Cyber security regulation

EASA Basic Regulation (EU) 2018/1139 was published on 4 July 2018 and entered into force on 11 September 2018 and consolidated the scope of EU competence to cover the full spectrum of the aviation landscape (e.g. air operations, ATM/ANS, airport operations, aircraft manufacturing and maintenance). As per the European Withdrawal Act 2018, this regulation has been retained in UK law. See the CAA’s page on UK Reg (EU) 2018/1139 (the UK Basic Regulation) for the full regulation.

Annex VII of the Basic Regulation sets out the requirements for aerodromes in relation to the ongoing provision of safety-related equipment and maintaining the authenticity and integrity levels of aerodrome data.

European Commission Regulation for Aerodromes (EU) No 139/2014 was published on 12 February 2014 and came into effect on 6th March 2014.

These Regulations, and the supporting EASA Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Authority, Organisation and Operations Requirements for Aerodromes, set out requirements relating to cyber security and information security for all Aerodromes that fall within the scope of EASA. As per the European Withdrawal Act 2018, this regulation has been retained in UK law. See the CAA’s page on UK Reg (EU) No 139/2014 (The UK Aerodromes Regulation) for the full UK regulation and supporting AMC and GM.

ADR.OR.D.007 Management of aeronautical data and aeronautical information in 139/2014 sets out the requirement for the aerodrome operator to implement and maintain a quality management system covering its aeronautical data activities; and its aeronautical information provision activities. The aerodrome operator is also required to define procedures for meeting the safety and security management objectives with respect to aeronautical data activities; and aeronautical information provision activities.

ADR.OPS.A.010 Data quality requirements in ANNEX IV of 139/2014 requires that all data relevant to the aerodrome and available services shall be provided by the aerodrome operator with the required quality and integrity.

Commission Implementing Regulation (EU) 2017/373 entered into EU law on 1 March 2017 and took effect on 2 January 2020, replacing Commission Implementing Regulations (EU) 1034/2011, 1035/2011 and 482/2008. As per the European Withdrawal Act 2018, this regulation has been retained in UK law. See the CAA’s page on UK Reg (EU) No 2017/373 (The UK ATM Provision of Services Regulation) for the full UK regulation and supporting AMC and GM.

The regulation is applicable to all Air Navigation Service Providers (ANSPs) and lays down common requirements for Air Traffic Management service providers and the oversight of Air Traffic Management / Air Navigation Services and other air traffic management network functions. ANSPs are required to ensure they are able to provide services in a safe, efficient, continuous and sustainable manner, consistent with any foreseen level of overall demand for a given airspace.

Under ATM/ANS.OR.D.010 Security management Air navigation services and air traffic flow management providers and the Network Manager shall take the necessary measures to protect their systems, constituents in use and data and prevent compromising the network against information and cyber security threats which may have an unlawful interference with the provision of their service.

An amendment to the Single Consolidated Direction 1/2021 published on 28 January 2021 by the Department for Transport is due to come into effect on 31 December 2021.

The amendment brings new cybersecurity provisions for aviation into UK law. UK airports and UK air carriers that fall within scope of the National Aviation Security Programme must take the necessary measures to identify and protect their critical information and communication technology systems and data from cyber threats and ensure that relevant personnel receive an appropriate level of vetting and training.

If you are subject to the requirements set out in the Single Consolidated Direction due to your inclusion within the National Aviation Security Programme and require a copy of the amendment, please contact cyber@caa.co.uk.

The NIS Directive was adopted by the European Parliament in July 2016 and came into force in August 2016, it was transposed into UK law as the Network and Information Systems Regulations (NIS) in 2018. It is designed to boost the overall level of security for network and information systems that support the delivery of essential services, under which a number of aviation services fall.

The CAA is the Co-Competent Authority for the regulation of NIS alongside the Department for Transport (DfT) on behalf of the Secretary of State for Transport. DfT is responsible for NIS policy, NIS enforcement, as well as for setting the thresholds which both designate an organisation as an Operator of Essential Service (OES) and for setting the thresholds which dictate a NIS reportable incident, this is documented within DfT’s Implementation of the NIS Directive Guidance.

The Space Industry Act 2018 (SIA) applies to anyone intending to carry out space activities, sub-orbital activities, and associated activities in the UK. Several statutory instruments have been made under the SIA.

• The Space Industry Regulations 2021 (SIR) which make provision to enable the licensing and regulation of spaceflight activities, spaceports, and range control service
• The Regulator's Licensing Rules (RLR) which support the regulator’s power relating to the granting and renewal of operator, spaceport and range control licences under the SIA

The SIRs and RLRs set out the requirements for cyber security strategies within spaceflight activities. Applicants for all types of operator licence should include a cyber security strategy with their application. The Cyber Security Team is currently developing guidance for applicants.

Working with the DfT, we are proposing to introduce new regulation to help in the protection of UK aviation from cyber attacks which is based on the same safety drivers as EASA’s 203/2023 and 1644/2022 (known as Part-IS)

This regulation will ensure the UK is not 'left behind' in acknowledging the increasing threat from cyber and the UK aviation industry does not become a target through weaker protection mechanisms than those that exist in other jurisdictions.

The regulation introduces new requirements on aviation organisations for the management of cyber security risks that could impact the safety and security of civil aviation, and will encompass aerodromes, air operations, aircrew, air traffic management, maintenance organisations as well as design and production organisations.

We expect that by introducing this regulation, safety and security will be enhanced through:

• An increased level of safety, protecting civil aviation from information security risks and making it more resilient to information security events and incidents.
• An economic benefit for the organisations, helping to protect against the potential for liability costs and the operational and reputational damage caused by cyber incidents.

The regulation is also required to ensure the UK’s continued compliance with the ICAO Annexes and SARPS (in particular ICAO Annex 17 ch 4.9) and supports the ICAO Aviation Cybersecurity Strategy. It is also linked to the ICAO State Letter for Security and ICAO State Letter for Safety.

The CAA Cyber Team works across capability areas, including airworthiness, flight operations, aerodromes, air traffic management, aviation security and space to ensure cyber resilience, safety, and security of the aerospace sector. This includes supporting oversight and enforcement of safety, security, resilience and space regulations designed to protect critical aerospace systems and data from cyber threats.

To address non-compliance, the Cyber Team will work collaboratively with the relevant SARG, AvSec, DfT and Space teams to encourage appropriate self-initiated remedial action by industry and where required, leverage existing CAA enforcement approaches to escalate. Details of which are contained within: Cyber Security Enforcement Policy.