Cybersecurity

Hello,
Another Cyber regulation popping-up: Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
Does anyone know what would be the impact on aviation stakeholders (if there is some) ? Or if Part-IS is already covering it somehow ?
Thanks

What guidance is available for small design organisations for Part-IS implementation? We have no direct effect on aircraft security

Hello!
At the November workshop we were introduced to a self-assessment tool to check the level of compliance of our organizations which honestly looked very impressive. Is it published somewhere or is it already available for download?
Thanks and best regards.

Hello and a happy new year to everyone!

I've got a question about how to deal with a new kind of ICAs, affecting every airline operating e-enabled aircraft.

OEMs are providing Aircraft Security Operator Guidance (ASOG) (e.g., Security Handbook or (U)ANSOG) to operators to ensure the safe operation of the aircraft. These documents - or to be more precise: the contained instructions - are categorized as ICAs (Instructions for Continued Airworthiness). Usually, it is the responsibility of CAMO to ensure all ICAs are taken care of.
The topics addressed in, and tasks required by the ASOGs are exceeding the common CAMO scope, reaching into areas of others responsibility (e.g., Flight Ops for Crew Processes and Procedures), IT for Digital Certificate management). The instructions are written, following the form of "The operator shall" or "xyz shall be ensured...".
EUROCAE ED-204A is recommending, operators are having an "Aircraft Information Security Center" (AISC) with trained specialists, "acting as the operator's point of contact for aircraft information security events".

Has anyone any experience or is willing to share his/her thoughts about how this could be implemented? Thinking of actions falling into the area and responsibility of others: Does each such tasks need to be interpreted as "subcontracted continuing airworthiness management tasks" (SCAMT)? Is there any more efficient, but regulatory wise acceptable, way to manage this kind of new type of ICAs?

Thank you very much in advance and with kind regards.

Regarding IS.I.OR.235, I wonder how we should approach cases in which an airline belongs to a corporation or group of companies, and that this parent company is the one that provides them with information security services. Should we understand that these services are being subcontracted to a third party or, on the contrary, understand that they are being provided as their own by the airline, being part of the same group of companies?