Document register | Transpordiamet
Reference | 3.3-6/25/4068-1
Registered | 13.03.2025
Synchronised | 14.03.2025
Type | Incoming letter
Function | 3.3 Organisation of internal and external communication
Series | 3.3-6 Requests for information, memoranda and requests for clarification
File | 3.3-6/2025
Access restriction | Public
Addressee | DIAMOND SKY OÜ
Method of receipt/dispatch | DIAMOND SKY OÜ
Responsible person | Rainer Must (Users, Aviation Service, Safety and Management System Department)
Our ref. 12.03.2025
Your ref. 13.01.2025
Dear Rainer Must,
We request Transpordiamet's interpretation of the application of Regulations (EU) 2023/203 and (EU) 2015/1998.
Reading the text of the regulation, if a company complies with Regulation 2015/1998, is the purpose of Regulation 2023/203 considered fulfilled?
Consequently, if the company's procedures set out in the security manual are uniform and applicable both to the air operator (operator) and to the continuing airworthiness management organisation (CAMO), is Regulation 2023/203 then considered fulfilled for both?
Excerpts from the regulations:
Commission Implementing Regulation (EU) 2023/203
Article 5
Requirements arising from other Union legislation
1. Where an organisation referred to in Article 2(1) complies with security requirements laid down in accordance with Article 14 of Directive (EU) 2016/1148 that are equivalent to the requirements laid down in this Regulation, compliance with those security requirements shall be considered to constitute compliance with the requirements laid down in this Regulation.
2. Where an organisation referred to in Article 2(1) is an operator or an entity referred to in the national civil aviation security programmes of Member States laid down in accordance with Article 10 of Regulation (EC) No 300/2008 of the European Parliament and of the Council (3), the cybersecurity requirements contained in point 1.7 of the Annex to Implementing Regulation (EU) 2015/1998 shall be considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation that shall be complied with as such.
3. Where the organisation referred to in Article 2(1) is the air navigation service provider of the European Geostationary Navigation Overlay Service (EGNOS) referred to in Regulation (EU) 2021/696, the security requirements contained in Articles 33 to 43 of Title V of that Regulation are considered to be equivalent with the requirements laid down in this Regulation, except as regards point IS.I.OR.230 of Annex II to this Regulation that shall be complied with as such.
4. The Commission, after consulting the Agency and the Cooperation Group referred to in Article 11 of Directive (EU) 2016/1148, may issue guidelines for the assessment of the equivalence of requirements laid down in this Regulation and Directive (EU) 2016/1148.
IS.I.OR.230 Information security external reporting scheme
(b) Without prejudice to the obligations of Regulation (EU) No 376/2014, the organisation shall ensure that any information security incident or vulnerability, which may represent a significant risk to aviation safety, is reported to their competent authority. Furthermore:
(2) Where such an incident or vulnerability affects a system or constituent used by the organisation, the organisation shall report it to the organisation responsible for the design of the system or constituent.
(c) The organisation shall report the conditions referred to in point (b) as follows:
(1) a notification shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, as soon as the condition has been known to the organisation;
(2) a report shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, as soon as possible, but not exceeding 72 hours from the time the condition has been known to the organisation, unless exceptional circumstances prevent this. The report shall be made in the form defined by the competent authority and shall contain all relevant information about the condition known to the organisation;
(3) a follow-up report shall be submitted to the competent authority and, if applicable, to the design approval holder or to the organisation responsible for the design of the system or constituent, providing details of the actions the organisation has taken or intends to take to recover from the incident and the actions it intends to take to prevent similar information security incidents in the future. The follow-up report shall be submitted as soon as those actions have been identified, and shall be produced in the form defined by the competent authority.
Commission Implementing Regulation (EU) 2015/1998
1.7 IDENTIFICATION AND PROTECTION OF CIVIL AVIATION CRITICAL INFORMATION AND COMMUNICATION TECHNOLOGY SYSTEMS AND DATA FROM CYBER THREATS
1.7.1 The appropriate authority shall ensure that airport operators, air carriers and entities as defined in the national civil aviation security programme identify and protect their critical information and communications technology systems and data from cyber-attacks which could affect the security of civil aviation.
1.7.2 Airport operators, air carriers and entities shall identify in their security programme, or any relevant document cross-referenced in the security programme, the critical information and communications technology systems and data described in 1.7.1. The security programme, or any relevant document cross-referenced in the security programme, shall detail the measures to ensure the protection from, detection of, response to and recovery from cyber-attacks, as described in 1.7.1.
1.7.3 The detailed measures to protect such systems and data from unlawful interference shall be identified, developed and implemented in accordance with a risk assessment carried out by the airport operator, air carrier or entity as appropriate.
1.7.4 Where a specific authority or agency is competent for measures related to cyber threats within a single Member State, this authority or agency may be designated as competent for the coordination and/or monitoring of the cyber-related provisions in this Regulation.
1.7.5 Where airport operators, air carriers and entities as defined in the national civil aviation security programme are subjected to separate cybersecurity requirements arising from other EU or national legislation, the appropriate authority may replace compliance with the requirements of this regulation by compliance with the elements contained in the other EU or national legislation. The appropriate authority shall coordinate with any other relevant competent authorities to ensure coordinated or compatible oversight regimes.