The regulatory landscape for cyber security is fragmented: requirements relating to cyber security appear in a number of existing regulations, but no common terminology has been adopted. Existing aviation safety and security regulations refer variously to information security, cyber security, information systems resilience, data integrity, reliability and many other terms.
Set out below is information on the regulations applicable to aviation entities in the UK, where CAP1753 is in use to achieve compliance with the various cyber security requirements. The list of regulations set out here is not exhaustive; this webpage is for guidance purposes only and has no legal effect.
We have highlighted
what we consider to be the key provisions of each regulation relating to cyber
security, but this is not a comprehensive list of relevant requirements.
Entities should, as necessary, re-familiarise themselves with their obligations
under the Basic Regulation and relevant Implementing Rules.
Network and Information Systems Regulations 2018
The NIS Directive was adopted by the European Parliament in July 2016 and came into force in August 2016. It was transposed into UK law as the Network and Information Systems Regulations 2018 (NIS). It is designed to boost the overall level of security of the network and information systems that support the delivery of essential services, a number of which are aviation services.
The CAA is the Co-Competent Authority for the regulation of NIS alongside the Department for Transport (DfT), acting on behalf of the Secretary of State for Transport. DfT is responsible for NIS policy and NIS enforcement, and for setting both the thresholds which designate an organisation as an Operator of Essential Services (OES) and the thresholds which determine whether an incident is NIS reportable. These thresholds are documented in DfT's Implementation of the NIS Directive Guidance.
Aviation Safety Regulations
EASA Basic Regulation
EASA Basic Regulation (EU) 2018/1139 was adopted on 4 July 2018 and entered into force on 11 September 2018. It consolidated the scope of EU competence to cover the full spectrum of the aviation landscape (e.g. air operations, ATM/ANS, airport operations, aircraft manufacturing and maintenance).
Aerodromes
Annex VII of the Basic
Regulation sets out the requirements for aerodromes in relation to the ongoing
provision of safety-related equipment and maintaining the authenticity and
integrity levels of aerodrome data.
European Commission Regulation for Aerodromes (EU) No 139/2014 is dated 12 February 2014 and entered into force on 6 March 2014.
These Regulations,
and the supporting EASA Acceptable
Means of Compliance (AMC) and Guidance Material (GM) to Authority,
Organisation and Operations Requirements for Aerodromes, set out requirements
relating to cyber security and information security for all Aerodromes that
fall within the scope of EASA.
ADR.OR.D.007 Management of aeronautical data and aeronautical information in 139/2014 requires the aerodrome operator to implement and maintain a quality management system covering its aeronautical data activities and its aeronautical information provision activities. The aerodrome operator is also required to define procedures for meeting the safety and security management objectives with respect to those aeronautical data and aeronautical information provision activities.
ADR.OPS.A.010 Data quality requirements in Annex IV of 139/2014 requires that all data relevant to the aerodrome and available services shall be provided by the aerodrome operator with the required quality and integrity.
Aeronautical information
European Commission Regulation (EU) No 73/2010, commonly known as 'the ADQ IR', is dated 26 January 2010 and was subsequently amended by Commission Implementing Regulation (EU) No 1029/2014 of 26 September 2014.
The ADQ IR lays down
the requirements on the quality of aeronautical data and aeronautical
information for the Single European Sky (SES). The Regulation applies to the
European air traffic management systems, their constituents and associated
procedures involved in the origination, production, storage, handling,
processing, transfer and distribution of aeronautical data and aeronautical
information.
The overall objective of this Implementing Rule is to achieve aeronautical information of sufficient quality, accuracy, timeliness and granularity as a key enabler of the European Air Traffic Management Network (ATMN), and to ensure the security of aeronautical data and information received, produced or otherwise employed, so that it is transmitted by authorised sources, protected from interference, and accessible only to those authorised.
Air Navigation Service Providers (ANSPs)
Commission Implementing Regulation (EU) 2017/373 is dated 1 March 2017 and applied from 2 January 2020, replacing Commission Implementing Regulations (EU) No 1034/2011 and No 1035/2011 and Commission Regulation (EC) No 482/2008.
The regulation is
applicable to all Air Navigation Service Providers (ANSPs) and lays down common
requirements for Air Traffic Management service providers and the oversight of
Air Traffic Management / Air Navigation Services and other air traffic
management network functions. ANSPs are required to ensure they are able to
provide services in a safe, efficient, continuous and sustainable manner,
consistent with any foreseen level of overall demand for a given airspace.
Under ATM/ANS.OR.D.010 Security management, "air navigation services and air traffic flow management providers and the Network Manager shall take the necessary measures to protect their systems, constituents in use and data and prevent compromising the network against information and cyber security threats which may have an unlawful interference with the provision of their service."
Aviation Security Regulations
Commission Implementing Regulation (EU) 2019/1583, amending Commission Implementing Regulation (EU) 2015/1998 (which lays down detailed measures for the implementation of Regulation (EC) No 300/2008), was adopted by the European Commission on 25 September 2019 and was due to apply from 31 December 2020.
The amendment adds to the existing measures for the implementation of the common basic standards on aviation security further measures with regard to cyber security. It lays down common requirements for Member States and for entities as defined in the National Aviation Security Programme. The requirements ensure that entities within scope take the necessary measures to identify and protect their critical information and communication technology systems and data from cyber threats.