21.B.25 Management system

(a)     The competent authority shall establish and maintain a management system, including as a minimum:

1.       documented policies and procedures to describe its organisation, the means and methods for establishing compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts. The procedures shall be kept up to date, and serve as the basic working documents within that competent authority for all its related tasks;

2.       a sufficient number of personnel to perform its tasks and discharge its responsibilities. A system shall be in place to plan the availability of personnel in order to ensure the proper completion of all tasks;

3.       personnel that are qualified to perform their allocated tasks and that have the necessary knowledge and experience, and receive initial and recurrent training to ensure continuing competency;

4.       adequate facilities and office accommodation for personnel to perform their allocated tasks;

5.       a function to monitor the compliance of the management system with the relevant requirements, and the adequacy of the procedures, including the establishment of an internal audit process and a safety risk management process. Compliance monitoring shall include a feedback system of audit findings to the senior management of the competent authority to ensure the implementation of corrective actions as necessary;

6.       a person or group of persons having a responsibility to the senior management of the competent authority for the compliance monitoring function.

(b)     The competent authority shall, for each field of activity, including the management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).

(c)      The competent authority shall establish procedures for the participation in a mutual exchange of all necessary information and assistance with any other competent authorities concerned, whether from the same Member State or from other Member States, including on:

1.       all findings raised and any follow-up actions taken as a result of the oversight of persons and organisations that carry out activities in the territory of a Member State, but certified by the competent authority of another Member State or by the Agency;

2.       information stemming from mandatory and voluntary occurrence reporting as required by 21.A.3A.

(d)     A copy of the procedures related to the management system of the competent authority of the Member State and their amendments shall be made available to the Agency for the purpose of standardisation.

(e)     In addition to the requirements contained in point (a), the management system established and maintained by the competent authority shall comply with Annex I (Part‑IS.AR) to Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.

[point (e) is applicable from 22 February 2026 – Regulation (EU) 2023/203]