The EU cybersecurity regulations for civil aviation and what they mean for airlines, airports & co.

Aviation organisations and authorities, together with their assets, are an integral part of aviation products and the associated technologies. Those assets include people, processes and other intangible assets, and they must be protected against information security risks that could affect aviation safety.

New requirements, referred to as Part-IS ("Information Security"), have therefore been created for organisations and authorities across the aviation sector, covering the management of information security risks that could have an impact on aviation safety.


Cybersecurity is a must in international aviation
Airports, airlines and other stakeholders should familiarise themselves with the new provisions in good time

The new European regulations on this - Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203 - cover the identification and management of information security risks that could affect information and communication technology systems and data used for civil aviation purposes. They further cover the detection of information security events, the identification of those events that qualify as information security incidents, and the response to such incidents. Finally, they regulate recovery to an appropriate level of safety after an incident.

From when and for whom do the new cybersecurity regulations apply?

The Part-IS requirements apply from 16 October 2025 to the following organisations (with certain exceptions):

  • aerodrome operators and apron management service providers

  • production organisations and design organisations

The Part-IS requirements apply to all other organisations and authorities (with certain exceptions) from 22 February 2026:

  • airlines

  • maintenance organisations

  • continuing airworthiness management organisations (CAMO)

  • approved training organisations (ATO)

  • aircrew aero-medical centres

  • flight simulation training device operators

  • air traffic controller training organisations (ATCO TO) and ATCO aero-medical centres

  • air navigation service providers

  • U-Space service providers

  • the respective competent authorities, including EASA (Austria has four aviation authorities; within the scope of these regulations, the Supreme Civil Aviation Authority (Ministry of Transport) and Austro Control are the relevant ones)

Content of the requirements

The central requirement for the organisations and authorities subject to these regulations, and the essential element of the Cybersecurity Regulations, is the establishment of an information security management system (ISMS). Such a system must be able to identify and protect against information security risks, detect security incidents, respond to them appropriately and restore an appropriate level of safety after an incident.


In particular, and by analogy with existing aviation-specific management systems, it requires the definition of responsibilities and accountabilities and the appointment of an accountable manager; the identification and review of information security risks; the assessment of those risks; the development of corresponding measures; competent and trained personnel; and a monitoring function for compliance with the requirements. The Cybersecurity Regulations also provide for an internal and an external reporting scheme and for the creation of an information security management manual (ISMM).

The ISMS may be integrated into other management systems that already exist in the organisation (e.g. the safety management system or the security management system).

Requirements already arising from other Union legislation (Regulation 300/2008 and NIS Directive)

The Cybersecurity Regulations provide that, where an organisation is an operator or entity referred to in a Member State's national civil aviation security programme under Article 10 of Regulation (EC) No 300/2008 on common rules in the field of civil aviation security, the cybersecurity requirements set out in point 1.7 of the Annex to Implementing Regulation (EU) 2015/1998 are considered equivalent to the requirements of the Cybersecurity Regulations (with the exception of the Part-IS provisions on the external reporting scheme).


Regulation (EC) No 300/2008 and its implementing provisions in Regulation (EU) 2015/1998 contain the basic rules that must be complied with throughout the European Union to protect civil aviation against acts of unlawful interference such as terrorist attacks; these rules apply to airports, airlines and a number of other companies.


Finally, under the Cybersecurity Regulations, compliance with the security requirements set out in Article 14 of Directive (EU) 2016/1148 ("NIS Directive"), where those are equivalent to the requirements of these Regulations, is deemed to constitute compliance with the Cybersecurity Regulations.


The NIS Directive introduces specific security requirements and reporting obligations for operators of essential services in certain sectors of the economy, with the aim of promoting a culture of risk management and ensuring that the most serious security incidents are reported. In Austria, the NIS Directive is implemented by the "NIS Act" and the "Network and Information Systems Security Regulation".


In the transport sector, subsector air transport, the following services are therefore classified as essential services because of their importance for maintaining public transport:

  • the carriage of passengers in commercial air transport by an air carrier that carries more than 33% of the passengers handled annually at an airport handling more than ten million passengers per year;

  • in the field of airport operations, ground handling (in particular passenger handling and baggage handling) and the operation of security systems at an airport handling more than ten million passengers per year;

  • in the field of air traffic control:

- air navigation services provided by bodies responsible for air navigation services as a sovereign task of the Federal Government under the Aviation Act ("LFG");

- aerodrome control services at an airport handling more than ten million passengers per year.

As a result, there are currently three operators of essential services in the air transport subsector in Austria: Austrian Airlines AG, Flughafen Wien AG and Austro Control GmbH.


Attorney Aviation Law


Dr. Simon Harald Baier LL.M. advises on all issues of aviation law and business law.
