2024/1109
23.5.2024
COMMISSION IMPLEMENTING REGULATION (EU) 2024/1109
of 10 April 2024
laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council as regards competent authority requirements and administrative procedures for the certification, oversight and enforcement of the continuing airworthiness of certified unmanned aircraft systems, and amending Implementing Regulation (EU) 2023/203
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (1), and in particular Article 62(14) and (15), points (a), (b) and (c) and Article 72(5) thereof,
Whereas:
(1) Pursuant to Article 58(1) of Regulation (EU) 2018/1139 detailed continuing airworthiness requirements for certified unmanned aircraft systems (UAS) operated in the ‘specific’ category and for which an airworthiness certificate has to be obtained, and their components, and for organisations and personnel involved in those activities are laid down in Commission Delegated Regulation (EU) 2024/1107 (2).
(2) To ensure the uniform application of those detailed continuing airworthiness requirements, rules and procedures for the assessment of compliance with those requirements to be applied by the competent authorities should be laid down. Those rules and procedures should reflect the requirements for the competent authorities responsible for the continuing airworthiness of manned aircraft laid down in Commission Regulation (EU) No 1321/2014 (3), but at the same time adapted to the specific UAS framework.
(3) Furthermore, in order to manage safety risks deriving from information security threats it is necessary that the competent authorities responsible for the continuing airworthiness of certified unmanned aircraft and their components apply the requirements for the management of information security risks with a potential impact on aviation safety laid down in Commission Implementing Regulation (EU) 2023/203 (4). Therefore, Implementing Regulation (EU) 2023/203 should be amended to include in its scope also those competent authorities.
(4) It is necessary to provide sufficient time for the competent authorities to ensure compliance with the new rules and procedures for the assessment of compliance of certified UAS with detailed continuing airworthiness requirements, therefore this Regulation should apply from 1 May 2025. However, the requirements for the management of information security risks with a potential impact on aviation safety should be deferred until Implementing Regulation (EU) 2023/203 becomes applicable.
(5) The European Union Aviation Safety Agency assisted the Commission in accordance with Article 75(2), points (b) and (c) and Article 76(1) of Regulation (EU) 2018/1139 and submitted to the Commission the related Opinion No 03/2023 (5) on 31 August 2023.
(6) The measures provided for in this Regulation are in accordance with the opinion of the Committee for the application of common safety rules in the field of civil aviation established by Article 127(1) of Regulation (EU) 2018/1139,
HAS ADOPTED THIS REGULATION:
Article 1
Subject matter and scope
This Regulation establishes the rules and procedures to be applied by the competent authorities for the assessment of compliance with the detailed continuing airworthiness requirements laid down in Delegated Regulation (EU) 2024/1107.
Article 2
Definitions
For the purposes of this Regulation, the following definitions shall apply:
(a) ‘unmanned aircraft system (UAS)’ means an unmanned aircraft, as defined in Article 3(30) of Regulation (EU) 2018/1139, and its control and monitoring unit;
(b) ‘control and monitoring unit (CMU)’ means the equipment to control unmanned aircraft remotely, as defined in Article 3(32) of Regulation (EU) 2018/1139;
(c) ‘component’ means any engine, propeller or part of the unmanned aircraft (UA), or any element of the control and monitoring unit;
(d) ‘continuing airworthiness’ means all of the processes ensuring that, at any time in its operating life, the unmanned aircraft system complies with the applicable airworthiness requirements and is in a condition for safe operation;
(e) ‘maintenance’ means any one or a combination of the following activities: overhaul, repair, inspection, replacement, modification or defect rectification of an unmanned aircraft system or component, with the exception of pre-flight inspection;
(f) ‘organisation’ means a natural person, a legal person or part of a legal person, which may be established at more than one location whether or not within the territory of the Member States;
(g) ‘pre-flight inspection’ means the inspection carried out before flight to ensure that the unmanned aircraft is fit for the intended flight;
(h) ‘principal place of business’ means the head office or the registered office of the undertaking from which the principal financial functions and the operational control of the activities referred to in this Regulation are exercised.
Article 3
Competent authorities
1. A Member State shall designate one or more entities as the competent authority with the necessary powers and allocated responsibilities for the performance of certification, oversight and enforcement tasks in accordance with this Regulation and with Delegated Regulation (EU) 2024/1107.
2. The administration and management systems of the competent authority of a Member State referred to in paragraph 1 and of the Agency shall comply with the requirements set out in the Annex.
3. When a Member State designates more than one entity as competent authority the following requirements shall be complied with:
(a) the areas of competence of each entity shall be clearly defined, in particular in terms of responsibilities and geographic limitations;
(b) coordination shall be established between those entities in order to ensure the effective performance of certification, oversight and enforcement tasks within their respective areas of competence.
4. When it is necessary to perform certification, oversight or enforcement tasks, the competent authority shall be empowered to:
(a) examine the records, data, procedures, and any other material relevant to the performance of certification, oversight or enforcement tasks;
(b) make copies or extracts from such records, data, procedures and other material;
(c) request an oral explanation on-site from any of the personnel of those organisations;
(d) access relevant premises, operating sites or means of transport;
(e) perform audits, investigations, assessments, inspections, including unannounced inspections, in respect of those organisations;
(f) take or initiate enforcement measures as appropriate.
5. The powers referred to in paragraph 4 shall be exercised in compliance with the applicable legal provisions of the relevant Member State.
Article 4
Amendments to Implementing Regulation (EU) 2023/203
Implementing Regulation (EU) 2023/203 is amended as follows:
(1) in Article 2, the following paragraph 3a is inserted:
‘3a. This Regulation also applies to the competent authority designated in accordance with Annex I (Part-AR.UAS) to Commission Implementing Regulation (EU) 2024/1109
(
*1
)
.
(
*1
)
Commission Implementing Regulation (EU) 2024/1109 of 10 April 2024 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council as regards competent authority requirements and administrative procedures for the certification, oversight and enforcement of the continuing airworthiness of certified unmanned aircraft systems, and amending Implementing Regulation (EU) 2023/203 (
OJ L, 2024/1109, 17.5.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/1109/oj
.’;"
(2) in Article 4, paragraph 2 is amended as follows:
‘2. The competent authorities referred to in Article 2(2), (3) and (3a) shall comply with the requirements of Annex I (Part-IS.AR) to this Regulation.’
.
Article 5
Entry into force and applicability
This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
It shall apply from 1 May 2025.
However, points AR.UAS.GEN.125(c), AR.UAS.GEN.135A, AR.UAS.GEN.200(e) and AR.UAS.GEN.205(c) of the Annex shall apply from 22 February 2026.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 10 April 2024.
For the Commission
The President
Ursula VON DER LEYEN
(1)
OJ L 212, 22.8.2018, p. 1
, ELI:
http://data.europa.eu/eli/reg/2018/1139/oj
.
(2) Commission Delegated Regulation (EU) 2024/1107 of 13 March 2024 supplementing Regulation (EU) 2018/1139 of the European Parliament and of the Council by laying down detailed rules for the continuing airworthiness of certified unmanned aircraft systems and their components, and on the approval of organisations and personnel involved in these tasks (
OJ L, 2024/1107, 17.5.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1107/oj
).
(3) Commission Regulation (EU) No 1321/2014 of 26 November 2014 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances, and on the approval of organisations and personnel involved in these tasks (
OJ L 362, 17.12.2014, p. 1
, ELI:
http://data.europa.eu/eli/reg/2014/1321/oj
).
(4) Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 (
OJ L 31, 2.2.2023, p. 1
, ELI:
http://data.europa.eu/eli/reg_impl/2023/203/oj
).
(5)
https://www.easa.europa.eu/en/document-library/opinions
ANNEX
UAS CONTINUING AIRWORTHINESS – AUTHORITY REQUIREMENTS
(PART-AR.UAS)
CONTENTS
SUBPART GEN –
GENERAL REQUIREMENTS
AR.UAS.GEN.005
Scope
AR.UAS.GEN.010
Competent authority
AR.UAS.GEN.115
Oversight documentation
AR.UAS.GEN.120
Means of compliance
AR.UAS.GEN.125
Information to the Agency
AR.UAS.GEN.135
Immediate reaction to a safety problem
AR.UAS.GEN.135A
Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
AR.UAS.GEN.200
Management system
AR.UAS.GEN.205
Allocation of tasks
AR.UAS.GEN.210
Changes in the management system
AR.UAS.GEN.220
Record-keeping
AR.UAS.GEN.300
Oversight principles
AR.UAS.GEN.305
Oversight programme – organisations
AR.UAS.GEN.310
Initial certification procedure – organisations
AR.UAS.GEN.330
Changes – organisations
AR.UAS.GEN.350
Findings, corrective actions and observations – organisations
AR.UAS.GEN.351
Findings and corrective actions – UAS
AR.UAS.GEN.355
Suspension, limitation and revocation of a certificate
SUBPART CAW –
AIRWORTHINESS OF UAS
AR.UAS.CAW.005
Scope
AR.UAS.CAW.303
UAS continuing airworthiness monitoring
AR.UAS.CAW.902
Airworthiness review conducted by the competent authority
Appendix –
Part-CAO.UAS certificate – EASA Form 3-CAO.UAS
SUBPART GEN
GENERAL REQUIREMENTS
AR.UAS.GEN.005
Scope
This Annex establishes the conditions for the performance of certification, oversight and enforcement tasks, as well as the administrative and management system requirements to be fulfilled by the competent authority that is responsible for the implementation and enforcement of Delegated Regulation (EU) 2024/1107.
AR.UAS.GEN.010
Competent authority
For the purposes of this Annex, the competent authority shall be:
(a) for the oversight of the continuing airworthiness of individual UA and the issue of airworthiness review certificates (ARCs), the authority designated by the Member State of registry of the UA. That authority shall also be responsible for the oversight of the continuing airworthiness of the CMU to the extent that it applies to the UA registered in that Member State;
(b) for the oversight of an organisation as specified in Delegated Regulation (EU) 2024/1107:
(i) the authority designated by the Member State where that organisation’s principal place of business is located, or by another Member State if the responsibility has been reallocated to that Member State in accordance with Article 64 of Regulation (EU) 2018/1139;
(ii) the Agency if the responsibility of the Member State where that organisation’s principal place of business is located has been reallocated in accordance with Article 64 or Article 65 of Regulation (EU) 2018/1139.
AR.UAS.GEN.115
Oversight documentation
The competent authority shall provide all the legislative acts, standards, rules, technical publications, and related documents to the relevant personnel in order to allow them to perform their tasks and to discharge their responsibilities.
AR.UAS.GEN.120
Means of compliance
(a) The Agency shall develop acceptable means of compliance (AMC) that may be used to establish compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts.
(b) Alternative means of compliance may also be used to establish compliance with this Regulation.
(c) Competent authorities shall inform the Agency of any alternative means of compliance used by organisations under their oversight or by themselves for establishing compliance with this Regulation.
AR.UAS.GEN.125
Information to the Agency
(a) The competent authority of a Member State shall notify the Agency in case of any significant problems with the implementation of Regulation (EU) 2018/1139 and its delegated and implementing acts within 30 days from the time the authority became aware of the problems.
(b) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council (1) and its delegated and implementing acts, the competent authority shall provide the Agency as soon as possible with any safety-significant information stemming from the occurrence reports stored in the national database pursuant to Article 6(6) of Regulation (EU) No 376/2014.
(c) The competent authority of a Member State shall provide the Agency as soon as possible with safety-significant information stemming from information security reports it has received pursuant to point CAO.UAS.102(b) of Annex II (Part-CAO.UAS) to Delegated Regulation (EU) 2024/1107.
AR.UAS.GEN.135
Immediate reaction to a safety problem
(a) Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, the competent authority shall implement a system to appropriately collect, analyse and disseminate safety information.
(b) The Agency shall implement a system to appropriately analyse any relevant safety information received and, without undue delay, provide the relevant authority of the Member States and the Commission with any information, including recommendations or corrective actions to be taken, that is necessary for them to react in a timely manner to a safety problem involving UAS, UAS components, persons or organisations that are subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.
(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the safety problem.
(d) The competent authority shall immediately notify the measures taken under point (c) to all persons or organisations which need to comply with them in accordance with Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority shall also notify those measures to the Agency and, when combined action is required, to the other Member States concerned.
AR.UAS.GEN.135A
Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
(a) Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, the competent authority shall implement a system to appropriately collect, analyse and disseminate information related to information security incidents and vulnerabilities with a potential impact on aviation safety reported by organisations. This shall be done in coordination with any other relevant authorities responsible for information security or cybersecurity within a Member State to increase the coordination and compatibility of reporting schemes.
(b) The Agency shall implement a system to appropriately analyse any relevant safety-significant information received in accordance with point AR.UAS.GEN.125(c), and without undue delay provide the Member States and the Commission with any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to an information security incident or vulnerability with a potential impact on aviation safety, involving UAS, UAS components, persons or organisations subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.
(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the potential impact of the information security incident or vulnerability on aviation safety.
(d) The measures taken in accordance with point (c) shall be immediately notified to all persons or organisations that need to comply with them in accordance with Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority of a Member State shall also notify those measures to the Agency and, when combined action is required, to the competent authorities of the other Member States concerned.
AR.UAS.GEN.200
Management system
(a) The competent authority shall establish and maintain a management system, including as a minimum:
(1) documented policies and procedures to describe its organisation, the means and methods for establishing compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts. The procedures shall be kept up to date, and serve as the basic working documents within that competent authority for all its related tasks;
(2) a sufficient number of personnel to perform its tasks and discharge its responsibilities. A system shall be in place to plan the availability of personnel in order to ensure the proper completion of all tasks;
(3) personnel that are qualified to perform their allocated tasks and have the necessary knowledge and experience, and receive initial and recurrent training to ensure continuing competency;
(4) adequate facilities and office accommodation for personnel to perform their allocated tasks;
(5) a function to monitor the compliance of the management system with the relevant requirements, and the adequacy of the procedures, including the establishment of an internal audit process and a safety risk management process; compliance-monitoring shall include a feedback system of audit findings to the senior management of the competent authority to ensure the implementation of corrective actions, as necessary;
(6) a person or group of persons having a responsibility to the senior management of the competent authority for the compliance-monitoring function.
(b) The competent authority shall, for each field of its activity, including the management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).
(c) The competent authority shall establish procedures for the participation in a mutual exchange of all necessary information and assistance with any other competent authorities concerned, whether from the same Member State or from other Member States, including on the following:
(1) all findings raised and any follow-up actions taken as a result of the oversight of persons and organisations that perform activities in the territory of a Member State, but certified by the competent authority of another Member State or by the Agency;
(2) information stemming from mandatory and voluntary occurrence reporting as required by point CAO.UAS.120 of Annex II (Part-CAO.UAS) to Delegated Regulation (EU) 2024/1107.
(d) The procedures related to the management system and their amendments shall be made available to the Agency for the purpose of standardisation.
(e) In addition to the requirements of point (a), the management system established and maintained by the competent authority shall comply with Annex I (Part-IS.AR) to Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.
AR.UAS.GEN.205
Allocation of tasks
(a) The competent authority may allocate tasks related to the initial certification or the continuing oversight of organisations that are subject to Regulation (EU) 2018/1139 and its delegated and implementing acts to qualified entities. When allocating tasks, the competent authority shall ensure that it has:
(1) put a system in place to initially and continuously assess whether the qualified entity complies with Annex VI to Regulation (EU) 2018/1139; that system and the results of the assessments shall be documented;
(2) established a written agreement with the qualified entity, approved by both parties at the appropriate management level, which stipulates:
(i) the tasks to be performed;
(ii) the declarations, reports and records to be provided;
(iii) the technical conditions to be met when performing such tasks;
(iv) the related liability coverage;
(v) the protection of the information acquired when carrying out such tasks.
(b) The competent authority shall ensure that the internal audit process and the safety risk management process established according to point AR.UAS.GEN.200(a)(5) cover all the certification and continuing oversight tasks performed by the qualified entity on its behalf.
(c) For the certification and oversight of the organisation’s compliance with point CAO.UAS.102 of Annex II (Part-CAO.UAS) to Delegated Regulation (EU) 2024/1107, the competent authority may allocate tasks to qualified entities in accordance with point (a), or to any relevant authority responsible for information security or cybersecurity within the Member State; when allocating tasks, the competent authority shall ensure that:
(1) all aspects related to aviation safety are coordinated and taken into account by the qualified entity or the relevant authority;
(2) the results of the certification and oversight activities performed by the qualified entity or the relevant authority are integrated in the overall certification and oversight files of the organisation;
(3) its own information security management system established in accordance with point AR.UAS.GEN.200(e) covers all the certification and continuing oversight tasks performed on its behalf.
AR.UAS.GEN.210
Changes in the management system
(a) The competent authority shall have a system in place to identify the changes that affect its capability to perform its tasks and discharge its responsibilities as set out in Regulation (EU) 2018/1139 and its delegated and implementing acts. That system shall enable the competent authority to take any action that is necessary to ensure that its management system remains adequate and effective.
(b) The competent authority shall update in a timely manner its management system to reflect any changes to Regulation (EU) 2018/1139 and its delegated and implementing acts so as to ensure its effective implementation.
(c) The competent authority shall notify the Agency of any changes that affect its capability to perform its tasks and discharge its responsibilities as set out in Regulation (EU) 2018/1139 and its delegated and implementing acts.
AR.UAS.GEN.220
Record-keeping
(a) The competent authority shall establish a record-keeping system that allows the adequate storage, accessibility and reliable traceability of:
(1) the management system’s documented policies and procedures;
(2) the training, qualifications and authorisations of its personnel;
(3) the allocation of tasks, covering the elements required by point AR.UAS.GEN.205, as well as the details of tasks allocated;
(4) certification processes and continuing oversight of certified organisations, including:
(i) the application for an organisation certificate;
(ii) the competent authority’s continuing oversight programme, including all the assessments, audits and inspection records;
(iii) the organisation certificate, including any changes to it;
(iv) the oversight programme, listing the dates when audits are due and when audits were carried out;
(v) all formal correspondence;
(vi) recommendations for the issue or continuation of a certificate, details of findings raised and actions taken by the organisations to close those findings, including the date of closure, exemptions, enforcement actions and observations;
(vii) any assessment, audit and inspection report issued by another competent authority pursuant to point AR.UAS.GEN.300(d);
(viii)
all the organisation’s expositions or manuals, and any amendments to them;
(ix) any other documents approved by the competent authority;
(5) with respect to the UAS under the oversight of the competent authority, the UAS oversight process, including:
(i) the UA airworthiness certificate;
(ii) ARCs;
(iii) reports from airworthiness reviews performed by the competent authority itself;
(iv) all relevant correspondence relating to the UAS;
(v) details of any exemption and enforcement action(s);
(vi) any document approved by the competent authority in accordance with this Annex;
(6) documents that support the use of alternative means of compliance;
(7) safety information provided in accordance with point AR.UAS.GEN.125 and follow-up measures;
(8) the use of safeguard and flexibility provisions in accordance with Article 70, Articles 71(1) and 76(4) of Regulation (EU) 2018/1139.
(b) The competent authority shall maintain a list of all the organisation certificates it has issued.
(c) All the records referred to in points (a) and (b) shall be kept for a minimum period of 5 years, subject to applicable data protection law, except for the records referred to in point (a)(5) which shall be retained for 3 years after the unmanned aircraft has been permanently withdrawn from the national register of the Member State.
(d) All the records referred to in points (a) and (b) shall be made available, upon request, to the competent authority of another Member State or to the Agency.
AR.UAS.GEN.300
Oversight principles
(a) The competent authority shall verify:
(1) compliance with the requirements that are applicable to organisations or UAS prior to issuing a certificate, approval or authorisation, as applicable;
(2) continued compliance with the applicable requirements of the organisations it has certified;
(3) continued compliance with the requirements applicable to UAS under its oversight;
(4) the implementation of appropriate safety measures mandated by the competent authority in accordance with points AR.UAS.GEN.135(c) and (d).
(b) This verification shall:
(1) be supported by documentation specifically intended to provide personnel that are responsible for oversight with guidance to perform their functions;
(2) provide the organisations concerned with the results of oversight activities;
(3) be based on assessments, audits, inspections, surveys and, if needed, unannounced inspections;
(4) provide the competent authority with the evidence needed in case further action is required, including the measures set out in points AR.UAS.GEN.350 and AR.UAS.GEN.351.
(c) The competent authority shall establish the scope of the oversight set out in points (a) and (b), taking into account the results of past oversight activities and the safety priorities.
(d) If the facilities of an organisation are located in more than one Member State, the competent authority, as provided for in point AR.UAS.GEN.010, may agree to have the oversight tasks performed by the competent authority(ies) of the Member State(s) where the facilities are located. Any organisation that is subject to such an agreement shall be informed of its existence and of its scope.
(e) For any oversight activity performed at facilities located in a Member State other than the Member State where the organisation has its principal place of business, the competent authority, as provided for in point AR.UAS.GEN.010, shall inform the competent authority of that Member State before performing any on-site audit or inspection of the facilities.
(f) The competent authority shall collect and process any information deemed necessary for performing oversight activities.
AR.UAS.GEN.305
Oversight programme – organisations
(a) The competent authority shall establish and maintain an oversight programme covering the oversight activities required by point AR.UAS.GEN.300.
(b) For organisations that are certified by the competent authority, the oversight programme shall take into account the specific nature of the organisation, the complexity of its activities, the results of past certification or oversight activities, or both, and it shall be based on the assessment of the associated risks. It shall include, within each oversight planning cycle:
(1) assessments, audits and inspections, including, as appropriate:
(i) process audits;
(ii) product audits of a relevant sample of aircraft managed by the organisation or maintenance performed by the organisation, or both, as applicable;
(iii) sampling of the airworthiness reviews performed;
(iv) unannounced inspections;
(2) meetings convened between the accountable manager and the competent authority to ensure that both parties remain informed about all significant issues.
(c) For organisations that are certified by the competent authority, the oversight planning cycle shall not exceed 24 months.
(d) The oversight planning cycle may be shortened if there is evidence that the safety performance of the organisation has decreased.
(e) The oversight programme shall include records of the dates when assessments, audits, inspections and meetings are due, and when assessments, audits, inspections and meetings have been effectively performed.
(f) Upon completion of each oversight planning cycle, the competent authority shall issue a recommendation report on the continuation of the approval, reflecting the results of the oversight.
AR.UAS.GEN.310
Initial certification procedure – organisations
(a) Upon receiving an application from an organisation for the initial issue of a certificate, the competent authority shall verify the organisation’s compliance with the applicable requirements.
(b) A meeting with the accountable manager of the organisation shall be convened at least once during the investigation for initial certification to ensure that that person understands his or her role and accountability.
(c) The competent authority shall record all the findings issued, closure actions, as well as the recommendations for the issue of the certificate.
(d) The competent authority shall confirm to the organisation in writing all the findings raised during the verification. For initial certification, all findings must be corrected to the satisfaction of the competent authority before the certificate is issued.
(e) When satisfied that the organisation complies with the applicable requirements, the competent authority shall:
(1) issue the certificate in accordance with the Appendix to this Annex;
(2) formally approve the organisation manual.
(f) The certificate reference number shall be included on the organisation certificate in a manner specified by the Agency.
(g) The certificate shall be issued for an unlimited duration. The privileges and the scope of the activities that the organisation is approved to conduct, including any limitations as applicable, shall be specified in the terms of approval attached to the certificate.
(h) To enable the organisation to implement changes without prior competent authority approval in accordance with point CAO.UAS.105 of Annex II (Part-CAO.UAS) to Delegated Regulation (EU) 2024/1107, the competent authority shall approve the relevant organisation manual procedure that sets out the scope of such changes and describes how such changes shall be managed and notified to the competent authority.
AR.UAS.GEN.330
Changes – organisations
(a) Upon receiving an application for a change that requires prior approval, the competent authority shall verify the organisation’s compliance with the applicable requirements before issuing the approval.
(b) The competent authority shall establish the conditions under which the organisation may operate during the change, unless the competent authority determines that the organisation certificate needs to be suspended.
(c) When it is satisfied that the organisation complies with the applicable requirements, the competent authority shall approve the change.
(d) Without prejudice to any additional enforcement measures, if the organisation implements changes requiring prior approval without having received the approval of the competent authority in accordance with point (c), the competent authority shall consider the need to suspend, limit or revoke the organisation certificate.
(e) For changes not requiring prior approval, the competent authority shall include the review of such changes in its continuing oversight in accordance with the principles set out in point AR.UAS.GEN.300. If any non-compliance is found, the competent authority shall notify the organisation, request further changes to be made, and act in accordance with point AR.UAS.GEN.350.
AR.UAS.GEN.350
Findings, corrective actions and observations – organisations
(a) The competent authority shall have a system in place to analyse findings for their safety significance.
(b) A level 1 finding shall be issued by the competent authority when any significant non-compliance is detected with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, with the organisation’s procedures and manuals, or with the organisation certificate including the terms of approval, which lowers safety, or seriously endangers flight safety.
Level 1 findings shall also include:
(1) any failure to grant the competent authority access to the organisation’s facilities referred to in point CAO.UAS.112 of Annex II (Part-CAO.UAS) to Delegated Regulation 2024/1107 during normal operating hours and after two written requests;
(2) obtaining the organisation certificate or maintaining its validity by falsification of the submitted documentary evidence;
(3) any evidence of malpractice or fraudulent use of the organisation certificate;
(4) the lack of an accountable manager.
(c) A level 2 finding shall be issued by the competent authority when any non-compliance is detected with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, with the organisation’s procedures and manuals, or with the organisation certificate including the terms of approval, which is not classified as a level 1 finding.
(d) When a finding is detected during oversight or by any other means, the competent authority shall, without prejudice to any additional action required by Regulation (EU) 2018/1139 and its delegated and implementing acts, communicate in writing the finding to the organisation and request corrective action to address the non-compliance identified. If a level 1 finding directly relates to an UA or a CMU, the competent authority shall inform the competent authority specified in point AR.UAS.GEN.010(a), if different from the competent authority that raises the finding.
(1) If there are any level 1 findings, the competent authority shall take immediate and appropriate action to prohibit or limit the activities of the organisation concerned and, if appropriate, it shall take action to revoke the certificate, or to suspend or limit it in whole or in part, depending on the extent of the level 1 finding, until successful corrective action has been taken by the organisation.
(2) If there are any level 2 findings, the competent authority shall:
(i) grant the organisation an implementation period for the corrective action plan that is appropriate to the nature of the finding, and that in any case shall initially not be longer than 3 months. The period shall commence from the date of the written communication of the finding to the organisation. At the end of that period, and subject to the nature of the finding, the competent authority may extend the 3-month period;
(ii) assess the corrective action plan proposed by the organisation, and if the assessment concludes that it is sufficient to address the non-compliance, accept it.
(3) If the organisation fails to submit an acceptable corrective action plan, or fails to perform the corrective action within the time period initially accepted or further extended by the competent authority, the finding shall be raised to level 1 and action shall be taken in accordance with point (d)(1).
(4) The competent authority shall record all the findings it has raised or that have been communicated to it in accordance with point (e) and, where applicable, the enforcement measures it has applied, as well as all corrective actions and the dates of the action closure for all the findings.
(e) Without prejudice to any additional enforcement measures, when an authority that performs oversight tasks in accordance with point AR.UAS.GEN.300(d) identifies any non-compliance with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts by an organisation certified by the competent authority of another Member State or the Agency, it shall inform that competent authority and provide an indication of the level of the finding.
(f) The competent authority may issue observations for any of the following cases that do not require level 1 or level 2 finding:
(1) for any item whose performance has been assessed to be ineffective;
(2) when it has been identified that an item has the potential to cause a non-compliance under points (b) or (c);
(3) when suggestions or improvements are of interest to the overall performance of the organisation.
The observations issued under this point shall be communicated in writing to the organisation and recorded by the competent authority.
AR.UAS.GEN.351
Findings and corrective actions – UAS
(a) The competent authority shall have a system in place to analyse findings for their safety significance.
(b) A level 1 finding is any finding of significant non-compliance of the UAS with the requirements of Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107, which lowers safety or seriously endangers flight safety.
(c) A level 2 finding is any finding of non-compliance of the UAS with the requirements of Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107, which is not classified as a level 1 finding.
(d) If during aircraft surveys or by other means evidence is found that shows non-compliance of the UAS with the requirements of Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107, the competent authority shall:
(1) for level 1 findings, immediately require a corrective action plan including corrections to be taken before further flight, and if appropriate, revoke or suspend the ARC; and
(2) for level 2 findings, require a corrective action plan, as appropriate to the nature of the finding.
AR.UAS.GEN.355
Suspension, limitation and revocation of a certificate
The competent authority shall:
(a) suspend a certificate when it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to unmanned aircraft safety;
(b) suspend, revoke or limit a certificate if such action is required in accordance with point AR.UAS.GEN.350 or point AR.UAS.GEN.351;
(c) suspend or limit, in whole or in part, an organisation certificate if unforeseeable circumstances beyond the control of the competent authority prevent its inspectors from discharging their oversight responsibilities over the oversight planning cycle.
SUBPART CAW
AIRWORTHINESS OF UAS
AR.UAS.CAW.005
Scope
This Subpart establishes the requirements to be fulfilled by the competent authority when performing its tasks and discharging its responsibilities with regard to the oversight of the continuing airworthiness of UAS subject to Delegated Regulation (EU) 2024/1107, and the issue of airworthiness review certificates (ARCs).
AR.UAS.CAW.303
UAS continuing airworthiness monitoring
(a) The competent authority shall develop a survey programme following a risk-based approach to monitor the airworthiness status of the UA fleet on its register, and of their control and monitoring units (CMUs).
(b) The survey programme shall include product surveys of a sample of UA and CMUs, and shall cover all aspects of airworthiness key risk elements.
(c) The product survey shall sample the airworthiness standards achieved, on the basis of the applicable requirements, and identify any findings.
(d) Any findings identified shall be categorised in accordance with point AR.UAS.GEN.351 and confirmed in writing to the person or organisation that is responsible in accordance with point ML.UAS.201 of Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107.
(e) The competent authority shall record all findings and closure actions.
(f) If during such survey evidence is found that shows non-compliance with this or other Annexes, the finding shall be addressed as specified in the relevant annex.
(g) If so required to ensure appropriate enforcement action, the competent authority shall exchange information on any non-compliance identified in accordance with point (f) with other competent authorities.
AR.UAS.CAW.902
Airworthiness review conducted by the competent authority
(a) When the competent authority performs the airworthiness review and issues the ARC (EASA Form 15d) as set out in Appendix 2 to Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107, the competent authority shall conduct an airworthiness review in accordance with point ML.UAS.903 of Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107.
(b) The competent authority shall have airworthiness review staff to conduct airworthiness reviews. Such staff shall comply with all the following requirements:
(1) they have acquired at least 3 years of experience in continuing airworthiness;
(2) they have obtained an aeronautical degree or licence, or equivalent qualification;
(3) they have received appropriate aeronautical-maintenance training;
(4) they hold a position that authorises them to sign on behalf of the competent authority.
Notwithstanding points (b)(1) to (b)(4), the requirement of point (b)(2) may be replaced by 3 years of experience in continuing airworthiness, in addition to the experience already required by point (b)(1).
(c) The competent authority shall maintain a record of all airworthiness review staff, which shall include details of any appropriate qualification held together with a summary of the relevant continuing airworthiness management experience and training.
(d) During the performance of the airworthiness review, the competent authority shall have access to the applicable data such as those specified in points ML.UAS.305 and ML.UAS.401 of Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107.
(e) Staff that conduct the airworthiness review shall issue an ARC (EASA Form 15d) as set out in Appendix 2 to Annex I (Part-ML.UAS) to Delegated Regulation (EU) 2024/1107, upon the satisfactory completion of the airworthiness review.
(f) Whenever circumstances reveal the existence of a potential safety threat, the competent authority shall conduct the airworthiness review and issue the ARC itself.
(1) Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007 (
OJ L 122, 24.4.2014, p. 18
, ELI:
http://data.europa.eu/eli/reg/2014/376/oj
).
Appendix
Part-CAO.UAS certificate – EASA Form 3-CAO.UAS
(a) Within the approval class(es) and rating(s) established by the competent authority, the scope of work specified in the organisation manual defines the exact limits of the approval. It is therefore essential that the approval class(es) and rating(s) and the organisation’s scope of work match.
(b) An
UAS
rating, in relation to UA or CMU maintenance privileges, means that the Part-CAO.UAS organisation may, in accordance with the scope of work specified in the organisation manual, perform maintenance on the UA, the CMU, or both. Such organisation may also perform maintenance on components (including engines) in accordance with UA or CMU maintenance data or, if agreed by the competent authority, in accordance with component maintenance data, only while such components are fitted to the UA or the CMU. Nevertheless, such organisation may temporarily remove a component for maintenance in order to improve access to that component except when its removal generates the need for additional maintenance that the organisation is not approved to perform. Such removal of a component for maintenance by a UAS-rated maintenance organisation shall be subject to a control procedure specified in the organisation manual.
Under an
UAS
rating, the Part-CAO.UAS organisation may also be approved, in accordance with the scope of work specified in the organisation manual, to install CMUs, to manage UAS continuing airworthiness, to perform airworthiness reviews, and to issue permits to fly.
(c) A
complete engine
rating (turbine, piston, electrical, or other) means that the Part-CAO.UAS organisation may perform maintenance on an uninstalled engine and engine components in accordance with engine maintenance data or, if agreed by the competent authority, in accordance with component maintenance data, only while such components are fitted to the engine. Nevertheless, such engine-rated organisation may temporarily remove a component for maintenance in order to improve access to that component except when its removal generates the need for additional maintenance that the organisation is not approved to perform. An engine-rated organisation may also perform maintenance on an installed engine during UA maintenance subject to a control procedure specified in the organisation manual to be approved by the competent authority.
(d) A
component other than complete engines
rating means that the Part-CAO.UAS organisation may perform maintenance on uninstalled components (excluding complete engines) intended for fitment to the UA, the engine or the CMU. That organisation may also perform maintenance on an installed component (other than complete engines) during UA maintenance, CMU maintenance or at an engine maintenance facility subject to a control procedure specified in the organisation manual to be approved by the competent authority.
(e) A
non-destructive testing
(NDT) rating is a self-contained rating not necessarily related to a specific UA, engine, or other component. The NDT rating is only necessary for a Part-CAO.UAS organisation that performs NDT as a particular task for another organisation. A Part-CAO.UAS organisation approved with an UAS, engine or component rating may perform NDT on products and components it maintains subject to the organisation manual containing NDT procedures, without the need to hold an NDT rating.
|
Page 1 of 2 [MEMBER STATE (*1)] A Member of the European Union (*2) CAO.UAS CERTIFICATE Reference: [MEMBER STATE CODE (*1)].CAO.UAS.[XXXX] Pursuant to Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and to Commission Implementing Regulation (EU) 2024/1109 and Commission Delegated Regulation 2024/1107, and subject to the conditions specified below, the [COMPETENT AUTHORITY OF THE MEMBER STATE (*1)] hereby certifies: [NAME OF APPROVED ORGANISATION AND ADDRESS] as a Part-CAO.UAS organisation in compliance with Annex II (Part-CAO.UAS) to Commission Delegated Regulation (EU) 2024/1107 CONDITIONS:
Date of original issue of the approval certificate: … Date of this revision of the approval certificate: … Revision No: … Signed: … For the competent authority: [COMPETENT AUTHORITY OF THE MEMBER STATE (*1)] |
||||||||||
|
EASA Form 3-CAO.UAS – Issue 1 |
|
|
Page 2 of 2 PART-CAO.UAS ORGANISATION TERMS OF APPROVAL Reference: [MEMBER STATE CODE (*3)].CAO.UAS.XXXX Organisation: [NAME OF APPROVED ORGANISATION AND ADDRESS] |
|
||||||||||||||
|
|
CLASS |
RATING |
PRIVILEGES (*5) |
|
||||||||||||
|
|
UAS (*4) |
UAS (*4) |
|
|
||||||||||||
|
|
COMPONENTS (*4) |
Complete engine (*4) |
|
|
||||||||||||
|
Components other than complete engines (*4) |
||||||||||||||||
|
|
SPECIALISED SERVICES (*4) |
Non-destructive testing (NDT) (*4) |
|
|
||||||||||||
|
|
|
|
||||||||||||||
|
|
List of subcontracted organisation(s) that perform continuing airworthiness tasks |
|
||||||||||||||
|
|
|
|
||||||||||||||
|
|
|
|
||||||||||||||
|
These terms of approval are limited to the UAS, the UAS components, and the activities specified in the ‘Scope of work’ section of the organisation manual. Organisation manual reference: … Date of original issue of the organisation manual: … Date of last approved revision: … Revision No: … Signed: … For the competent authority: [COMPETENT AUTHORITY OF THE MEMBER STATE (*3)] |
||||||||||||||||
|
EASA Form 3-CAO.UAS – Issue 1 |
||||||||||||||||
(
*1
)
Or ‘EASA’, if EASA is the competent authority.
(
*2
)
Delete for non-EU Member States or EASA.
(
*3
)
Or ‘EASA’, if EASA is the competent authority.
(
*4
)
Delete as appropriate if the organisation is not approved.
(
*5
)
Select as appropriate.
ELI: http://data.europa.eu/eli/reg_impl/2024/1109/oj
ISSN 1977-0677 (electronic edition)
Feedback