Legislation on aviation cyber security | Traficom
Transport and Communications Agency


EU regulation defines the framework and minimum requirements for cyber security management in aviation.


This page contains the aviation cyber security regulations that apply to aviation organisations and explains the obligations they impose. Furthermore, cyber security is included in the airworthiness requirements of aviation products (e.g. aircraft), parts and components.

The security of aviation information systems is also covered by other regulation (e.g. the EU General Data Protection Regulation, GDPR), but the focus here is on regulation aiming to maintain and strengthen aviation safety, aviation security and societal resilience.

The security of information systems refers to maintaining the confidentiality, integrity and availability of the data contained in the systems or produced by them. Aviation cyber security as a whole consists of the information systems needed in the aviation system, the data they contain and the use of that data. It also covers the processing and transfer of such data within and between organisations, and the activities of those who use it. In its most mundane form, this covers, for example, pilots' flight preparation and navigation information, or passenger information in the various systems.

[Figure: overview of NIS, AVSEC and Part-IS regulation (updated 3 February 2023)]

LATEST NEWS IN AVIATION CYBERSECURITY LEGISLATION

This list contains the latest publication news in aviation cybersecurity legislation. For more details, see the content of this web page below the list.

Cyber security legislation on aviation safety, security and societal resilience that applies to Traficom and aviation organisations includes the following:

  • EASA Basic Regulation and statutes adopted under it
  • Commission Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security
  • Commission Implementing Regulation (EU) 2019/1583 amending Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security, as regards cybersecurity measures
  • Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (the so-called Network and Information Security Directive, i.e. the NIS Directive), as well as the updated NIS Directive (EU) 2022/2555 published on 27 December 2022. See the part on aviation cyber security regulation related to societal resilience on this web page for more details.
  • Sections 128a and 128b of the Aviation Act, the national implementation of the currently applicable NIS Directive (2016/1148).

Aviation cyber security regulations are continuously developing. Traficom communicates actively on the development and obligations of regulations. Ultimately, however, it is the responsibility of each organisation to keep up to date with valid regulation and anticipate known changes.

In addition to EU regulation, further international standards on the cyber security of the aviation system are currently being drafted at the global level, coordinated mainly by the ICAO CySeCP (Cybersecurity Panel) and TFP (Trust Framework Panel).

The aviation authority recommends that, in addition to the valid applicable legislation, aviation organisations proactively monitor and apply good practices that are applicable and relevant to cyber security management. More information is available on the Instructions page and in the Q&A section.


EASA Basic Regulation and statutes adopted under it

The first statute, Commission Delegated Regulation (EU) 2022/1645, was published on 26 September 2022. It lays down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 748/2012 and (EU) No 139/2014, and amends Commission Regulations (EU) No 748/2012 and (EU) No 139/2014.

The second statute, Commission Implementing Regulation (EU) 2023/203, was published on 2 February 2023. It lays down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety:

  • for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011 and (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664,
  • for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664,
  • and it amends Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014 and (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664.

The regulations become applicable after a three-year transitional period starting from the publication date. Aviation authorities and aviation organisations falling within the scope of the regulations must meet their requirements once the transitional period ends.

On 13 July 2023, EASA published the Acceptable Means of Compliance (AMC) and Guidance Material (GM) for Part-IS. Traficom participated in the AMC and GM work led by EASA in the working groups of the ESCP (European Strategic Coordination Platform). The working groups also included representatives of aviation stakeholders and associations of aviation organisations.

On 31 October 2023, EASA published the first Easy Access Rules for Information Security. It includes, in a compiled and easy-to-use format, the Part-IS Regulations (EU) 2023/203 and (EU) 2022/1645, as well as their AMC and GM material. On 12 June 2024, EASA published a revision of the Easy Access Rules for Information Security.

Traficom is currently part of EASA's Part-IS Implementation Task Force, which is preparing to put Part-IS regulation into practice.

Below are the published regulations of the Part-IS (Information Security) regulatory work:

  • EASA bulletin on the publication of Commission Delegated Regulation (EU) 2022/1645 on 26 September 2022
  • Commission Delegated Regulation (EU) 2022/1645 (on the EUR-Lex pages)
  • EASA bulletin on the publication of Commission Implementing Regulation (EU) 2023/203
  • Commission Implementing Regulation (EU) 2023/203 (on the EUR-Lex pages)
  • Part-IS AMC and GM materials
  • EASA's June 2024 revision of the Easy Access Rules for Information Security

In terms of aviation security, the cyber security regulation is included in Commission Implementing Regulation (EU) 2015/1998. The regulation has been updated: Commission Implementing Regulation (EU) 2019/1583 (amending Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security, as regards cybersecurity measures) became applicable on 31 December 2021.

Which aviation operators and service providers does the updated regulation 2019/1583 apply to?

The requirements apply to airport operators, air carriers and entities as defined in the national civil aviation security programme.

Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (the so-called Network and Information Security Directive, i.e. the NIS Directive) covers a wide range of fields in society. The NIS Directive aims to ensure the continuity of operations in essential services, guarantee societal security and increase trust in digital services. As regards aviation, the current NIS Directive applies only to some aviation operators and service providers: providers of air navigation services and operators of airports that are significant for the functioning of society.

The currently applicable NIS Directive has been implemented in national legislation through sections 128a (Obligation to manage risks to communications networks and information systems) and 128b (Notification of information security incidents) of the Aviation Act.

The NIS Directive has been updated. The updated directive (NIS 2) was published on 27 December 2022. The directive enters into force on the 20th day after its publication. Member States have 21 months from the directive's entry into force to implement its provisions in their national legislation. The national implementation of the directive has progressed within the framework of a project initiated by the Ministry of Transport and Communications. On 3 October 2023, the Ministry of Transport and Communications published a request for statements on the draft government proposal to implement the Cybersecurity Directive (NIS2). After the consultation phase, on 23 May 2024, the Government presented a proposal for a new Cybersecurity Act to Parliament. The Ministry's (LVM) press release and the Government's proposal have been published.

The updated NIS Directive (EU) 2022/2555, to be applied nationally during 2024, will both expand the scope of application and increase the requirements. In terms of aviation, the AVSEC regulation and Part-IS have different objectives (aviation safety and aviation security) than the NIS Directive (societal resilience). AVSEC and Part-IS, in particular, have a more extensive scope of application and are at least as extensive in their cyber security management requirements. By complying with the obligations of the aviation-specific regulation (AVSEC and Part-IS), aviation operators and service providers largely meet the requirements of the updated NIS Directive at the same time. Like any other regulation, NIS also contains obligations on the aviation authority's own cyber security management.

Cyber security is included in the airworthiness requirements of aviation products (e.g. aircraft), parts and components. ED Decision 2020/006/R was published in June 2020. Its objective is to mitigate the potential effects of cyber security threats on aviation safety. The decision complemented and strengthened the airworthiness requirements and the related AMC (Acceptable Means of Compliance) and GM (Guidance Material) material on obligations related to cyber security.

More detailed information and the requirements themselves are available on the website of the European Union Aviation Safety Agency (EASA).
