A new framework for civil aviation Cyber Security
Extensive technological dependence and interconnectivity in aviation have made cybersecurity a fundamental pillar of air and operational safety. Recognizing this reality, the European Union has introduced Regulation 2022/1645 as a key framework for EU aviation security, set to take effect on October 16, 2025.
The regulation applies, among others, to aerodrome operators and apron management service providers, requiring them to integrate robust cybersecurity practices that prevent disruptions and interruptions capable of compromising aviation operations.
This approach is designed to address the evolving cyber threat landscape, where cyberattacks targeting critical infrastructure—such as airports and air traffic communication networks—have become an increasing concern.
The EU mandates comprehensive security controls and practices to enhance cyber resilience, detect cyber threats, and mitigate aviation risks.
The importance of Cyber Security in aviation
In an industry where safety has always been the top priority, is Cyber Security truly treated with the same level of urgency as physical and operational security? As aviation systems become more interconnected, do traditional safety cultures need to evolve to fully integrate cybersecurity into all aspects of operations?
Organizations performing critical aviation functions therefore carry direct cybersecurity obligations. They are required to adopt enhanced information security management practices to protect against cyber incidents and to address the cyber risks that come with digital transformation and emerging, disruptive technologies in the aviation sector.
Regulatory requirements have expanded beyond traditional physical security concerns to encompass cyber risk assessments, cyber resilience planning, and mandatory cyber incident reporting.
The regulation establishes a risk-based approach to Cyber Security controls, aligning them with aviation safety objectives, corporate dynamics, operational complexity, and industry-specific challenges. From my experience, the regulation aligns well with established methodologies in cyber risk assessment, vulnerability management, threat intelligence and hunting, incident management, and business continuity.
■ Given the complexity and evolving nature of threat actors, compliance should not be treated as a one-off effort but as an ongoing process of monitoring, adaptation, and continuous improvement. Established standards such as ISO 27001 and NIST CSF 2.0 can help meet the regulatory requirements, but they must be mapped against both the substance and the specificity of the aviation sector's requirements rather than adopted wholesale.
Adaptation and continuous compliance efforts
To ensure adaptation and compliance, strong commitment, accountability, and leadership in both governance and Cyber Security strategies are essential. It is crucial to appoint cybersecurity officers, establish clear lines of responsibility, and integrate security into risk-focused governance frameworks.
Compliance mechanisms play a vital role, including regular audits, security assessments, and the use of maturity models to track progress. Maintaining detailed Cyber Security policies and, most importantly, evidence of compliance will be indispensable.
The regulation also addresses cyber incident reporting. The NIS2 directive is more specific on deadlines: an early warning within 24 hours of becoming aware of a significant incident and an incident notification within 72 hours. Organizations subject to both regimes must reconcile these timelines so that a single incident-handling process satisfies each. Effectively managing cyber incidents is essential to minimize operational disruptions and prevent cascading effects that could impact multiple aviation stakeholders.
■ These provisions align with the European Union Aviation Safety Agency (EASA) framework, ensuring coherence between regulatory compliance and operational security measures. EASA's guidance emphasizes a risk-based approach to cyber resilience, sector-wide cooperation, and cyber threat intelligence sharing.
Regulation 2022/1645 requires organizations to develop, implement, and maintain an Information Security Management System (ISMS) to enhance their cybersecurity capabilities.
Supply chain security and Cyber Security investment
A key aspect of the regulation is supply chain security: it explicitly addresses contracted activities and third-party processes. Many incidents originate outside an organization's own perimeter, and a supplier's compromise quickly becomes the customer's incident, particularly when the customer has no visibility into the supplier's infrastructure beyond the delivered service. Adversaries target exactly these weak points.
Under the new regulation, organizations must include their supply chains in their cyber risk assessments and ensure that third parties can demonstrate, with evidence, that they follow adequate Cyber Security practices. Audits, mandatory cybersecurity controls written into contracts, and continuous third-party monitoring will be essential due diligence measures for safeguarding the aviation supply chain.
Cybersecurity is not only a matter of budgets and regulatory compliance. The regulation underscores the need to invest in infrastructure, security architecture, workforce training, and cyber risk management in order to strengthen cyber resilience.
■ While cybersecurity investments can be costly, they are critical to preventing or mitigating potentially catastrophic incidents. Organizations must therefore reassess their cybersecurity strategies and balance compliance costs against operational efficiency by prioritizing sustainable, adaptive, and strategic Cyber Security investments.
Impact and penalties for non-compliance
Non-compliance can lead to various legal and financial consequences. NIS2, for example, defines financial penalties and other sanctions explicitly. Regulation 2022/1645 does not itself set out sanctions (penalties for breaches of EASA rules are a matter for national law), but the aviation sector remains subject to other regulatory frameworks, and overlapping obligations can still give rise to penalties.
Additionally, organizations must consider the reputational impact of a cybersecurity breach in aviation. This could lead to loss of customer trust, financial instability, and increased scrutiny from regulatory bodies.
From a methodological perspective, in both substance and implementation, Regulation 2022/1645 aims to build practical capabilities for anticipating and preventing incidents, contributing to the continuous strengthening of cybersecurity, cyber resilience, and cyber risk management.
■ Under NIS2, regulatory authorities have the power to impose fines, restrict operations, and enforce corrective measures on organizations that fail to meet cybersecurity requirements.
Conclusion
Looking ahead, this regulation marks a significant shift in Cyber Security governance within the aviation sector. All stakeholders must remain agile in adapting to emerging cyber trends, which means both ensuring regulatory compliance and proactively preparing for future changes that will shape the industry's cyber resilience landscape.
Geopolitical tensions, increasing cybercriminal activity, and rapid technological advancements underscore the urgency of a secure and resilient aviation ecosystem.
Therefore, the proactive adoption of this regulation is imperative. It not only enhances cybersecurity posture but also contributes to the broader objective of ensuring safe aviation operations for the future.
■ Access the Commission Delegated Regulation (EU) 2022/1645 of July 14, 2022 →