Commission Implementing Regulation (EU) 2023/1769 of 12 September 2023 laying dow... (32023R1769)

COMMISSION IMPLEMENTING REGULATION (EU) 2023/1769

of 12 September 2023

laying down technical requirements and administrative procedures for the approval of organisations involved in the design or production of air traffic management/air navigation services systems and constituents and amending Implementing Regulation (EU) 2023/203

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (1), and in particular Article 43(1) and Article 62(15), point (c) thereof,
Whereas:
(1) Taking into account the objectives and principles set out in Articles 1 and 4 to Regulation (EU) 2018/1139, and in particular the nature and risk of the activity concerned, organisations involved in the design or production of air traffic management/air navigation service (ATM/ANS) systems and ATM/ANS constituents, should be required to hold a certificate.
(2) In order to ensure the uniform implementation of and compliance with the essential requirements referred to in Article 40 of Regulation (EU) 2018/1139, for the provision of ATM/ANS this Regulation should lay down rules and procedures for issuing, maintaining, amending, limiting, suspending or revoking the certificates for organisations involved in the design or production of ATM/ANS systems and ATM/ANS constituents, as well as the privileges and responsibilities of the holders of certificates.
(3) The conformity assessment of ATM/ANS equipment laid down in Commission Delegated Regulation (EU) 2023/1768 (2) depends on the nature and the risk of the ATM/ANS service, or on the functionality of a particular ATM/ANS equipment and is based on the existing methodologies and best practices. That Regulation establishes three different types of conformity assessment, in particular: a certification by the Agency of certain ATM/ANS equipment; a declaration by an approved organisation involved in the design or production of ATM/ANS equipment; and a statement of compliance by the ATM/ANS provider or by an approved organisation involved in the design or production of ATM/ANS equipment.
(4) The typical life cycle of ATM/ANS equipment consists of various phases: design, production, installation, operation, maintenance, and decommission. The ATM/ANS provider is usually responsible for some of those phases, while for other phases the organisations involved in the design or production of ATM/ANS equipment are responsible. Therefore, common requirements should be established for the approval and oversight of organisations involved in the design or production of certain ATM/ANS equipment used in the provision of ATM/ANS, in particular those referred to in point 3.1 of Annex VIII to Regulation (EU) 2018/1139.
(5) The European Union Aviation Safety Agency (‘the Agency’) is responsible for all competent authority tasks related to certificates and declarations for ATM/ANS systems and ATM/ANS constituents (‘ATM/ANS equipment’), including oversight and enforcement. To ensure consistency and risk-based assessment and, amongst others, to avoid duplication and administrative burdens, as well as to promote effectiveness in certification and oversight processes, those oversight and enforcement functions should be exercised by the Agency. For the purpose of certification or review of declarations of ATM/ANS equipment, it is necessary that the Agency also oversees the processes established by design and production organisations, including, where necessary, the certification of those organisations. Therefore, the Agency should be responsible for the approval of the organisations involved in the design or production of ATM/ANS equipment and at the same time for the attestation of ATM/ANS equipment.
(6) The competency of the Agency to certify design or production organisations should allow also for a non-discriminatory and harmonised approach towards all design or production organisations applying for a certificate under this Regulation. ATM/ANS equipment put on the market in the Union can be used in all Member States and for all kinds of services, no matter whether it is used by ATM/ANS providers active in one or more Member States. It is not possible to categorise the organisations involved in the design and production based on their future catalogue of equipment to be used on a local or Union level. The same principle is to be observed when the Agency is allocating certification and oversight tasks.
(7) In accordance with Article 29(2), point (a), of Regulation (EU) 2021/696 (3) of the European Parliament and of the Council, the European Union Agency for the Space Programme (EUSPA) has been entrusted with the task of managing the exploitation of the European Geostationary Navigation Overlay Service (EGNOS), as provided for in Article 44 of that Regulation. The exploitation of EGNOS covers, amongst other actions, the support to certification and standardisation activities. EUSPA does not perform alone all the tasks relating to the exploitation of EGNOS and instead relies on the expertise of other entities, in particular the European Space Agency (ESA), on activities related to system evolution, design and development of parts of the ground segment. Hence EUSPA should be considered as equivalent to a design or production organisation in the context of this Regulation.
(8) According to the roles and responsibilities defined in Regulation (EU) 2021/696 for EUSPA and ESA, there is not one unique entity responsible for the design of the EGNOS system and its equipment and therefore there is not a single Design and Production Organisation that could be approved by EASA.
(9) Consequently, the specificities of the set-up for the design of the EGNOS system require specific means for the demonstration of compliance with the essential requirements laid down in Regulation (EU) 2018/1139, taking into account that EGNOS is a multimodal service, which should also comply with relevant regulatory requirements for other sectors.
(10) Both agencies should cooperate to assure compliance of the EGNOS system with the relevant ICAO standards so that respective arrangements ensure a level of safety and interoperability equivalent to that resulting from the full application of the requirements for design and production in this Regulation. The cooperation will also include the consultation of EUSPA in the development of detailed specifications.
(11) This Regulation has taken due account of the content of the ATM Master Plan and technological capabilities contained in it.
(12) The Agency has prepared draft implementing rules and submitted them to the Commission with Opinion No 01/2023 in accordance with Article 75(2), points (b) and (c), and Article 76(1) of Regulation (EU) 2018/1139.
(13) In order to make optimal use of existing resources and expertise, the Agency may seek administrative support when executing its certification, oversight and enforcement tasks under this Regulation from national competent authorities. This administrative support should not constitute any delegation of powers or responsibilities of tasks.
(14) In order to include design or production organisations of ATM/ANS equipment in the scope of the management of information security risks with a potential impact on aviation safety, Implementing Regulation (EU) 2023/203 should be amended.
(15) The measures provided for in this Regulation are in accordance with the opinion of the Committee referred to in Article 127(1) of Regulation (EU) 2018/1139.
HAS ADOPTED THIS REGULATION:

Article 1

Subject matter

This Regulation lays down technical requirements and administrative procedures for the approval of organisations involved in the design or production of ATM/ANS systems and ATM/ANS constituents subject to certification in accordance with Article 4 of Delegated Regulation (EU) 2023/1768 or declaration of design compliance in accordance with Article 5 of that Regulation.

Article 2

Definitions

For the purpose of this Regulation the following definitions apply:
(1) ‘ATM/ANS equipment’ means ATM/ANS constituents as defined by Article 3(6) of Regulation (EU) 2018/1139 and ATM/ANS systems as defined by Article 3(7) of that Regulation, excluding airborne constituents, which are subject to Commission Regulation (EU) No 748/2012 (4);
(2) ‘ATM/ANS equipment directive’ means a document issued by the Agency which mandates actions to be performed by ATM/ANS providers on ATM/ANS equipment to address an unsafe and/or insecure condition that has been identified and restore the performance and interoperability of that ATM/ANS equipment when evidence shows that the safety, security, performance or interoperability of that particular equipment may otherwise be compromised.

Article 3

Competent authority requirements

1.   For the purposes of this Regulation, the competent authority responsible for the issue of approvals to organisations involved in the design or production of ATM/ANS equipment and for the oversight and enforcement in respect of those organisations, shall be the Agency.
2.   The Agency shall fulfil the detailed requirements laid down in Annex I (Part-DPO.AR) when conducting certification, investigations, inspections, audits and other monitoring activities necessary to ensure the effective oversight of organisations involved in the design or production of ATM/ANS equipment subject to this Regulation. The Agency may seek administrative support from national competent authorities for the performance of its tasks related to certification, oversight and enforcement when executing its functions under this Regulation.

Article 4

Organisations involved in the design, or production of ATM/ANS equipment

1.   An organisation involved in the design or production of ATM/ANS equipment subject to certification in accordance with Article 4 of Delegated Regulation (EU) 2023/1768 or declaration of design compliance in accordance with Article 5 of that Regulation shall demonstrate its capability as a design or production organisation for ATM/ANS equipment in accordance with Annex II (Part-DPO.OR).
2.   Organisations involved in the design or production of the ATM/ANS equipment of the European Geostationary Navigation Overlay Service (EGNOS) shall be deemed to comply with the requirements of Annex II to this Regulation by demonstrating their compliance with Regulation (EU) 2021/696 and with the management, design and quality standards applicable to EGNOS under that Regulation. Such organisations shall not be required to be approved by the Agency.
The European Union Agency for the Space Programme shall ensure in its role of a design or production organisation that the other organisations involved in the design or production of the equipment of EGNOS follow design and production processes resulting in the level of safety and interoperability equivalent to Annex II (Part-DPO.OR).

Article 5

Amendments to Implementing Regulation (EU) 2023/203 (5)

Implementing Regulation (EU) 2023/203 is amended as follows:
(1) in Article 2(1), the following point (j) is added:
‘(j) approved organisations involved in the design or production of ATM/ANS systems and ATM/ANS constituents subject to Commission Implementing Regulation (EU) 2023/1769 (*1).
(*1) Commission Implementing Regulation (EU) 2023/1769 of 12 September 2023 laying down technical requirements and administrative procedures for the approval of organisations involved in the design or production of air traffic management/air navigation services systems and constituents and amending Implementing Regulation (EU) 2023/203 (OJ L 228, XX.9.2023, p. 19).’
(2) in Article 6(1), the following point (h) is added:
‘(h) with regard to organisations referred to in Article 2(1), point (j), the competent authority designated in accordance with Article 3(1) of Implementing Regulation (EU) 2023/1769.’.

Article 6

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 12 September 2023.
For the Commission
The President
Ursula VON DER LEYEN
(1)  OJ L 212, 22.08.2018, p. 1.
(2)  Commission Delegated Regulation (EU) 2023/1768 of 14 July 2023 laying down detailed rules for the certification and declaration of air traffic management/air navigation services systems and air traffic management/air navigation services constituents (see page 1 of this Official Journal).
(3)  Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, p. 69).
(4)  Commission Regulation (EU) No 748/2012 of 3 August 2012 laying down implementing rules for the airworthiness and environmental certification of aircraft and related products, parts and appliances, as well as for the certification of design and production organisations (OJ L 224, 21.8.2012, p. 1).
(5)  Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) No 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) No 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) No 2021/664 (OJ L 31, 2.2.2023, p. 1).

ANNEX I

REQUIREMENTS FOR THE AGENCY

(Part-DPO.AR)

SUBPART A   GENERAL REQUIREMENTS (DPO.AR.A)

DPO.AR.A.001

Scope

This Annex establishes the requirements for the administration and management systems of the Agency for the certification, oversight and enforcement tasks of design or production organisations when the Agency exercises its tasks and responsibilities.

DPO.AR.A.010

Immediate reaction to a safety, security and interoperability problem

(a) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council (1), and the delegated and implementing acts adopted on the basis thereof, the Agency shall implement a system to appropriately collect, analyse, and disseminate safety, security and interoperability information.
(b) Upon receiving the information referred to in point (a), the Agency shall take appropriate measures to address any identified safety, security, or interoperability problem, including the issuing of ATM/ANS equipment directives in accordance with point ATM/ANS.EQMT.AR.A.030 of Annex I to Delegated Regulation (EU) 2023/1768.
(c) The measures taken under point (b) shall immediately be notified to the organisation concerned, who is obliged to comply with them, in accordance with point DPO.OR.A.035. The competent authorities of the ATM/ANS providers concerned shall also be notified.

DPO.AR.A.015

Immediate reaction to an information security incident or vulnerability with an impact on aviation safety

(a) The Agency shall implement a system to appropriately collect, analyse, and disseminate information related to information security incidents and vulnerabilities with a potential impact on aviation safety that are reported by organisations. This shall be done in coordination with any other relevant authorities responsible for information security or cybersecurity within the Member State to increase the coordination and compatibility of reporting schemes.
(b) Upon receiving the information referred to in point (a), the Agency shall take adequate measures to address the potential impact on aviation safety of the information security incident or vulnerability.
(c) Measures taken in accordance with point (b) shall immediately be notified to all persons or organisations that shall comply with them under Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on its basis. The Agency shall also notify those measures to the competent authorities of the Member States concerned.

SUBPART B   MANAGEMENT (DPO.AR.B)

DPO.AR.B.001

Management system

(a) The Agency shall establish and maintain a management system, including, as a minimum, the following elements:
(1) documented policies and procedures to describe its organisation, means and methods to establish compliance with Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on their bases, as necessary, for the exercise of its certification, oversight and enforcement tasks; the procedures shall be kept up to date and serve as the basic working documents within the Agency for all related tasks;
(2) a sufficient number of personnel to perform its tasks and discharge its responsibilities under this Regulation; a system shall be in place to plan the availability of personnel in order to ensure the proper completion of all related tasks;
(3) personnel that are qualified to perform their allocated tasks and have the necessary knowledge and experience, and have received initial and recurrent training to ensure their continuing competence;
(4) adequate facilities and offices to perform the allocated tasks;
(5) a function to monitor the compliance of the management system with the relevant requirements and the adequacy of the procedures, including the establishment of an internal audit process and a safety risk management process; the compliance-monitoring function shall include a system to provide feedback about audit findings to the senior management of the Agency to ensure the implementation of corrective actions as necessary;
(6) a person or group of persons ultimately responsible to the senior management of the Agency for the compliance-monitoring function.
(b) The Agency shall, for each field of activity included in the management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).
(c) The Agency shall establish procedures for its participation in a mutual exchange of all the necessary information with any other competent authority(ies) referred to in Article 4 of Commission Implementing Regulation (EU) 2017/373 (2) and provide them with assistance or request assistance from them, including any information that stems from mandatory and voluntary occurrence reporting as required by point DPO.OR.A.045.
(d) The management system established and maintained by the Agency shall comply with Annex I (Part-IS.AR) of Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.

DPO.AR.B.010

Changes in the management system

(a) The Agency shall have a system in place to identify those changes that affect its capability to perform its tasks and discharge its responsibilities as set out in Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof. That system shall enable the Agency to take action, as appropriate, to ensure that the management system remains adequate and effective.
(b) The Agency shall update its management system to reflect any changes to Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on the basis thereof, in a timely manner, so as to ensure the effective implementation of its management system.

DPO.AR.B.015

Record-keeping

(a) The Agency shall establish and maintain a record-keeping system that provides for adequate storage, accessibility, and reliable traceability of:
(1) the management system’s documented policies and procedures;
(2) the training, qualifications, and authorisation of personnel as required by point DPO.AR.B.001 (a)(3);
(3) the allocation of tasks, covering the elements required by point ATM/ANS.EQMT.AR.A.020 of Annex I to Delegated Regulation (EU) 2023/1768, as well as the details of the allocated tasks;
(4) the approval process as regards organisations involved in the design or production of ATM/ANS equipment, the certification process, and the registration of declarations of design compliance for ATM/ANS equipment and the continuing oversight, including:
(i) applications for the issue of approvals;
(ii) approvals issued to organisations involved in the design or production of ATM/ANS equipment, including the associated privileges and any changes to them;
(iii) ATM/ANS equipment certificates issued, including any changes to them that it has issued;
(iv) all valid declarations of design compliance of ATM/ANS equipment that it has registered;
(v) the Agency’s continuing oversight programme, including all assessment, audit and inspection records;
(vi) a copy of the oversight programme listing the dates when audits are due and when audits were carried out;
(vii) copies of all formal correspondence;
(viii) recommendations for the issue or continuation of a certificate or continuation of the registration of a declaration, details of findings, and actions taken by the organisations to close them, including the date of closure of each item, enforcement actions, and observations;
(ix) any assessment, audit or inspection report;
(x) copies of all organisation handbooks, procedures and processes or manuals and amendments to them;
(xi) copies of any other documents approved by the Agency;
(5) the notification and evaluation of the alternative means of compliance proposed by organisations involved in the design or production of ATM/ANS equipment and the assessment of these alternative means of compliance;
(6) safety information, ATM/ANS equipment directives, and follow-up measures;
(7) the use of flexibility provisions pursuant to Article 76(4) of Regulation (EU) 2018/1139.
(b) The Agency shall maintain a list of all the certificates it has issued and of any declarations it has registered.
(c) All the records referred to in points (a) and (b) shall be stored in a manner that ensures protection against damage, alteration and theft and kept for a minimum period of five years after the approvals and certificates cease to be valid or the declarations are withdrawn, subject to the applicable data protection law.

SUBPART C   CERTIFICATION, OVERSIGHT, AND ENFORCEMENT (DPO.AR.C)

DPO.AR.C.001

Issue of approvals to organisations involved in the design or production of ATM/ANS equipment

(a) Upon receiving an application for the issue of an approval to an organisation involved in the design or production of ATM/ANS equipment, the Agency shall verify the organisation’s compliance with the requirements laid down in Annexes II and III of Delegated Regulation (EU) 2023/1768 and in Annex II to this Regulation.
(b) The Agency may request any audits, inspections or assessments it finds necessary before issuing the approval with all the relevant information set out in Appendix 1 to this Annex.
(c) The approval shall be issued for an unlimited duration. The privileges as regards the activities the organisation is approved to conduct shall be specified in the conditions attached to the approval.
(1) With regard to an organisation involved in the design of ATM/ANS equipment, the conditions shall specify the type of design work and the categories of ATM/ANS equipment for which the organisation holds an approval, and the privileges the organisation is approved to exercise.
(2) With regard to an organisation involved in the production of ATM/ANS equipment, the conditions shall specify the scope of work and the ATM/ANS equipment or the equipment categories, or both, for which the approval holder is entitled to exercise the privileges.
(d) The approval shall not be issued where a level 1 finding referred to in DPO.AR.C.015 remains open. In exceptional circumstances, finding(s) other than level 1 shall be assessed and mitigated as necessary by the organisation and a corrective action plan for closing the finding(s) shall be approved by the Agency prior to the issue of the approval.
(e) Each change to the approval and to its conditions shall be approved by the Agency.

DPO.AR.C.005

Oversight programme

(a) The Agency shall establish and update annually an oversight programme taking into account the specific nature of the organisations it oversees, the complexity of their activities, and the results of past certification or oversight activities, and shall base it on the assessment of the associated risks. The oversight programme shall include audits, which shall:
(1) cover all the areas of potential concern, with a focus on those areas where problems have been identified in the past;
(2) cover all the organisations, certificates and declarations under the Agency’s oversight;
(3) cover the means implemented by the organisations to ensure the competence of their personnel;
(4) ensure that audits are conducted in a manner commensurate with the level of the risk posed by the organisation’s activities;
(5) ensure that for organisations under its supervision, an oversight planning cycle not exceeding 24 months is applied.
The oversight planning cycle may be reduced if there is evidence that the safety performance of the organisation has decreased.
The oversight planning cycle may be extended to a maximum of 36 months if the Agency has established that during the previous 24 months:
(i) the organisation has continuously demonstrated compliance with the change management requirements under point DPO.OR.B.005;
(ii) no level 1 findings referred to in DPO.AR.C.015 have been issued;
(iii) all corrective actions referred to in DPO.AR.C.015 have been implemented within the time period accepted or extended by the Agency as defined in point DPO.AR.C.015.
If, in addition to points (i), (ii) and (iii), the organisation has established an effective continuous reporting system to the Agency as regards its regulatory compliance, which has been approved, the oversight planning cycle may be extended to a maximum of 48 months;
(6) ensure the follow-up of the implementation of corrective actions referred to in DPO.AR.C.015;
(7) be subject to consultation with the organisations concerned and thereafter its notification;
(8) indicate the planned intervals of the inspections of the different sites, if necessary.
(b) The Agency may decide to modify the objectives and the scope of the preplanned audits, including documentary reviews and additional audits, wherever that need arises.
(c) The Agency shall decide which arrangements, elements, physical locations, and activities are to be audited within a specified time frame.
(d) Audit observations and findings issued in accordance with point DPO.AR.C.015 shall be documented.
(e) The findings shall be supported by evidence and identified in terms of applicable requirements and their implementation arrangements against which the audit has been conducted.
(f) An audit report, including the details of findings and observations, shall be prepared and communicated to the organisation concerned.

DPO.AR.C.010

Changes to the information security management system

(a) For changes managed and notified to the Agency in accordance with the procedure set out in point IS.I.OR.255(a) of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203, the Agency shall include the review of such changes in its continuing oversight programme in accordance with the principles laid down in point DPO.AR.C.005 of this Annex. If any non-compliance is found, the Agency shall notify the organisation thereof, request further changes and act in accordance with point DPO.AR.C.015 of this Annex.
(b) With regard to other changes requiring an application for approval in accordance with point IS.I.OR.255(b) of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203:
(1) upon receiving the application for the change, the Agency shall check the organisation’s compliance with the applicable requirements before issuing the approval;
(2) the Agency shall establish the conditions under which the organisation may operate during the implementation of the change;
(3) if it is satisfied that the organisation complies with the applicable requirements, the Agency shall approve the change.

DPO.AR.C.015

Findings, corrective actions, and enforcement measures

(a) When the Agency, during investigation, oversight or by any other means, identifies any non-compliance with the applicable requirements of this Regulation, of a procedure or manual required by this Regulation, or of a certificate or declaration issued in accordance with this Regulation, it shall, without prejudice to any additional action required by Regulation (EU) 2018/1139, raise a finding.
(b) The Agency shall have a system in place to:
(1) analyse findings for their safety and interoperability significance;
(2) identify appropriate enforcement measures, including the suspension or revocation of approvals and certificates;
(3) issue directives on the basis of the risk posed by the organisation’s non-compliance.
(c) A level 1 finding shall be raised by the Agency when it identifies any significant non-compliance with the ATM/ANS certification basis as per point ATM/ANS.EQMT.AR.B.001 of Annex I to Delegated Regulation (EU) 2023/1768 that may lead to uncontrolled non-compliance and to a potential unwanted condition.
Level 1 findings shall include but are not limited to:
(1) the promulgation of operational procedures which introduce a significant risk to the organisation’s activities;
(2) the obtainment or maintenance of the validity of the organisation’s approval through the submission of falsified documentary evidence;
(3) evidence of malpractice or fraudulent use of the organisation’s approval;
(4) the lack of an accountable manager.
(d) A level 2 finding shall be raised by the Agency where non-compliance with any of the following is identified:
(i) with the applicable requirements of Regulation (EU) 2018/1139;
(ii) with the delegated and implementing acts adopted on the basis of Regulation (EU) 2018/1139;
(iii) with the procedures and manuals required by Regulation (EU) 2018/1139; or
(iv) with the approval issued in accordance with Regulation (EU) 2018/1139,
which is not classified as a level 1 finding.
(e) Where a finding is raised, the Agency shall, without prejudice to any additional action required by Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on its basis, communicate the finding in writing to the organisation concerned and require it to take corrective action to address the non-compliance(s) identified.
(1) In the case of level 1 findings, the Agency shall immediately take appropriate enforcement measures and may, if appropriate, limit, suspend or revoke in whole or in part the approval until successful corrective action has been taken by the organisation.
(2) In the case of level 2 findings, the Agency shall:
(i) grant the organisation a corrective action implementation period, as part of an action plan, appropriate to the nature of the finding;
(ii) assess the corrective action and implementation plan proposed by the organisation, and, if the assessment concludes that they are sufficient to address the non-compliance(s), accept them.
(3) In the case of level 2 findings, where the organisation fails to submit a corrective action plan that is acceptable to the Agency in the light of the finding, or where the organisation fails to perform the corrective action within the period of time accepted or extended by the Agency, the finding may be raised to a level 1 finding and action shall be taken in accordance with point (e)(1).
(f) For those cases where level 1 and level 2 findings are not required, the Agency may issue observations.
(g) The Agency shall:
(1) suspend a certificate if it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to the safety, security, performance or interoperability of ATM/ANS equipment;
(2) issue an ATM/ANS equipment directive under the conditions of point ATM/ANS.EQMT.AR.A.030 of Annex I to Delegated Regulation (EU) 2023/1768;
(3) suspend, revoke or limit a certificate if such action is required in accordance with point (c);
(4) take immediate and appropriate action that is necessary to limit or prohibit the activities of an organisation or a natural or legal person if it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to ATM/ANS equipment;
(5) register a declaration of design compliance only after all the findings from the initial oversight investigation have been resolved;
(6) temporarily or permanently deregister a declaration of design compliance if it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to the safety, security, performance or interoperability of ATM/ANS equipment;
(7) take any further enforcement measures which are necessary to ensure that any non-compliance with the essential requirements of Annex VIII and, if applicable, Annex VII to Regulation (EU) 2018/1139 and with this Annex, is rectified and, where necessary, mitigate its consequences.
(h) Upon taking enforcement measures in accordance with point (g), the Agency shall notify them to the addressee, state the reasons for them, and inform the addressee of its right to appeal.
(1)  Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007 (OJ L 122, 24.4.2014, p. 18).
(2)  Commission Implementing Regulation (EU) 2017/373 of 1 March 2017 laying down common requirements for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight, repealing Regulation (EC) No 482/2008, Implementing Regulations (EU) No 1034/2011, (EU) No 1035/2011 and (EU) 2016/1377 and amending Regulation (EU) No 677/2011 (OJ L 62, 8.3.2017, p. 1).

Appendix 1

SPECIFICATIONS OF THE APPROVAL OF AN ORGANISATION INVOLVED IN THE DESIGN OR PRODUCTION OF ATM/ANS EQUIPMENT

The approval shall specify:
(a) the Agency as the competent authority that issues the approval;
(b) the applicant’s name and postal address;
(c) the applicant’s scope of work;
(d) the location where the activities are to be performed;
(e) the associated privileges for which the applicant has been approved;
(f) a statement of the applicant’s conformity and compliance with the applicable requirements;
(g) the date of issue and the validity of the approval;
(h) the additional conditions or limitations attached to it.

ANNEX II

REQUIREMENTS FOR ORGANISATIONS INVOLVED IN THE DESIGN OR PRODUCTION OF ATM/ANS EQUIPMENT

(Part-DPO.OR)

SUBPART A   GENERAL REQUIREMENTS (DPO.OR.A)

DPO.OR.A.001   Scope

This Annex establishes the common requirements as regards the rights and obligations of an applicant for, and a holder of, an organisation approval for the design or production of ATM/ANS equipment.

DPO.OR.A.005   Eligibility

Any natural or legal person who has demonstrated, or is set to demonstrate, their capability to design or produce ATM/ANS equipment in accordance with point DPO.OR.A.010, may apply for a design or production organisation approval under the conditions laid down in this Annex.

DPO.OR.A.010   Application for a design or production organisation approval and demonstration of capability

(a) An application for a design or production organisation approval shall be made in a form and manner established by the Agency.
(b) In order to obtain an approval, an organisation involved in the design or production of ATM/ANS equipment shall comply with the requirements set out in this Regulation where those requirements are applicable to the design or production of ATM/ANS systems and ATM/ANS constituents that the organisation performs or intends to perform.

DPO.OR.A.015   Organisation exposition

(a) An organisation involved in the design or production of ATM/ANS equipment shall establish and maintain an organisation exposition, which provides the following information:
(1) a statement signed by the accountable manager confirming that the organisation exposition and any associated manuals, which define the organisation’s compliance with the requirements will be complied with at all times;
(2) the title(s) and name(s) of the key manager(s) as referred to in point DPO.OR.B.020;
(3) the duties and responsibilities of the manager(s), including matters for which they may deal directly with the Agency on behalf of the organisation;
(4) an organisational chart showing lines of responsibility and accountability of the managers throughout the organisation, including a direct accountability of the accountable manager;
(5) a general description of the organisation’s manpower resources;
(6) a general description of the facilities located at each location specified in the organisation’s approval;
(7) a general description of the organisation’s scope of work relevant to the terms of approval;
(8) the procedure(s) for the verification and demonstration that the design of ATM/ANS equipment, or changes to it, complies with the applicable detailed specifications and requirements as established by Delegated Regulation (EU) 2023/1768 and has no unsafe or insecure features, as applicable;
(9) the procedure for the preparation and maintenance of the technical data and records, for each model of each piece of ATM/ANS equipment for which a certificate or declaration of design compliance has been issued in accordance with Delegated Regulation (EU) 2023/1768, as applicable;
(10) the procedure(s) for the notification of organisational changes to the Agency;
(11) the amendment procedure for the organisation’s exposition;
(12) a description, direct or by cross reference, of the organisation’s management system and procedure(s);
(13) a description, direct or by cross reference, of the contractors’ management and procedure(s) of supervision referred to in point DPO.OR.B.015 of this Annex.
(b) The organisation exposition shall be amended as necessary to remain an up-to-date description of the organisation, and a copy of it, including its amendments, shall be supplied to the Agency.
(c) An application for a change approval referred to in point DPO.OR.B.005 of this Annex shall be based on the submission of the proposed changes to the organisation exposition.

DPO.OR.A.025   Duration, continued validity and privileges of an organisation approval

(a) An organisation’s approval shall remain valid for an unlimited period of time provided that:
(1) the organisation remains compliant with Regulation (EU) 2018/1139 and the delegated and implementing acts adopted on its basis;
(2) the approval has not been surrendered by the organisation or suspended or revoked by the Agency.
(b) Upon revocation or surrender of the approval, if issued in a paper format, it shall be returned to the Agency without delay.
(c) The holder of an organisation approval shall be entitled, within the scope of its terms of approval and under the relevant procedures of the design management system:
(1) to classify changes to an ATM/ANS equipment as ‘major’ or ‘minor’;
(2) to approve minor changes to an ATM/ANS equipment certificate(s) and/or declaration(s) issued under Delegated Regulation (EU) 2023/1768;
(3) to approve certain major changes to an ATM/ANS equipment certificate issued under Delegated Regulation (EU) 2023/1768;
(4) to issue declarations of design compliance of ATM/ANS equipment pursuant to Article 5 of Delegated Regulation (EU) 2023/1768; and
(5) to issue statements of compliance of ATM/ANS equipment pursuant to Article 6 of Delegated Regulation (EU) 2023/1768.

DPO.OR.A.030   Facilitation and cooperation

(a) An organisation involved in the design or production of ATM/ANS equipment shall facilitate the inspections and audits performed by the Agency or by a qualified entity that acts on its behalf, and it shall cooperate as necessary for the efficient and effective exercise of the powers of the Agency.
(b) An organisation involved in the design or production of ATM/ANS equipment shall cooperate with and support the ATM/ANS providers using its ATM/ANS equipment in their compliance demonstration process to the competent authorities concerned.

DPO.OR.A.035   Findings and corrective actions

Following the receipt of the notification of findings from the Agency, the organisation involved in the design or production of ATM/ANS equipment shall:
(a) identify the root cause of the non-compliance;
(b) define a corrective action plan;
(c) demonstrate the implementation of the corrective action to the satisfaction of the Agency within the time period proposed and approved by the Agency, as defined in point (e)(2) of point DPO.AR.C.015.

DPO.OR.A.040   Immediate reaction to a safety, security and interoperability problem

An organisation involved in the design or production of ATM/ANS equipment shall implement any safety and security measures, including ATM/ANS equipment directives, taken by the Agency in accordance with points DPO.AR.A.010 and DPO.AR.A.015.

DPO.OR.A.045   Failures, malfunctions, and defects

(a) The holder of an approval issued in accordance with this Regulation shall:
(1) establish and maintain a system for collecting, investigating and analysing reports of and information on failures, malfunctions, defects or other occurrences which have caused or might cause adverse effects on the continuing compliance of the ATM/ANS equipment with the applicable requirements;
(2) inform all known users of the ATM/ANS equipment concerned and, on request, any person mandated under other associated regulations, about the system established in accordance with point (1) and about how to provide such reports of and information on failures, malfunctions, defects or other occurrences.
(b) For organisations that have their principal place of business in a Member State, the system established in accordance with point (a)(1) shall include provisions for occurrence reporting and follow-up that meet the requirements of Regulations (EU) No 376/2014 and (EU) No 2018/1139 and the delegated and implementing acts adopted on their basis.
(c) The approval holder shall report to the Agency any failure, malfunction, defect or other occurrence of which it is aware, and which has resulted or may result in an unsafe, insecure, or under-performing condition.
(d) For approval holders that do not have their principal place of business in a Member State, reports shall be made in a form and manner established by the Agency, as soon as practicable and in any case submitted not later than 72 hours after the person or organisation has become aware of the particular occurrence, unless exceptional circumstances prevent this.
(e) The approval holder shall investigate an occurrence that has been reported under point (c), including the deficiencies that have led to that occurrence, and report to the Agency the results of its investigation and any action it intends to take or proposes to take to correct these deficiencies.

DPO.OR.A.050   Approval transferability

An organisation approval is not transferable, except as a result of a change in the ownership of the organisation.

SUBPART B   MANAGEMENT (DPO.OR.B)

DPO.OR.B.001   Management system

(a) An organisation involved in the design or production of ATM/ANS equipment shall implement and maintain a management system that includes the following:
(1) clearly defined lines of responsibility and accountability throughout its organisation, including direct accountability of the accountable manager;
(2) a description of the overall philosophy and principles of the organisation, collectively constituting a policy, signed by the accountable manager;
(3) the means to verify the performance of the organisation in the light of the performance indicators and performance targets of the management system;
(4) a process to identify changes within the organisation and the context in which it operates, which may affect established processes, procedures and products and, where necessary, change the management system to accommodate those changes;
(5) a process to identify the scope of changes to the ATM/ANS equipment and the associated risk;
(6) a process to review the management system, identify the causes of substandard performance of the management system, determine the implications of such substandard performance, and eliminate or mitigate such causes;
(7) a process to ensure that the personnel of the organisation are trained and competent to perform their duties in a safe, efficient, continuous and sustainable manner; in this context, the organisation shall establish policies for the recruitment and training of its personnel;
(8) a formal means for communication which ensures that all personnel of the organisation are fully aware of the management system that allows critical information to be communicated and that makes it possible to explain why particular actions are taken and why procedures are introduced or changed;
(9) as regards design activities, procedures for:
(i) the design of ATM/ANS equipment, and for changes to its design;
(ii) the assurance that the design of ATM/ANS equipment, or the changes to its design, comply with the applicable specifications, including independent checking function of the demonstration of compliance on the basis of which the organisation submits compliance statements and associated documentation to the Agency;
(iii) the verification of the acceptability of the elements of the ATM/ANS equipment designed, or the tasks performed, by the contracted organisations referred to in point DPO.OR.B.015;
(iv) the assurance that staff involved in the design of ATM/ANS equipment are of sufficient numbers and are trained and competent, and have been authorised to discharge their allocated responsibilities;
(v) close and efficient coordination between departments and within departments;
(10) as regards production activities, procedures for:
(i) the issue and approval of documents, or changes to them;
(ii) assessment audits and the control of contracted organisations referred to in point DPO.OR.B.015;
(iii) verifying that incoming materials and equipment, including the supply of new items or items used by ATM/ANS equipment buyers, are as specified in the applicable design data;
(iv) verifying that ATM/ANS equipment conforms to the applicable design data;
(v) identification and traceability;
(vi) organisation processes;
(vii) inspection and testing;
(viii) calibration of tools and test equipment;
(ix) the control of non-conforming items;
(x) the coordination with the applicant for, or holder of, the design approval;
(xi) the completion and retention of records of work carried out;
(xii) the issue of release documents;
(xiii) the handling, storage and packing of ATM/ANS equipment.
(b) An organisation involved in the design or production of ATM/ANS equipment shall document all key management system processes, including a process for making personnel aware of their responsibilities, and the procedure for amending those processes.
(c) An organisation involved in the design or production of ATM/ANS equipment shall establish a function within its management system to monitor its compliance with the applicable requirements and the adequacy of the established procedures. Compliance monitoring shall include a feedback system of findings to the accountable manager to ensure the effective implementation of corrective actions, as necessary.
(d) The management system shall be proportionate to the size of the organisation involved in the design or production of ATM/ANS equipment and the complexity of its activities, taking into account the hazards and associated risks inherent in those activities.
(e) In addition to the management system referred to in point (a), the organisation involved in the design or production of ATM/ANS equipment shall establish, implement and maintain an information security management system in accordance with Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.

DPO.OR.B.005   Change management

(a) Following the issue of an organisation’s approval, any change to the management system that is significant shall be approved by the Agency before being implemented unless such a change is notified and managed in accordance with a procedure approved by the Agency. The organisation shall submit to the Agency an application for approval demonstrating continuous compliance with the applicable requirements.
(b) Each change to ATM/ANS equipment shall be notified to and approved by the Agency before being implemented unless such a change is managed in accordance with a change management procedure approved by the Agency. This change management procedure shall define the classification of the changes to the ATM/ANS equipment and describe how such changes will be notified and managed.

DPO.OR.B.010   Facility requirements

An organisation involved in the design or production of ATM/ANS equipment shall ensure that its facilities and equipment, including testing facilities and equipment, are adequate and suitable to perform and manage all its tasks and activities in accordance with the applicable requirements.

DPO.OR.B.015   Contracted activities

(a) Contracted activities include all those activities that are within the scope of the organisation’s activities, in accordance with the terms of the certificate, which are performed by other organisations either themselves certified to carry out such activities or, if not certified, working under such an organisation’s supervision. An organisation involved in the design or production of ATM/ANS equipment shall ensure that when it contracts any part of its activities to, or when it purchases any part of its activities from, external organisations, the contracted or purchased activity, as applicable, conforms with the applicable requirements.
(b) When an organisation involved in the design or production of ATM/ANS equipment contracts any part of its activities to an organisation that is not itself certified in accordance with this Regulation to carry out such activities, it shall ensure that the contracted organisation works under its supervision. An organisation involved in the design or production of ATM/ANS equipment shall ensure that the Agency is given access to the contracted organisation to determine its continued compliance with the applicable requirements of this Regulation.

DPO.OR.B.020   Personnel requirements

(a) An organisation involved in the design or production of ATM/ANS equipment shall appoint an accountable manager who has the authority to ensure that all activities may be financed and carried out in accordance with the applicable requirements of this Regulation. The accountable manager shall be responsible for establishing and maintaining an effective management system.
(b) The authority, duties, and responsibilities of the nominated post-holders, in particular management personnel in charge of safety, quality, security, finance and human-resources, shall also be defined.

DPO.OR.B.025   Record-keeping

(a) An organisation involved in the design or production of ATM/ANS equipment shall establish a record-keeping system that allows for the adequate storage of records and the reliable traceability of all its activities, covering in particular all the elements indicated in point DPO.OR.B.001.
(b) The format and the retention period of the records referred to in point (a) shall be specified in the organisation’s management system procedures.
(c) Records shall be stored in a manner that ensures their protection against damage, alteration, and theft.
(d) An organisation involved in the design or production of ATM/ANS equipment shall maintain a register of the ATM/ANS equipment deployed.

SUBPART C   TECHNICAL REQUIREMENTS (DPO.OR.C)

DPO.OR.C.001   Organisations involved in the design or production of ATM/ANS equipment

(a) An applicant for, and a holder of, a design or production organisation approval for ATM/ANS equipment shall be entitled, as applicable, to any of the following:
(1) hold or apply to be issued a certificate for the design of ATM/ANS equipment;
(2) issue a declaration of design compliance for ATM/ANS equipment;
(3) issue a statement of compliance for ATM/ANS equipment, upon request of an ATM/ANS provider.
(b) As regards design activities, an organisation involved in the design or production of ATM/ANS equipment shall:
(1) issue a declaration of design compliance for the ATM/ANS equipment, as applicable;
(2) issue data and information, including instructions, under its responsibility within the scope of its terms of approval as established by the Agency;
(3) prepare and maintain, for each model of each piece for which an ATM/ANS equipment declaration has been issued, an up-to-date file of complete technical data and records.
(c) As regards production activities, an organisation involved in the design or production of ATM/ANS equipment shall:
(1) manufacture each article ensuring that the completed ATM/ANS equipment conforms to its design data and is safe for installation;
(2) prepare and maintain, for each model of each piece for which an ATM/ANS equipment declaration has been issued, an up-to-date file of complete technical data and records;
(3) prepare, maintain and update the master copies of all manuals required by the applicable declaration specifications for the particular equipment;
(4) make available to the users of the ATM/ANS equipment, and to the Agency on request, those instructions for continued suitability necessary for the use and maintenance of the ATM/ANS equipment, and changes to those instructions;
(5) mark each article;
(6) continue to comply with the applicable requirements laid down in this Regulation.
(d) In addition to point (c), an organisation involved in the production of ATM/ANS equipment shall be entitled, within the scope of its terms of approval, to determine that each completed ATM/ANS equipment conforms with the applicable design data and is in a condition for safe operation before issuing an EASA release form stating that the ATM/ANS equipment has been produced in accordance with the applicable requirements of this Regulation and with the applicable design data.
(e) The EASA release form referred to in point (d) for each ATM/ANS equipment manufactured shall contain at least the following information:
(1) a description of the ATM/ANS equipment;
(2) the part number of the ATM/ANS equipment;
(3) the serial number of the ATM/ANS equipment;
(4) a statement that the ATM/ANS equipment has been manufactured in conformity with the applicable design data and is in a condition for safe operation;
(5) a reference to the certificate or declaration of design compliance.

DPO.OR.C.005   Coordination

An organisation involved in the design or production of ATM/ANS equipment shall ensure:
(a) the satisfactory coordination, with the appropriate arrangements, between design and production activities, as appropriate;
(b) the satisfactory coordination with and proper support to the relevant ATM/ANS providers and aviation undertaking(s) as regards the continued suitability of the ATM/ANS equipment, as applicable.

DPO.OR.C.010   ATM/ANS equipment directives

When the Agency issues an ATM/ANS equipment directive, pursuant to point ATM/ANS.EQMT.CERT.065 of Annex II to Delegated Regulation (EU) 2023/1768, the organisation involved in the design or production of ATM/ANS equipment shall:
(a) propose an appropriate corrective action and submit it together with details to the Agency for approval;
(b) following the approval by the Agency of the proposal referred to in point (a), make available to all known users or owners of ATM/ANS equipment appropriate descriptive data and accomplishment instructions and, on request, to any person required to comply with the ATM/ANS equipment directive.