Instructions and the Q&A section | Traficom
Transport and Communications Agency


Traficom encourages proactive cyber security management with the help of applicable and relevant good practices.


This page contains instructions, links and good practices to be used by organisations. The page also provides answers to frequently asked questions. The website is updated regularly.

Links to the website of the National Cyber Security Centre Finland, which offers a wide range of useful information.

Links to websites that provide information about topical information security incidents in aviation and other sectors:

  • Eurocontrol's EATM-CERT (European Air Traffic Management Computer Emergency Response Team)
  • ECCSA (European Confederation of Search & Selection Associations)

Links to guidance materials of the European Union Aviation Safety Agency EASA and the EU Commission:

  • EASA
  • European Commission

The website of the UK’s civil aviation authority UK CAA provides guidance materials for aviation organisations. The instructions below are particularly useful, as they offer a unified method for the identification and assessment of critical functions and systems.

Cyber Security Critical Systems Scoping Guidance (pdf, 517 kB)

The European Union Agency for Network and Information Security (ENISA) is the EU’s centre of expertise on network and information security. The ENISA website provides various guidance materials, and below are some examples that apply to aviation or the transport system:

ENISA Securing Smart Airports (pdf, 4 MB)

The global development of cyber security in aviation is guided by the Cybersecurity Strategy and Action Plan of the International Civil Aviation Organization ICAO.

The EU-level development of cyber security in aviation is guided by the EU's Cybersecurity Strategy, Plan and other theme-related concept papers and roadmaps:

Documents that guide Finland’s cyber security work on the national level and links to further information:

Frequently asked questions and answers on aviation cyber security are published in this section.

Questions related to the practical implementation of the aviation security regulation (EU) 2019/1583

  1. Which aviation operators does the regulation apply to?
    Answer: The regulation applies to airport operators, air carriers (AOC organisations) and entities as defined in the national civil aviation security programme. The latter includes known consignors, regulated agents and regulated suppliers as defined in regulation (EC) 300/2008.
  2. How should our organisation get started on implementing the requirements of the regulation?
    Answer: The regulation requires that organisations identify and define their information and communications technology systems and data critical to civil aviation and protect them from cyber-attacks which could affect the security of civil aviation. In practice, the organisation should start by describing the method used to identify and assess its systems and data critical to aviation security. Upon request, the organisation must be able to present a documented procedure to the aviation authority. “Identify” is the first measure of information security management (identify, protect, detect, respond, recover).
  3. Does the regulation in question apply to us if we do not have systems critical to aviation security?
    Answer: If the organisation does not currently have systems critical to aviation security, the impact of the regulation is minimal. However, the organisation’s operating environment (business activities, partners, system interfaces, etc.) is constantly changing, meaning that the situation may also change in relation to critical systems. The organisation must remain aware of its situation and meet the obligations of the regulation for its critical systems.
  4. We are an ISO 27001 certified company with an information security policy in place. Furthermore, we have general information security guidelines. Does this meet the requirement to identify and protect aviation critical systems and to detect events, respond to them and recover from them, and to verify these actions?
    Answer: If the scope of the ISO 27001 certification also covers systems critical for aviation and this can be verified, it acts as a strong starting point for compliance and verification overseen and assessed by the aviation authority. However, the key thing is that the organisation has a described and verifiable process (to identify and protect aviation critical systems and to detect events, respond to them and recover from them) that it can present to an external examiner. The process must describe in sufficient detail how the organisation, for example, identifies critical systems. An information security certificate or policy alone is not enough to describe the process.