✈️NIS2 for Air Transport — deadlines, obligations, fines

NIS2 Art. 21(2) imposes the ten minimum measures (a-j) — risk analysis, incident handling, continuity, supply-chain security, MFA, cryptography, training, effectiveness assessment — an all-hazards approach aligned with European and international standards, including ISO/IEC 27001 and ISO/IEC 27002 [C3]. On the aviation side, Part-IS overlays specific requirements: an Information Security Management System (ISMS) with risk assessment (IS.I.OR.205), risk treatment (IS.I.OR.210), detection and response (IS.I.OR.220), an Information Security Management Manual (ISMM) and 5-year retention of records [C7]. The management body approves and oversees implementation (NIS2 Art. 20) and can be held liable for breaches [C15]. For Romanian airport operators, AACR (the Romanian Civil Aviation Authority) monitors Part-IS compliance, in cooperation with DNSC on the cybersecurity-training side (Modules 27 and 28 of PNPSAC, the National Civil Aviation Security Training Programme) [C18].

For an aviation entity covered simultaneously by NIS2 and Part-IS, the same event can trigger two parallel reporting flows. NIS2 Art. 23: early warning to the CSIRT (DNSC) within 24 hours of awareness, incident notification within 72 hours, final report within one month [C4]. Part-IS IS.I.OR.230: notification to the competent authority (AACR for Romanian entities) within 72 hours of an incident with aviation-safety impact, plus follow-up reports [C7]. In addition, Reg. (EC) 300/2008 and ICAO Annex 17 require reporting of acts of unlawful interference, including cyber, through aviation-security channels (in Romania: the Ministry of Transport + AACR) [C12][C13]. An airport CISO needs a single runbook that feeds, in parallel, the DNSC form + the AACR form + reporting to EATM-CERT EUROCONTROL where the incident affects ATM [C14].

The aviation industry runs on deep supply chains: avionics, onboard software, ATM systems, check-in software (vMUSE, Altea), bag-drop platforms, PSS (Passenger Service Systems), MRO maintenance systems. Recent incidents confirm the supply-chain blast radius: Collins Aerospace ransomware (September 2025) stopped check-in at Heathrow, Brussels and Berlin Brandenburg, forcing manual processing for hours [I1]; SITA in 2021 exposed data for 4.5 million Air India passengers [I3]; LockBit at Boeing in 2023 leaked 50 GB of parts and distribution data [I2]. NIS2 Art. 21(2)(d) requires assessment of critical suppliers, contractual clauses and continuous monitoring [C3]. For Part-IS, the operator remains responsible even when it delegates ICT/ISMS functions — IS.I.OR.235 [C7]. Practical recommendation: SBOM for avionics and airport software, contractual notification clauses <24h, exit strategy for hyperscalers and PSS providers.

Aviation runs 24/7, with zero margin for downtime in ATM and limited margin in airport operations. NIS2 Art. 21(2)(c) requires business continuity, backup management and crisis management [C3]. ICAO Doc 10213 (Global Cyber Risk Considerations) and the EUROCONTROL Cybersecurity Strategy assume that attacks will happen — the focus is on reducing the magnitude and duration of impact [C13][C14]. For ANSPs (ROMATSA), EATM-CERT collects and distributes cyber intelligence, coordinates a pan-European response, and supports national CERTs [C14]. The Air Serbia 2025 lesson: the absence of security logs prevented determination of the exact time of intrusion; continuity plans that have not been exercised on a real runbook do not work under pressure [I6]. Documented RTO/RPO per critical function (ATC, surveillance, communications, check-in, bag drop, AODB, BHS), with annual testing as a minimum.

NIS2 Art. 20 requires the management body to approve risk-management measures, to oversee implementation, and may be held liable for breaches; Member States may impose temporary prohibitions on exercising managerial functions for essential entities [C15]. In Romania, OUG 155/2024 transposed these provisions [C6]. Part-IS adds the 'accountable manager' figure — the person with authority to ensure resources and the security policy [C7]. Aviation-specific: AACR, in consultation with DNSC, sets the content of Module 27 (Cybersecurity awareness training) and Module 28 (Specific cybersecurity training) of PNPSAC (the National Civil Aviation Security Training Programme) [C18]. For essential entities, mandatory periodic training for personnel with access to critical systems (control tower, AODB, BHS, airport security systems, MRO systems).

Type: Ransomware (claimed by the Everest group) against the check-in and bag drop system

Impact: Attack started on 19 September 2025; ENISA officially confirmed it as ransomware. Hundreds of flights cancelled and major delays, the airports reverted to manual processing. Brussels asked for the cancellation of nearly half its flights in a single day; Heathrow operated close to normal through contingencies. The UK NCA arrested a suspect in West Sussex under the Computer Misuse Act.

Lesson: A single ICT vendor on a critical operational function = a single point of failure across multiple airports. NIS2 Art. 21(2)(d) and Part-IS supply chain (IS.I.OR.235) require concentration assessment, rapid-notification clauses and tested manual-bypass plans.

Type: LockBit ransomware, exploiting CVE-2023-4966 (CitrixBleed)

Impact: Listed on the LockBit leak site on 28 October 2023; Boeing confirmed the intrusion on 2 November 2023; on 10 November 2023 LockBit dumped about 50 GB of data after negotiations failed. Impact on the aircraft-parts supply chain.

Lesson: Patch management on known vulnerabilities (Citrix Bleed had a fix from 10 October 2023). NIS2 Art. 21(2)(e) and Part-IS IS.I.OR.205 require timely vulnerability handling, with critical scope (production, internet-exposed systems) prioritised.

Type: Cyberattack described as 'highly sophisticated but limited', identified on 24 February 2021

Impact: Air India confirmed 4.5 million passengers affected, with data from the period 26 August 2011 to 3 February 2021: name, date of birth, passport, ticket, frequent flyer status. SITA has more than 2,500 aviation customers across 200+ countries. Air India only published its statement naming SITA on 15 May 2021 — a communication delay of five weeks.

Lesson: A PSS vendor = a single point of failure for dozens of airlines. NIS2 Art. 23 requires notification to the CSIRT within 24h/72h; the five-week Air India delay would today cumulate both NIS2 and GDPR (Art. 33) sanctions.

Type: Hacktivist DDoS by KillNet / Anonymous Sudan / Anonymous Russia

Impact: February 2023: public websites of German airports taken down, with no impact on flights or operational systems. April 2023: a "100-hour EUROCONTROL marathon" announced by KillNet; internal and external communications affected for 2,000 staff who moved to commercial channels; air-traffic safety unaffected. Similar cases in the United States (October 2022) and Germany (January 2023).

Lesson: Pro-Russian hacktivist DDoS = a recurring vector against public-facing transport sites. Anti-DDoS at the edge, WAF for public applications, segregation of public networks from operational networks — minimum requirements under NIS2 Art. 21(2)(a) and (e).

Type: Cyberattack involving Active Directory compromise

Impact: An internal memo of 10 July 2025 delayed the distribution of June 2025 payslips; salaries were paid but the PDFs were inaccessible. On 14 July 2025, the internal team had not managed to eradicate access; the absence of security logs prevented determination of the exact time of intrusion, estimated to the early days of July 2025. High risk of personal-data compromise.

Lesson: Logs and telemetry on AD = a precondition for investigation. NIS2 Art. 21(2)(a) (risk analysis) and (i) (monitoring) require centralised logging with sufficient retention. If you cannot answer "when did the attacker get in?", you cannot meet Art. 23 (early warning within 24 hours).

Reg. Delegat (UE) 2022/1645 (Part-IS Delegated) · Directly applicable from 16 October 2025; does not require national transposition [C8]

For design and production organisations (Part-21) and aerodrome operators (Part-ADR), plus apron management service providers. For CN Aeroporturi Bucuresti, AIBC Cluj, AITS Timisoara and Iasi Airport — Part-IS Delegated becomes the main technical framework on aviation ISMS.

Reg. Impl. (UE) 2023/203 (Part-IS Implementing) · Directly applicable from 22 February 2026; does not require national transposition [C7]

For Part-145 (maintenance), Part-CAMO, Part-ORO (air carriers, although the AOC itself is excluded), Part-ATCO (controller training), Part-ATM/ANS (ROMATSA), ATO (training) organisations. Mandatory ISMM, 5-year record retention, 72h reporting to AACR for safety-impacting events. Romaero (Part-145) and the MRO arm of TAROM fall within scope.

Reg. (CE) 300/2008 — aviation security (anti-unlawful interference) · Applicable from 11 March 2008; national programmes in Romania via PNSAC + PNPSAC [C12]

The baseline framework for the protection of civil aviation against acts of unlawful interference, including cyber (through subsequent amendments). In Romania: the National Civil Aviation Security Programme (PNSAC) + the National Training Programme (PNPSAC), run by the Ministry of Transport and AACR. The cyber modules 27 and 28 are consulted with DNSC.

Reg. (UE) 2018/1139 — EASA Basic Regulation · Directly applicable from September 2018 [C11]

EASA's basic regulation, under which all the Part-* sub-regulations (Part-145, Part-CAMO, Part-ORO, Part-ATCO, Part-ATM/ANS, Part-ADR, Part-21) plus Part-IS are issued. For any Romanian aviation entity, technical compliance runs through this regulation + sub-acts.

ICAO Annex 17 — Security (Safeguarding Civil Aviation Against Acts of Unlawful Interference) · International SARPs; implemented in the EU via Reg. (EC) 300/2008; in Romania via AACR [C13]

Standard 4.9.1 and Doc 8973 Chapter 18 cover cyber threats explicitly. Doc 10213 (Global Cyber Risk Considerations) provides guidance on cyber risk analysis in aviation. ICAO + EASA + EUROCONTROL form the coordination triangle for ANSPs and airports in the EU.