Sofema Aviation Services (SAS) takes a view on the role of the EASA Cyber Security Framework to address Stakeholder Needs, Legal Basis, and Policies for Collaboration and Information Sharing.
Introduction – Stakeholder Needs
Stakeholders in the aviation ecosystem include airlines, airports, air navigation service providers (ANSPs), manufacturers, maintenance organizations, and authorities.
Their needs within the EASA cyber security framework focus on:
Risk Management
- Identifying Threats: Stakeholders need tools and processes to identify vulnerabilities and anticipate cyber threats that could disrupt aviation safety.
- Mitigating Risks: Implementing robust controls, monitoring systems, and incident response plans to mitigate risks.
Regulatory Compliance
- Meeting EASA regulations and ensuring alignment with ICAO Annex 17 and emerging cyber security requirements.
- Harmonization with EU regulations such as the NIS 2 Directive and the GDPR.
Information Protection
- Protecting sensitive operational and personal data while ensuring data integrity, availability, and confidentiality.
Coordination and Collaboration
- Ensuring effective communication between stakeholders to share threat intelligence and best practices.
Resource Management
- Allocating sufficient human, financial, and technological resources to build cyber-resilient systems.
Business Continuity
- Ensuring minimal disruption to operations during a cyber incident.
Legal Basis
The legal foundation for cyber security in aviation comes from several interconnected regulations and directives:
EASA Regulation (EU) 2019/947 & 2022/1645
- EASA plays a key role in integrating cyber security into aviation safety by issuing rules and guidance material to protect civil aviation operations.
NIS 2 Directive (EU Directive on Network and Information Security)
- This framework establishes measures for a high common level of cyber security across critical infrastructure sectors, including aviation.
- Stakeholders must:
  - Identify critical systems.
  - Report incidents within specified timelines.
  - Adopt cyber risk management practices.
GDPR (General Data Protection Regulation)
- Legal obligations for stakeholders to ensure the confidentiality and protection of personal data collected and processed in aviation systems.
ICAO Requirements
- Annex 17 – Security: Outlines cyber security measures to address unlawful interference in civil aviation operations.
- Annex 19 – Safety Management: Promotes a framework that integrates cyber security into safety management systems (SMS).
National Regulations
- Member states enforce cyber security measures at the local level, aligned with EASA and European Commission directives.
Policies for Collaboration and Information Sharing
Collaboration and information sharing are critical for managing cyber risks effectively across the interconnected aviation ecosystem. Policies include:
Threat Intelligence Sharing
- Establishing mechanisms for stakeholders to report and share cyber threats, vulnerabilities, and mitigation measures securely and in real time.
- EASA encourages participation in platforms such as ECCSA (European Centre for Cyber Security in Aviation).
Incident Reporting
- Mandatory reporting of cyber incidents to national authorities, in alignment with EASA AMC (Acceptable Means of Compliance).
- Clear timelines and structured processes for reporting incidents to foster transparency.
Trust Frameworks
- Developing a culture of trust where stakeholders feel confident sharing sensitive cyber information without fear of liability or reputational damage.
Cross-Sector Collaboration
- Policies that allow for coordination with other critical sectors like energy, communications, and transport to manage systemic cyber risks.
Public-Private Partnerships
- Encouraging cooperation between aviation industry stakeholders, national authorities, and the EU Agency for Cyber Security (ENISA).
Harmonized Standards
- Adoption of ISO/IEC 27001 (Information Security Management Systems) and EUROCAE ED-205 for aviation-specific cyber security guidance.
For comments or questions, please email team@sassofia.com.