Safeguarding sensitive information is paramount in today's aviation landscape. EASA's Part-IS (Information Security) provides a detailed regulatory framework that addresses information security risks with a potential impact on aviation safety. Layered on top of it are the AI Act and the broader EU cybersecurity frameworks, NIS2 and the Critical Entities Resilience Directive (CER), and the spread of AI technologies across aviation further strengthens the case for a comprehensive cybersecurity strategy.
In addition to this regulatory landscape, the International Civil Aviation Organization (ICAO) has also introduced cybersecurity obligations, significantly shaping the future of aviation security globally. This brief guide will explore these recent ICAO cybersecurity obligations and how they interface with existing frameworks such as Part-IS, NIS2, and the AI Act while analysing commonalities with ISO standards like ISO 27001 and ISO 27005.
Both the ICAO and Part-IS obligations align well with ISO 27001 and ISO 27005. ISO 27001's requirement for systematic risk management through an ISMS mirrors the obligations under ICAO's cybersecurity guidelines and Part-IS. Similarly, ISO 27005's structured guidance on information security risk management complements both ICAO's risk-based framework and the continuous risk assessment and monitoring that Part-IS requires.
Organisations already compliant with ISO standards are well-positioned to meet the requirements of both ICAO's cybersecurity obligations and Part-IS. However, the increasing use of AI introduces new layers of complexity. AI certification frameworks under the AI Act and EASA's roadmap will require organisations to go beyond traditional risk management, addressing issues specific to AI systems, such as algorithmic bias, data integrity, and the potential for self-evolving systems to introduce new vulnerabilities.
Essential Obligations under Part-IS and ICAO Cybersecurity Framework
Part-IS requires aviation organisations to operate an Information Security Management System (ISMS): structured risk assessment and treatment, internal audits and continuous monitoring, with the specific aim of ensuring that information security incidents cannot compromise aviation safety.
Meanwhile, ICAO's cybersecurity framework, anchored primarily in Annex 17 (Security), whose Standard 4.9 addresses measures relating to cyber threats, and Annex 19 (Safety Management), builds on these principles. At its 40th Assembly in October 2019, ICAO adopted the Aviation Cybersecurity Strategy (Assembly Resolution A40-10) to address the growing cyber threat to civil aviation, and in 2020 followed it with a Cybersecurity Action Plan setting out what states and aviation stakeholders should do to manage cyber risk in line with global best practice. ICAO guidance material, including Doc 9985 (the Air Traffic Management Security Manual), supports this work.
Essential ICAO obligations include:
1. Risk Management Systems:
Like Part-IS, ICAO's framework calls for a risk-based approach to cybersecurity threats. It expects states and aviation organisations to operate cybersecurity risk management processes that identify, assess and mitigate cyber threats across aviation networks.
2. Coordination Between States:
ICAO emphasizes international collaboration and the need for states to coordinate cybersecurity efforts. It encourages information sharing and joint cybersecurity exercises, recognizing the transnational nature of cyber threats.
3. Incident Reporting and Response:
ICAO's obligations include establishing mechanisms for reporting cybersecurity incidents and ensuring swift response protocols. This reporting aligns with requirements found in both Part-IS and NIS2, particularly in the context of critical aviation infrastructure.
4. Regulatory Oversight:
ICAO tasks member states with establishing national oversight bodies to ensure compliance with cybersecurity regulations. States must audit and oversee aviation entities to maintain robust cybersecurity measures.
Let's now review how the ICAO cybersecurity obligations interact with Part-IS, NIS2, and the AI Act. The four frameworks share common goals but differ in their areas of focus and in how they are implemented. Here's how they look together:
1. Risk-Based Approach:
Both ICAO and EASA's Part-IS mandate a risk-based approach to cybersecurity. ICAO's Cybersecurity Strategy and its guidance material, including Doc 9985, expect states and organisations to assess risks dynamically rather than as a one-off exercise, a principle equally central to Part-IS. ISO 27001 and ISO 27005, with which Part-IS's risk management approach is designed to be compatible, serve as global benchmarks that align well with ICAO's broader, internationally focused cybersecurity requirements.
2. Incident Reporting and Response:
Both Part-IS and ICAO's framework require incident reporting and documented incident response procedures. These requirements align closely with NIS2, which also mandates timely reporting of significant cyber incidents to national authorities and standardised response procedures. The integration of AI into aviation, regulated by the AI Act, adds variables that incident response must account for: a model that continues to learn in operation can change its behaviour after deployment, so response processes need to cover the integrity of training data, model versions and decision logs as well as conventional IT assets. If these AI-specific risks are not controlled they become vulnerabilities in their own right, which is why compliance with the AI Act matters for aviation operators.
3. Audits and Compliance:
Audits play a central role in both the ICAO and Part-IS frameworks. Part-IS requires internal audits, complemented by oversight from the competent authority, to verify compliance with its information security obligations, while ICAO expects member states to exercise regulatory oversight through national authorities. This structure resembles the certification audits of ISO 27001 and the conformity assessments the AI Act requires for high-risk AI systems.
4. Coordination Between States and Organisations:
ICAO's emphasis on international coordination aligns with broader EU frameworks like NIS2 and Part-IS, where collaboration between national entities and sharing threat intelligence are critical to mitigating cyber threats across borders. The AI Act adds a layer of complexity, as AI-based systems, especially those in autonomous aviation or air traffic management, will require cybersecurity and AI-specific trustworthiness assessments that cut across national borders.
ICAO's cybersecurity obligations intersect with the evolving role of AI in aviation described in EASA's AI Roadmap 2.0. AI systems used in air traffic management, predictive maintenance or autonomous flight introduce new attack surfaces, such as manipulation of training data (poisoning) or adversarial inputs crafted to push a model into wrong outputs. ICAO's and EASA's evolving AI certification frameworks must therefore incorporate strict cybersecurity controls. In practice this means ensuring that the robustness, explainability and traceability of AI systems satisfy the AI Act, which requires high-risk AI systems to achieve an appropriate level of accuracy, robustness and cybersecurity throughout their lifecycle (Article 15), with technical solutions that are appropriate to the risks and reflect the state of the art (SOTA).
ICAO's cybersecurity obligations, EASA's Part-IS, NIS2, and the AI Act represent a comprehensive regulatory landscape to protect aviation from evolving cyber threats. While there is significant overlap between these frameworks, especially in risk management, audits, and incident reporting, the integration of AI adds new layers of complexity that require specialized oversight.
As AI becomes more embedded in aviation, organizations must adapt their cybersecurity strategies to comply with existing obligations and ensure that AI systems are certified, trustworthy, and aligned with global cybersecurity standards. The alignment between ICAO, EASA, and EU-wide regulations such as NIS2 and the AI Act will be vital to creating a resilient aviation sector that can withstand tomorrow's cyber threats.
Citations:
• EASA, Information Security (Part-IS): Commission Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation (EU) 2022/1645.
• ICAO Cybersecurity Guidelines; ICAO Annex 17 (Security) and Annex 19 (Safety Management).
• EASA, Artificial Intelligence Roadmap 2.0, May 2023.
Article by Dr Ian Gauci