Cybersecurity law in the aviation sector

Introduction

The EU directive on security of network and information systems (NIS Directive) is in part aimed at improving cybersecurity in a number of key sectors and this includes aviation. EU member states were required to implement the NIS Directive into national legislation by May 9, 2018. Some have done so, whereas others are still going through the implementation process. What is clear is that there is a significant divergence in approach as to how it is being implemented.

With the spate of recent incidents heightening the industry’s focus on the resilience of network and information systems, it is important that aviation entities take time to understand their obligations and the penalties for non-compliance.

Below, we review how the NIS Directive has been implemented in the UK, France and Germany. To provide wider context, we conclude with a short comparative analysis of the current state of US aviation cybersecurity regulation.

The NIS Directive and the aviation sector

In drafting the NIS Directive, European legislators targeted industry sectors in which the disruption could be severe if network security was compromised – including those sectors in which disruption could threaten economic stability and societal well-being.

Aviation is one such sector and the NIS Directive requires key organisations known as “operators of essential services” (OES), to maintain a certain level of network security that takes into account the changing risk and threat landscape.

Specifically, OESs are under an obligation to implement appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of networks, with a view to ensuring the continuity of services. What this means will vary by sector and the NIS Directive leaves the responsibility for scoping this to individual member states.

One of the overarching aims of the NIS Directive was to create harmonised and efficient network security across EU member states in the targeted sectors. This has been achieved to some extent, but the following highlights important points of divergence which aviation entities operating across more than one EU member state may need to be aware of. One of many points of divergence is on the issue of penalties imposed in each member state for non-compliance – these are significant, for example, when comparing the UK to France and Germany.

Implementation of the NIS Directive across EU member states

In the aviation sector, who is an OES?

This depends on the criteria set out in the implementing legislation in each member state.

Under the NIS Directive, a public or private aviation entity of a certain type, i.e. air carriers, airport managing bodies or traffic management control operators, should be an OES if

• they provide an essential service required to maintain critical societal and/or economic activities
• such service is dependent on network and information systems
• an incident would have significant disruptive impact on that service. In determining whether the disruption is likely to be judged ‘significant’ in the event of an incident, EU member states should take into account
• the number of users relying on the service
• the dependency of other sectors on the service
• market share of the entity
• geographical spread
• the importance of the provision of that service.

UK

The UK implemented the Network and Information Systems Regulations (UK NIS) on May 10, 2018.

Under the UK NIS, the following public-facing UK aviation entities will be OESs

• an owner or manager of an aerodrome with annual terminal passenger numbers greater than 10 million
• an air traffic service provider which has been granted an en route air traffic licence by the Secretary of State or Civil Aviation Authority, or has annual terminal passenger numbers greater than 10 million
• an air carrier flying more than 30 per cent of annual terminal passengers at any UK airport which has more than 10 million terminal passengers a year or more than 1 million total annual terminal passengers across all UK airports.

Relevant authorities may judge a UK aviation entity to be an OES, even if it does not meet the above criteria, if an incident involving the entity could cause a significant disruptive effect. The test for a “significant disruptive effect” under the UK NIS is whether the incident impacts economic stability and societal well-being, the factors highlighted by European legislators when drafting the Directive.

France

The NIS Directive has been partially transposed into French national law by virtue of The French NIS Directive Implementation Act of February 27, 2018 and Decree No. 2018-384 of May 25, 2018 (French NIS).

As with the UK NIS, the French NIS identifies specific categories of services including air carriers, airport managers, air navigation services, aircraft maintenance companies and operators of passenger flow management systems.

However, compared to the UK NIS, the French NIS does not specify thresholds to determine whether an entity is an OES. Rather it relies on a looser test which deems that a French aviation entity is an OES if it

• provides at least one service mentioned in the regulations (which for air carriers, would include passenger transport, check-in, boarding and operations)
• has network and information systems that are necessary to provide that entity’s service
• could be subject to an incident affecting their network and information systems that causes “serious consequences” to the provision of service taking in account the factors mentioned in the NIS Directive.

Germany

The NIS Directive was implemented into German national law by virtue of the Implementation Act of June 29, 2017 (German NIS), which was an amendment to the Act on the Federal Office for Information Security of August 14, 2009.

Under the German NIS, the test whether a German aviation entity will be an OES is simply whether an organisation in the transport industry provides services to more than 500,000 citizens per annum.

Enforcement

Under the NIS Directive, each member state is required to designate

• one or more national authorities to oversee the enforcement of the directive on OESs at a national level
• a national single point of contact to liaise with other member states ensuring national and international consistency of the NIS Directive
• one or more computer security incidence response teams (CSIRT) to assist with risk mitigation and incident handling.

The designated national authorities are required to ensure that: each member state is enforcing the NIS Directive in accordance with its objectives; incident reporting is consistent; and general issues are raised, resolved and harmonised across jurisdictions.

The NIS Directive requires that in the event of certain significant incidents involving an OES, the OES will need to notify the national authority or CSIRT “without undue delay”. This has been interpreted in varying ways across different member states.

The authority or CSIRT is required to notify other member states if the incident impacts them and to inform the public if and when appropriate.

Some member states have taken a sector-specific approach, meaning that an OES in the aviation sector will report incidents to a body familiar with the risks and challenges of the sector. Conversely, some jurisdictions have opted for a sector-agnostic approach, with one authority having responsibility for all incidents regardless of sector.

UK

Under the UK NIS, the designated authorities responsible for ensuring NIS Directive compliance are the Civil Aviation Authority (CAA) and Department for Transport (DfT), acting jointly. The National Cyber Security Centre is the single point of contact and is also the CSIRT.

In the event of an incident, an OES must first notify the CAA and DfT who in turn are required to notify the National Cyber Security Centre acting as the CSIRT.

Notification to the CAA and DfT of any incident which has a significant impact on the continuity of the essential service which that OES provides must be made without undue delay and in any event no later than 72 hours after the operator is aware that a NIS incident has occurred.

France

Under the French NIS, one authority is both the single point of contact and the CSIRT and that is the National Agency for the Security of Information Systems (ANSSI). Sector-specific authorities have not been appointed.

The reporting timeframe is somewhat vaguer under the French NIS than under the UK NIS. The reporting of a security incident to the ANSSI is to be done “as soon as the OES becomes aware [of an incident]”.

Germany

Under the German NIS, the Federal Office for Information Security (FOIS) acts as the central authority for all roles relating to the NIS Directive.

Incident reporting requirements are more specific and risk averse than French and UK NIS Directives, requiring immediate reporting to the FOIS of an incident affecting the functionality of a critical service.

What penalties can be imposed for non-compliance?

The NIS Directive states that national authorities have the ability to impose penalties in order to deter OESs from falling below the technical and organisational standards required. The NIS Directive requires penalties to be effective, proportionate and dissuasive. While this has been achieved in some member states, it is questionable whether this is the case in all.

UK

Under UK NIS, a range of penalty thresholds exist and, depending on the severity of the incident and its implications, a penalty can be imposed of up to £17 million.

France

Compared to the UK, the French NIS takes a more lenient approach in terms of the quantum of penalty that can be imposed, ranging from EUR100,000 to EUR125,000 and commentators have questioned whether the upper limit is sufficient to meet the requirement for penalties to be effective, proportionate and dissuasive. The French legislation does however introduce the potential for criminal liability to be imposed on directors.

Germany

Under the German NIS, fines can range from EUR50,000 to EUR100,000. Whether this achieves the stated aim of an effective, proportionate and dissuasive penalties regime is again questionable.

So do we have a harmonised regime in Europe?

We have a harmonised regime in one sense and that is that most member states have cybersecurity laws aimed at key industry sectors including aviation. There is however considerable divergence in what that means between member states.

This situation presents a governance and compliance issue for any OES that operates across more than one member state. It is important that organisations in the aviation sector understand whether they are or may be OESs and what the varying implications of this will be. This analysis should be done bearing in mind the various thresholds and designations across member states, particularly as organisations grow or expand their operations.

How does all of this measure up against the US position?

At present there is no US equivalent to the NIS Directive that imposes specific cybersecurity standards on companies in the aviation sector.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework, a voluntary framework to assist organizations responsible for critical infrastructure services to manage cybersecurity risk, is influential in the aviation sector but is not mandatory.

In addition, the FAA Reauthorization Act of 2018, which was passed in October 2018, requires the Federal Aviation Administration (FAA) to: (1) where appropriate, revise FAA regulations to address cybersecurity issues affecting aircraft avionics systems; and (2) initiate a review of the FAA’s strategic cybersecurity plan.

However, no comprehensive cybersecurity regulations of a similar type to the NIS Directive appear to be on the horizon.

Legalflyer August 2019