We use necessary cookies to make our website work. We'd also like to use optional cookies to understand how you use it, and to help us improve it.

For more information, please read our cookie policy.

UK Civil Aviation Regulations

These are published by the CAA on our UK Regulations pages. EU Regulations and EASA Access Guides published by EASA no longer apply in the UK. Our website and publications are being reviewed to update all references. Any references to EU law and EASA Access guides should be disregarded and where applicable the equivalent UK versions referred to instead.

Urgent reporting

Urgent aviation cyber security incidents that impact aviation safety or security shall be reported via the channels below:

Operators of Essential Services (regulated under NIS)

Operators of Essential Services (OES) should report all incidents that meet the mandatory reporting thresholds to the Department for Transport (DfT) Cyber Compliance Team at: NISIncidents@dft.gov.uk (using the form in Annex F of the link below) no later than 72 hours after the OES is aware that a notifiable incident has occurred.

OES are reminded that NIS incidents include both cyber and non-cyber related disruption, and are defined in the regulation as: "any incident which has a significant impact on the continuity of the essential service which that OES provides". For more information, including the thresholds that determine the significance, please refer to the document: Implementing the Network and Information Systems Directive in the transport sector - GOV.UK (www.gov.uk)

For advice and support in handing cyber related incidents, OES are encouraged to contact the NCSC using the form: Report a Cyber Incident - Report a Cyber Incident - NCSC. Please note that contacting the NCSC does not satisfy the mandatory requirement for NIS reporting as set out in the regulations.

All aviation organisations

The CAA advise that severe cyber security incidents are initially reported to the NCSC via https://report.ncsc.gov.uk/

For less severe cyber security incidents, the NCSC advise reporting via the Action Fraud website.

Voluntary reporting

We strongly encourage the voluntary reporting of cyber incidents to both the CAA Cyber Security Oversight Specialist in the Cyber Security Team at cyber@caa.co.uk and to the DfT Cyber Compliance Team at CYBER@dft.gov.uk