What does IS.D.OR.215 say about cooperation on investigations?

The organization shall cooperate on investigations with any other organization that has a significant contribution to the information security of its own activities.

According to IS.D.OR.215, what should the internal reporting scheme and related processes enable the organization to do?

The scheme and processes should enable the organization to: (1) identify information security incidents or vulnerabilities with a potential impact on aviation safety; (2) identify the causes of, and contributing factors to, these incidents and vulnerabilities, and address them as part of the risk management process; (3) ensure an evaluation of all known, relevant information relating to the incidents and vulnerabilities; and (4) ensure the implementation of a method to distribute information internally as necessary.

Can the information security reporting scheme be integrated with other reporting schemes according to IS.D.OR.215?

Yes, the organization may integrate the information security reporting scheme with other reporting schemes it has already implemented.

What are the reporting requirements for contracted organizations according to IS.D.OR.215?

Any contracted organization which may expose the organization to information security risks with a potential impact on aviation safety shall be required to report information security events to the organization. These reports shall be submitted using the procedures established in the specific contractual arrangements and shall be evaluated in accordance with point (b).

IS.D.OR.215 Information security internal reporting scheme

Q: When does Regulation (EU) 2022/1645, related to information security internal reporting scheme, become applicable?

Regulation (EU) 2022/1645, related to information security internal reporting scheme, becomes applicable on 16 October 2025.

Q: What is the purpose of the information security internal reporting scheme according to IS.D.OR.215?

The information security internal reporting scheme is established to enable the collection and evaluation of information security events, including those to be reported pursuant to point IS.D.OR.230.

Navigate / EASA

Ask question Discover more Add to collection

IS.D.OR.215 Information security internal reporting scheme

Regulation (EU) 2022/1645

(a) The organisation shall establish an internal reporting scheme to enable the collection and evaluation of information security events, including those to be reported pursuant to point IS.D.OR.230.

(b) That scheme and the process referred to in point IS.D.OR.220 shall enable the organisation to:

(1) identify which of the events reported pursuant to point (a) are considered information security incidents or vulnerabilities with a potential impact on aviation safety;

(2) identify the causes of, and contributing factors to, the information security incidents and vulnerabilities identified in accordance with point (1), and address them as part of the information security risk management process in accordance with points IS.D.OR.205 and IS.D.OR.220;

(3) ensure an evaluation of all known, relevant information relating to the information security incidents and vulnerabilities identified in accordance with point (1;)

(4) ensure the implementation of a method to distribute internally the information as necessary.

(c) Any contracted organisation which may expose the organisation to information security risks with a potential impact on aviation safety shall be required to report information security events to the organisation. Those reports shall be submitted using the procedures established in the specific contractual arrangements and shall be evaluated in accordance with point (b).

(d) The organisation shall cooperate on investigations with any other organisation that has a significant contribution to the information security of its own activities.

(e) The organisation may integrate that reporting scheme with other reporting schemes it has already implemented.

Details

Source-Title: IS.D.OR.215 Information security internal reporting scheme

Erulesid: ERULES-1963177438-19912 Compare versions

Domain: Information Security (IS)

Applicabilitydate: 16 October 2025

Entryintoforcedate: 16 October 2022

Regulatorysource: Regulation (EU) 2022/1645 Navigate

Regulatorysubject: Part-IS.D.OR

Typeofcontent: DR (Delegated rule)

Origin: EASA

Category: EAR

Details

Related sections: