FAQ n.142367

Should vulnerabilities be handled in the same way as incidents?

Answer

Although 'vulnerability' and 'incident' are two distinct concepts, they should be handled similarly and in an integrated manner within an organisation's information security management system (ISMS). This is particularly important with regard to detection (point IS.I.OR.220(a) of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 and point IS.D.OR.220(a) of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645), response (point IS.I.OR.220(b) and point IS.D.OR.220(b)), and reporting obligations with potential impact on aviation safety (points IS.I.OR.215 and IS.D.OR.215 as well as points IS.I.OR.230 and IS.D.OR.230).

Last updated
22/08/2025
