The regulatory landscape for cyber is quite fragmented, and there are requirements relating to cyber security in a number of existing regulations - although there hasn't been a common terminology adopted. Existing aviation safety and security regulations refer variously to information security; cyber security; information systems resilience; data integrity; reliability; and many others.
Set out below is information on the regulations applicable for aviation entities in the UK, where CAP1753 is in use to achieve compliance with the various cyber security requirements. The list of regulations set out here is not exhaustive and this webpage is for guidance purposes only and has no legal effect.
We have highlighted what we consider to be the key provisions of each regulation relating to cyber security, but this is not a comprehensive list of relevant requirements. Entities should, as necessary, re-familiarise themselves with their obligations under the Basic Regulation and relevant Implementing Rules.
Aviation Safety Regulations
EASA Basic Regulation
EASA Basic Regulation (EU) 2018/1139 was published on 4 July 2018 and entered into force on 11 September 2018 and consolidated the scope of EU competence to cover the full spectrum of the aviation landscape (e.g. air operations, ATM/ANS, airport operations, aircraft manufacturing and maintenance).
Annex VII of the Basic Regulation sets out the requirements for aerodromes in relation to the ongoing provision of safety-related equipment and maintaining the authenticity and integrity levels of aerodrome data.
European Commission Regulation for Aerodromes (EU) No 139/2014 was published on 12 February 2014 and came into effect on 6 March 2014.
These Regulations, and the supporting EASA Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Authority, Organisation and Operations Requirements for Aerodromes, set out requirements relating to cyber security and information security for all Aerodromes that fall within the scope of EASA.
ADR.OR.D.007 Management of aeronautical data and aeronautical information in 139/2014 sets out the requirement for the aerodrome operator to implement and maintain a quality management system covering its aeronautical data activities and its aeronautical information provision activities. The aerodrome operator is also required to define procedures for meeting the safety and security management objectives with respect to aeronautical data activities and aeronautical information provision activities.
ADR.OPS.A.010 Data quality requirements in ANNEX IV of 139/2014 requires that all data relevant to the aerodrome and available services shall be provided by the aerodrome operator with the required quality and integrity.
European Commission Regulation (EU) No.73/2010, commonly known as ‘the ADQ IR’, entered into force on 26 January 2010, and was subsequently amended by (EU) No.1029/2014 on 26 September 2014.
The ADQ IR lays down the requirements on the quality of aeronautical data and aeronautical information for the Single European Sky (SES). The Regulation applies to the European air traffic management systems, their constituents and associated procedures involved in the origination, production, storage, handling, processing, transfer and distribution of aeronautical data and aeronautical information.
The overall objective of this Implementing Rule is to achieve aeronautical information of sufficient quality, accuracy, timeliness and granularity as a key enabler of the European Air Traffic Management Network (ATMN); and to ensure the security of aeronautical data and information received, produced or otherwise employed, so that it is transmitted by authorised sources, protected from interference, and access to it is restricted only to those authorised.
Air Navigation Service Providers (ANSPs)
Commission Implementing Regulation (EU) 2017/373 entered into EU law on 1 March 2017 and took effect on 2 January 2020, replacing Commission Implementing Regulations (EU) 1034/2011, 1035/2011 and 482/2008.
The regulation is applicable to all Air Navigation Service Providers (ANSPs) and lays down common requirements for Air Traffic Management service providers and the oversight of Air Traffic Management / Air Navigation Services and other air traffic management network functions. ANSPs are required to ensure they are able to provide services in a safe, efficient, continuous and sustainable manner, consistent with any foreseen level of overall demand for a given airspace.
Under ATM/ANS.OR.D.010 (Security management), air navigation service and air traffic flow management providers and the Network Manager shall take the necessary measures to protect their systems, constituents in use and data, and prevent compromising the network against information and cyber security threats which may have an unlawful interference with the provision of their service.
Aviation Security Regulations
An amendment to the Single Consolidated Direction 1/2021 published on 28 January 2021 by the Department for Transport is due to come into effect on 31 December 2021.
The amendment brings new cybersecurity provisions for aviation into UK law. UK airports and UK air carriers that fall within scope of the National Aviation Security Programme must take the necessary measures to identify and protect their critical information and communication technology systems and data from cyber threats and ensure that relevant personnel receive an appropriate level of vetting and training.
If you are subject to the requirements set out in the Single Consolidated Direction due to your inclusion within the National Aviation Security Programme and require a copy of the amendment, please contact firstname.lastname@example.org.
Network and Information Systems Regulations 2018
The NIS Directive was adopted by the European Parliament in July 2016 and came into force in August 2016. It was transposed into UK law as the Network and Information Systems Regulations (NIS) in 2018. It is designed to boost the overall level of security for network and information systems that support the delivery of essential services, under which a number of aviation services fall.
The CAA is the Co-Competent Authority for the regulation of NIS alongside the Department for Transport (DfT) on behalf of the Secretary of State for Transport. DfT is responsible for NIS policy and NIS enforcement, as well as for setting the thresholds which designate an organisation as an Operator of Essential Service (OES) and the thresholds which dictate a NIS reportable incident. These are documented within DfT’s Implementation of the NIS Directive Guidance.