The regulatory landscape for cyber is quite fragmented, and there are requirements relating to cyber security in a number of existing regulations, although a common terminology has not been adopted. Existing aviation safety and security regulations refer variously to information security; cyber security; information systems resilience; data integrity; reliability; and many others.
Set out below is information on the regulations applicable for aviation entities in the UK, where CAP1753 is in use to achieve compliance with the various cyber security requirements. The list of regulations set out here is not exhaustive and this webpage is for guidance purposes only and has no legal effect.
We have highlighted what we consider to be the key provisions of each regulation relating to cyber security, but this is not a comprehensive list of relevant requirements. Entities should, as necessary, re-familiarise themselves with their obligations under the Basic Regulation and relevant Implementing Rules.
Aviation Safety Regulations
EASA Basic Regulation
EASA Basic Regulation (EU) 2018/1139 was published on 4 July 2018 and entered into force on 11 September 2018. It consolidated the scope of EU competence to cover the full spectrum of the aviation landscape (e.g. air operations, ATM/ANS, airport operations, aircraft manufacturing and maintenance).
Aerodromes
Annex VII of the Basic Regulation sets out the requirements for aerodromes in relation to the ongoing provision of safety-related equipment and maintaining the authenticity and integrity levels of aerodrome data.
European Commission Regulation for Aerodromes (EU) No 139/2014 was published on 12 February 2014 and came into effect on 6 March 2014.
These Regulations, and the supporting EASA Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Authority, Organisation and Operations Requirements for Aerodromes, set out requirements relating to cyber security and information security for all aerodromes that fall within the scope of EASA.
ADR.OR.D.007 (Management of aeronautical data and aeronautical information) in 139/2014 sets out the requirement for the aerodrome operator to implement and maintain a quality management system covering its aeronautical data activities and its aeronautical information provision activities. The aerodrome operator is also required to define procedures for meeting the safety and security management objectives with respect to those aeronautical data activities and aeronautical information provision activities.
ADR.OPS.A.010 (Data quality requirements) in Annex IV of 139/2014 requires that all data relevant to the aerodrome and available services shall be provided by the aerodrome operator with the required quality and integrity.
Aeronautical information
European Commission Regulation (EU) No 73/2010, commonly known as ‘the ADQ IR’, entered into force on 26 January 2010 and was subsequently amended by (EU) No 1029/2014 on 26 September 2014.
The ADQ IR lays down the requirements on the quality of aeronautical data and aeronautical information for the Single European Sky (SES). The Regulation applies to the European air traffic management systems, their constituents and associated procedures involved in the origination, production, storage, handling, processing, transfer and distribution of aeronautical data and aeronautical information.
The overall objective of this Implementing Rule is to achieve aeronautical information of sufficient quality, accuracy, timeliness and granularity as a key enabler of the European Air Traffic Management Network (ATMN), and to ensure the security of aeronautical data and information received, produced or otherwise employed, so that it is transmitted by authorised sources, protected from interference, and accessible only to those authorised.
Air Navigation Service Providers (ANSPs)
Commission Implementing Regulation (EU) 2017/373 entered into EU law on 1 March 2017 and took effect on 2 January 2020, replacing Commission Implementing Regulations (EU) 1034/2011, 1035/2011 and 482/2008.
The regulation is applicable to all Air Navigation Service Providers (ANSPs) and lays down common requirements for Air Traffic Management service providers and the oversight of Air Traffic Management / Air Navigation Services and other air traffic management network functions. ANSPs are required to ensure they are able to provide services in a safe, efficient, continuous and sustainable manner, consistent with any foreseen level of overall demand for a given airspace.
Under ATM/ANS.OR.D.010 (Security management), air navigation services and air traffic flow management providers and the Network Manager shall take the necessary measures to protect their systems, constituents in use and data, and to prevent compromise of the network, against information and cyber security threats which may result in unlawful interference with the provision of their service.
Aviation Security Regulations
An amendment to the Single Consolidated Direction 1/2021 published on 28 January 2021 by the Department for Transport is due to come into effect on 31 December 2021.
The amendment brings new cybersecurity provisions for aviation into UK law. UK airports and UK air carriers that fall within scope of the National Aviation Security Programme must take the necessary measures to identify and protect their critical information and communication technology systems and data from cyber threats and ensure that relevant personnel receive an appropriate level of vetting and training.
If you are subject to the requirements set out in the Single Consolidated Direction due to your inclusion within the National Aviation Security Programme and require a copy of the amendment, please contact cyber@caa.co.uk.
Network and Information Systems Regulations 2018
The NIS Directive was adopted by the European Parliament in July 2016 and came into force in August 2016. It was transposed into UK law as the Network and Information Systems Regulations (NIS) in 2018. It is designed to boost the overall level of security for network and information systems that support the delivery of essential services, under which a number of aviation services fall.
The CAA is the Co-Competent Authority for the regulation of NIS alongside the Department for Transport (DfT), on behalf of the Secretary of State for Transport. DfT is responsible for NIS policy and NIS enforcement, as well as for setting the thresholds which designate an organisation as an Operator of Essential Service (OES) and the thresholds which dictate a NIS reportable incident. This is documented within DfT’s Implementation of the NIS Directive Guidance.