Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 and amending Commission Regulations (EU) No 748/2012 and (EU) No 139/2014
Article 1
Subject matter
This Regulation sets out the requirements to be met by the organisations referred to in Article 2 in order to identify and manage information security risks with potential impact on aviation safety which could affect information and communication technology systems and data used for civil aviation purposes and to detect information security events and identify those which are considered information security incidents with potential impact on aviation safety and respond to, and recover from, those information security incidents.
Article 2
Scope
This Regulation applies to the following organisations:
(a) production organisations and design organisations subject to Subparts G and J of Section A of Annex I (Part 21) to Regulation (EU) No 748/2012, except design and production organisations that are solely involved in the design and/or production of ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012;
(b) aerodrome operators and apron management service providers subject to Annex III ‘Part Organisation Requirements (Part-ADR.OR)’ to Regulation (EU) No 139/2014.
Article 3
Definitions
For the purpose of this Regulation, the following definitions shall apply:
(1) ‘information security’ means the preservation of confidentiality, integrity, authenticity and availability of network and information systems;
(2) ‘information security event’ means an identified occurrence of a system, service or network state indicating a possible breach of the information security policy or failure of information security controls, or a previously unknown situation that can be relevant for information security;
(3) ‘incident’ means any event having an adverse effect on the security of network and information systems as defined in Article 4(7) of Directive (EU) 2016/1148;
(4) ‘information security risk’ means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event. Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets;
(5) ‘threat’ means a potential violation of information security which exists when there is an entity, circumstance, action or event that could cause harm;
(6) ‘vulnerability’ means a flaw or weakness in an asset or a system, procedures, design, implementation, or information security measures that could be exploited and results in a breach or violation of the information security policy.
Article 4
Requirements arising from other Union legislation
Article 5
Competent authority
The authority responsible for certifying and overseeing compliance with this Regulation shall be:
(a) with regard to organisations referred to in Article 2, point (a), the competent authority designated in accordance with Annex I (Part 21) to Regulation (EU) No 748/2012;
(b) with regard to organisations referred to in Article 2, point (b), the competent authority designated in accordance with Annex III (Part-ADR.OR) to Regulation (EU) No 139/2014.
Article 6
Amendment to Regulation (EU) No 748/2012
Annex I (Part 21) to Regulation (EU) No 748/2012 is amended as follows:
(1) the Table of Contents is amended as follows: (a) the following heading is inserted after heading 21.A.139: ‘21.A.139A Information security management system’; (b) the following heading is inserted after heading 21.A.239: ‘21.A.239A Information security management system’;
(2) the following point 21.A.139A is inserted after point 21.A.139: ‘21.A.139A Information security management system In addition to the production management system required by point 21.A.139, the production organisation shall establish, implement and maintain an information security management system in accordance with Commission Delegated Regulation (EU) 2022/1645 (*1) in order to ensure the proper management of information security risks which may have an impact on aviation safety.’;
(3) the following point 21.A.239A is inserted after point 21.A.239: ‘21.A.239A Information security management system In addition to the design management system required by point 21.A.239, the design organisation shall establish, implement and maintain an information security management system in accordance with Commission Delegated Regulation (EU) 2022/1645 in order to ensure the proper management of information security risks which may have an impact on aviation safety.’.
Article 7
Amendment to Regulation (EU) No 139/2014
Annex III (Part-ADR.OR) to Regulation (EU) No 139/2014 is amended as follows:
(1) the following point ADR.OR.D.005A is inserted after point ADR.OR.D.005: ‘ADR.OR.D.005A Information security management system The aerodrome operator shall establish, implement and maintain an information security management system in accordance with Delegated Regulation (EU) 2022/1645 (*2) in order to ensure the proper management of information security risks which may have an impact on aviation safety.’;
(2) point ADR.OR.D.007 is replaced by the following: ‘ADR.OR.D.007 Management of aeronautical data and aeronautical information (a) As part of its management system, the aerodrome operator shall implement and maintain a quality management system covering the following activities: (1) its aeronautical data activities; (2) its aeronautical information provision activities. (b) As part of its management system, the aerodrome operator shall establish a security management system to ensure the security of operational data it receives, or produces, or otherwise employs, so that access to that operational data is restricted only to those authorised. (c) The security management system shall define the following elements: (1) the procedures relating to data security risk assessment and mitigation, security monitoring and improvement, security reviews and lesson dissemination; (2) the means designed to detect security breaches and to alert personnel with appropriate security warnings; (3) the means of controlling the effects of security breaches and of identifying recovery action and mitigation procedures to prevent reoccurrence. (d) The aerodrome operator shall ensure the security clearance of its personnel with respect to aeronautical data security. (e) The aspects related to information security shall be managed in accordance with point ADR.OR.D.005A.’;
(3) the following point ADR.OR.F.045A is inserted after point ADR.OR.F.045: ‘ADR.OR.F.045A Information security management system The organisation responsible for the provision of AMS shall establish, implement and maintain an information security management system in accordance with Delegated Regulation (EU) 2022/1645 in order to ensure the proper management of information security risks which may have an impact on aviation safety.’.
Article 8
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 16 October 2025.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
ANNEX
IS.D.OR.100 Scope
This Part establishes the requirements to be met by the organisations referred to in Article 2 of this Regulation.
IS.D.OR.200 Information security management system (ISMS)
(a) In order to achieve the objectives set out in Article 1, the organisation shall set up, implement and maintain an information security management system (ISMS) which ensures that the organisation: (1) establishes a policy on information security setting out the overall principles of the organisation with regard to the potential impact of information security risks on aviation safety; (2) identifies and reviews information security risks in accordance with point IS.D.OR.205; (3) defines and implements information security risk treatment measures in accordance with point IS.D.OR.210; (4) implements an information security internal reporting scheme in accordance with point IS.D.OR.215; (5) defines and implements, in accordance with point IS.D.OR.220, the measures required to detect information security events, identifies those events which are considered incidents with a potential impact on aviation safety, and responds to, and recovers from, those information security incidents; (6) implements the measures that have been notified by the competent authority as an immediate reaction to an information security incident or vulnerability with an impact on aviation safety; (7) takes appropriate action, in accordance with point IS.D.OR.225, to address findings notified by the competent authority; (8) implements an external reporting scheme in accordance with point IS.D.OR.230 in order to enable the competent authority to take appropriate actions; (9) complies with the requirements contained in point IS.D.OR.235 when contracting any part of the activities referred to in point IS.D.OR.200 to other organisations; (10) complies with the personnel requirements laid down in point IS.D.OR.240; (11) complies with the record-keeping requirements laid down in point IS.D.OR.245; (12) monitors compliance of the organisation with the requirements of this Regulation and provides feedback on findings to the accountable manager or, in the case of design organisations, to the head of the design organisation, in order to ensure effective implementation of corrective actions; (13) protects, without prejudice to applicable incident reporting requirements, the confidentiality of any information that the organisation may have received from other organisations, according to its level of sensitivity.
(b) In order to continuously meet the requirements referred to in Article 1, the organisation shall implement a continuous improvement process in accordance with point IS.D.OR.260.
(c) The organisation shall document, in accordance with point IS.D.OR.250, all key processes, procedures, roles and responsibilities required to comply with point IS.D.OR.200(a) and establish a process for amending that documentation. Changes to those processes, procedures, roles and responsibilities shall be managed in accordance with point IS.D.OR.255.
(d) The processes, procedures, roles and responsibilities established by the organisation in order to comply with point IS.D.OR.200(a) shall correspond to the nature and complexity of its activities, based on an assessment of the information security risks inherent to those activities, and may be integrated within other existing management systems already implemented by the organisation.
(e) Without prejudice to the obligation to comply with the reporting requirements contained in Regulation (EU) No 376/2014 of the European Parliament and of the Council (2) and the requirements of point IS.D.OR.200(a)(13), the organisation may be granted approval by the competent authority not to implement the requirements referred to in points (a) to (d) and the related requirements contained in points IS.D.OR.205 through IS.D.OR.260, if it demonstrates to the satisfaction of that authority that its activities, facilities and resources, as well as the services it operates, provides, receives and maintains, do not pose any information security risks with a potential impact on aviation safety, neither to itself nor to other organisations. The approval shall be based on a documented information security risk assessment carried out by the organisation or a third party in accordance with point IS.D.OR.205 and reviewed and approved by its competent authority. The continued validity of that approval will be reviewed by the competent authority following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.
IS.D.OR.205 Information security risk assessment
(a) The organisation shall identify all of its elements, which could be exposed to information security risks. That shall include: (1) the organisation’s activities, facilities and resources, as well as the services the organisation operates, provides, receives or maintains; (2) the equipment, systems, data and information that contribute to the functioning of the elements listed in point (1).
(b) The organisation shall identify the interfaces that it has with other organisations, and which could result in the mutual exposure to information security risks.
(c) With regard to the elements and interfaces referred to in points (a) and (b), the organisation shall identify the information security risks which may have a potential impact on aviation safety. For each identified risk, the organisation shall: (1) assign a risk level according to a predefined classification established by the organisation; (2) associate each risk and its level with the corresponding element or interface identified in accordance with points (a) and (b). The predefined classification referred to in point (1) shall take into account the potential of occurrence of the threat scenario and the severity of its safety consequences. Based on that classification, and taking into account whether the organisation has a structured and repeatable risk management process for operations, the organisation shall be able to establish whether the risk is acceptable or needs to be treated in accordance with point IS.D.OR.210. In order to facilitate the mutual comparability of risk assessments, the assignment of the risk level pursuant to point (1) shall take into account relevant information acquired in coordination with the organisations referred to in point (b).
(d) The organisation shall review and update the risk assessment carried out in accordance with points (a), (b) and (c) in any of the following situations: (1) there is a change in the elements subject to information security risks; (2) there is a change in the interfaces between the organisation and other organisations, or in the risks communicated by the other organisations; (3) there is a change in the information or knowledge used for the identification, analysis and classification of risks; (4) there are lessons learnt from the analysis of information security incidents.
IS.D.OR.210 Information security risk treatment
(a) The organisation shall develop measures to address unacceptable risks identified in accordance with point IS.D.OR.205, implement them in a timely manner and check their continued effectiveness. Those measures shall enable the organisation to: (1) control the circumstances that contribute to the effective occurrence of the threat scenario; (2) reduce the consequences on aviation safety associated with the materialisation of the threat scenario; (3) avoid the risks. Those measures shall not introduce any new potential unacceptable risks to aviation safety.
(b) The person referred to in point IS.D.OR.240 (a) and (b) and other affected personnel of the organisation shall be informed of the outcome of the risk assessment carried out in accordance with point IS.D.OR.205, the corresponding threat scenarios and the measures to be implemented. The organisation shall also inform organisations with which it has an interface in accordance with point IS.D.OR.205(b) of any risk shared between both organisations.
IS.D.OR.215 Information security internal reporting scheme
(a) The organisation shall establish an internal reporting scheme to enable the collection and evaluation of information security events, including those to be reported pursuant to point IS.D.OR.230.
(b) That scheme and the process referred to in point IS.D.OR.220 shall enable the organisation to: (1) identify which of the events reported pursuant to point (a) are considered information security incidents or vulnerabilities with a potential impact on aviation safety; (2) identify the causes of, and contributing factors to, the information security incidents and vulnerabilities identified in accordance with point (1), and address them as part of the information security risk management process in accordance with points IS.D.OR.205 and IS.D.OR.220; (3) ensure an evaluation of all known, relevant information relating to the information security incidents and vulnerabilities identified in accordance with point (1); (4) ensure the implementation of a method to distribute internally the information as necessary.
(c) Any contracted organisation which may expose the organisation to information security risks with a potential impact on aviation safety shall be required to report information security events to the organisation. Those reports shall be submitted using the procedures established in the specific contractual arrangements and shall be evaluated in accordance with point (b).
(d) The organisation shall cooperate on investigations with any other organisation that has a significant contribution to the information security of its own activities.
(e) The organisation may integrate that reporting scheme with other reporting schemes it has already implemented.
IS.D.OR.220 Information security incidents – detection, response and recovery
(a) Based on the outcome of the risk assessment carried out in accordance with point IS.D.OR.205 and the outcome of the risk treatment performed in accordance with point IS.D.OR.210, the organisation shall implement measures to detect incidents and vulnerabilities that indicate the potential materialisation of unacceptable risks and which may have a potential impact on aviation safety. Those detection measures shall enable the organisation to: (1) identify deviations from predetermined functional performance baselines; (2) trigger warnings to activate proper response measures, in case of any deviation.
(b) The organisation shall implement measures to respond to any event conditions identified in accordance with point (a) that may develop or have developed into an information security incident. Those response measures shall enable the organisation to: (1) initiate the reaction to the warnings referred to in point (a)(2) by activating predefined resources and course of actions; (2) contain the spread of an attack and avoid the full materialisation of a threat scenario; (3) control the failure mode of the affected elements defined in point IS.D.OR.205(a).
(c) The organisation shall implement measures aimed at recovering from information security incidents, including emergency measures, if needed. Those recovery measures shall enable the organisation to: (1) remove the condition that caused the incident, or constrain it to a tolerable level; (2) reach a safe state of the affected elements defined in point IS.D.OR.205(a) within a recovery time previously defined by the organisation.
IS.D.OR.225 Response to findings notified by the competent authority