EASA Part 145 Changes Which Impact the Role of the Competent Authority


Sofema Online (SOL) www.sofemaonline.com considers the requirements introduced following the release of Annex VI to ED Decision 2023/010/R ‘AMC and GM to Part-145 — Issue 2, Amendment 6’

Background

According to EASA, the current European aviation safety regulatory framework contains a series of requirements which are aimed at reducing the likelihood of an accident happening.

>> This combination of requirements allows that even if an error, mistake and/or deficiency happens, it should not create a hazardous situation that could result in an accident or serious incident.

>> Consequently, an accident or serious incident would only happen in the remote random event of several deficiencies happening simultaneously and, by chance, aligning themselves.

>> The concern is that not enough focus may have been put in properly addressing the situation where existing flaws in different areas are aligned on purpose and exploited by individuals with a malicious intent, no longer being a random event.

>> Such a risk is constantly increasing in the civil aviation environment as the current information systems are becoming more and more interconnected.

Introduction To New Requirements

The Annex to Decision 2015/029/R of 17 December 2015 of the Executive Director of the Agency is amended as follows:

AMC1 145.B.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

(a) To appropriately collect and analyse information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should implement means that ensure the necessary confidentiality.

(b) When disseminating information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should properly select the appropriate recipient(s) to prevent the content of a report from being exploited to the detriment of aviation safety, by revealing, for instance, uncorrected vulnerabilities.

GM1 145.B.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

When deemed necessary, a two-step mechanism could be used:

>> A report alerting about the information security event or incident and the availability of additional data that would require controlled and confidential distribution. This report should only alert recipients of the urgency and the necessity for organisations and competent authorities to establish further communication through secure means.

>> Therefore, the report should consist of two parts:

>> one limited to mostly public information and

>> one containing the sensitive data that should be restricted to the recipients who need to know.

Wherever possible, reports should be based on an agreed taxonomy.

Next Steps

Follow this link to our Library to find and download related documents for free.

Please see the following course: EASA Part 145 – 2023 Regulatory Update for Quality & Safety Personnel – 1 Day, or visit www.sassofia.com or email team@sassofia.com.

 
