Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664

Type: Implementing Regulation
Publication: 2022-10-27
State: In force
Department: European Commission, MOVE
Source: EUR-Lex

Article 1

Subject matter

This Regulation sets out the requirements to be met by the organisations and competent authorities in order:

(a) to identify and manage information security risks with potential impact on aviation safety which could affect information and communication technology systems and data used for civil aviation purposes,

(b) to detect information security events and identify those which are considered information security incidents with potential impact on aviation safety,

(c) to respond to, and recover from, those information security incidents.

Article 2

Scope

This Regulation applies to the following organisations:

(a) maintenance organisations subject to Section A of Annex II (Part-145) to Regulation (EU) No 1321/2014, except those solely involved in the maintenance of aircraft in accordance with Annex Vb (Part-ML) to Regulation (EU) No 1321/2014;

(b) continuing airworthiness management organisations (CAMOs) subject to Section A of Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014, except those solely involved in the continuing airworthiness management of aircraft in accordance with Annex Vb (Part-ML) to Regulation (EU) No 1321/2014;

(c) air operators subject to Annex III (Part-ORO) to Regulation (EU) No 965/2012, except those solely involved in the operation of any of the following: (i) an ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012; (ii) single-engine propeller-driven aeroplanes with a Maximum Operational Passenger Seating Configuration of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under Visual Flight Rules (VFR) by day rules; (iii) single-engine helicopters with a Maximum Operational Passenger Seating Configuration of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under VFR by day rules;

(d) approved training organisations (ATOs) subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011, except those solely involved in training activities of ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012, or solely involved in theoretical training;

(e) aircrew aero-medical centres subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011;

(f) flight simulation training device (FSTD) operators subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011, except those solely involved in the operation of FSTDs for ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012;

(g) air traffic controller training organisations (ATCO TOs) and ATCO aero-medical centres subject to Annex III (Part ATCO.OR) to Regulation (EU) 2015/340;

(h) organisations subject to Annex III (Part-ATM/ANS.OR) to Implementing Regulation (EU) 2017/373, except the following service providers: (i) air navigation service providers holding a limited certificate in accordance with point ATM/ANS.OR.A.010 of that Annex; (ii) flight information service providers declaring their activities in accordance with point ATM/ANS.OR.A.015 of that Annex;

(i) U-space service providers and single common information service providers subject to Implementing Regulation (EU) 2021/664;

(j) approved organisations involved in the design or production of ATM/ANS systems and ATM/ANS constituents subject to Commission Implementing Regulation (EU) 2023/1769 (1).

Article 3

Definitions

For the purpose of this Regulation, the following definitions shall apply:

(1) ‘information security’ means the preservation of confidentiality, integrity, authenticity and availability of network and information systems;

(2) ‘information security event’ means an identified occurrence of a system, service or network state indicating a possible breach of the information security policy or failure of information security controls, or a previously unknown situation that can be relevant for information security;

(3) ‘incident’ means any event having an actual adverse effect on the security of network and information systems as defined in Article 4(7) of Directive (EU) 2016/1148;

(4) ‘information security risk’ means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event. Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets;

(5) ‘threat’ means a potential violation of information security which exists when there is an entity, circumstance, action or event that could cause harm;

(6) ‘vulnerability’ means a flaw or weakness in an asset or a system, procedures, design, implementation, or information security measures that could be exploited and results in a breach or violation of the information security policy.

Article 4

Requirements for organisations and competent authorities

Article 5

Requirements arising from other Union legislation

Article 6

Competent authority

Without prejudice to the tasks entrusted to the Security Accreditation Board (SAB) referred to in Article 36 of Regulation (EU) 2021/696, the authority responsible for certifying and overseeing compliance with this Regulation shall be:

(a) with regard to organisations referred to in Article 2(1), point (a), the competent authority designated in accordance with Annex II (Part-145) to Regulation (EU) No 1321/2014;

(b) with regard to organisations referred to in Article 2(1), point (b), the competent authority designated in accordance with Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014;

(c) with regard to organisations referred to in Article 2(1), point (c), the competent authority designated in accordance with Annex III (Part-ORO) to Regulation (EU) No 965/2012;

(d) with regard to organisations referred to in Article 2(1), points (d) to (f), the competent authority designated in accordance with Annex VII (Part-ORA) to Regulation (EU) No 1178/2011;

(e) with regard to organisations referred to in Article 2(1), point (g), the competent authority designated in accordance with Article 6(2) of Regulation (EU) 2015/340;

(f) with regard to organisations referred to in Article 2(1), point (h), the competent authority designated in accordance with Article 4(1) of Implementing Regulation (EU) 2017/373;

(g) with regard to organisations referred to in Article 2(1), point (i), the competent authority designated in accordance with Article 14(1) or 14(2), as applicable, of Implementing Regulation (EU) 2021/664;

(h) with regard to organisations referred to in Article 2(1), point (j), the competent authority designated in accordance with Article 3(1) of Implementing Regulation (EU) 2023/1769.

Article 7

Submission of relevant information to NIS competent authorities

Competent authorities under this Regulation shall inform, without undue delay, the single point of contact designated in accordance with Article 8 of Directive (EU) 2016/1148 of any relevant information included in notifications submitted pursuant to point IS.I.OR.230 of Annex II to this Regulation and point IS.D.OR.230 of Annex I to Delegated Regulation (EU) 2022/1645 by operators of essential services identified in accordance with Article 5 of Directive (EU) 2016/1148.

Article 8

Amendment to Regulation (EU) No 1178/2011

Annexes VI (Part-ARA) and VII (Part-ORA) to Regulation (EU) No 1178/2011 are amended in accordance with Annex III to this Regulation.

Article 9

Amendment to Regulation (EU) No 748/2012

Annex I (Part 21) to Regulation (EU) No 748/2012 is amended in accordance with Annex IV to this Regulation.

Article 10

Amendment to Regulation (EU) No 965/2012

Annexes II (Part-ARO) and III (Part-ORO) to Regulation (EU) No 965/2012 are amended in accordance with Annex V to this Regulation.

Article 11

Amendment to Regulation (EU) No 139/2014

Annex II (Part-ADR.AR) to Regulation (EU) No 139/2014 is amended in accordance with Annex VI to this Regulation.

Article 12

Amendment to Regulation (EU) No 1321/2014

Annexes II (Part-145), III (Part-66) and Vc (Part-CAMO) to Regulation (EU) No 1321/2014 are amended in accordance with Annex VII to this Regulation.

Article 13

Amendment to Regulation (EU) 2015/340

Annexes II (Part ATCO.AR) and III (Part ATCO.OR) to Regulation (EU) 2015/340 are amended in accordance with Annex VIII to this Regulation.

Article 14

Amendment to Implementing Regulation (EU) 2017/373

Annexes II (Part-ATM/ANS.AR) and III (Part-ATM/ANS.OR) to Implementing Regulation (EU) 2017/373 are amended in accordance with Annex IX to this Regulation.

Article 15

Amendment to Implementing Regulation (EU) 2021/664

Implementing Regulation (EU) 2021/664 is amended as follows:

(1) in Article 15(1), point (f) is replaced by the following: ‘(f) implement and maintain a security management system in accordance with point ATM/ANS.OR.D.010 in Subpart D of Annex III to Implementing Regulation (EU) 2017/373 and an information security management system in accordance with Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203;’;

(2) in Article 18, the following point (l) is added: ‘(l) establish, implement and maintain an information security management system in accordance with Annex I (Part-IS.AR) to Implementing Regulation (EU) 2023/203.’.

Article 16

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 22 February 2026.

However, as regards the case of the EGNOS air navigation service provider subject to Implementing Regulation (EU) 2017/373 it shall apply from 1 January 2026.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

ANNEX I

INFORMATION SECURITY – AUTHORITY REQUIREMENTS

[PART-IS.AR]

IS.AR.100 Scope

This Part establishes the management requirements to be met by the competent authorities referred to in Article 2(2) of this Regulation.

The requirements to be met by those competent authorities for the performance of their certification, oversight and enforcement activities are contained in the Regulations referred to in Article 2(1) of this Regulation and in Article 2 of Delegated Regulation (EU) 2022/1645.

IS.AR.200 Information security management system (ISMS)

(a) In order to achieve the objectives set out in Article 1, the competent authority shall set up, implement and maintain an information security management system (ISMS) which ensures that the competent authority: (1) establishes a policy on information security setting out the overall principles of the competent authority with regard to the potential impact of information security risks on aviation safety; (2) identifies and reviews information security risks in accordance with point IS.AR.205; (3) defines and implements information security risk treatment measures in accordance with point IS.AR.210; (4) defines and implements, in accordance with point IS.AR.215, the measures required to detect information security events, identifies those which are considered incidents with a potential impact on aviation safety, and responds to, and recovers from, those information security incidents; (5) complies with the requirements contained in point IS.AR.220 when contracting any part of the activities described in point IS.AR.200 to other organisations; (6) complies with the personnel requirements contained in point IS.AR.225; (7) complies with the record-keeping requirements contained in point IS.AR.230; (8) monitors compliance of its own organisation with the requirements of this Regulation and provides feedback on findings to the person referred to in point IS.AR.225(a) to ensure effective implementation of corrective actions; (9) protects the confidentiality of any information that the competent authority may have related to organisations subject to its oversight and the information received through the organisation’s external reporting schemes established in accordance with point IS.I.OR.230 of Annex II (Part-IS.I.OR) to this Regulation and point IS.D.OR.230 of the Annex (Part-IS.D.OR) to Delegated Regulation (EU) 2022/1645; (10) notifies the Agency of changes that affect the capacity of the competent authority to perform its tasks and discharge its responsibilities as defined in this Regulation; (11) defines and implements procedures to share, as appropriate and in a practical and timely manner, relevant information to assist other competent authorities and agencies, as well as organisations subject to this Regulation, to conduct effective security risk assessments relating to their activities.

(b) In order to continuously meet the requirements referred to in Article 1, the competent authority shall implement a continuous improvement process in accordance with point IS.AR.235.

(c) The competent authority shall document all key processes, procedures, roles and responsibilities required to comply with point IS.AR.200(a) and establish a process for amending this documentation.

(d) The processes, procedures, roles and responsibilities established by the competent authority in order to comply with point IS.AR.200(a) shall correspond to the nature and complexity of its activities, based on an assessment of the information security risks inherent to those activities, and may be integrated within other existing management systems already implemented by the competent authority.

IS.AR.205 Information security risk assessment

(a) The competent authority shall identify all the elements of its own organisation which could be exposed to information security risks. This shall include: (1) the competent authority’s activities, facilities and resources, and the services the competent authority operates, provides, receives or maintains; (2) the equipment, systems, data and information that contribute to the functioning of the elements referred to in point (1).

(b) The competent authority shall identify the interfaces that its own organisation has with other organisations, and which could result in the mutual exposure to information security risks.

(c) For the elements and interfaces referred to in points (a) and (b), the competent authority shall identify the information security risks which may have a potential impact on aviation safety. For each identified risk, the competent authority shall: (1) assign a risk level according to a predefined classification established by the competent authority; (2) associate each risk and its level with the corresponding element or interface identified in accordance with points (a) and (b). The predefined classification referred to in point (1) shall take into account the potential of occurrence of the threat scenario and the severity of its safety consequences. Through this classification, and taking into account whether the competent authority has a structured and repeatable risk management process for operations, the competent authority shall be able to establish whether the risk is acceptable or needs to be treated in accordance with point IS.AR.210. In order to facilitate the mutual comparability of risk assessments, the assignment of the risk level per point (1) shall take into account relevant information acquired in coordination with the organisations referred to in point (b).

(d) The competent authority shall review and update the risk assessment carried out in accordance with points (a), (b) and (c) in any of the following cases: (1) there is a change in the elements subject to information security risks; (2) there is a change in the interfaces between the competent authority’s organisation and other organisations, or in the risks communicated by the other organisations; (3) there is a change in the information or knowledge used for the identification, analysis and classification of risks; (4) there are lessons learnt from the analysis of information security incidents.

IS.AR.210 Information security risk treatment

(a) The competent authority shall develop measures to address unacceptable risks identified in accordance with point IS.AR.205, shall implement them in a timely manner and shall check their continued effectiveness. Those measures shall enable the competent authority to: (1) control the circumstances that contribute to the effective occurrence of the threat scenario; (2) reduce the consequences to aviation safety associated with the materialisation of the threat scenario; (3) avoid the risks. Those measures shall not introduce any new potential unacceptable risks to aviation safety.

(b) The person referred to in point IS.AR.225(a) and other affected personnel of the competent authority shall be informed of the outcome of the risk assessment carried out in accordance with point IS.AR.205, the corresponding threat scenarios and the measures to be implemented. The competent authority shall also inform organisations with which it has an interface in accordance with point IS.AR.205(b) of any risk shared between the competent authority and the organisation.

IS.AR.215 Information security incidents – detection, response and recovery

(a) Based on the outcome of the risk assessment carried out in accordance with point IS.AR.205 and the outcome of the risk treatment performed in accordance with point IS.AR.210, the competent authority shall implement measures to detect events that indicate the potential materialisation of unacceptable risks and which may have a potential impact on aviation safety. Those detection measures shall enable the competent authority to: (1) identify deviations from predetermined functional performance baselines; (2) trigger warnings to activate proper response measures, in case of any deviation.

(b) The competent authority shall implement measures to respond to any event conditions identified in accordance with point (a) that may develop or have developed into an information security incident. Those response measures shall enable the competent authority to: (1) initiate the reaction of its own organisation to the warnings referred to in point (a)(2) by activating predefined resources and course of actions; (2) contain the spread of an attack and avoid the full materialisation of a threat scenario; (3) control the failure mode of the affected elements defined in point IS.AR.205(a).

(c) The competent authority shall implement measures aimed at recovering from information security incidents, including emergency measures, if needed. Those recovery measures shall enable the competent authority to: (1) remove the condition that caused the incident, or constrain it to a tolerable level; (2) restore a safe state of the affected elements defined in point IS.AR.205(a) within a recovery time previously defined by its own organisation.

IS.AR.220 Contracting of information security management activities
