NIS2 and Aviation Operators: Frequently Asked Questions
The EU's NIS2 Directive, transposed into national law across EU member states from October 2024, classifies aviation as critical infrastructure and creates binding cybersecurity and incident reporting obligations for airlines, airports, and ATM providers operating in the EU. NIS2 introduces the most demanding incident reporting timelines in any EU cybersecurity framework, personal liability for senior management, and fines of up to €10 million or 2% of global annual turnover. This FAQ addresses the questions aviation operators most commonly ask about their NIS2 obligations.
NIS2 fines for aviation essential entities can reach €10M or 2% of global annual turnover — with personal management liability introduced for the first time.
NIS2 Scope: Which Aviation Operators Are Covered
NIS2 Annex I classifies aviation as a sector of high criticality. The following aviation entities are in scope as essential entities:
- Air carriers: Airlines operating commercial passenger or cargo services within the EU
- Airport managing bodies: Operators of EU airports above defined size thresholds
- Air traffic management: Air navigation service providers (ANSPs) and ATM service organisations operating in EU airspace
- Airport coordination authorities: Slot coordination bodies in EU member states
- Unmanned aircraft operators: Some large RPAS operators may fall within scope depending on national implementation
NIS2 Incident Reporting: The 24-Hour Requirement
NIS2 introduces a three-tier incident reporting regime more demanding than any previous EU cybersecurity framework:
- Early warning (24 hours): Notify the competent authority within 24 hours of becoming aware of a significant incident — even before full assessment is complete
- Incident notification (72 hours): Provide an incident notification with initial assessment, classification, and indicators of compromise within 72 hours
- Final report (1 month): Deliver a detailed incident report with root cause analysis, impact assessment, and remediation measures within one month
- A "significant incident" triggers reporting: one causing severe operational disruption, financial loss, or affecting other entities — aviation incidents typically meet this threshold
Frequently Asked Questions
Does NIS2 apply to UK aviation operators?
UK aviation operators are not directly subject to NIS2, which is an EU directive. However, UK operators with EU operations, EU subsidiaries, or EU-based regulated entities may be subject to NIS2 through those EU entities. The UK's NIS Regulations 2018 apply to UK OES-designated aviation operators with similar (though less demanding) obligations managed by the CAA. UK operators with EU exposure should assess their NIS2 obligations for their EU entities specifically.
What are the NIS2 minimum security measures for aviation operators?
NIS2 Article 21 requires essential entities to implement: risk analysis and information security policies; incident handling capabilities; business continuity (backup, disaster recovery, crisis management); supply chain security; network and information system security; policies on cryptography and encryption; human resources security; and MFA and secure communications as baseline technical controls. For aviation operators, these map closely to EASA Part-IS ISMS requirements — building a Part-IS compliant ISMS substantially satisfies NIS2 security measure obligations.
What does management personal liability under NIS2 mean for aviation executives?
NIS2 Article 20 requires management bodies of essential entities to approve cybersecurity risk management measures, oversee their implementation, and be personally accountable for compliance. Competent authorities can impose temporary bans from management positions on individuals personally responsible for serious NIS2 failures. Aviation CEOs, Accountable Managers, and other senior officers should ensure they personally understand their organisation's cybersecurity posture, receive regular cybersecurity reporting, and can demonstrate active governance of the security programme.
How is "significant incident" defined for NIS2 aviation reporting purposes?
NIS2 defines a significant incident as one that causes or could cause: severe operational disruption of the service; financial losses for the entity; or significant impact on other natural or legal persons through causing considerable material or non-material damages. For aviation operators, any incident causing meaningful disruption to flight operations, passenger processing, or ATC services would likely meet this threshold. Given aviation's safety-critical nature, competent authorities are expected to apply the threshold broadly in the aviation sector.
What is the fine regime under NIS2 for aviation operators?
For essential entities (airlines, airports, ATM providers meeting size thresholds), NIS2 provides for fines up to €10 million or 2% of global annual turnover — whichever is higher. This applies for serious or repeated failures to implement required security measures or incident reporting obligations. Member states may impose additional administrative measures including binding instructions and orders to implement specific security measures. The fine regime is comparable to GDPR enforcement powers — aviation operators should treat NIS2 compliance with equivalent seriousness.
Assess your NIS2 aviation obligations
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.