If the competent authority identified in Article 6(1) of Implementing Regulation (EU) 2023/203 decides to allocate certain tasks related to oversight under Part-IS to a qualified entity, which entity has to comply with Part-IS?
If the competent authority identified in Article 6(1) of Implementing Regulation (EU) 2023/203 decides to allocate certain tasks related to oversight under Part-IS to a qualified entity, which entity has to comply with Part-IS?
Answer
Delegation to a qualified entity refers to specific oversight tasks resulting from the authority requirements (e.g. for authorities designated in accordance with Annex II (Part-145) to Commission Regulation (EU) No 1321/2014, see point 145.B.205). The authority requirements of Part-IS shall be met by the competent authority designated in the implementing rule for the domain (which is identical to the one referred to in Article 6(1), if the delegation under Article 6(2) is not exercised by the Member State).
Where the competent authority delegates certification or oversight tasks, its information security management manual (ISMM) shall also cover the activity delegated to the qualified entity (e.g. for Part-145, see point 145.B.205(c)(3)).
Last updated
22/08/2025