EUR-Lex Regulation 2025/0022

COMMISSION DELEGATED REGULATION (EU) 2025/22

of 19 December 2024

amending Delegated Regulation (EU) 2022/1645 as regards requirements on information security for organisations providing ground handling services

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (1), and in particular Article 39(1)(e) thereof,

Whereas:

(1)

Regulation (EU) 2018/1139 establishes the essential requirements for the safe provision of ground handling services and organisations providing them, as well as requirements for oversight by competent authorities of those organisations and the ground handling services provided at the Union aerodromes within the scope of that Regulation.

(2)

In accordance with the essential requirements set out in Annex VII, point 4.2.1, to Regulation (EU) 2018/1139 and with Commission Delegated Regulation (EU) 2025/20 (2), organisations responsible for the safe provision of ground handling services are to implement and maintain a management system to manage safety risks. Such safety risks may derive also from information security threats. The risks of this nature should be properly addressed by organisations providing GH services. To enable this, the scope of Commission Delegated Regulation (EU) 2022/1645 (3) should be amended to include organisations providing ground handling service.

(3)

Organisations subject to Delegated Regulation (EU) 2022/1645 such as the ground handling organisations and the organisations providing apron management services operate under a declaration regime. This implies that their management system or any of its components do not need to be approved by their competent authorities. The same regime should allow these organisations to apply the information security provisions without being required to have their information security management manual or the process to manage changes approved by the competent authority. The requirements related to these elements should be amended to reflect this exemption for the declaring organisations.

(4)

Organisations covered by this Regulation that are already subject to security requirements arising from Commission Implementing Regulation (EU) 2015/1998 (4) should also comply with the requirements of Annex I (Part IS.D.OR.230 ‘Information security external reporting scheme’) to Delegated Regulation (EU) 2022/1645 as Implementing Regulation (EU) 2015/1998 does not contain any provisions related to external reporting of information security incidents.

(5)

The requirements laid down in this Regulation are based on Opinion No 01/2024 (5), issued by the Agency in accordance with Article 75(2) points (b) and (c) and Article 76(1) of Regulation (EU) 2018/1139.

(6)

In accordance with Article 128(4) of Regulation (EU) 2018/1139, the Commission consulted experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (6).

(7)

In order to provide organisations with sufficient time to ensure compliance with the new rules and procedures introduced by this Regulation, this Regulation should apply from 6 years after the date of entry into force,

HAS ADOPTED THIS REGULATION:

Article 1

Delegated Regulation (EU) 2022/1645 is amended as follows:

(1)

in Article 2(1), the following point (c) is added:

‘(c)

ground handling organisations subject to Commission Delegated Regulation (EU) 2025/20 (*1) that:

(i)

in order to provide the respective services, have to collect, store, analyse or otherwise process data provided by third parties; or

(ii)

provide directly to aircraft operators data that will be used for operational purposes.

(*1)  Commission Delegated Regulation (EU) 2025/20 of 19 December 2024 supplementing Regulation (EU) 2018/1139 of the European Parliament and of the Council by laying down requirements for the safe provision of ground handling services and for organisations providing them (OJ L, 2025/20, 7.3.2025, ELI: http://data.europa.eu/eli/reg_del/2025/20/oj).’;

(2)

in Article 5(1), the following point (c) is added:

‘(c)

with regard to organisations referred to in Article 2 point (c), the competent authority designated in accordance with the Annex (Part-ARGH) to Commission Implementing Regulation (EU) 2025/23 (*2).

(*2)  Commission Implementing Regulation (EU) 2025/23 of 19 December 2024 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the oversight of ground handling services and organisations providing them (OJ L, 2025/23, 7.3.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/23/oj).’.

Article 2

The Annex to Delegated Regulation (EU) 2022/1645 is amended in accordance with the Annex to this Regulation.

Article 3

1.   This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.   Article 1 shall apply from 27 March 2031.

3.   Article 2 shall apply from 16 October 2025.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 19 December 2024.

For the Commission

The President

Ursula VON DER LEYEN

ANNEX

The Annex to Delegated Regulation (EU) 2022/1645 is amended as follows:

(1)

point IS.D.OR.200(a)(5) is amended as follows:

‘(5)

defines and implements, in accordance with point IS.D.OR.220, the measures required to detect information security events, identifies those events which are considered incidents with a potential impact on aviation safety, and responds to, and recovers from, those information security incidents;’;

(2)

points (b) and (c) of IS.D.OR.250 are amended as follows:

‘(b)

The initial issue of the ISMM shall be approved and a copy shall be retained by the competent authority. An approval shall not be required for declaring organisations. The ISMM shall be amended as necessary to remain an up-to-date description of the ISMS of the organisation. A copy of any amendments to the ISMM shall be provided to the competent authority.

(c)

Amendments to the ISMM shall be managed in a procedure established by the organisation. Any amendments that are not included within the scope of this procedure and any amendments related to the changes referred to in point IS.D.OR.255(b), shall be approved by the competent authority. An approval shall not be required for declaring organisations.’;

(3)

Point IS.D.OR.255 is replaced by the following:

‘IS.D.OR.255   Changes to the information security management system

(a)

Changes to the ISMS may be managed and notified to the competent authority in a procedure developed by the organisation. This procedure shall be approved by the competent authority, except for declaring organisations.

(b)

With regard to changes to the ISMS not covered by the procedure referred to in point (a), the organisation shall apply for and obtain an approval issued by the competent authority, except for declaring organisations, for which an approval is not required.

With regard to these changes:

(1)

the application shall be submitted before any such change takes place, in order to enable the competent authority to determine continued compliance with this Regulation and to amend, if necessary, the organisation certificate and related terms of approval attached to it;

(2)

the organisation shall make available to the competent authority any information it requests to evaluate the change;

(3)

the change shall be implemented only upon receipt of a formal approval by the competent authority, except for declaring organisations, which may implement the change immediately;

(4)

the organisation shall operate under the conditions prescribed by the competent authority during the implementation of such changes.’.
