The regulatory landscape for cyber is quite fragmented: requirements relating to cyber security appear in a number of existing regulations, but no common terminology has been adopted. Existing aviation safety and security regulations refer variously to information security, cyber security, information systems resilience, data integrity, reliability and many other terms.
Set out below is information on the regulations applicable for aviation entities in the UK, where CAP1753 is in use to achieve compliance with the various cyber security requirements. The list of regulations set out here is not exhaustive and this webpage is for guidance purposes only and has no legal effect.
We have highlighted what we consider to be the key provisions of each regulation relating to cyber security, but this is not a comprehensive list of relevant requirements. Entities should, as necessary, re-familiarise themselves with their obligations under the Basic Regulation and relevant Implementing Rules.
Cyber security in aviation regulations
UK Basic Regulation
EASA Basic Regulation (EU) 2018/1139 was published on 4 July 2018 and entered into force on 11 September 2018. It consolidated the scope of EU competence to cover the full spectrum of the aviation landscape (e.g. air operations, ATM/ANS, airport operations, aircraft manufacturing and maintenance). As per the European Withdrawal Act 2018, this regulation has been retained in UK law. See the CAA’s page on UK Reg (EU) 2018/1139 (the UK Basic Regulation) for the full regulation.
Aerodromes
Annex VII of the Basic Regulation sets out the requirements for aerodromes in relation to the ongoing provision of safety-related equipment and maintaining the authenticity and integrity levels of aerodrome data.
European Commission Regulation for Aerodromes (EU) No 139/2014 was published on 12 February 2014 and came into effect on 6 March 2014.
These Regulations, and the supporting EASA Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Authority, Organisation and Operations Requirements for Aerodromes, set out requirements relating to cyber security and information security for all Aerodromes that fall within the scope of EASA. As per the European Withdrawal Act 2018, this regulation has been retained in UK law. See the CAA’s page on UK Reg (EU) No 139/2014 (The UK Aerodromes Regulation) for the full UK regulation and supporting AMC and GM.
ADR.OR.D.007 Management of aeronautical data and aeronautical information in 139/2014 sets out the requirement for the aerodrome operator to implement and maintain a quality management system covering its aeronautical data activities and its aeronautical information provision activities. The aerodrome operator is also required to define procedures for meeting the safety and security management objectives with respect to those aeronautical data and aeronautical information provision activities.
ADR.OPS.A.010 Data quality requirements in ANNEX IV of 139/2014 requires that all data relevant to the aerodrome and available services shall be provided by the aerodrome operator with the required quality and integrity.
Air Navigation Service Providers (ANSPs)
Commission Implementing Regulation (EU) 2017/373 entered into EU law on 1 March 2017 and took effect on 2 January 2020, replacing Commission Implementing Regulations (EU) 1034/2011, 1035/2011 and 482/2008. As per the European Withdrawal Act 2018, this regulation has been retained in UK law. See the CAA’s page on UK Reg (EU) No 2017/373 (The UK ATM Provision of Services Regulation) for the full UK regulation and supporting AMC and GM.
The regulation is applicable to all Air Navigation Service Providers (ANSPs) and lays down common requirements for Air Traffic Management service providers and the oversight of Air Traffic Management / Air Navigation Services and other air traffic management network functions. ANSPs are required to ensure they are able to provide services in a safe, efficient, continuous and sustainable manner, consistent with any foreseen level of overall demand for a given airspace.
Under ATM/ANS.OR.D.010 (Security management), air navigation service providers, air traffic flow management providers and the Network Manager shall take the necessary measures to protect their systems, constituents in use and data, and to prevent compromise of the network by information and cyber security threats that could result in unlawful interference with the provision of their service.
National Aviation Security Programme (NASP)
An amendment to the Single Consolidated Direction 1/2021 published on 28 January 2021 by the Department for Transport is due to come into effect on 31 December 2021.
The amendment brings new cybersecurity provisions for aviation into UK law. UK airports and UK air carriers that fall within scope of the National Aviation Security Programme must take the necessary measures to identify and protect their critical information and communication technology systems and data from cyber threats and ensure that relevant personnel receive an appropriate level of vetting and training.
If you are subject to the requirements set out in the Single Consolidated Direction due to your inclusion within the National Aviation Security Programme and require a copy of the amendment, please contact cyber@caa.co.uk.
Network and Information Systems (NIS) Regulations 2018
The NIS Directive was adopted by the European Parliament in July 2016 and came into force in August 2016. It was transposed into UK law as the Network and Information Systems Regulations (NIS) in 2018. It is designed to boost the overall level of security for network and information systems that support the delivery of essential services, a category into which a number of aviation services fall.
The CAA is the Co-Competent Authority for the regulation of NIS alongside the Department for Transport (DfT), acting on behalf of the Secretary of State for Transport. DfT is responsible for NIS policy and NIS enforcement, and for setting both the thresholds that designate an organisation as an Operator of Essential Service (OES) and the thresholds that dictate a NIS reportable incident. These are documented within DfT’s Implementation of the NIS Directive Guidance.
Space Industry Act
The Space Industry Act 2018 (SIA) applies to anyone intending to carry out space activities, sub-orbital activities, and associated activities in the UK. Several statutory instruments have been made under the SIA.
- The Space Industry Regulations 2021 (SIR) which make provision to enable the licensing and regulation of spaceflight activities, spaceports, and range control service
- The Regulator's Licensing Rules (RLR) which support the regulator’s power relating to the granting and renewal of operator, spaceport and range control licences under the SIA
The SIRs and RLRs set out the requirements for cyber security strategies within spaceflight activities. Applicants for all types of operator licence should include a cyber security strategy with their application. The Cyber Security Team is currently developing guidance for applicants.
Information Security Management Systems
Working with the DfT, we are proposing to introduce new regulation to help protect UK aviation from cyber attacks, based on the same safety drivers as EASA’s 203/2023 and 1644/2022 (known as Part-IS).
This regulation will ensure the UK is not 'left behind' in acknowledging the increasing threat from cyber and the UK aviation industry does not become a target through weaker protection mechanisms than those that exist in other jurisdictions.
The regulation introduces new requirements on aviation organisations for the management of cyber security risks that could impact the safety and security of civil aviation, and will encompass aerodromes, air operations, aircrew, air traffic management, maintenance organisations as well as design and production organisations.
We expect that by introducing this regulation, safety and security will be enhanced through:
- An increased level of safety, protecting civil aviation from information security risks and making it more resilient to information security events and incidents.
- An economic benefit for the organisations, helping to protect against the potential for liability costs and the operational and reputational damage caused by cyber incidents.
The regulation is also required to ensure the UK’s continued compliance with the ICAO Annexes and SARPS (in particular ICAO Annex 17 ch 4.9) and supports the ICAO Aviation Cybersecurity Strategy. It is also linked to the ICAO State Letter for Security and ICAO State Letter for Safety.
The UK ISMS (Information Security Management Systems) regulation consultation, which details the proposed regulation, has now closed.
We will feed back on the consultation results in due course.
If you have a question or query regarding the consultation, please contact: cyberconsultation@caa.co.uk.