Opinion 03/2021 ‘Management of information security risks’

The objective of this Opinion is to efficiently contribute to the protection of the aviation system from information security risks, and to make it more resilient to information security events and incidents. To achieve this objective, this Opinion proposes the introduction of provisions for the identification and management of information security risks which could affect information and communication technology systems and data used for civil aviation purposes, detecting information security events, identifying those which are considered information security incidents, and responding to, and recovering from, those information security incidents to a level commensurate with their impact on aviation safety.

These provisions shall apply to competent authorities and organisations in all aviation domains (i.e. production and design organisations, air operators, maintenance organisations, continuing airworthiness management organisations (CAMOs), training organisations, aero-medical centres, operators of flight simulation training devices (FSTDs), air traffic management/air navigation services (ATM/ANS) providers, U-space service providers and single common information service providers, aerodrome operators and apron management service providers), shall include high-level, performance-based requirements, and shall be supported by acceptable means of compliance (AMC), guidance material (GM), and industry standards.

This Opinion proposes a new Implementing Regulation and a new Delegated Regulation (depending on the specific aviation domains covered) regarding information security management systems for organisations and competent authorities.

In addition, this Opinion proposes amendments to Commission Regulations (EU) No 748/2012, No 1321/2014, 2017/373, 2015/340, No 139/2014, No 1178/2011, No 965/2012 and 2021/664, in order to introduce requirements to comply with the proposed new Implementing and Delegated Regulations described above, and to add the elements necessary for the competent authorities to perform their certification and oversight activities.

NOTE
For the purpose of this Opinion, ‘information security risk’ means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event. Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets.

FAA_NTSB AVP-300-15 US State Safety Program

This document describes how the U.S. meets the SSP requirements outlined in ICAO Annex 19 and describes additional activities that will help improve the U.S. SSP and respond to future safety challenges, including safety data and information collection, analysis, protection, and sharing capabilities. While multiple U.S. government agencies contribute to the U.S. SSP, this document focuses on the role of the FAA and the National Transportation Safety Board (NTSB), because those two organizations fulfill the majority of SSP-related functions identified in ICAO Annex 19 for the U.S. The FAA and NTSB will review the U.S. SSP at least every three years to reflect evolving aviation safety standards and practices.

Source: U.S. State Safety Program (v2.0) – 2021

ED Decision 2021/007/R ICAs — Installation of parts and appliances that are released without an EASA Form 1 or equivalent — Ageing aircraft structures

Commission Delegated Regulation (EU) 2021/699 of 21 December 2020 amending and correcting Regulation (EU) No 748/2012 as regards the instructions for continued airworthiness, the production of parts to be used during maintenance and the consideration of ageing aircraft aspects during certification, published on 28 April 2021, amends Commission Regulation (EU) No 748/2012 with respect to the following:

  • instructions for continued airworthiness (ICAs);
  • installation of parts without an EASA Form 1;
  • ageing aircraft structures.

The objective of Decision 2021/007/R is to support the implementation of the amendments introduced in Part 21 through Commission Delegated Regulation (EU) 2021/699.

In order to achieve this objective, the Decision issues amendments to the Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Part 21 (Issue 2, Amendment 12) and to AMC-20 (Amendment 22).

Additionally, this Decision issues new GM for affected stakeholders to perform remotely:

  • certain audits, or
  • certain tasks for the issuance of an EASA Form 1.