ASD's view on cyber security in aviation

ASD has expressed concerns over the applicability to aviation manufacturing of the EU’s latest Network and Information Security (NIS2) Directives. NIS2 aims to establish a common level of network and infrastructure security across the Member States. However, ASD argues that it adds unnecessary complexity and costs without significantly improving cyber security.

ASD believes that the existing framework, Part IS (EU 2022/1645 applicable to Production Organisations and EU 2023/203 applicable to competent authorities of Production Organisations), already provides robust cyber security measures. The association suggests considering EU 2022/1645 Part IS as a lex specialis to EU 2022/2555 NIS2. The application of NIS2 would increase the administrative burden by adding an additional authority for each Member State where production sites exist. ASD emphasises that Part IS is more comprehensive and extensive than NIS2 for critical entities.

ASD argues that the existing Part IS requirements, which mandate an Information Security Management System (ISMS), exceed the requirements for Important Entities in NIS2 and are proportionate for the size and complexity of an aviation organisation. Therefore, ASD considers Part IS to be the most effective and comprehensive sector-specific legislation to protect against threats to aviation safety and the economy of the European Union.