We use necessary cookies to make our website work. We'd also like to use optional cookies to understand how you use it, and to help us improve it.

For more information, please read our cookie policy.

UK Civil Aviation Regulations

These are published by the CAA on our UK Regulations pages. EU Regulations and EASA Access Guides published by EASA no longer apply in the UK. Our website and publications are being reviewed to update all references. Any references to EU law and EASA Access guides should be disregarded and where applicable the equivalent UK versions referred to instead.

The information on this page details what we asked, what you said and what we're doing with the results in regard to the Cyber Security Oversight Survey undertaken in 2022.

We asked

The Cyber Security Oversight Team conducted a survey of all Cyber Security Responsible Managers to ask for views via email on the CAA Cyber security oversight process for aviation (CAP1753) and the Cyber Assessment Framework (CAF) for Aviation Guidance (CAP1850).

The survey aimed to establish how the approach was influencing cyber security within civil aviation and to identify any improvement suggestions that entities would like the team to make.

You said

Responses to this survey reflected challenges faced by industry entities.

You told us that you had significant difficulty in navigating the Cyber Assessment Framework (CAF), and that the CAF itself was not appropriate for all organisations.

The feedback did not just relate to Information Technology itself, it extended to the training and capabilities of teams, with a need to increase specific industry capabilities, including growth of the avionics and Air Traffic Management (ATM).

Several comments related to a lack of engagement and communications with industry and urged the team to do more.

Overall, there was strong support on the principles and the need to implement cyber security standards for aviation. You told us that you felt that the team contributed positively towards cyber security in aviation.

We did

The CAF (under CAP 1753 process) is the instrument that the CAA uses to establish initial Cyber Security Oversight, identifying priority areas in the form of corrective action plans against the CAF. The initial CAF audit and critical system scoping exercises were extremely valuable to establish the initial baseline position across industry.

Our experts have also worked with colleagues at National Cyber Security Centre (NCSC) to define a CAF Foundational Elements framework, which is suitable for smaller organisations who may not have the in-house cyber expertise to effectively navigate the CAF.

Regarding engagement, the CAA Cyber Oversight Team run the Cyber Security Industry Working Group (CSIWG), which is a multi-stakeholder group formed of UK aviation industry, government, CAA Aerospace Cyber Security, other relevant CAA teams and invited ASSURE Cyber Suppliers.

We will aim to make the industry ready for any new regulation being implemented and will work in collaboration with industry to attempt that this happens moving forward.

Working alongside the Airport Operators Association (AOA), we have established ongoing dialogue to work through issues relating to meeting requirements for cyber security.

During 2023 we also introduced a regular newsletter and we will look to continue this to keep entities informed on developments within the team.