From Flight Plans to Firewalls: Cybersecurity in Aviation Law

Cybersecurity is essential for ensuring the safety, security, and efficiency of air transport, as well as the privacy and confidentiality of passengers, crew, and operators. However, cybersecurity also poses significant legal challenges, as different jurisdictions have different regulations, standards, and guidance on how to address cyber threats and incidents.

One of the main sources of cybersecurity law in the aviation sector is the EU directive on security of network and information systems (NIS Directive), which aims to improve cybersecurity in a number of key sectors, including aviation. The NIS Directive requires operators of essential services (OES), such as air carriers, airport managing bodies, or traffic management control operators, to implement appropriate and proportionate measures to prevent and minimize the impact of incidents affecting the security of networks, with a view to ensuring the continuity of services. The NIS Directive also establishes a cooperation mechanism among EU member states and the European Commission to exchange information and best practices on cybersecurity.

However, the implementation of the NIS Directive across EU member states has been uneven and divergent, as each member state has its own criteria for identifying OES, its own national authority for overseeing cybersecurity compliance, and its own penalties for non-compliance. For example, in the UK, the maximum penalty for failing to comply with the NIS Directive is £17 million, whereas in France and Germany, it is €100,000 and €50,000 respectively. Moreover, some member states have not yet fully transposed the NIS Directive into their national legislation, creating legal uncertainty and inconsistency for aviation entities operating across different jurisdictions.

Another source of cybersecurity law in the aviation sector is the International Civil Aviation Organization (ICAO), which is a specialized agency of the United Nations that sets standards and regulations for international civil aviation. ICAO has issued several documents that address cybersecurity issues, such as the Cybersecurity Policy Guidance, which provides recommendations for states and aviation stakeholders on how to develop and implement a national aviation cybersecurity policy framework. ICAO has also developed a Cybersecurity Strategy, which outlines its vision, mission, objectives, and actions for enhancing cybersecurity in civil aviation. Furthermore, ICAO has established a Cybersecurity Action Plan, which defines specific activities and deliverables for achieving the objectives of the Cybersecurity Strategy.

However, ICAO’s documents are not legally binding; they serve as guidance and best practices for states and aviation stakeholders to follow voluntarily. Therefore, there may be gaps or inconsistencies between ICAO’s recommendations and the actual implementation of cybersecurity measures by states and aviation entities. Moreover, ICAO’s documents may not cover all aspects or scenarios of cybersecurity in civil aviation, as cyber threats and incidents are constantly evolving and becoming more sophisticated.

Source:
Cybersecurity Policy Guidance
Commission Delegated Regulation
