We use necessary cookies to make our website work. We'd also like to use optional analytics cookies to help us improve it.
For more information, please read our cookie policy.

UK – EU Transition, and UK Civil Aviation Regulations

To access current UK civil aviation regulations, including AMC and GM, CAA regulatory documents, please use this link to UK Regulation. Please note, if you use information and guidance under the Headings below, the references to EU regulations or EU websites in our guidance will not be an accurate information or description of your obligations under UK law. These pages are undergoing reviews and updates.

The CAA Cyber Security Oversight Team was established to provide effective oversight of the UK aviation industry’s management of cyber security risk, to support aviation safety, security and economic resilience.  It has been developed to meet UK, European and International aviation regulatory obligations for cyber security.

We have created a cyber security regulatory framework that enables industry to demonstrate that appropriate risk management and mitigations are operating and effective.

Our cyber security oversight process is described in CAP 1753.

Our vision

“To have a proportionate and effective approach to cyber security oversight that enables aviation to manage its cyber security risks without compromising aviation safety, security or resilience.

To stay up-to-date and positively influence cyber security within aviation to support the UK’s National Cyber Security Strategy.”

Our work

Reporting a Cyber Security Incident

Urgent aviation cyber security incidents that impact aviation safety or security shall be reported via the channels below:

For safety: Occurrence reporting | Civil Aviation Authority (caa.co.uk)

For security: TSOC@dft.gov.uk  TSOC 24/7 number: (020 7944 3111 / 3777)

Operators of Essential Services (regulated under NIS)

In addition to seeking advice from NCSC, Operators of Essential Services (OES) shall report cyber security incidents that meet the mandatory reporting thresholds to DfT’s Cyber Compliance Team at NISIncidents@dft.gov.uk (using the form in Annex F of the link below) no later than 72 hours after the OES is aware that a notifiable incident has occurred.

Implementation of the NIS directive: DfT guidance version 1.1 (publishing.service.gov.uk)

All Aviation Organisations

The CAA advise that severe cyber security incidents are initially reported to the NCSC via https://report.ncsc.gov.uk/.

For less severe cyber security incidents, the NCSC advise reporting via the Action Fraud website.

Voluntary Reporting

We strongly encourage the voluntary reporting of cyber incidents to both the CAA Cyber Security Oversight Team at cyber@caa.co.uk and the DfT Cyber Compliance Team at CYBER@dft.gov.uk

Useful links

Provide page feedback

Please enter your comments below, or use our usual service contacts if a specific matter requires an answer.

Fields marked with an asterisk (*) are required.