Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down r... (32023R0203)
CONTENTS
Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664
- COMMISSION IMPLEMENTING REGULATION (EU) 2023/203
- of 27 October 2022
- laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664
- Article 1
- Subject matter
- Article 2
- Scope
- Article 3
- Definitions
- Article 4
- Requirements for organisations and competent authorities
- Article 5
- Requirements arising from other Union legislation
- Article 6
- Competent authority
- Article 7
- Submission of relevant information to NIS competent authorities
- Article 8
- Amendment to Regulation (EU) No 1178/2011
- Article 9
- Amendment to Regulation (EU) No 748/2012
- Article 10
- Amendment to Regulation (EU) No 965/2012
- Article 11
- Amendment to Regulation (EU) No 139/2014
- Article 12
- Amendment to Regulation (EU) No 1321/2014
- Article 13
- Amendment to Regulation (EU) 2015/340
- Article 14
- Amendment to Implementing Regulation (EU) 2017/373
- Article 15
- Amendment to Implementing Regulation (EU) 2021/664
- Article 16
- ANNEX I
- INFORMATION SECURITY – AUTHORITY REQUIREMENTS
- [PART-IS.AR]
- IS.AR.100 Scope
- IS.AR.200 Information security management system (ISMS)
- IS.AR.205 Information security risk assessment
- IS.AR.210 Information security risk treatment
- IS.AR.215 Information security incidents – detection, response and recovery
- IS.AR.220 Contracting of information security management activities
- IS.AR.225 Personnel requirements
- IS.AR.230 Record-keeping
- IS.AR.235 Continuous improvement
- ANNEX II
- INFORMATION SECURITY – ORGANISATION REQUIREMENTS
- [PART-IS.I.OR]
- IS.I.OR.100 Scope
- IS.I.OR.200 Information security management system (ISMS)
- IS.I.OR.205 Information security risk assessment
- IS.I.OR.210 Information security risk treatment
- IS.I.OR.215 Information security internal reporting scheme
- IS.I.OR.220 Information security incidents – detection, response and recovery
- IS.I.OR.225 Response to findings notified by the competent authority
- IS.I.OR.230 Information security external reporting scheme
- IS.I.OR.235 Contracting of information security management activities
- IS.I.OR.240 Personnel requirements
- IS.I.OR.245 Record-keeping
- IS.I.OR.250 Information security management manual (ISMM)
- IS.I.OR.255 Changes to the information security management system
- IS.I.OR.260 Continuous improvement
- ANNEX III
- ANNEX IV
- ANNEX V
- ARO.GEN.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
- ARO.GEN.205 Allocation of tasks
- ARO.GEN.330A Changes to the information security management system
- ORO.GEN.200A Information security management system
- ANNEX VI
- ANNEX VII
- 145.A.200A Information security management system
- 145.B.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
- 145.B.205 Allocation of tasks
- 145.B.330A Changes to the information security management system
- 66.B.15 Information security management system
- CAMO.A.200A Information security management system
- CAMO.B.135A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
- CAMO.B.205 Allocation of tasks
- CAMO.B.330A Changes to the information security management system
- ANNEX VIII
- ATCO.AR.A.025A Immediate reaction to an information security incident or vulnerability with an impact on aviation safety
- ATCO.AR.B.005 Allocation of tasks
- ATCO.AR.E.010A Changes to the information security management system
- ATCO.OR.C.001A Information security management system
- ANNEX IX