EASA proposes new rules to protect against cyber attacks

The European Union Aviation Safety Agency (EASA) has published an Opinion on Management of Information Security Risks.

The European Union Aviation Safety Agency (EASA) has published an Opinion on Management of Information Security Risks, aimed at safeguarding the entire civil aviation system against potential safety effects caused by cyberattacks.

As information systems become increasingly interconnected and are more often the target of malicious acts (whether directly or indirectly), the risk of such attacks, events and incidents in civil aviation is constantly increasing. The proposed new rules are intended to make the aviation system more resilient to these information security events.

“Such attacks typically target the weakest link in the chain,” said EASA Executive Director Patrick Ky. “We need to take a holistic view to guard against situations where one weak link can compromise the entire aviation system. This Opinion is an important milestone in mitigating these emerging and growing risks.”

The Opinion defines ways to identify and manage information security risks which could affect communication technology systems and data used for civil aviation purposes, and so in turn have an impact on aviation safety. In particular, it proposes the introduction of an information security management system (ISMS) for the competent authorities – including EASA – and for organisations in all aviation domains, and requires them to report incidents and vulnerabilities related to information security.

This ISMS will complement the existing management systems which these organisations and authorities already have in place.

In an indication of its breadth, the scope of organisations covered by the Opinion is listed as follows: production and design organisations, air operators, maintenance organisations, continuing airworthiness management organisations (CAMOs), training organisations, aero-medical centres, operators of flight simulation training devices (FSTDs), air traffic management/air navigation services (ATM/ANS) providers, U-space service providers and single common information service providers, aerodrome operators and apron management service providers.

The proposed provisions include high-level, performance-based requirements, and will be supported by acceptable means of compliance, guidance material, and industry standards.

The proposed measures should contribute to the creation of a seamless and consistent regulatory framework where the interfaces between security and safety are appropriately covered, and where special attention is paid to avoiding gaps, loopholes and duplications with other information security and cybersecurity requirements, such as those contained in Commission Implementing Regulation (EU) 2015/1998 and in the national requirements stemming from Directive (EU) 2016/1148 (NIS Directive).

The Opinion was developed in close coordination, consultation and discussion with the European Strategic Coordination Platform (ESCP). It will now enter the adoption process of the European Commission.
