January 23, 2024


Sofema Aviation Services (SAS) www.sassofia.com takes a look at the EASA Regulatory Requirements driven by Commission Implementing Regulation (EU) 2023/203 which presents a detailed framework for enhancing Information Security Management in the European aviation sector.

The Commission Implementing Regulation (EU) 2023/203 sets out a robust framework for managing information security risks in aviation, addressing contemporary challenges through a structured approach.

  • Its focus on risk assessment, incident management, personnel training, and continuous improvement lays the foundation for a resilient aviation security environment.
  • Entities are encouraged to begin preparations early, considering the detailed requirements and the time needed for effective implementation.


The regulation has been promulgated to address the Aviation Information security risks across multiple domains with ultimately potential impacts on aviation safety.

The regulatory requirements cover a wide range of domains within the aviation sector, including aerodromes, maintenance organizations, air operators, training organizations, and air navigation service providers.

Key Requirements and Actions:

  • Establishment of ISMS: Organizations must develop and implement an Information Security Management System, tailored to their operational context.

Risk Assessment and Treatment:

  • Regularly identify and evaluate information security risks.
  • Implement measures to mitigate unacceptable risks.

Incident Management:

  • Develop processes for detecting and responding to information security events.
  • Establish protocols for rapid recovery from incidents.

Personnel Training and Awareness:

The Commission Implementing Regulation (EU) 2023/203 lays out specific training obligations, content, and management strategies to address information security risks with potential impacts on aviation safety.

  • Scope of Training (Article 2): The regulation applies to a wide range of aviation-related organizations, including maintenance organizations, air operators, training organizations, and air traffic management service providers, among others.

Note – also applies to competent authorities responsible for overseeing these organizations.

Training Obligations:

  • Information Security Management System (ISMS) Implementation (Articles 4 and 5): Organizations are required to establish, implement, and maintain an ISMS, which involves training relevant personnel to manage information security risks effectively.
  • Personnel Requirements (Annex I IS.AR.225 and Annex II IS.I.OR.240): The regulation emphasizes the need for trained personnel who are competent and understand their roles and responsibilities in managing information security risks.

Training Content:

  • Information Security Risks Assessment and Treatment (Annex I IS.AR.205, IS.AR.210 and Annex II IS.I.OR.205, IS.I.OR.210): Training should cover the identification and assessment of information security risks, and the development and implementation of risk treatment measures.
  • Incident Detection, Response, and Recovery (Annex I IS.AR.215 and Annex II IS.I.OR.220): Training in detecting information security events, responding to incidents, and recovery measures is crucial.
  • Management and Reporting of Information Security Incidents (Annex II IS.I.OR.215, IS.I.OR.230): Training should include internal and external reporting mechanisms for information security incidents.

Management of Training for Effective Outcomes:

  • Continuous Improvement (Annex I IS.AR.235 and Annex II IS.I.OR.260): Organizations must regularly assess the effectiveness of their ISMS, which includes evaluating the impact of training programs and making necessary improvements.
  • Record-Keeping (Annex I IS.AR.230 and Annex II IS.I.OR.245): Organizations must keep records of training activities, which is essential for tracking progress and identifying areas for improvement.
  • Guidelines and Oversight by Competent Authorities (Article 6 and Annexes): Competent authorities have the responsibility to certify and oversee compliance with the regulation, including training aspects.
  • The regulation aims to ensure a high level of information security within the aviation sector by mandating comprehensive training programs that cover all aspects of information security risk management.

Record-Keeping and Reporting:

  • Maintain detailed records of information security activities and report significant incidents to relevant authorities.

Challenges and Mitigation Strategies:

  • Entities must integrate ISMS with existing management systems, which can be complex.
  • Tailoring the ISMS to diverse organizational contexts can be challenging.

Confidentiality in Information Sharing:

  • Establish secure channels for sharing information while maintaining confidentiality.

Continuous Improvement:

  • Organizations need to continuously monitor, review, and update their ISMS.

Best Practices:

  • Proactive Risk Management: Adopt a proactive approach to identify and mitigate risks.
  • Collaboration and Information Sharing: Foster collaboration across the sector for effective risk management.

Regular Training and Drills:

  • Conduct regular training programs and drills for personnel.

Periodic Audits:

  • Regularly audit the ISMS for compliance and effectiveness.

Timeline for Implementation:

  • The regulation becomes applicable three years after its entry into force, providing organizations ample time for compliance.

Specific Guidance for Entities: (Airports, Operators, Maintenance Organisations, ATC etc)

  • Conduct an initial assessment to understand current security posture and plan for ISMS implementation.
  • Develop an ISMS that aligns with organizational needs and regulatory requirements.
  • Initiate comprehensive training programs for staff at all levels.
  • Develop and test incident response plans.
  • Schedule regular audits to ensure ongoing compliance and identify areas for improvement.

Next Steps

Follow this link to our Library to find & Download related documents for Free.

For Additional information or to enrol for a Cyber Security Training Please see www.sassofia.com www.sofemaonline.com or email team@sassofia.com

Please see the following course available online with www.sofemaonline.com EASA Compliant Organization Cyber Security Responsibilities


air navigation service providers, Air Operators, Aviation Information, aviation security environment, Commission Implementing Regulation (EU) 2023/203, EASA regulatory requirements, European aviation sector., Information Security Management System, Information Security Management System (ISMS), Maintenance organizations, Risk Assessment, SAS blogs