Regulation 2023/203 Management of Information Security Risks

COMMISSION IMPLEMENTING REGULATION (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 - text published in the Official Journal of the European Union

Objective

This Regulation sets out the requirements to be met by the organisations and competent authorities in order to:

  • identify and manage information security risks with potential impact on aviation safety;
  • detect information security events and identify those which are considered information security incidents with potential impact on aviation safety;
  • respond to, and recover from, those information security incidents.

Summary

Applicability

This Regulation applies to:

  • Maintenance organisations
  • Continuing airworthiness management organisations (CAMOs)
  • Air operators
  • Approved training organisations (ATOs)
  • Aircrew aero-medical centres
  • Flight simulation training device (FSTD) operators
  • ATCO training organisations
  • ATCO aero-medical centres
  • ATM/ANS service providers (organisations covered by Regulation (EU) 2017/373)
  • U-space service providers and single common information service providers
  • Competent authorities, including EASA

Some organisations (e.g. those solely involved in the maintenance of non-complex motor-powered aircraft) are outside the scope of this Regulation.

Requirements for Competent Authorities

The competent authorities are required to:

  • set up, implement and maintain an information security management system (ISMS)
  • perform an information security risk assessment, i.e.
    • identify the elements of their own organisation which could be exposed to information security risks
    • identify the interfaces with other organisations that could result in mutual exposure to information security risks
    • identify and assess the information security risks
    • update the risk assessment as necessary
  • perform information security risk treatment
  • implement measures to detect, respond to and recover from information security incidents
  • have sufficient, competent and trustworthy personnel who can perform the activities related to this Regulation
  • keep records of their information security management activities and of the personnel involved

Requirements for Organisations

The organisations (listed in the Applicability section above, with the exception of competent authorities) are required to:

  • set up, implement and maintain an information security management system (ISMS)
  • perform an information security risk assessment
  • perform information security risk treatment
  • establish and maintain an internal information security reporting scheme
  • implement measures to detect, respond to and recover from information security incidents
  • in case of findings notified by the competent authority, identify the root cause(s) and implement appropriate corrective actions
  • implement an information security reporting system for notifying the competent authority
  • have sufficient, competent and trustworthy personnel who can perform the activities related to this Regulation
  • keep records of their information security management activities and of the personnel involved
  • develop an information security management manual (ISMM)
  • develop a procedure (to be approved by the competent authority) that governs the management and changes to the ISMS
  • assess and improve the ISMS as necessary

Amendments to Other Regulations

This Regulation amends the following Regulations (as listed in its title):

  • Commission Regulation (EU) No 1178/2011
  • Commission Regulation (EU) No 748/2012
  • Commission Regulation (EU) No 965/2012
  • Commission Regulation (EU) No 139/2014
  • Commission Regulation (EU) No 1321/2014
  • Commission Regulation (EU) 2015/340
  • Commission Implementing Regulation (EU) 2017/373
  • Commission Implementing Regulation (EU) 2021/664

The changes add provisions for information security risk assessment, information security management, and reaction to information security vulnerabilities and incidents.

Entry into Force

The Regulation was published in the Official Journal of the European Union on 2 February 2023 and entered into force in February 2023. It applies from 22 February 2026, except in the case of the EGNOS air navigation service provider, for which the applicability date is 1 January 2026.

Related Regulations

Regulation 2021/2082 Arrangements for Implementation of ERCS

Further Reading

European Commission
