Cyber Turbulence in the Skies: EU Is Strengthening Defenses
Provided by Liliana Rodrigues-Kaps with Arnecke Sibeth Dabelstein
In September 2025, several major European airports suffered significant disruption due to a cyber-attack on a third-party IT service provider. The automated check-in and baggage drop systems were unavailable, forcing manual processes, flight delays and cancellations (e.g., Brussels and Berlin cancelled dozens of flights). The disruption highlighted the vulnerability of the aviation supply chain, particularly where multiple operators rely on shared digital platforms.
European regulators are advancing efforts to harmonize aviation safety and security oversight, with major updates from the European Union Aviation Safety Agency (EASA), the European Commission, and the International Civil Aviation Organization (ICAO). These developments will affect airlines, airports, and service providers across Europe and beyond.
European regulators are clearly placing a new emphasis on risk-based security across the aviation sector.
EASA’s safety & security framework (Part-IS) has been expanded to include:
- enhanced supervisory oversight of operational security functions
- structured risk assessments and consistent compliance-monitoring across EU Member States
- a proactive focus on essential safety as well as cybersecurity vulnerabilities.
These initiatives reflect the EU’s objective of harmonizing safety and security under an integrated management system.
ICAO & EU directives: Aligning Core Safety Principles
Revisions to ICAO Annex 17 (Security) and Annex 19 (Safety Management) are being implemented in Europe, and EASA is issuing new Guidance Material (GM) and Acceptable Means of Compliance (AMC) to ensure harmonized national interpretations.
At the same time, the upcoming EU civil-aviation directive and implementing regulations (e.g., the Civil Aviation Directive and related Commission Implementing Regulation) are expected to further extend the obligations of operators and competent authorities.
Security Management Systems & Internal Oversight
A significant change is the mandatory integration of Security Management Systems (SeMS) within operators’ compliance structures. Key points:
- operators must establish dedicated security governance frameworks
- cyber-resilience assessments must form part of the regular oversight cycle
- internal supervisory functions must ensure ongoing conformity with EU-wide standards.
This signals the EU’s growing focus on linking cybersecurity, physical protection, and operational safety into one compliance regime.
With these regulatory and threat-landscape changes, aviation organizations must adopt a risk-based, data-driven approach to compliance. Key action items:
- review and update internal safety/security policies and governance frameworks
- ensure management systems are aligned with the new EASA AMC/GM guidance
- conduct vendor-risk assessments and strengthen supply-chain resilience
- prepare for heightened oversight and auditing under EASA’s 2025–26 strategic plan.
L2b Aviation Lawyers monitor these developments closely and are ready to assist clients in adapting governance, compliance structures, and contracts to the evolving EU & international aviation standards.