (OJ L 299, 14.11.2015, p. 1)) and in Article 14 of Directive (EU) 2016/1148 of the European Parliament and of the Council (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1)).

Article 3 – Definitions

Regulation (EU) 2023/203

For the purpose of this Regulation, the following definitions shall apply:

(1) ‘information security’ means the preservation of confidentiality, integrity, authenticity and availability of network and information systems;

(2) ‘information security event’ means an identified occurrence of a system, service or network state indicating a possible breach of the information security policy or failure of information security controls, or a previously unknown situation that can be relevant for information security;

(3) ‘incident’ means any event having an actual adverse effect on the security of network and information systems as defined in Article 4(7) of Directive (EU) 2016/1148;

(4) ‘information security risk’ means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event. Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets;

(5) ‘threat’ means a potential violation of information security which exists when there is an entity, circumstance, action or event that could cause harm;

(6) ‘vulnerability’ means a flaw or weakness in an asset or a system, procedures, design, implementation, or information security measures that could be exploited and results in a breach or violation of the information security policy.

GM1 Article 3 — Definitions

ED Decision 2023/008/R

For the sake of common understanding, the following is a description of the terms used in the AMC & GM to Part-IS.D.OR of Commission Delegated Regulation (EU) 2022/1645 as well as in the AMC & GM to Part-IS.AR and Part-IS.I.OR of Commission Implementing Regulation (EU) 2023/203:

Assessment

In the context of management system performance monitoring, continuous improvement and oversight, it refers to a planned and documented activity performed by competent personnel to evaluate and analyse the achieved level of performance, effectiveness and maturity, as well as compliance in relation to the organisation’s policy and objectives.

Note: An assessment focuses on required outcomes and the overall performance, looking at the organisation as a whole. The main objective of the assessment is to identify the strengths and weaknesses to drive continuous improvement.

Remark: For ‘risk assessment’, please refer to the definition below.

Attack vector (or attack path)

The path, interface, and actions by which an attacker executes an attack, as defined in EUROCAE ED-202.

Audit

It refers to a systematic, independent, and documented process for obtaining evidence, and evaluating it objectively to determine the extent to which requirements are complied with.

Note: Audits may include inspections.

Competency

It is a combination of individual skills, practical and theoretical knowledge, attitude, training, and experience.

Correction

It is the action to eliminate a detected non-compliance.

Corrective action

It is the action taken to eliminate or mitigate the root cause(s) and prevent the recurrence of an existing detected non-compliance or other undesirable conditions or situations. Proper determination of the root cause(s) is crucial for defining effective corrective actions to prevent recurrence.

Deficiency

It is a deviation from compliance with, or a non-fulfilment of, any requirement or objective, either from a regulatory or an organisation’s perspective, either completely or partially.

Experience

It is the fact or state of having been affected by or gained knowledge and skills through observation, participation or doing.

Functional chain

The concept of functional chain dictates that information security risks are shared among organisations through their respective interfaces, such as supplier-customer relationships. Safety effects caused by information security threats primarily materialise at aircraft level, originating upstream of the aircraft. In the functional chain concept, each organisation assesses its information security risks, some of which it may not be able to address and which may hence expose other organisations to risk. It should pass the related information to the immediate partner(s) downstream for well-informed risk management purposes and to ensure that the whole chain is adequately protected, even when no single organisation has full visibility or control.

Hazard

It is a condition or an object with the potential to cause or contribute to an aircraft incident or accident.

Information security control

It is a measure that reduces risk.

Intentional unauthorised electronic interaction

It refers to the deliberate act of engaging in electronic activities or communications (e.g. access to, or modification of, computer systems, networks, or data) without proper authorisation or permission and with the intent to disclose sensitive information, modify data, disrupt normal operations, or deny access to legitimate users.

Just culture

It means a culture in which front-line operators or other persons are not punished for actions, omissions or decisions taken by them that are commensurate with their experience and training, but in which gross negligence, wilful violations and destructive acts are not tolerated, as defined in Article 2 of Regulation (EU) No 376/2014.

Knowledge

Content of information needed to perform adequately in the job at an acceptable level, usually obtained through formal education and on-the-job experience. This knowledge is necessary for job performance but is not sufficient on its own.

Management (activity)

In the general organisational context, it refers to the activities aimed at directing, controlling, and continually improving the organisation within appropriate structures. In the context of Commission Delegated Regulation (EU) 2022/1645 and Commission Implementing Regulation (EU) 2023/203 it means, more specifically, the supervision and making of decisions necessary to achieve the organisation’s safety and information security objectives.

Management system

It refers to a set of interrelated or interacting system elements to establish policies, objectives and processes to achieve those objectives, where the system elements include the organisational structure, roles and responsibilities, planning and operations.

Risk assessment

It is an evaluation that is based on engineering and operational judgement and/or analysis methods in order to establish whether the achieved or perceived risk is acceptable.

Risk register

It refers to a physical or digital means of documentation used as a risk management tool that acts as a repository for all identified risks and contains additional information about each risk, such as the nature of the risk, mitigation measures, ownership, status, etc.

Safety

It refers to the state in which risks associated with aviation activities, related to, or in direct support of the operation of aircraft, are reduced and controlled to an acceptable level, as defined in ICAO Annex 19.

Safety risk

It refers to the predicted likelihood and severity of the consequences or outcomes of a hazard.

Note: The term ‘likelihood’ is used instead of the term ‘probability’ to reflect a subjective analysis of the possibility of occurrence rather than a purely statistical assessment.

Article 4 – Requirements for organisations and competent authorities

Regulation (EU) 2024/1109

1. The organisations referred to in Article 2(1) shall comply with the requirements of Annex II (Part-IS.I.OR) to this Regulation.

2. The competent authorities referred to in Article 2(2), (3) and (3a) shall comply with the requirements of Annex I (Part-IS.AR) to this Regulation.

Article 5 – Requirements arising from other Union legislation

Regulation (EU) 2023/203

1. Where an organisation referred to in Article 2(1) complies with security requirements laid down in accordance with Article 14 of Directive (EU) 2016/1148 that are equivalent to the requirements laid down in this Regulation, compliance with those security requirements shall be considered to constitute compliance with the requirements laid down in this Regulation.

2. Where an organisation referred to in Article 2(1) is an operator or an entity referred to in the national civil aviation security programmes of Member States laid down in accordance with Article 10 of Regulation (EC) No 300/2008 of the European Parliament and of the Council (Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72)), the cybersecurity requirements contained in point 1.7 of the Annex to Regulation (EU) 2015/1998 shall be considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation that shall be complied with as such.

3. Where the organisation referred to in Article 2(1) is the air navigation service provider of the European Geostationary Navigation Overlay Service (EGNOS) referred to in Regulation (EU) 2021/696 (Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, p. 69)), the security requirements contained in Articles 33 to 43 of Title V of that Regulation are considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation that shall be complied with as such.

4. The Commission, after consulting the Agency and the Cooperation Group referred to in Article 11 of Directive (EU) 2016/1148, may issue guidelines for the assessment of the equivalence of requirements laid down in this Regulation and Directive (EU) 2016/1148.

Article 6 – Competent authority

Regulation (EU) 2023/1769

1. Without prejudice to the tasks entrusted to the Security Accreditation Board (SAB) referred to in Article 36 of Regulation (EU) 2021/696, the authority responsible for certifying and overseeing compliance with this Regulation shall be:

(a) with regard to organisations referred to in Article 2(1), point (a), the competent authority designated in accordance with Annex II (Part-145) to Regulation (EU) No 1321/2014;

(b) with regard to organisations referred to in Article 2(1), point (b), the competent authority designated in accordance with Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014;

(c) with regard to organisations referred to in Article 2(1), point (c), the competent authority designated in accordance with Annex III (Part-ORO) to Regulation (EU) No 965/2012;

(d) with regard to organisations referred to in Article 2(1), points (d) to (f), the competent authority designated in accordance with Annex VII (Part-ORA) to Regulation (EU) No 1178/2011;

(e) with regard to organisations referred to in Article 2(1), point (g), the competent authority designated in accordance with Article 6(2) of Regulation (EU) 2015/340;

(f) with regard to organisations referred to in Article 2(1), point (h), the competent authority designated in accordance with Article 4(1) of Regulation (EU) 2017/373;

(g) with regard to organisations referred to in Article 2(1), point (i), the competent authority designated in accordance with Article 14(1) or 14(2), as applicable, of Regulation (EU) 2021/664.

(h) with regard to organisations referred to in Article 2(1), point (j), the competent authority designated in accordance with Article 3(1) of Implementing Regulation (EU) 2023/1769.

2. Member States may, for the purposes of this Regulation, designate an independent and autonomous entity to fulfil the assigned role and responsibilities of the competent authorities referred to in paragraph 1. In that case, coordination measures shall be established between that entity and the competent authorities, as referred to in paragraph 1, to ensure effective oversight of all the requirements to be met by the organisation.

3. The Agency shall cooperate in full compliance with the applicable rules on secrecy, protection of personal data and protection of classified information with the European Union Agency for the Space Programme (EUSPA), and the SAB referred to in Article 36 of Regulation (EU) 2021/696 in order to ensure effective oversight of the requirements applicable to EGNOS air navigation service provider.

Article 7 – Submission of relevant information to NIS competent authorities

Regulation (EU) 2023/203

Competent authorities under this Regulation shall inform, without undue delay, the single point of contact designated in accordance with Article 8 of Directive (EU) 2016/1148 of any relevant information included in notifications submitted pursuant to point IS.I.OR.230 of Annex II to this Regulation and point IS.D.OR.230 of Annex I to Delegated Regulation (EU) 2022/1645 by operators of essential services identified in accordance with Article 5 of Directive (EU) 2016/1148.

Article 8 – Amendment to Regulation (EU) No 1178/2011

Regulation (EU) 2023/203

Annexes VI (Part-ARA) and VII (Part-ORA) to Regulation (EU) No 1178/2011 are amended in accordance with Annex III to this Regulation.

Article 9 – Amendment to Regulation (EU) No 748/2012

Regulation (EU) 2023/203

Annex I (Part 21) to Regulation (EU) No 748/2012 is amended in accordance with Annex IV to this Regulation.

Article 10 – Amendment to Regulation (EU) No 965/2012

Regulation (EU) 2023/203

Annexes II (Part-ARO) and III (Part-ORO) to Regulation (EU) No 965/2012 are amended in accordance with Annex V to this Regulation.

Article 11 – Amendment to Regulation (EU) No 139/2014

Regulation (EU) 2023/203

Annex II (Part-ADR.AR) to Regulation (EU) No 139/2014 is amended in accordance with Annex VI to this Regulation.

Article 12 – Amendment to Regulation (EU) No 1321/2014

Regulation (EU) 2023/203

Annexes II (Part-145), III (Part-66) and Vc (Part-CAMO) to Regulation (EU) No 1321/2014 are amended in accordance with Annex VII to this Regulation.

Article 13 – Amendment to Regulation (EU) 2015/340

Regulation (EU) 2023/203

Annexes II (Part ATCO.AR) and III (Part ATCO.OR) to Regulation (EU) 2015/340 are amended in accordance with Annex VIII to this Regulation.

Article 14 – Amendment to Regulation (EU) 2017/373

Regulation (EU) 2023/203

Annexes II (Part-ATM/ANS.AR) and III (Part-ATM/ANS.OR) to Regulation (EU) 2017/373 are amended in accordance with Annex IX to this Regulation.

Article 16

Regulation (EU) 2023/203

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 22 February 2026.

However, as regards the case of the EGNOS air navigation service provider subject to Regulation (EU) 2017/373 it shall apply from 1 January 2026.

Regulation (EU) 2023/203

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

For the Commission

The President

Ursula VON DER LEYEN