The objective of this Decision is to:

• improve the availability and quality of data recorded by flight recorders in order to better support safety investigations of accidents and incidents involving large rotorcraft; and
• reduce the risk of design-related human factors (HFs) errors that may lead or contribute to an accident or incident.

This Decision amends:

• CS-29 to:
  • provide certification specifications (CSs) and acceptable means of compliance (AMC) for flight recorders performing the data link recording function,
  • introduce in the AMC for flight recorder installations new sections explaining what kinds of failures should be addressed by the applicants when developing the instructions for continued airworthiness (ICAs),
  • introduce in AMC 29.1457 a new section explaining how to perform evaluations of cockpit voice recorder (CVR) recordings, and
  • amend CS 29.1457 for CVRs to allow the use of more than four channels;
• CS-27 and CS-29 to introduce specific requirements (i.e. CS 27/29.1302) to ensure that HFs are systematically taken into account during the design and certification process of rotorcraft cockpits.

The amendments related to 29.1457 of CS-29 are expected to increase safety without any significant economic impact, and with no environmental or social impact. They will also support large rotorcraft operators in ensuring the serviceability of flight recorders, streamlining the CS-29 certification process, thereby providing an economic benefit for large rotorcraft operators, CS-29 certification applicants, and EASA.

The amendments related to 27/29.1302 of CS-27 and CS-29 are expected to moderately increase safety, as compliance with the new CSs is expected to reduce the probability of HFs and pilot workload issues leading to an accident or incident.

The objective of this Opinion is to efficiently contribute to the protection of the aviation system from information security risks, and to make it more resilient to information security events and incidents. To achieve this objective, this Opinion proposes the introduction of provisions for the identification and management of information security risks which could affect information and communication technology systems and data used for civil aviation purposes, detecting information security events, identifying those which are considered information security incidents, and responding to, and recovering from, those information security incidents to a level commensurate with their impact on aviation safety.

These provisions shall apply to competent authorities and organisations in all aviation domains (i.e. production and design organisations, air operators, maintenance organisations, continuing airworthiness management organisations (CAMOs), training organisations, aero-medical centres, operators of flight simulation training devices (FSTDs), air traffic management/air navigation services (ATM/ANS) providers, U-space service providers and single common information service providers, aerodrome operators and apron management service providers), shall include high-level, performance-based requirements, and shall be supported by acceptable means of compliance (AMC), guidance material (GM), and industry standards.

This Opinion proposes a new Implementing Regulation and a new Delegated Regulation (depending on the specific aviation domains covered) regarding information security management systems for organisations and competent authorities.

In addition, this Opinion proposes amendments to Commission Regulations (EU) No 748/2012, No 1321/2014, 2017/373, 2015/340, No 139/2014, No 1178/2011, No 965/2012 and 2021/664, in order to introduce requirements to comply with the proposed new Implementing and Delegated Regulations described above, and to add the elements necessary for the competent authorities to perform their certification and oversight activities.

NOTE
For the purpose of this Opinion, ‘information security risk’ means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event. Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets.