Frequently asked questions and answers on aviation cyber security are published in this section.

Questions related to the practical implementation of the aviation security regulation (EU) 2019/1583

Which aviation operators does the regulation apply to?
Answer:The regulation applies to airport operators, air carriers (AOC organisations) and entities as defined in the national civil aviation security programme. The latter includes known consignors, regulated agents and regulated suppliers as defined in regulation (EC) 300/2008.
How should our organisation get started on implementing the requirements of the regulation?
Answer:The regulation requires that organisations identify and define their information and communications technology systems and data critical to civil aviation and protect them from cyber-attacks which could affect the security of civil aviation. In practice, the organisation should start by describing the method used to identify and assess their systems and data critical to aviation security. Upon request, the organisation must be able to present a documented procedure to the aviation authority. “Identify” is the first measure of information security management (identify, protect, detect, respond, recover).
Does the regulation in question apply to us if we do not have systems critical to aviation security?
Answer: If the organisation does not currently have systems critical to aviation security, the impact of the regulation is minimal. However, the organisation’s operating environment (business activities, partners, system interfaces, etc.) is constantly changing, meaning that the situation may also change in relation to critical systems. The organisation must remain aware of their situation and meet the obligations of the regulation for their critical systems.
We are an ISO 27001 certified company with an information security policy in place. Furthermore, we have general information security guidelines. Does this meet the requirement to identify and protect aviation critical systems and to detect events, respond to them and recover from them, and to verify these actions?
Answer: If the scope of the ISO 27001 certification also covers systems critical for aviation and this can be verified, it acts as a strong starting point for compliance and verification overseen and assessed by the aviation authority. However, the key thing is that the organisation has a described and verifiable process (to identify and protect aviation critical systems and to detect events, respond to them and recover from them) it can present to an external examiner. The process must describe in sufficient detail how the organisation e.g. identifies critical systems. An information security certificate or policy alone is not enough to describe the process.