January 08, 2025

sasadmin

Sofema Aviation Services (SAS) www.sassofia.com considers fundamental issues related to the challenge of addressing cyber security threats within EASA regulated Organisations

Introduction

The NIS2 Directive—Directive (EU) 2022/2555—represents the European Union’s updated legislative framework aimed at achieving a high common level of cybersecurity across all Member States. It replaces the original NIS Directive (2016/1148) and came into force on January 16, 2023. Member States are required to transpose it into national laws by October 17, 2024.

Key Objectives of NIS2

  • Enhance cybersecurity resilience across the EU.
  • Harmonize cybersecurity measures and enforcement across Member States.
  • Improve cooperation and information sharing among national authorities and organizations.
  • Strengthen supply chain security and risk management across critical sectors.
  • Increase accountability by imposing stricter reporting obligations and penalties.

Aviation Scope of the NIS2 Directive

  • Applies to essential entities and important entities in critical sectors, including aviation.
  • Sectors are defined based on their significance to society and the economy.

Cybersecurity Risk Management

Organizations must adopt risk-based cybersecurity measures proportionate to their risks, focusing on:

  • Risk identification and assessment.
  • Prevention, detection, and response to incidents.
  • Recovery and continuity of services after incidents.
  • Physical and environmental security of systems and data.
  • Supply chain risk management, including third-party service providers.

Incident Reporting

  • Entities must report significant cybersecurity incidents:
    1. Initial report within 24 hours of awareness.
    2. A detailed report within 72 hours.
    3. A final report within 1 month with findings and mitigation.

Governance and Accountability

  • Organizations must ensure that senior management oversees cybersecurity strategies.
  • Cybersecurity measures must align with ISO/IEC standards (e.g., ISO 27001) where applicable.
  • Periodic security audits and cybersecurity awareness training for staff are mandatory.

Cooperation and Information Sharing

  • Entities must collaborate with national authorities, including CSIRTs (Computer Security Incident Response Teams).
  • Share threat intelligence and participate in coordinated cybersecurity risk assessments.

Supervision and Penalties

  • Competent authorities may:
    • Conduct supervisory audits and assessments.
    • Enforce compliance with fines or sanctions for violations.
  • Non-compliance can result in administrative fines up to a percentage of annual turnover.

Implications for EASA-Approved Organizations

EASA organizations (e.g., airlines, maintenance, and design organizations) likely fall under essential entities due to their role in transport infrastructure. They must:

  • Implement comprehensive cyber risk management processes.
  • Conduct regular vulnerability assessments and audits.
  • Ensure that critical suppliers and IT providers comply with cybersecurity standards.
  • Report significant cybersecurity incidents promptly.
  • Address risks to physical systems, data integrity, and IT services.

Next Steps

Follow this link to our Library to find & download related documents for Free.

See the following course: Implementing an Information Cyber Security Program in an EASA Part 145 Organization – 2 Days. For comments or questions, please email team@sassofia.com.

