Defining rules for the identification & management of information security risks in aviation organizations & aviation competent authorities.

Over decades a mature process of regulation and practice has been built up to safeguard aviation against the risks it faces, whether those be from mechanical failure, collision, human error, or terrorist attack. As the sector relies more and more on complex and networked electronic information and communication systems, those systems must also be protected against deliberate or accidental compromise of confidentiality, integrity, or availability, which might put them, and the services they provide, at risk.

The Foundation for a Cyber-Resilient Aviation System

The European Commission published Regulation (EU) 2023/203 on the management of information security risks with a potential impact on aviation safety. With this publication, the regulatory framework laying the foundation for a cyber-resilient aviation system has been completed. Implementing Regulation (EU) 2023/203 lays down rules for the identification and management of information security risks in aviation organizations and aviation competent authorities, including EASA.

Information Security Management System (ISMS)

Part-IS (Annex II) introduces requirements for the identification and management of information security risks that could affect information and communication technology systems and data used for civil aviation purposes. It sets requirements for detecting information security events, identifying those that qualify as information security incidents, and responding to and recovering from those incidents to a level commensurate with their impact on aviation safety. To achieve these objectives, organizations will need to set up, implement and maintain an information security management system (ISMS) that ensures the proper management of information security risks that may have an impact on aviation safety.

The 3 Main Axes to Reach Cyber-Resilience

Organizations can outsource functions, but not responsibility or accountability. A critical component is ensuring that adequate internal resources exist to exercise effective oversight of those functions against the organization's own internal requirements.

Organizations in aviation must set up an information security management system and put measures in place to detect, react to and recover from information security events.

National aviation authorities will oversee information security.

We see 3 main axes defined in the regulation:

  1. Technology: cyber-resilience architectures built around the information security management system (ISMS) provide the technical backbone. This includes:

    • Establishing and managing policies on information security and setting out the overall principles of the organization.

    • Identifying and reviewing information security risks.

    • Conducting information security risk treatment measures.

    • Internal, non-repudiable information security reporting.

  2. Human resources:

    • The regulation prescribes the establishment of human resources in charge of conducting these tasks.

    • The teams may consist of internal, external or mixed resources.

  3. Accountability:

    • The regulation makes it clear that an internal body in the organization is responsible and accountable. Well-defined reporting schemes ensure that actions and structures can be audited.

This structure sits alongside, or is integrated at a higher level into, the system monitoring and control (SMC) infrastructure. ATSEP (air traffic safety electronics personnel) will be involved at management or operational level.

Mandatory by 2025

Part-IS provisions will be applicable from October 16, 2025 for organizations in the scope of the delegated act and from February 22, 2026 for all other organizations and competent authorities covered by the implementing act.

SkyRadar’s Cyber-Resilience Training Infrastructure

SkyRadar’s Cyber-Resilience Training Infrastructure is continuously updated with new knowledge, risks and standards, including regulations on cyber security.

The infrastructure includes many use cases and cyber attack scenarios covering information technology as well as ATC and air force infrastructure.

A modular implementation can consist of:

  • A pedagogical information security management system (CyberISMS) to train cybersecurity in civil and military aviation as required by Regulation (EU) 2023/203. Tasks of the ISMS include:

    • Establishing a policy on information security that sets out the overall principles of the organization.

    • Supporting the monitoring, identification and review of information security risks.

    • Conducting information security risk treatment measures remotely (control).

    • Providing an information security internal reporting scheme.

  • Relevant tools of the CSIRT process, which the solution further integrates, including:

    • Tools and data to enhance visibility.

    • Tools for Security Orchestration, Automation and Response (SOAR) and the generation of threat intelligence.

  • Industrially scalable components for HSM, key management, digital identity and code signing.

  • Virtualized hardware such as virtual servers, networks and applications.

  • Real hardware, including training radars, transmitters, receivers, UPSs and networks.

  • Simulated solutions comprising various tower and radar designs.

The cybersecurity lab fully integrates with SkyRadar’s System Monitoring and Control Suite, SkySMC, which is optimized for ATSEP-SMC training compliant with EASA's Easy Access Rules for ATM-ANS (Regulation (EU) 2017/373) and ICAO Doc 10057.

SkyRadar provides SkySMC as a complete laboratory in a turn-key approach, or as a service.

Let's talk

Stay tuned to be always the first to learn about new use cases and training solutions in radar qualification (real radars or simulators) for ATSEP.

Or simply talk to us to discuss your training requirements.
