We use necessary cookies to make our website work. We'd also like to use optional analytics cookies to help us improve it.
For more information, please read our cookie policy.

UK – EU Transition, and UK Civil Aviation Regulations

To access current UK civil aviation regulations, including AMC and GM, CAA regulatory documents, please use this link to UK Regulation. Please note, if you use information and guidance under the Headings, the references to EU regulations or EU websites in our guidance will not be an accurate information or description of your obligations under UK law. These pages are undergoing reviews and updates.

Our approach to cyber security oversight, the Cyber Security Oversight Process for Aviation, is laid out in CAP 1753 and it consists of six key steps:

  1. Engagement
  2. Critical systems scoping
  3. Cyber self-assessment for aviation
  4. ASSURE Cyber Audit
  5. Provisional Statement of Assurance; and
  6. Final Statement of Assurance and Certificate of Compliance

The applicability of each step will be discussed and agreed with an aviation organisation during the initial engagement step and determined based on several factors including; the assessment of cyber security risk, aviation organisation complexity, and regulatory requirements.

We will contact regulated aviation organisations listing the applicable cyber security regulations and describing which of the six keys steps will need to be completed and by when. If you have not yet been contacted but would like to engage, please contact us.

Cyber security oversight will also be incorporated into our existing Performance Based Oversight (PBO) processes.

Information handling

We are aware that some information relating to cyber security oversight may be sensitive.

Before submitting sensitive cyber security information to the Civil Aviation Authority (CAA) please contact us. You will receive secure Information Handling Instructions to ensure commensurate protections are established based on the sensitivity of the information in question.

Critical systems scoping

It is important that systems (including networks, information technology - IT and operational technology - OT) which are critical to an aviation organisation are within scope of cyber security oversight. Guidance on identifying critical systems has been produced and is available in CAP 1849.

The guidance given in CAP 1849 provides a recommended method to identify critical systems through performing a functional decomposition from the aviation organisations' key aviation functions. Our scoping template helps aviation organisations to document their identified critical systems and critical suppliers.

Once an aviation organisation has identified its' critical systems it can assess them against the Cyber Assessment Framework (CAF) for Aviation to get an understanding of the cyber security posture of their organisation and critical systems.

Cyber assessment framework (CAF) for aviation

The Cyber Assessment Framework (CAF) is an outcome-focused assessment against fourteen principles and four objectives, it was developed by the National Cyber Security Centre (NCSC) to meet the following requirements:

  • Provide a suitable framework to assist in carrying out cyber resilience assessments;
  • maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments being carried out as tick-box exercises;
  • be compatible with the use of appropriate existing cyber security guidance and standards;
  • enable the identification of effective cyber security and resilience improvement activities;
  • be extensible to accommodate sector-specific elements as may be required;
  • enable the setting of meaningful target security levels for organisations to achieve, possibly reflecting a regulator view of appropriate and proportionate security; and
  • be as straightforward and cost-effective to apply as possible.

The NCSC’s core CAF v3.0 has been adapted to create the CAA’s CAF for Aviation which has been designed specifically for aviation.

Completing the CAF for Aviation

Guidance on completion of the CAF for Aviation can be found in CAP 1850. This also includes informative cyber security references (or relevant standards) against each of the fourteen principles as well as examples of the types of evidence that we would expect to support the self-assessment.

The CAA intends to use the CAF for Aviation to oversee aviation organisations' management of cyber security risks and the information received will be incorporated into our Performance Based Oversight (PBO) and Performance Based Regulation (PBR) processes.


We have created an accredited third-party cyber security audit model (ASSURE). 'Third parties' refers to ASSURE Cyber Suppliers that are subject to a rigorous and continuous accreditation process under the ASSURE Scheme which is now delivered by CREST and IASME.

Each in scope aviation organisation, when deemed applicable by the CAA, will need to procure an ASSURE Cyber Audit from an accredited ASSURE Cyber Supplier via either CREST’s ASSURE platform or IASME’s ASSURE webpage. This audit will be performed by ASSURE Cyber Professionals who have been accredited to conduct audits on behalf of the ASSURE Cyber Supplier.

ASSURE Cyber Professionals are each accredited in one or more, of the following three specialisms (all specialisms must be present for an ASSURE Cyber Audit):

  • Cyber Audit & Risk Management;
  • Technical Cyber Security Expert; and/or
  • Industrial Control Systems/Operational Technology Expert.


The CAA ASSURE scheme has been developed in partnership with CREST and IASME.

Both CREST and IASME use accredited and quality assured cyber suppliers.

There is further guidance on the ASSURE accreditation process and conducting ASSURE Cyber Audit for both CREST and IASME. The CAA ASSURE CREST implementation guide and the IASME implementation guide provides an overview of the CAA’s ASSURE Scheme.


Latest from UK Civil Aviation Authority

  1. Shaping up to be a busy 2022 for UK CAA’s General Aviation Unit
  2. CAA launches consultation on environmental effects of first UK space launch from Cornwall
  3. Farnborough 2022: Sir Stephen Hillier - Where next for aviation and aerospace

View all latest news