Powers and recital
Available versions for ERULES-1963177438-19946
Regulation (EU) 2023/203
found in: EAR for Information Security_download
THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91, and in particular Articles 17(1) point (b), 27(1) point (a), 31(1) point (b), 43(1) point (b), 53(1) point (a) and 62(15) point (c) thereof,

Whereas:

(1) In accordance with the essential requirements set out in Annex II, point 3.1(b), to Regulation (EU) 2018/1139, continuing airworthiness management organisations and maintenance organisations are to implement and maintain a management system to manage safety risks.

(2) In addition, in accordance with the essential requirements set out in Annex IV, point 3.3(b) and point 5(b), to Regulation (EU) 2018/1139, pilot training organisations, cabin crew training organisations, aero-medical centres for aircrew and operators of flight simulation training devices are to implement and maintain a management system to manage safety risks.

(3) Moreover, in accordance with the essential requirements set out in Annex V, point 8.1(c), to Regulation (EU) 2018/1139, air operators are to implement and maintain a management system to manage safety risks.

(4) Furthermore, in accordance with the essential requirements set out in Annex VIII, point 5.1(c) and point 5.4(b), to Regulation (EU) 2018/1139, air traffic management and air navigation service providers, U-space service providers and single common information service providers, and training organisations and aero-medical centres for air traffic controllers are to implement and maintain a management system to manage safety risks.

(5) Those safety risks may derive from different sources, such as design and maintenance flaws, human performance aspects, environmental threats and information security threats. Therefore, the management systems implemented by the European Union Aviation Safety Agency (‘the Agency’) and the national competent authorities and organisations referred to in the recitals above, should take into account not only safety risks stemming from random events, but also safety risks deriving from information security threats where existing flaws may be exploited by individuals with a malicious intent. Those information security risks are constantly increasing in the civil aviation environment as the current information systems are becoming more and more interconnected, and increasingly becoming the target of malicious actors.

(6) The risks associated with those information systems are not limited to possible attacks to the cyberspace, but encompass also threats, which may affect processes and procedures as well as the performance of human beings.

(7) A significant number of organisations already use international standards, such as ISO 27001, in order to address the security of digital information and data. Those standards may not fully address all the specificities of civil aviation. Therefore, it is appropriate to set out requirements for the management of information security risks with a potential impact on aviation safety.

(8) It is essential that those requirements cover all aviation domains and their interfaces, since aviation is a highly interconnected system of systems. Therefore, they should apply to all the organisations and competent authorities covered by Regulation (EU) No 748/2012, Regulation (EU) No 1321/2014, Regulation (EU) No 965/2012, Regulation (EU) No 1178/2011, Regulation (EU) 2015/340, Regulation (EU) No 139/2014 and Regulation (EU) 2021/664, also those that are already required to have a management system in accordance with the existing Union aviation safety legislation. However, some organisations should be excluded from the scope of this Regulation in order to ensure appropriate proportionality to the lower information security risks they pose to the aviation system.

(9) The requirements laid down in this Regulation should ensure a consistent implementation across all aviation domains, while creating a minimal impact on the Union aviation safety legislation already applicable to those domains.

(10) The requirements laid down in this Regulation should be without prejudice to information security and cybersecurity requirements laid down in Point 1.7 of the Annex to Commission Implementing Regulation (EU) 2015/1998 and in Article 14 of Directive (EU) 2016/1148 of the European Parliament and of the Council.

(11) The security requirements laid down in Articles 33 to 43 of Title V “Security of the Programme” of Regulation (EU) 2021/696 of the European Parliament and of the Council are considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation which should be complied with.

(12) In order to provide legal certainty, the interpretation of the term ‘information security’ as defined in this Regulation, reflecting its common use in civil aviation globally, should be considered as being consistent with that of the term ‘security of network and information systems’ as defined in Article 4(2) of Directive (EU) 2016/1148. The definition of information security used for the purposes of this Regulation should not be interpreted as divergent from the definition of security of network and information systems laid down in Directive (EU) 2016/1148.

(13) In order to avoid duplication of legal requirements, where organisations covered by this Regulation are already subject to security requirements arising from Union acts referred to in recitals (10) and (11) which are in their effect equivalent to the provisions laid down in this Regulation, compliance with those security requirements should be considered to constitute compliance with the requirements laid down in this Regulation.

(14) Organisations covered by this Regulation that are already subject to security requirements arising from Regulation (EU) 2015/1998 or Regulation (EU) 2021/696, or both, should also comply with the requirements of Annex II (Part IS.I.OR.230 “Information security external reporting scheme”) to this Regulation as neither Regulation contains provisions related to external reporting of information security incidents.

(15) For the sake of completeness, Regulations (EU) No 1178/2011, No 748/2012, No 965/2012, No 139/2014, No 1321/2014, 2015/340, 2017/373 and 2021/664 should be amended in order to introduce the information security management system requirements prescribed in this Regulation together with the management systems set out therein, and to set out the competent authorities’ requirements as regards the oversight of organisations implementing the aforementioned information security management requirements.

(16) In order to provide organisations with sufficient time to ensure compliance with the new rules and procedures, this Regulation should apply 3 years after its entry into force, except for the air navigation service provider of the European Geostationary Navigation Overlay Service (EGNOS) defined in Commission Implementing Regulation (EU) 2017/373, where due to the ongoing security accreditation of the EGNOS system and services in line with Regulation (EU) 2021/696, it should become applicable from 1 January 2026.

(17) The requirements laid down in this Regulation are based on Opinion No 03/2021, issued by the Agency in accordance with Article 75(2) points (b) and (c) and Article 76(1) of Regulation (EU) 2018/1139.

(18) The requirements laid down in this Regulation are in accordance with the opinion of the Committee for the application of common safety rules in the field of civil aviation established by Article 127 of Regulation (EU) 2018/1139,

HAS ADOPTED THIS REGULATION: