IS.D.OR.230 Information security external reporting scheme
Regulation (EU) 2022/1645
found in: Information Security (No 2023/203 and 2022/1645) Part-IS (Jun 2024)
(a) The organisation shall implement an information security reporting system that complies with the requirements laid down in Regulation (EU) No 376/2014 and its delegated and implementing acts if that Regulation is applicable to the organisation.

(b) Without prejudice to the obligations of Regulation (EU) 376/2014, the organisation shall ensure that any information security incident or vulnerability, which may represent a significant risk to aviation safety, is reported to their competent authority. Furthermore:

    (1) where such an incident or vulnerability affects an aircraft or associated system or component, the organisation shall also report it to the design approval holder;

    (2) where such an incident or vulnerability affects a system or constituent used by the organisation, the organisation shall report it to the organisation responsible for the design of the system or constituent.

(c) The organisation shall report the conditions referred to in point (b) as follows:

    (1) a notification shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, as soon as the condition has been known to the organisation;

    (2) a report shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, as soon as possible, but not exceeding 72 hours from the time the condition has been known to the organisation, unless exceptional circumstances prevent this. The report shall be made in the form defined by the competent authority and shall contain all relevant information about the condition known to the organisation;

    (3) a follow-up report shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, providing details of the actions the organisation has taken or intends to take to recover from the incident and the actions it intends to take to prevent similar information security incidents in the future. The follow-up report shall be submitted as soon as those actions have been identified, and shall be produced in the form defined by the competent authority.