Sofema Aviation Services (SAS) Considers the key elements of EASA Information & Cyber Security Regulatory Obligations
Introduction
Commission Delegated Regulation (EU) 2022/1645 establishes requirements for managing information security risks with a potential impact on aviation safety. It applies from 16 October 2025.
- For Part 21 Design Organisations (DOs) and Production Organisations (POs), it requires an Information Security Management System (ISMS) to protect the systems, data and processes that can affect aviation safety from cyber threats. (The same regulation also covers aerodrome operators under Regulation (EU) No 139/2014; this article addresses the Part 21 obligations.)
Note: Regulation (EU) 2022/1645 amends Regulation (EU) No 748/2012 by adding information security management requirements to Subpart G (Production Organisations, point 21.A.139A) and Subpart J (Design Organisations, point 21.A.239A) of Part 21. The detailed ISMS requirements themselves are set out in Part-IS.D.OR, annexed to the regulation.
Key Challenges for Part 21 Design and Production Organisations – Implementation of an Information Security Management System (ISMS)
Both DOs and POs must implement and maintain an Information Security Management System (ISMS), which includes:
- Identifying and managing information security risks that may impact aviation safety.
- Establishing procedures for internal incident reporting and for external reporting of information security incidents to the competent authority.
- Ensuring a continuous improvement process for the ISMS.
Challenges:
- Lack of cybersecurity expertise: Many organisations may not have personnel skilled in information security risk management.
- Integration with existing safety management systems (SMS): Organisations must ensure the ISMS is effectively integrated with their existing safety processes.
- Cost implications: Implementing an ISMS requires investments in training, infrastructure, and compliance monitoring.
Regulatory and Compliance Challenges
- Evolving Regulatory Landscape: Keeping up with evolving EASA, ICAO, and national authority cybersecurity regulations and ensuring compliance.
- Cross-Border Compliance: Managing compliance with multiple regulatory frameworks when operating in different jurisdictions.
- Alignment with EASA NPA 2021-07: Ensuring the ISMS aligns with the principles of EASA’s cybersecurity rulemaking (NPA 2021-07 and the Opinion 03/2021 that followed it) as well as the published regulation.
- Supplier and Partner Compliance: Ensuring that suppliers, subcontractors, and partners comply with the organisation’s ISMS standards.
Technical and Implementation Challenges
- Legacy System Vulnerabilities: Older design and production systems were often not built with cybersecurity in mind, so controls such as authentication, patching and network segmentation are difficult to retrofit.
- Industrial Control System (ICS) Security: Protecting operational technology (OT) and production systems against cyber threats while ensuring system availability.
- Secure Data Management: Ensuring secure handling of design data, drawings, test results, and proprietary information, particularly in a digital supply chain.
- Managing Remote Work Security: Ensuring cybersecurity measures are in place for employees accessing sensitive data remotely.
Organisational and Cultural Challenges
- Resistance to Change: Employees and management may resist new cybersecurity protocols due to perceived complexity or added workload.
- Balancing Security and Productivity: Striking the right balance between stringent cybersecurity controls and maintaining efficiency in design and production workflows.
- Workforce Cybersecurity Awareness: Training employees across all levels, including engineers and production staff, to recognize and mitigate cyber threats.
- Collaboration Between IT and Engineering Teams: Ensuring effective communication between cybersecurity experts and aviation engineers who may not be familiar with ISMS principles.
Operational Challenges
- Threat Identification and Risk Prioritization: Assessing and prioritizing cybersecurity risks that have the highest impact on aviation safety.
- Detecting Insider Threats: Protecting against intentional or unintentional cyber threats from employees, contractors, or third parties with access to sensitive data.
- Timely Incident Response: Ensuring rapid detection, containment, and response to cybersecurity incidents without disrupting design or production activities.
- Supply Chain Cybersecurity Risks: Managing cybersecurity risks in outsourced design or manufacturing processes, especially with external vendors.
- Cost-Benefit Justification: Demonstrating return on investment (ROI) for cybersecurity measures to justify expenditure to senior management.
- Continuous Monitoring and Auditing: Maintaining an ongoing cybersecurity assessment process that requires resources and expertise.
Risk Assessment Challenges
- Identifying and classifying risks: Design and production organisations need to establish consistent risk assessment methodologies.
- Addressing interconnected threats: Aviation organisations operate in an increasingly digital ecosystem, meaning risks may extend beyond their immediate control (e.g., supplier vulnerabilities, regulatory compliance gaps).
- Risk mitigation strategies: Once risks are identified, organisations must develop mitigation plans without introducing new risks to aviation safety.
- Conducting regular risk assessments to identify:
  - Threats (e.g., cyberattacks, data breaches, software vulnerabilities).
  - Vulnerabilities (e.g., weak passwords, outdated software).
  - Interfaces with other organisations that may expose them to security risks.
Next Steps
Follow this link to our Library to find & download related documents for Free.
Please see Sofema Aviation Services, Sofema Online or email [email protected].
Follow this link for all Aviation Security and Cyber Security documents.