Aviation Cyber Incident Reporting: FAQs for UK and EU Operators

Aviation cyber incident reporting is more complex than in most sectors. A single significant incident may trigger reporting obligations to the CAA under NIS Regulations, to the ICO under UK GDPR, to EASA or your National Aviation Authority under Part-IS, to the NCSC as critical national infrastructure, and potentially to law enforcement via the NCA or police. Missing a reporting deadline — particularly the ICO's 72-hour personal data breach notification — carries its own regulatory risk on top of the underlying incident. This FAQ addresses the most common questions aviation operators ask about incident reporting obligations.

A single aviation cyber incident can trigger simultaneous reporting obligations to the CAA, ICO, EASA/NAA, and NCSC — with the ICO's 72-hour deadline running from the moment you become aware.

UK Aviation Incident Reporting Framework

UK aviation operators face incident reporting obligations under multiple frameworks:

  • CAA NIS reporting: OES-designated operators must report significant incidents affecting essential services to the CAA as competent authority
  • ICO GDPR reporting: Any notifiable personal data breach must be reported to the ICO within 72 hours — covers passenger data, staff data, and any other personal data affected
  • NCSC notification: Significant attacks on critical national infrastructure should be reported to NCSC — for airports and ANSPs, this is expected for major incidents
  • Police/NCA: Criminal cyber incidents should be reported to Action Fraud and potentially the National Crime Agency for critical infrastructure attacks
  • Cyber insurance: Policy notification requirements are contractual — typically 24–72 hours, check your specific policy

What Constitutes a "Significant Incident" for CAA NIS Reporting

The CAA as NIS competent authority for UK aviation expects notification of incidents that:

  • Cause or could cause severe disruption to the provision of essential services (flight operations, ATC, airport processing)
  • Affect safety-critical systems — ATC, baggage, security screening, aircraft systems
  • Result in significant operational disruption measurable in grounded flights, delayed passengers, or service withdrawal
  • Involve compromise of systems holding sensitive aviation security information
  • Result in personal data breach affecting significant numbers of individuals

Frequently Asked Questions

When does the 72-hour ICO reporting clock start for aviation data breaches?

The ICO's 72-hour clock starts when the organisation becomes aware that a notifiable breach has occurred — not when the breach itself happened. "Awareness" means the organisation (not just an individual) has sufficient information to determine that a notifiable breach has likely occurred. In practice, this typically means when your IT or security team confirms to management that personal data has been compromised. Late notification to the ICO is itself a GDPR breach — if you cannot complete a full report within 72 hours, submit an initial notification with what you know and follow up with more detail.

Do all aviation cyber incidents need to be reported to the CAA?

No — only significant incidents meeting the NIS threshold require CAA notification. Small-scale incidents that are contained without operational impact do not typically require regulatory notification. However, all incidents — including those not requiring external notification — should be logged in your internal incident register. The CAA may ask for your incident register during oversight visits. An empty register is implausible and suggests incidents are not being recorded. Good practice is to report more rather than less to the CAA when in doubt.

What should an aviation operator include in an initial CAA NIS incident notification?

Initial NIS notification does not need to be complete — it should be timely. Include: incident type (ransomware, data breach, system disruption); when it was detected and when it started; which systems are affected; whether operational services are impacted; initial containment measures taken; and contact details for the incident response team. Follow up with additional information as the investigation progresses. The CAA expects to be kept informed throughout a significant incident, not just notified at the start and end.

Is there a requirement to notify passengers affected by an aviation data breach?

Under UK GDPR Article 34, if a personal data breach is likely to result in high risk to affected individuals — financial harm, identity theft, discrimination, or other serious harm — the individuals must be notified without undue delay. For aviation breaches, this typically applies when payment card data, passport numbers, or special category data (health information, biometrics) is compromised. The notification must describe the nature of the breach, the likely consequences, and the measures taken to address it. Passenger notification is in addition to ICO reporting — both obligations may apply simultaneously.

What reporting is required under EASA Part-IS?

EASA Part-IS requires operators to report information security incidents that may affect aviation safety to their National Aviation Authority. The regulation focuses on safety-affecting incidents rather than all security events. The specific reporting procedures, timelines, and formats are established by NAA guidance — operators should review their NAA's published Part-IS reporting procedures. For UK operators, the CAA is developing Part-IS-aligned reporting guidance. In practice, any significant incident affecting operational systems should be considered for Part-IS notification alongside NIS and ICO obligations.
