
NIS2 and Aviation: Critical Infrastructure Obligations for Airlines and Airports

The EU's NIS2 Directive (Directive (EU) 2022/2555), which member states were required to transpose into national law by 17 October 2024, lists air transport among the "sectors of high criticality" in its Annex I. Air carriers, airport managing bodies and air traffic control providers that qualify as large enterprises are "essential entities" under NIS2. They are subject to binding minimum risk-management measures (Article 21), a staged incident-reporting regime that begins with an early warning within 24 hours of becoming aware of a significant incident (Article 23), and administrative fines whose statutory maximum must be at least €10 million or 2% of total worldwide annual turnover, whichever is higher (Article 34). Medium-sized entities in the same sector are "important entities", with a lower ceiling of at least €7 million or 1.4% of turnover. For aviation operators established in the EU, NIS2 compliance is a legal obligation with real financial consequences.

NIS2 fines for essential-entity aviation operators carry a maximum of at least €10 million or 2% of worldwide annual turnover, and Article 20 makes management bodies personally accountable for the organisation's risk-management measures, something the original NIS Directive did not impose.

Which Aviation Entities Are Covered by NIS2

NIS2 applies to entities established in the EU that provide their services or carry out their activities there (Article 26). Under Annex I (sectors of high criticality), the air transport subsector lists:

  • Air carriers: air carriers used for commercial purposes, as defined in Article 3(4) of Regulation (EC) No 300/2008
  • Airport managing bodies and airports: managing bodies as defined in Directive 2009/12/EC, airports including the core network airports listed in Annex II of Regulation (EU) No 1315/2013, and entities operating ancillary installations within airports
  • Air traffic management: traffic management control operators providing air traffic control (ATC) services as defined in Article 2(1) of Regulation (EC) No 549/2004

Two points of scope are worth checking before assuming an entity is out of scope. First, slot coordinators are not listed in Annex I, and ground infrastructure supporting satellite-based services (including GNSS ground segments) appears under the separate "space" sector of Annex I rather than under air transport. Second, the Annex I listing alone does not determine the category: large enterprises in these subsectors are essential entities (Article 3(1)), medium-sized enterprises are important entities (Article 3(2)), and member states may bring smaller entities into scope where a disruption of their service would have a significant impact (Article 2(2)).

NIS2 Minimum Security Requirements for Aviation

NIS2 Article 21 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems, following an all-hazards approach and taking into account the state of the art, the cost of implementation and the entity's exposure to risk. Article 21(2) lists the minimum measures, which for aviation operators translate to:

  • Policies on risk analysis and information system security, documented and reviewed regularly
  • Incident handling: detection, response and recovery capabilities with defined processes
  • Business continuity: backup management, disaster recovery and crisis management
  • Supply chain security: security requirements for relationships with direct suppliers and service providers, including the vulnerabilities specific to each supplier
  • Security in acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of the risk-management measures themselves
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

Note that Article 21 does not itself require background checks; vetting of staff in safety-sensitive roles comes from aviation security regulation, not from NIS2. Before the first supervisory engagement, map each of the ten headings above to the controls the organisation already operates, because competent authorities audit against this list.

Incident Reporting Timelines Under NIS2

NIS2 Article 23 introduces a staged incident-reporting regime that is more demanding than the predecessor NIS Directive. Aviation operators must: (1) send an early warning to the CSIRT or competent authority without undue delay and in any event within 24 hours of becoming aware of a significant incident, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact; (2) submit an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and any indicators of compromise available; (3) provide an intermediate status report if the authority requests one; and (4) submit a final report within one month of the incident notification, covering a detailed description of the incident, the type of threat or root cause, mitigation measures applied, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled. Where appropriate, affected recipients of the service must also be informed without undue delay, including of measures they can take in response. An incident is "significant" under Article 23(3) if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The directive does not set a sector-specific threshold for aviation, but because an operational disruption in air transport typically has both a safety and a passenger-impact dimension, operators should expect a relatively low practical bar for "significant" and should pre-define internally which categories of event trigger the 24-hour clock.

Management Accountability and Personal Liability

NIS2 introduced accountability of senior management in essential and important entities for the first time. Article 20 requires management bodies to approve the cybersecurity risk-management measures taken under Article 21, to oversee their implementation, and to follow cybersecurity training themselves; it also provides that management bodies can be held liable for infringements of Article 21. The enforcement powers in Article 32 add a further step for essential entities: where other enforcement measures have failed to remedy the infringement within the deadline set, competent authorities may temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. Aviation CEOs, Accountable Managers and Chief Operations Officers should therefore ensure that cybersecurity governance, including board-level approval of the risk-management measures and records of management training, is documented and evidenced.

Frequently Asked Questions

Does NIS2 apply to UK aviation operators?

UK aviation operators are not directly subject to NIS2, which is an EU directive. However, NIS2 jurisdiction follows establishment (Article 26): an EU-established subsidiary of a UK group that provides air transport services in the EU is in scope in its own right, so UK groups with EU subsidiaries should assess those entities separately. The UK's own NIS Regulations 2018 (currently under review for enhancement) apply to UK aviation operators designated as Operators of Essential Services and carry similar obligations, with the CAA acting as competent authority for the aviation subsector.

What is the fine regime under NIS2 for aviation operators?

Essential entities (which includes large airlines, major airports and ATC providers) face administrative fines whose maximum under national law must be at least €10 million or 2% of total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher (Article 34(4)); for important entities the corresponding figures are €7 million or 1.4% (Article 34(5)). Fines apply to infringements of the Article 21 risk-management obligations and the Article 23 reporting obligations. They sit alongside the non-financial enforcement powers in Article 32, including warnings, binding instructions, orders to cease non-compliant conduct and to inform affected recipients, and mandatory audits, and national competent authorities will generally use those measures before imposing financial penalties.

How does NIS2 interact with EASA Part-IS for aviation?

NIS2 and EASA Part-IS (Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203) both require aviation organisations to operate an information security management system, but they are separate frameworks with different scopes and regulatory backstops. Part-IS is concerned with information security risks that could affect aviation safety and is enforced through the aviation safety oversight system (AOC, Part-145 and other approvals held with the national aviation authority or EASA). NIS2 covers the continuity of the essential service as a whole, including risks with no direct safety effect, and is enforced by the national NIS competent authority, which varies by member state and is not usually the aviation authority. Operators subject to both must be able to demonstrate compliance to both regulators, and the two reporting regimes have different triggers and recipients, so the incident process should map each event to both sets of criteria. The underlying security controls overlap substantially, and a single well-implemented ISMS with a cross-reference from its controls to the Article 21 headings and to the Part-IS requirements can serve as the evidence base for both.
