Considerations Related to the Requirements of Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 – Information Security

Sofema Online (SOL) www.sofemaonline.com – considers the specific requirements driven by EU 2023/203 (Information Security and Cyber Risks)

Introduction & Background

» Continuing airworthiness management organisations and maintenance organisations are to implement and maintain a management system to manage safety risks. (Ref Annex II, point 3.1(b), to Regulation (EU) 2018/1139)
» Pilot training organisations, cabin crew training organisations, aero-medical centres for aircrew and operators of flight simulation training devices are to implement and maintain a management system to manage safety risks. (Ref Annex IV, point 3.3(b) and point 5(b), to Regulation (EU) 2018/1139)
» Air operators are to implement and maintain a management system to manage safety risks. (Ref Annex V, point 8.1(c), to Regulation (EU) 2018/1139)
» Air traffic management and air navigation service providers, U-space service providers and single common information service providers, and training organisations and aero-medical centres for air traffic controllers are to implement and maintain a management system to manage safety risks. (Ref Annex VIII, point 5.1(c) and point 5.4(b), to Regulation (EU) 2018/1139)

Sources of Safety Risks include Information Security Threats

» Those safety risks may derive from different sources, such as design and maintenance flaws, human performance aspects, environmental threats and information security threats.
» Therefore, the management systems implemented by the European Union Aviation Safety Agency (‘the Agency’) and the national competent authorities and organisations referred to above should take into account:

o Not only safety risks stemming from random events
o But also safety risks deriving from information security threats where existing flaws may be exploited by individuals with malicious intent.

Information Security Risks

Information security risks are constantly increasing in the civil aviation environment as the current information systems are becoming more and more interconnected, and increasingly becoming the target of malicious actors.

» The risks associated with those information systems are not limited to possible attacks on cyberspace but also encompass threats that may affect processes and procedures as well as the performance of human beings.

Perceived Shortfall in Standard ISO 27001 information security management system

ISO 27001, formally known as ISO/IEC 27001:2022, is an information security standard created by the International Organization for Standardization (ISO), which provides a framework and guidelines for establishing, implementing and managing an information security management system (ISMS).

» A significant number of organisations already use international standards, such as ISO 27001, in order to address the security of digital information and data.

o Those standards may not fully address all the specificities of civil aviation. Therefore, it is appropriate to set out requirements for the management of information security risks with a potential impact on aviation safety.

» It is essential that those requirements cover all aviation domains and their interfaces since aviation is a highly interconnected system of systems. Therefore, they should apply to all the organisations and competent authorities covered by Commission Regulations

- (EU) No 748/2012
- (EU) No 1321/2014
- (EU) No 965/2012
- (EU) No 1178/2011
- (EU) 2015/340
- (EU) No 139/2014

» Commission Implementing Regulation (EU) 2021/664 (unmanned aircraft systems (‘UAS’))
» Also, those that are already required to have a management system in accordance with the existing Union aviation safety legislation. However, some organisations should be excluded from the scope of this Regulation in order to ensure appropriate proportionality to the lower information security risks they pose to the aviation system.

Required Actions – Implementation Due 22nd Feb 2026

Establish, implement and maintain an information security management system in accordance with Annex I (Part-IS.AR) to Implementing Regulation (EU) 2023/203.

IS.I.OR.100 Scope - This Part establishes the requirements to be met by the organisations referred to in Article 2(1) of this Regulation.

IS.I.OR.200 - Information security management system (ISMS)

(a) In order to achieve the objectives set out in Article 1, the organisation shall set up, implement and maintain an information security management system (ISMS) which ensures that the organisation:

» establishes a policy on information security setting out the overall principles of the organisation with regard to the potential impact of information security risks on aviation safety;
» identifies and reviews information security risks in accordance with point IS.I.OR.205;
» defines and implements information security risk treatment measures in accordance with point IS.I.OR.210;
» implements an information security internal reporting scheme in accordance with point IS.I.OR.215;
» defines and implements, in accordance with point IS.I.OR.220, the measures required to detect information security events, identifies those events which are considered incidents with a potential impact on aviation safety except as permitted by point IS.I.OR.205(e), and responds to, and recovers from, those information security incidents;
» implements the measures that have been notified by the competent authority as an immediate reaction to an information security incident or vulnerability with an impact on aviation safety;
» takes appropriate action, in accordance with point IS.I.OR.225, to address findings notified by the competent authority;
» implements an external reporting scheme in accordance with point IS.I.OR.230 in order to enable the competent authority to take appropriate actions;
» complies with the requirements contained in point IS.I.OR.235 when contracting any part of the activities referred to in point IS.I.OR.200 to other organisations;
» complies with the personnel requirements laid down in point IS.I.OR.240;
» complies with the record-keeping requirements laid down in point IS.I.OR.245;
» monitors compliance of the organisation with the requirements of this Regulation and provides feedback on findings to the accountable manager to ensure effective implementation of corrective actions;
» protects, without prejudice to applicable incident reporting requirements, the confidentiality of any information that the organisation may have received from other organisations, according to its level of sensitivity.

(b) In order to continuously meet the requirements referred to in Article 1, the organisation shall implement a continuous improvement process in accordance with point IS.I.OR.260.

(c) The organisation shall document, in accordance with point IS.I.OR.250, all key processes, procedures, roles and responsibilities required to comply with point IS.I.OR.200(a), and shall establish a process for amending that documentation. Changes to those processes, procedures, roles and responsibilities shall be managed in accordance with point IS.I.OR.255.

(d) The processes, procedures, roles and responsibilities established by the organisation in order to comply with point IS.I.OR.200(a) shall correspond to the nature and complexity of its activities, based on an assessment of the information security risks inherent to those activities, and may be integrated within other existing management systems already implemented by the organisation.

Potential For Dispensation

(e) Without prejudice to the obligation to comply with the reporting requirements laid down in Regulation (EU) No 376/2014 and the requirements laid down in point IS.I.OR.200 (a)(13), the organisation may be approved by the competent authority not to implement the requirements referred to in points (a) to (d) and the related requirements contained in points IS.I.OR.205 through IS.I.OR.260, if it demonstrates to the satisfaction of that authority that its activities, facilities and resources, as well as the services it operates, provides, receives and maintains, do not pose any information security risks with a potential impact on aviation safety neither to itself nor to other organisations.

The approval shall be based on a documented information security risk assessment carried out by the organisation or a third party in accordance with point IS.I.OR.205 and reviewed and approved by its competent authority.

The continued validity of that approval will be reviewed by the competent authority following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.

Next Steps

Sofema Aviation Services www.sassofia.com and Sofema Online www.sofemaonline.com provide Part 21 Aviation Safety Management System Training as Classroom, Webinar & Online courses – for additional information please email team@sassofia.com