Regulation (EU) 2023/1769
This Annex establishes the requirements for the administration and management systems of the Agency for the certification, oversight and enforcement tasks of design or production organisations when the Agency exercises its tasks and responsibilities.
DPO.AR.A.010 Immediate reaction to a safety, security and interoperability problem
Regulation (EU) 2023/1769
(a) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council (10Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007 (OJ L 122, 24.4.2014, p. 18).), and the delegated and implementing acts adopted on the basis thereof, the Agency shall implement a system to appropriately collect, analyse, and disseminate safety, security and interoperability information.
(b) Upon receiving the information referred to in point (a), the Agency shall take appropriate measures to address any identified safety, security, or interoperability problem, including the issuing of ATM/ANS equipment directives in accordance with point ATM/ANS.EQMT.AR.A.030 of Annex I to Delegated Regulation (EU) 2023/1768.
(c) The measures taken under point (b) shall immediately be notified to the organisation concerned, who is obliged to comply with them, in accordance with point DPO.OR.A.035. The competent authorities of the ATM/ANS providers concerned shall also be notified.
DPO.AR.A.015 Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
Regulation (EU) 2023/1769
(a) The Agency shall implement a system to appropriately collect, analyse, and disseminate information related to information security incidents and vulnerabilities with a potential impact on aviation safety that are reported by organisations. This shall be done in coordination with any other relevant authorities responsible for information security or cybersecurity within the Member State to increase the coordination and compatibility of reporting schemes.
(b) Upon receiving the information referred to in point (a), the Agency shall take adequate measures to address the potential impact on aviation safety of the information security incident or vulnerability.
(c) Measures taken in accordance with point (b) shall immediately be notified to all persons or organisations that shall comply with them under Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on its basis. The Agency shall also notify those measures to the competent authorities of the Member States concerned.