DPO.AR.C.001 Issue of approvals to organisations involved in the design or production of ATM/ANS equipment
Regulation (EU) 2023/1769
(a) Upon receiving an application for the issue of an approval to an organisation involved in the design or production of ATM/ANS equipment, the Agency shall verify the organisation’s compliance with the requirements laid down in Annexes II and III of Delegated Regulation (EU) 2023/1768 and in Annex II to this Regulation.
(b) The Agency may request any audits, inspections or assessments it finds necessary before issuing the approval with all the relevant information set out in Appendix 1 to this Annex.
(c) The approval shall be issued for an unlimited duration. The privileges as regards the activities the organisation is approved to conduct shall be specified in the conditions attached to the approval.
(1) With regard to an organisation involved in the design of ATM/ANS equipment, the conditions shall specify the type of design work and the categories of ATM/ANS equipment for which the organisation holds an approval, and the privileges the organisation is approved to exercise.
(2) With regard to an organisation involved in the production of ATM/ANS equipment, the conditions shall specify the scope of work and the ATM/ANS equipment or the equipment categories, or both, for which the approval holder is entitled to exercise the privileges.
(d) The approval shall not be issued where a level 1 finding referred to in DPO.AR.C.015 remains open. In exceptional circumstances, finding(s) other than level 1 shall be assessed and mitigated as necessary by the organisation and a corrective action plan for closing the finding(s) shall be approved by the Agency prior to the issue of the approval.
(e) Each change to the approval and to its conditions shall be approved by the Agency.
DPO.AR.C.005 Oversight programme
Regulation (EU) 2023/1769
(a) The Agency shall establish and update annually an oversight programme taking into account the specific nature of the organisations it oversees, the complexity of their activities, and the results of past certification or oversight activities, and shall base it on the assessment of the associated risks. The oversight programme shall include audits, which shall:
(1) cover all the areas of potential concern, with a focus on those areas where problems have been identified in the past;
(2) cover all the organisations, certificates and declarations under the Agency’s oversight;
(3) cover the means implemented by the organisations to ensure the competence of their personnel;
(4) ensure that audits are conducted in a manner commensurate with the level of the risk posed by the organisation’s activities;
(5) ensure that for organisations under its supervision, an oversight planning cycle not exceeding 24 months is applied.
The oversight planning cycle may be reduced if there is evidence that the safety performance of the organisation has decreased.
The oversight planning cycle may be extended to a maximum of 36 months if the Agency has established that during the previous 24 months:
(i) the organisation has continuously demonstrated compliance with the change management requirements under point DPO.OR.B.005;
(ii) no level 1 findings referred to in DPO.AR.C.015 have been issued;
(iii) all corrective actions referred to in DPO.AR.C.015 have been implemented within the time period accepted or extended by the Agency as defined in point DPO.AR.C.015.
If, in addition to points (i), (ii) and (iii), the organisation has established an effective continuous reporting system to the Agency as regards its regulatory compliance, which has been approved, the oversight planning cycle may be extended to a maximum of 48 months;
(6) ensure the follow-up of the implementation of corrective actions referred to in DPO.AR.C.015;
(7) be subject to consultation with the organisations concerned and thereafter its notification;
(8) indicate the planned intervals of the inspections of the different sites, if necessary.
(b) The Agency may decide to modify the objectives and the scope of the preplanned audits, including documentary reviews and additional audits, wherever that need arises.
(c) The Agency shall decide which arrangements, elements, physical locations, and activities are to be audited within a specified time frame.
(d) Audit observations and findings issued in accordance with point DPO.AR.C.015 shall be documented.
(e) The findings shall be supported by evidence and identified in terms of applicable requirements and their implementation arrangements against which the audit has been conducted.
(f) An audit report, including the details of findings and observations, shall be prepared and communicated to the organisation concerned.
DPO.AR.C.010 Changes to the information security management system
Regulation (EU) 2023/1769
(a) For changes managed and notified to the Agency in accordance with the procedure set out in point IS.I.OR.255(a) of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203, the Agency shall include the review of such changes in its continuing oversight programme in accordance with the principles laid down in point DPO.AR.C.005 of this Annex. If any non-compliance is found, the Agency shall notify the organisation thereof, request further changes and act in accordance with point DPO.AR.C.015 of this Annex.
(b) With regard to other changes requiring an application for approval in accordance with point IS.I.OR.255(b) of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203:
(1) upon receiving the application for the change, the Agency shall check the organisation’s compliance with the applicable requirements before issuing the approval;
(2) the Agency shall establish the conditions under which the organisation may operate during the implementation of the change;
(3) if it is satisfied that the organisation complies with the applicable requirements, the Agency shall approve the change.
DPO.AR.C.015 Findings, corrective actions, and enforcement measures
(a) When the Agency, during investigation, oversight or by any other means, identifies any non-compliance with the applicable requirements of this Regulation, of a procedure or manual required by this Regulation, or of a certificate or declaration issued in accordance with this Regulation, it shall, without prejudice to any additional action required by Regulation (EU) 2018/1139, raise a finding.
(b) The Agency shall have a system in place to:
(1) analyse findings for their safety and interoperability significance;
(2) identify appropriate enforcement measures, including the suspension or revocation of approvals and certificates;
(3) issue directives on the basis of the risk posed by the organisation’s non-compliance.
(c) A level 1 finding shall be raised by the Agency when it identifies any significant non-compliance with the ATM/ANS certification basis as per point ATM/ANS.EQMT.AR.B.001 of Annex I to Delegated Regulation (EU) 2023/1768 that may lead to uncontrolled non-compliance and to a potential unwanted condition.
Level 1 findings shall include but are not limited to:
(1) the promulgation of operational procedures which introduce a significant risk to the organisation’s activities;
(2) the obtainment or maintenance of the validity of the organisation’s approval through the submission of falsified documentary evidence;
(3) evidence of malpractice or fraudulent use of the organisation’s approval;
(4) the lack of an accountable manager.
(d) A level 2 finding shall be raised by the Agency where non-compliance with any of the following is identified:
(i) with the applicable requirements of Regulation (EU) 2018/1139;
(ii) with the delegated and implementing acts adopted on the basis of Regulation (EU) 2018/1139;
(iii) with the procedures and manuals required by Regulation (EU) 2018/1139; or
(iv) with the approval issued in accordance with Regulation (EU) 2018/1139, which is not classified as a level 1 finding.
(e) Where a finding is raised, the Agency shall, without prejudice to any additional action required by Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on its basis, communicate the finding in writing to the organisation concerned and require it to take corrective action to address the non-compliance(s) identified.
(1) In the case of level 1 findings, the Agency shall immediately take appropriate enforcement measures and may, if appropriate, limit, suspend or revoke in whole or in part the approval until successful corrective action has been taken by the organisation.
(2) In the case of level 2 findings, the Agency shall:
(i) grant the organisation a corrective action implementation period, as part of an action plan, appropriate to the nature of the finding;
(ii) assess the corrective action and implementation plan proposed by the organisation, and, if the assessment concludes that they are sufficient to address the non-compliance(s), accept them.
(3) In the case of level 2 findings, where the organisation fails to submit a corrective action plan that is acceptable to the Agency in the light of the finding, or where the organisation fails to perform the corrective action within the period of time accepted or extended by the Agency, the finding may be raised to a level 1 finding and action shall be taken in accordance with point (e)(1).
(f) For those cases where level 1 and level 2 findings are not required, the Agency may issue observations.
(g) The Agency shall:
(1) suspend a certificate if it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to the safety, security, performance or interoperability of ATM/ANS equipment;
(2) issue an ATM/ANS equipment directive under the conditions of point ATM/ANS.EQMT.AR.A.030 of Annex I to Delegated Regulation (EU) 2023/1768;
(3) suspend, revoke or limit a certificate if such action is required in accordance with point (c);
(4) take immediate and appropriate action that is necessary to limit or prohibit the activities of an organisation or a natural or legal person if it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to ATM/ANS equipment;
(5) register a declaration of design compliance only after all the findings from the initial oversight investigation have been resolved;
(6) temporarily or permanently deregister a declaration of design compliance if it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to the safety, security, performance or interoperability of ATM/ANS equipment;
(7) take any further enforcement measures which are necessary to ensure that any non-compliance with the essential requirements of Annex VIII and, if applicable, Annex VII to Regulation (EU) 2018/1139 and with this Annex, is rectified and, where necessary, mitigate its consequences.
(h) Upon taking enforcement measures in accordance with point (g), the Agency shall notify them to the addressee, state the reasons for them, and inform the addressee of its right to appeal.
Appendix 1 - SPECIFICATIONS OF THE APPROVAL OF AN ORGANISATION INVOLVED IN THE DESIGN OR PRODUCTION OF ATM/ANS EQUIPMENT
Regulation (EU) 2023/1769
The approval shall specify:
(a) the Agency as the competent authority that issues the approval;
(b) the applicant’s name and postal address;
(c) the applicant’s scope of work;
(d) the location where the activities are to be performed;
(e) the associated privileges for which the applicant has been approved;
(f) a statement of the applicant’s conformity and compliance with the applicable requirements;
(g) the date of issue and the validity of the approval;
(h) the additional conditions or limitations attached to it.