21.B.10 Oversight documentation

Regulation (EU) 2022/203

The competent authority shall provide all the legislative acts, standards, rules, technical publications and related documents to the relevant personnel in order to allow them to perform their tasks and to discharge their responsibilities.

21.B.15 Information to the Agency

Regulation (EU) 2022/203

(a) The competent authority of the Member State shall notify the Agency in case of any significant problems with the implementation of Regulation (EU) 2018/1139 and its delegated and implementing acts within 30 days from the time the competent authority became aware of the problem.

(b) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council and its delegated and implementing acts, the competent authority of the Member State shall provide the Agency as soon as possible with any safety-significant information stemming from the occurrence reports stored in the national database pursuant to Article 6(6) of Regulation (EU) No 376/2014.

(c) The competent authority of the Member State shall provide the Agency as soon as possible with safety-significant information stemming from the information security reports it has received pursuant to point IS.D.OR.230 of the Annex (Part-IS.D.OR) to Delegated Regulation (EU) 2022/1645.

[point (c) is applicable from 22 February 2026 – Regulation (EU) 2023/203]

AIRWORTHINESS DIRECTIVES

When the competent authority of a Member State receives an airworthiness directive from the competent authority of a non-Member State, that airworthiness directive should be transferred to EASA for dissemination in accordance with Article 76 of Regulation (EU) 2018/1139.

EXCHANGE OF SAFETY-SIGNIFICANT INFORMATION WITH EASA

Each competent authority should appoint a coordinator to act as the contact point for the exchange of safety-significant information between the competent authority and EASA.

MEANING OF SAFETY-SIGNIFICANT INFORMATION THAT STEMS FROM OCCURRENCE REPORTS

Safety-significant information that stems from occurrence reports means:

(a) a conclusive safety analysis that summarises individual occurrence data and provides an in‑depth analysis of a safety issue, and that may be relevant for EASA’s safety action planning; and

(b) individual occurrence data for the cases in which EASA is the competent authority and which fulfils the reporting criteria of GM3 21.B.15(b).

RECOMMENDED CONTENT FOR CONCLUSIVE SAFETY ANALYSES

A conclusive safety analysis should contain the following:

(a) a detailed description of the safety issue, including the scenario in which the safety issue takes place; and

(b) an indication of the stakeholders that are affected by the safety issue, including types of operations and organisations;

and, as appropriate:

(c) a risk assessment that establishes the severity and probability of all the possible consequences of the safety issue;

(d) information about the existing safety barriers that the aviation system has in place to prevent the likely consequences of the safety issue from occurring;

(e) any mitigating action that is already in place or developed to deal with the safety issue;

(f) recommendations for future action to control the risk; and

(g) any other element that the competent authority considers essential for EASA to properly assess the safety issue.

OCCURRENCES IN WHICH EASA IS THE COMPETENT AUTHORITY

Occurrences that are related to organisations or products that are certified by EASA should be notified to EASA if:

(a) the occurrence is defined as a reportable occurrence in accordance with the applicable regulation;

(b) the organisation that is responsible for addressing the occurrence is certified by EASA; and

(c) the competent authority of the Member State comes to the conclusion that:

(1) the organisation that is certified by EASA to which the occurrence relates was not informed of the occurrence; or

(2) the occurrence was not properly addressed or was left unattended by the organisation that is certified by EASA.

Such occurrence data should be reported in a format that is compatible with the European Coordination Centre for Accident and Incident Reporting Systems (ECCAIRS) and should provide all the relevant information for its assessment and analysis, including necessary additional files in the form of attachments.

21.B.20 Immediate reaction to a safety problem

Regulation (EU) 2022/203

(a) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council and its delegated and implementing acts, the competent authority shall implement a system to appropriately collect, analyse and disseminate safety information.

(b) The Agency shall implement a system to appropriately analyse any relevant safety information received and, without undue delay, provide the relevant authority of the Member States and the Commission with any information, including recommendations or corrective actions to be taken, that is necessary for them to react in a timely manner to a safety problem involving products, parts, appliances, persons or organisations that are subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.

(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the safety problem.

(d) The competent authority shall immediately notify measures taken under point (c) to all persons or organisations which need to comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority of the Member State shall also notify those measures to the Agency and, when combined action is required, to the other Member States concerned.

21.B.20A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

Regulation (EU) 2023/203

(a) The competent authority shall implement a system to appropriately collect, analyse, and disseminate information related to information security incidents and vulnerabilities with a potential impact on aviation safety that are reported by organisations. This shall be done in coordination with any other relevant authorities responsible for information security or cybersecurity within the Member State to increase the coordination and compatibility of reporting schemes.

(b) The Agency shall implement a system to appropriately analyse any relevant safety-significant information received in accordance with point 21.B.15(c), and without undue delay provide the Member States and the Commission with any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to an information security incident or vulnerability with a potential impact on aviation safety involving products, parts, non-installed equipment, persons or organisations subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.

(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the potential impact on aviation safety of the information security incident or vulnerability.

(d) Measures taken in accordance with point (c) shall immediately be notified to all persons or organisations that shall comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority of the Member State shall also notify those measures to the Agency and, when combined action is required, the competent authorities of the other Member States concerned.

[applicable from 22 February 2026 – Regulation (EU) 2023/203]

AMC1 21.B.20A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

ED Decision 2023/010/R

(a) To appropriately collect and analyse information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should implement means that ensure the necessary confidentiality.

(b) When disseminating information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should properly select the appropriate recipient(s) to prevent the content of a report from being exploited to the detriment of aviation safety, by revealing, for instance, uncorrected vulnerabilities.

[applicable from 22 February 2026 – ED Decision 2023/10/R]

GM1 21.B.20A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

ED Decision 2023/010/R

When deemed necessary, a two-step mechanism could be used: a report alerting about the information security event or incident and the availability of additional data that would require controlled and confidential distribution. This report should only alert recipients of the urgency and the necessity for organisations and competent authorities to establish further communication through secure means.

Therefore, the report should consist of two parts: one limited to mostly public information and one containing the sensitive data that should be restricted to the recipients who need to know. Wherever possible, reports should be based on an agreed taxonomy.

[applicable from 22 February 2026 – ED Decision 2023/10/R]

21.B.25 Management system

Regulation (EU) 2022/203

(a) The competent authority shall establish and maintain a management system, including as a minimum:

1. documented policies and procedures to describe its organisation, the means and methods for establishing compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts. The procedures shall be kept up to date, and serve as the basic working documents within that competent authority for all its related tasks;

2. a sufficient number of personnel to perform its tasks and discharge its responsibilities. A system shall be in place to plan the availability of personnel in order to ensure the proper completion of all tasks;

3. personnel that are qualified to perform their allocated tasks and that have the necessary knowledge and experience, and receive initial and recurrent training to ensure continuing competency;

4. adequate facilities and office accommodation for personnel to perform their allocated tasks;

5. a function to monitor the compliance of the management system with the relevant requirements, and the adequacy of the procedures, including the establishment of an internal audit process and a safety risk management process. Compliance monitoring shall include a feedback system of audit findings to the senior management of the competent authority to ensure the implementation of corrective actions as necessary;

6. a person or group of persons having a responsibility to the senior management of the competent authority for the compliance monitoring function.

(b) The competent authority shall, for each field of activity, including the management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).

(c) The competent authority shall establish procedures for the participation in a mutual exchange of all necessary information and assistance with any other competent authorities concerned, whether from the same Member State or from other Member States, including on:

1. all findings raised and any follow-up actions taken as a result of the oversight of persons and organisations that carry out activities in the territory of a Member State, but certified by the competent authority of another Member State or by the Agency;

2. information stemming from mandatory and voluntary occurrence reporting as required by 21.A.3A.

(d) A copy of the procedures related to the management system of the competent authority of the Member State and their amendments shall be made available to the Agency for the purpose of standardisation.

(e) In addition to the requirements contained in point (a), the management system established and maintained by the competent authority shall comply with Annex I (Part-IS.AR) to Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.

[point (e) is applicable from 22 February 2026 – Regulation (EU) 2023/203]

AMC1 21.B.25 Management system

ED Decision 2023/014/R

GENERAL

(a) The competent authority should be organised in such a way that:

(1) there is specific and effective management authority in the conduct of all relevant activities;

(2) the functions and processes described in the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, AMC, CSs, and GM are properly implemented;

(3) the competent authority’s policy, organisation and operating procedures for the implementation of the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, AMC, CSs, and GM are properly documented and applied;

(4) all the competent authority’s personnel who are involved in the related activities are provided with training where necessary;

(5) specific and effective provision is made for communicating and interfacing as necessary with EASA and other competent authorities; and

(6) all the functions related to implementing the applicable requirements are adequately described.

(b) A general policy in respect of the activities related to the applicable requirements of Regulation (EU) 2018/1139 and the delegated and implementing acts should be developed, promoted and implemented by the manager at the highest appropriate level; for example, the manager at the top of the functional area of the competent authority that is responsible for such activities.

(1) Appropriate steps should be taken to ensure that the policy is known and understood by all the personnel involved, and all the necessary steps should be taken to implement and maintain the policy.

(2) The general policy should, in particular, take into account:

(a) the provisions of Regulation (EU) 2018/1139;

(b) the provisions of the applicable delegated and implementing acts, AMC, CSs, and GM;

(c) the needs of industry; and

(d) the needs of EASA and of the competent authority.

(3) The policy should define specific objectives for the key elements of the competent authority organisation and processes for implementing the related activities, including the corresponding control procedures and the measurement of the achieved standard.

AMC2 21.B.25 Management system

ED Decision 2023/014/R

ORGANISATIONAL STRUCTURE

(a) In deciding upon the required organisational structure, the competent authority should review:

(1) the number of certificates, approvals, authorisations and letters of agreements to be issued;

(2) the number, complexity and sizes of the Part 21 organisations under its oversight obligations;

(3) the possible use of qualified entities and of the resources of the competent authority of other Member States to fulfil the continuing oversight obligations;

(4) the complexity of the aviation industry, taking into consideration the diversity of the products and parts; and

(5) the potential growth of activities in the field of civil aviation.

(b) The competent authority should retain effective control of the important surveillance functions and not delegate them in such a way that Part 21 organisations, in effect, regulate themselves in airworthiness matters.

(c) The set-up of the organisational structure should ensure that the various tasks and obligations of the competent authority do not solely rely on individuals. The continuous and undisturbed fulfilment of these tasks and obligations of the competent authority should also be guaranteed in cases of illness, accidents or leave of individual employees.

GM1 21.B.25 Management system

ED Decision 2023/014/R

GENERAL – RELEVANT ACTIVITIES

For the purpose of the AMC and GM to point 21.B.25, the activities referred to are those activities related to the certification and surveillance of design or production organisations.

AMC1 21.B.25(a)(1) Management system

ED Decision 2023/014/R

DOCUMENTED POLICIES AND PROCEDURES

(a) The various elements of the organisation involved with the activities related to Regulation (EU) 2018/1139 and its delegated and implementing acts should be documented in order to establish a reference source for the establishment and maintenance of this organisation.

(b) The documented procedures should be established in a way that facilitates their use. They should be clearly identified, kept up to date and made readily available to all the personnel involved in the related activities.

(c) The documented procedures should cover, as a minimum, all of the following aspects:

(1) policies and objectives;

(2) the organisational structure;

(3) responsibilities and the associated authority;

(4) processes and procedures;

(5) internal and external interfaces;

(6) internal control procedures;

(7) the training of personnel;

(8) cross-references to associated documents; and

(9) assistance from other competent authorities or EASA (where required).

(d) It is likely that the information may be held in more than one document or series of documents, and suitable cross-referencing should be provided. For example, the organisational structure and the job descriptions are not usually in the same documentation as the detailed working procedures. In such cases, it is recommended that the documented procedures should include an index of cross-references to all such other related information, and the related documentation should be readily available when required.

GM1 21.B.25(a)(2) Management system

ED Decision 2023/014/R

SUFFICIENT PERSONNEL

(a) This GM on the determination of the required personnel is limited to the performance of certification and oversight tasks, excluding any personnel who are required to perform tasks that are subject to any national regulatory requirements.

(b) The elements to be considered when determining who are the required personnel and when planning their availability may be divided into quantitative and qualitative elements:

(1) Quantitative elements

(i) the estimated number of initial certificates to be issued;

(ii) the number of organisations to be certified by the competent authority;

(iii) the estimated number of subcontracted organisations used by certified organisations.

(2) Qualitative elements

(i) the size, nature, and complexity of the activities of certified organisations, taking into account:

(A) the privileges of each organisation;

(B) the types of approval and the scopes of approval;

(C) possible certification to industry standards;

(D) the number of personnel; and

(E) the organisational structure and the existence of subsidiaries;

(ii) the safety priorities identified;

(iii) the results of past oversight activities, including audits, inspections and reviews, in terms of risks and regulatory compliance, taking into account:

(A) the number and the levels of findings;

(B) the time frame for the implementation of corrective actions;

(C) the maturity of the management systems implemented by organisations, and their ability to effectively manage safety risks; and

(iv) the size and complexity of the Member States’ aviation industry, and the potential growth of activities in the field of civil aviation, which may be an indication of the number of new applications, and changes to existing certificates to be expected.

(c) Based on existing data from previous oversight planning cycles, and taking into account the situation within the Member State’s aviation industry, the competent authority may estimate:

(1) the standard working time required for processing applications for new certificates, approvals, authorisations or letters of agreement;

(2) the number of new certificates, approvals, authorisations or letters of agreement to be issued for each planning period; and

(3) the number of changes to existing certificates, approvals, authorisations or letters of agreement to be processed for each planning period.

(d) In line with the competent authority’s oversight policy, the following planning data should be determined:

(1) the standard number of audits to be performed per oversight planning cycle;

(2) the standard duration of each audit;

(3) the standard working time for audit preparation, on-site audit, reporting, and follow-up per inspector;

(4) the standard number of unannounced inspections to be performed;

(6) the standard duration of inspections, including preparation, reporting, and follow-up per inspector; and

(7) the minimum number and the required qualifications of the inspectors for each audit/inspection.

(e) The standard working time could be expressed either in working hours per inspector, or in working days per inspector. All planning calculations should, then, be based on the same units (working hours or days).

(f) The use of a spreadsheet application is recommended to process the data defined under (c) and (d), to assist in determining the total number of working hours/days per oversight planning cycle required for certification, oversight and enforcement activities. This application could also serve as a basis for implementing a system for planning the availability of personnel.

(g) The number of working hours/days per planning period for each qualified inspector that may be allocated for certification, oversight and enforcement activities should be determined, taking into account:

(1) purely administrative tasks not directly related to certification and oversight;

(2) training;

(3) participation in other projects;

(4) planned absences; and

(5) the need to include a reserve for unplanned tasks or unforeseeable events.

(h) The determination of working time available for certification, oversight and enforcement activities should also consider, if applicable:

(1) the use of qualified entities;

(2) cooperation with other competent authorities for approvals that involve more than one Member State; and

(3) oversight activities under a bilateral aviation safety agreement.

(i) Based on the elements listed above, the competent authority should be able to:

(1) monitor the dates when audits and inspections are due, and when they were carried out;

(2) implement a system to plan the availability of personnel; and

(3) identify possible gaps between the number and the qualifications of personnel and the required volume of certification and oversight.

Care should be taken to keep planning data up to date in line with changes in the underlying planning assumptions, with a particular focus on risk-based oversight principles.

AMC1 21.B.25(a)(3) Management system

ED Decision 2023/014/R

QUALIFICATIONS AND TRAINING — GENERAL

(a) It is essential for the competent authority to have the full capability to adequately assess the compliance and performance of an organisation by ensuring that the whole range of activities is assessed by appropriately qualified personnel.

(b) For each inspector, the competent authority should:

(1) define the competencies required to perform the allocated certification and oversight tasks;

(2) define the associated minimum qualifications that are required;

(3) establish initial and recurrent training programmes in order to maintain and to enhance the competency of inspectors at the level that is necessary to perform the allocated tasks; and

(4) ensure that the training provided meets the established standards, and is regularly reviewed and updated as necessary.

(c) The competent authority should ensure that training is provided by qualified trainers with appropriate training skills.

AMC2 21.B.25(a)(3) Management system

ED Decision 2023/014/R

QUALIFICATIONS AND TRAINING — INSPECTORS

(a) Competent authority inspectors should have:

(1) practical experience and expertise in the application of aviation safety standards and safe operating practices;

(2) comprehensive knowledge of:

(i) relevant parts of Regulation (EU) 2018/1139 and its delegated and implementing acts and the related AMC, CSs and GM;

(ii) the competent authority’s procedures;

(iii) the rights and obligations of an inspector;

(iv) safety management systems based on the EU management system requirements and ICAO Annex 19, and compliance monitoring;

(v) design or production standards, as applicable;

(vi) design-related or production-related human factors and human performance principles, as appropriate;

(3) training on auditing techniques and assessing and evaluating management systems and safety risk management processes;

(4) 5 years of relevant work experience to be allowed to work without supervision as an inspector. This may include experience gained during training to obtain the qualifications described in point (a)(5) below; and

(5) a relevant engineering degree with additional education. ‘Relevant engineering degree’ means an engineering degree from aeronautical, mechanical, electrical, electronic, avionics or other studies relevant to the design and production of aircraft/aircraft components.

(b) In addition to technical competency, inspectors should have a high degree of integrity, be impartial in carrying out their tasks, be tactful, and have a good understanding of human nature.

(c) A programme for recurrent training should be developed that ensures that the inspectors remain competent to perform their allocated tasks. As a general policy, it is not desirable for the inspectors to obtain technical qualifications from those entities that are under their direct regulatory oversight.

AMC3 21.B.25(a)(3) Management system

ED Decision 2023/014/R

INITIAL AND RECURRENT TRAINING — INSPECTORS

(a) Initial training programme

The initial training programme for inspectors should include, to an extent appropriate to their role, current knowledge, experience and skills in at least the following:

(1) aviation legislation, organisation, and structure;

(2) the Chicago Convention, the relevant ICAO Annexes and Documents;

(3) Regulation (EU) No 376/2014 on the reporting, analysis and follow-up of occurrences in civil aviation;

(4) overview of Regulation (EU) 2018/1139 and its delegated and implementing acts and the related AMC, CSs, and GM;

(5) Regulation (EU) No 748/2012 as well as any other applicable requirements;

(6) management systems, including the assessment of the effectiveness of a management system, in particular hazard identification and risk assessment, and non-punitive reporting techniques in the context of the implementation of a ‘just culture’;

(7) auditing techniques;

(8) procedures of the competent authority that are relevant to the inspectors’ tasks;

(9) human factors principles;

(10) the rights and obligations of inspecting personnel of the competent authority;

(11) on-the-job training relevant to the inspector’s tasks;

(12) technical training that is appropriate to the role and tasks of the inspector, in particular for those areas that require approvals.

NOTE: The duration of the on-the-job training should take into account the scope and complexity of the inspector’s tasks. The competent authority should assess whether the required competency has been achieved before an inspector is authorised to perform a task without supervision.

(b) Recurrent training programme

Once qualified, the inspector should undergo training periodically, as well as whenever it is deemed necessary by the competent authority, in order to remain competent to perform the allocated tasks. The recurrent training programme for inspectors should include, as appropriate to their role, at least the following topics:

(1) changes in aviation legislation, the operational environment and technologies;

(2) procedures of the competent authority that are relevant to the inspector’s tasks;

(3) technical training that is appropriate to the role and tasks of the inspector; and

(4) results from past oversight.

(c) Assessments of an inspector’s competency should take place at regular intervals that do not exceed 3 years. The results of these assessments, as well as any actions taken following these assessments, should be recorded.

AMC1 21.B.25(a)(5) Management system

ED Decision 2023/014/R

SAFETY RISK MANAGEMENT PROCESS

(a) The safety risk management process required by point (a)(5) of point 21.B.25 should be documented. The following should be defined in the related documentation:

(1) means for hazard identification and the related data sources, taking into account data that comes from other competent authorities with which the competent authority interfaces in the State or from the competent authorities of other Member States;

(2) risk management steps including:

(i) analysis (in terms of the probability and the severity of the consequences of hazards and occurrences);

(ii) assessment (in terms of tolerability); and

(iii) control (in terms of mitigation) of risks to an acceptable level;

(3) who holds the responsibilities for hazard identification and risk management;

(4) who holds the responsibility for the follow-up of risk mitigation actions;

(5) the levels of management who have the authority to make decisions regarding the tolerability of risks;

(6) means to assess the effectiveness of risk mitigation actions; and

(7) the link with the compliance monitoring function.

(b) To demonstrate that the safety risk management process is operational, competent authorities should be able to provide evidence that:

(1) the persons involved in internal safety risk management activities are properly trained;

(2) hazards that could impact the authority’s capabilities to perform its tasks and discharge its responsibilities have been identified, and the related risk assessment is documented;

(3) regular meetings take place at appropriate levels of management of the competent authority to discuss the risks identified and to decide on the risk tolerability and possible risk mitigations;

(4) in addition to the initial hazard identification exercise, the risk management process is triggered as a minimum whenever changes occur that may affect the competent authority’s capability to perform any of the tasks required by Part 21;

(5) a record of the actions taken to mitigate risks is maintained, showing the status of each action and the owner of the action;

(6) there is follow-up on the implementation of all risk mitigation actions;

(7) risk mitigation actions are assessed for their effectiveness;

(8) the results of risk assessments are periodically reviewed to check whether they remain relevant.

GM1 21.B.25(a)(5) Management system

ED Decision 2023/014/R

SAFETY RISK MANAGEMENT PROCESS

The purpose of safety risk management as part of the management system framework for competent authorities is to ensure the effectiveness of the management system. As for any organisation, hazard identification and risk management are expected to contribute to effective decision-making, to guide resource allocation and contribute to organisational success.

The safety risk management process required by point 21.B.25 is intended to address the safety risks that are directly related to the competent authority’s organisation and processes, and which may affect its capability to perform its tasks and discharge its responsibilities. This process is not intended to be a substitute for the State safety risk management SARPs defined in ICAO Annex 19, Chapter 3. This does not mean, however, that the competent authority may not use information and data that is obtained through its State Safety Programme (SSP), including oversight data and information, for the purpose of safety risk management as part of its management system.

The safety risk management process is also to be applied to the management of changes (point 21.B.35), which is intended to ensure that the management system remains effective whenever changes occur.

AMC1 21.B.25(d) Management system

ED Decision 2023/014/R

PROCEDURES AVAILABLE TO EASA

(a) Copies of the procedures related to the management system of the competent authority of the Member State, and their amendments, that should be made available to EASA for the purpose of standardisation, should provide at least the following information:

(1) the competent authority’s organisational structure for the continuing oversight functions that it undertakes, with a description of the main processes. This information should demonstrate the allocation of responsibilities within the competent authority, and that the competent authority is capable of carrying out the full range of tasks regarding the size and complexity of the Member State’s aviation industry. It should also consider the overall proficiency and the scope of authorisation of the competent authority’s personnel;

(2) for personnel who are involved in oversight activities, the minimum required professional qualification and amount of experience, and the principles that guide their appointment (e.g. assessment);

(3) how the following are carried out: assessments of applications and evaluations of compliance; the issuance of certificates, approvals, authorisations and letters of agreement; continuing oversight activities; the follow-up of findings; enforcement measures; and the resolution of safety concerns;

(4) the principles used to manage exemptions and derogations;

(5) the processes that are in place to distribute applicable safety information for timely reaction to a safety problem;

(6) the criteria for planning continuing oversight activities (i.e. an oversight programme), including the management of interfaces when conducting continuing oversight activities;

(7) an outline of the initial training of newly recruited oversight personnel (taking future activities into account), and the basic framework for the recurrent training of oversight personnel.

(b) As part of the continuous monitoring of a competent authority, EASA may request details of the working methods used, in addition to a copy of the procedures of the competent authority’s management system (and any amendments). These additional details are the procedures and related guidance material that describe the working methods for the personnel of the competent authority who conduct oversight activities.

(c) Information related to the competent authority’s management system may be submitted in an electronic format.

21.B.30 Allocation of tasks to qualified entities [applicable until 21 February 2026] / 21.B.30 Allocation of tasks [applicable from 22 February 2026 – Regulation (EU) 2023/203]

Regulation (EU) 2022/203

(a) The competent authority may allocate tasks related to the initial certification or to the continuing oversight of products and parts, as well as of natural or legal persons subject to Regulation (EU) 2018/1139 and its delegated and implementing acts to qualified entities. When allocating tasks, the competent authority shall ensure that it has:

1. put a system in place to initially and continuously assess whether the qualified entity complies with Annex VI to Regulation (EU) 2018/1139. That system and the results of the assessments shall be documented;

2. established a written agreement with the qualified entity, approved by both parties at the appropriate management level, which stipulates:

(i) the tasks to be performed;

(ii) the declarations, reports and records to be provided;

(iii) the technical conditions to be met when performing such tasks;

(iv) the related liability coverage;

(v) the protection given to the information acquired when carrying out such tasks.

(b) The competent authority shall ensure that the internal audit process and safety risk management process established pursuant to point 21.B.25(a)(5) cover all the certification and continuing oversight tasks performed by the qualified entity on its behalf.

(c) For the certification and oversight of the organisation’s compliance with points 21.A.139A and 21.A.239A, the competent authority may allocate tasks to qualified entities in accordance with point (a), or to any relevant authority responsible for information security or cybersecurity within the Member State. When allocating tasks, the competent authority shall ensure that:

(1) all aspects related to aviation safety are coordinated and taken into account by the qualified entity or relevant authority;

(2) the results of the certification and oversight activities performed by the qualified entity or relevant authority are integrated in the overall certification and oversight files of the organisation;

(3) its own information security management system established in accordance with point 21.B.25(e) covers all the certification and continuing oversight tasks performed on its behalf.

[point (c) is applicable from 22 February 2026 – Regulation (EU) 2023/203]

CERTIFICATION TASKS

The tasks that may be performed by a qualified entity on behalf of the competent authority include those that are related to the initial certification and the continuing oversight of persons and organisations as defined in Part 21.

21.B.35 Changes in the management system

Regulation (EU) 2022/203

(a) The competent authority shall have a system in place to identify the changes that affect its capability to perform its tasks and discharge its responsibilities as defined in Regulation (EU) 2018/1139 and its delegated and implementing acts. That system shall enable the competent authority to take action necessary to ensure that its management system remains adequate and effective.

(b) The competent authority shall update in a timely manner its management system to reflect any changes to Regulation (EU) 2018/1139 and its delegated and implementing acts so as to ensure its effective implementation.

(c) The competent authority of the Member State shall notify the Agency of any changes affecting its capability to perform its tasks and discharge its responsibilities as provided for in Regulation (EU) 2018/1139 and its delegated and implementing acts.

21.B.55 Record-keeping

Regulation (EU) 2022/203

(a) The competent authority shall establish a record-keeping system that allows the adequate storage, accessibility and reliable traceability of:

1. the management system’s documented policies and procedures;

2. the training, qualifications and authorisation of its personnel;

3. the allocation of tasks, covering the elements required by point 21.B.30, as well as the details of tasks allocated;

4. certification processes and continuing oversight of certified organisations, including:

(i) the application for a certificate, approval, authorisation and letter of agreement;

(ii) the competent authority’s continuing oversight programme, including all the assessments, audits and inspection records;

(iii) the certificates, approvals, authorisations and letters of agreement issued, including any changes to them;

(iv) a copy of the oversight programme, listing the dates when audits are due and when audits were carried out;

(v) copies of all formal correspondence;

(vi) recommendations for the issue or continuation of a certificate, an approval, authorisation or a letter of agreement, detail of findings and actions taken by the organisations to close those findings, including the date of closure, enforcement actions and observations;

(vii) any assessment, audit and inspection report issued by another competent authority pursuant to points 21.B.120(d), 21.B.221(c) or 21.B.431(c);

(viii) copies of all the organisation expositions, handbooks or manuals, and of any amendments to them;

(ix) copies of any other documents approved by the competent authority;

5. Statements of Conformity (EASA Form 52, see Appendix VIII) and Authorised Release Certificates (EASA Form 1, see Appendix I) that it has validated for organisations that produce products, parts or appliances without a production organisation approval certificate according to Subpart F of Section A of this Annex.

(b) The competent authority shall include in the record-keeping:

1. documents supporting the use of alternative means of compliance;

2. safety information in accordance with point 21.B.15 and follow-up measures;

3. the use of safeguard and flexibility provisions in accordance with Articles 70, 71(1) and 76(4) of Regulation (EU) 2018/1139.

(c) The competent authority shall maintain a list of all the certificates, approvals, authorisations and letters of agreement it has issued.

(d) All the records referred to in points (a), (b) and (c) shall be kept for a minimum period of 5 years, subject to applicable data protection law.

(e) All the records referred to in points (a), (b) and (c) shall be made available, upon request, to a competent authority of another Member State or to the Agency.

GM1 21.B.55 Record-keeping

ED Decision 2023/014/R

DATA RELATED TO DESIGN APPROVALS

This GM specifies the administrative documents to be kept for the various kinds of design approvals. It does not repeat the requirements for design approval holders to keep records (ref.: point 21.A.55).

(a) Type-certificate

(1) Copy of the TC

(2) Copy of the TCDS

(3) Environmental protection approval data

(4) Documents defining the type-certification basis including information to justify special conditions, equivalent safety findings and exemptions (Certification Review Items or equivalent)

(5) List of approved modifications

(6) List of the competent authority’s approved publications (Flight Manual, Repair Manual, Airworthiness Limitations, Certification Maintenance Requirements)

(7) Airworthiness directives

(8) Master Minimum Equipment List

(9) Maintenance Review Board Report

(b) Supplemental type certificate

(1) Copy of the STC

(2) Environmental protection approval data

(3) Documents defining the certification basis including information to justify special conditions, equivalent safety findings and exemptions (Certification Review Items or equivalent)

(4) List of the competent authority’s approved documents

(5) Airworthiness directives

(c) JTSO Authorisation

(1) Copy of ETSO authorisation letter

(2) Copy of Declaration of Design and Performance

(3) Statement of compliance with applicable standards

(4) Airworthiness directives

(d) Other part or appliance approvals

(1) Copy of the approval letter

(2) Copy of the Declaration of Design and Performance or equivalent

(3) Statement of compliance with applicable standards

(4) Airworthiness directives

(e) Changes from non TC or STC holders

(1) Modification approval sheet, or equivalent document

(2) Documents required by point 21.A.5, or equivalent national requirement

Note: Not applicable to design approvals issued under a DOA privilege, for which record-keeping is under the DOA holder's responsibility.

(f) Repair design approvals

(1) Repair approval sheet

(2) Documents listed in point 21.A.5

Note: Not applicable to repair designs approved under a DOA privilege, for which record-keeping is under the DOA holder's responsibility.

AMC1 21.B.55(a) Record-keeping

ED Decision 2022/021/R

GENERAL

(a) The record-keeping system should ensure that all the records are accessible within a reasonable time whenever they are needed. Those records should be organised in a manner that ensures their traceability and retrievability throughout the required retention period.

(b) All the records that contain sensitive data on applicants or organisations should be stored in a secure manner with controlled access, to ensure their confidentiality.

(c) The records should be kept in paper form, or in an electronic format, or a combination of both. Records that are stored on microfilm or optical discs are also acceptable. The records should remain legible and accessible throughout the required retention period. The retention period starts when the record is created.

(d) Paper record systems should use robust material that can withstand normal handling and filing. Computer record systems should have at least one backup system that should be updated within 24 hours of any new entry. Computer record systems should include safeguards to prevent unauthorised personnel from altering the data.

(e) All the computer hardware that is used to ensure the backup of data should be stored in a different location from the one that contains the working data and in an environment that ensures that the data remains in a good condition. When hardware or software changes take place, special care should be taken that all the necessary data continues to be accessible throughout at least the full period that is specified in point 21.B.55(d).

COMPETENT AUTHORITY MANAGEMENT SYSTEM

The records that are related to the competent authority’s management system should include, as a minimum, and as applicable:

(a) the documented policies and procedures;

(b) the personnel files of the competent authority personnel, with the supporting documents related to their training and qualifications;

(c) the results of the competent authority’s internal audits and safety risk management processes, including audit findings, as well as any corrective, preventive, and risk mitigation action; and

(d) the contracts that are established with the qualified entities that perform certification or oversight tasks on behalf of the competent authority.

GM1 21.B.55(e) Record-keeping

ED Decision 2022/021/R

TRACEABILITY OF RELEASE CERTIFICATES

The record-keeping of those EASA Forms 52 and 1 that are validated by the competent authority should allow the verification of that validation by the parties concerned, including the recipients of the release certificates.

21.B.65 Suspension, limitation and revocation

Regulation (EU) 2022/203

The competent authority shall:

(a) suspend a certificate, approval, permit to fly, authorisation or letter of agreement when it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to aircraft safety;

(b) suspend, revoke or limit a certificate, approval, permit to fly, authorisation or letter of agreement if such action is required pursuant to points 21.B.125, 21.B.225 or 21.B.433;

(c) suspend or revoke a certificate of airworthiness or a noise certificate upon evidence that some of the conditions specified in points 21.A.181(a) or 21.A.211(a) are not met;

(d) suspend or limit in whole or in part a certificate, approval, permit to fly, authorisation or letter of agreement if unforeseeable circumstances outside the control of the competent authority prevent its inspectors from discharging their oversight responsibilities over the oversight planning cycle.

DEFINITIONS

(a) SUSPENSION

A suspension is a temporary withdrawal of all the privileges of an organisation’s approval. No activities that invoke the approval can be made while the suspension is in force. Approval privileges may be reinstated when the circumstances that caused the suspension are corrected and the organisation can once again demonstrate full compliance with the requirements.

(b) LIMITATION

A limitation is an amendment to the certificate, approval, authorisation or letter of agreement that partially limits the privileges of the organisation.

(c) REVOCATION

A revocation is a permanent cancellation of the whole of an approval. All the rights and privileges of the organisation under the approval are withdrawn, and, after revocation, the organisation cannot perform activities that invoke the approval, and must remove all references to the approval from its company documentation.

LINK BETWEEN FINDINGS AND SUSPENSION OR LIMITATION OR REVOCATION

The level 1 findings are those which may lead, if not properly addressed, to suspension, limitation or revocation of the approval. If appropriate, these negative decisions on the approval may be taken immediately, or after the organisation fails to comply within the time period agreed by the competent authority.

The type of the negative decision — i.e. suspension, limitation or revocation — should depend upon the contents and the extent of the level 1 finding. Normally, a limitation or a suspension should be considered first.