The aviation industry is a critical component of global transportation. It is a complex, interconnected ‘system of systems’ consisting of infrastructures or systems such as ATMs, ground services, telecommunications, etc., all interlinked and interdependent and thus highly susceptible to cyber incidents.

A cyber incident in the aviation industry could lead to widespread flight cancellations, delays and disruptions, potentially causing significant economic losses and compromising passenger safety. In May 2017, the WannaCry ransomware attack affected numerous international organisations worldwide, including those in the aviation sector.

Eurocontrol (a pan-European civil-military organisation supporting European aviation) published a report in July 2021 entitled, Airlines under attack: Faced with a rising tide of cybercrime, is our industry resilient enough to cope? This report, based on extensive research and industry insights, highlighted that:

Aviation faces a ransomware attack every week, and the cost of ransomware mitigation measures alone is expected to cost global companies over €20 billion annually. And the ‘Big 3’ attacks used to target airlines are fake websites, data theft and phishing.

The above-mentioned figures from 2021, in all likelihood, must have increased in magnitude, given that according to Resilinc (a global supply chain mapping and monitoring leader), cyberattacks in the aviation sector rose by 24 per cent worldwide in the first half of 2023. This alarming trend could have severe implications for the aviation industry, making it imperative to strengthen cybersecurity measures and incident-response plans.

As technology evolves and sectors become more digitalised, the convergence of aviation law and cybersecurity law has become increasingly significant. Both domains are critical in ensuring safety, security and resilience. Both aviation and cybersecurity laws emphasise preventive measures, risk management and rapid response to incidents. They are committed to creating safe and secure environments in the skies and/or the digital realm.

Aviation law, at its core, is dedicated to ensuring the safety and security of air travel. This includes regulations on aircraft operations, air traffic control, and passenger safety, characterised by stringent regulatory oversight, with bodies like the International Civil Aviation Organisation (ICAO) and the European Aviation Safety Agency (EASA) playing pivotal roles in coordinating as well as setting and enforcing safety standards globally and regionally.

The importance of addressing cybersecurity in civil aviation was specifically highlighted by the adoption of three ICAO Assembly resolutions: Resolution A39-19, Addressing Cybersecurity in Civil Aviation, of 2016, superseded in 2019 by Resolution A40-10, Addressing Cybersecurity in Civil Aviation, and Resolution A41-19, Addressing Cybersecurity in Civil Aviation, in 2022.

The European Union Agency for Cybersecurity (ENISA) also plays a vital role. ENISA has diligently worked on aviation cybersecurity to enhance the security and resilience of European air transport. ENISA actively works towards increasing the cybersecurity capabilities and the overall cyber resilience of the Aviation Sector.

Existing EU laws establish standard rules in civil aviation, including Regulation (EC) No 216/2008 and EASA Regulation (EU) No 376/2014, which addresses the reporting, analysis and follow-up of occurrences in civil aviation. Regulation (EU) 2018/1139 also updates EASA’s mandate, enhancing its role in aviation safety and security, including cybersecurity.

It is important to note that the EU Cybersecurity Act is also relevant. This act enforces the mandate of ENISA, introduces harmonised definitions for cybersecurity and cyber threats, and establishes cyber certification standards. Other applicable laws include the Security of Network and Information Systems Directive (NIS) and the forthcoming NIS2. These directives mandate vulnerability breach notifications, outline penalties and administrative regimes, and introduce direct liability for management bodies under NIS2.

The General Data Protection Regulation (GDPR) also applies to the aviation industry. Beyond data protection by design principles, it addresses data protection breaches.

The recently ratified EU AI Act is also significant if AI is used. It captures specific AI systems used in aviation, especially those embedded in products listed in Annex 1. This act imposes both ex-ante and ex-post obligations, including cybersecurity and robustness. The Act also potentially applies to high-risk (stand-alone) use cases listed in Annex III, given that aviation is also considered part of the critical infrastructure under the Critical Entities Directive (CER). This classification includes air carriers, airport management bodies and operators providing air traffic control services.

The potential prejudice and exposure on aviation players is not exclusively regulatory. There is also reputation damage, and direct claims and legal action from clients and customers. Compliance and risk mitigation, here is not a simple tick-the-box exercise.

The aviation sector must embrace a more comprehensive cybersecurity culture while planning a more coherent framework for its operations to be secure and resilient by design, utilising robust governance, risk, and compliance frameworks with robust and secure communication protocols which also support cooperation and information sharing on vulnerabilities and threats.

Ian Gauci is the managing partner of GTG, a technology-focused corporate and commercial law firm which has been at the forefront of major developments in fintech, cybersecurity, telecommunications, and technology-related legislation.

This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.