Explanatory Memorandum to COM(2023)186 - 2021 annual report on the implementation of regulation (ec) n° 300/2008 on common rules in the field of civil aviation security - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2023)186 - 2021 annual report on the implementation of regulation (ec) n° 300/2008 on common rules in the field of civil aviation ... |
---|---|
source | COM(2023)186 |
date | 13-04-2023 |
According to Article 16 of Regulation (EC) No 300/20081, the Commission shall every year present a report to the European Parliament, the Council and the Member States informing them of the application of this Regulation and of its impact on improving aviation security.
In 2021, the Commission continued to strengthen aviation security rules, with a particular focus on addressing the impact of the COVID-19 pandemic on the implementation of existing and new aviation security rules. In aviation security, the objective of the Commission during the pandemic has been twofold: firstly, to ensure that security is not compromised, as a security incident would be exceptionally damaging on top of a health and economic crisis. Secondly, to create a solid basis for the gradual resumption of operations and to restore public confidence in transport, while ensuring that safety and security remain at the highest level.
2. 2. FOR AN ENHANCED, MORE INNOVATIVE AND MORE RESILIENT EU AVIATION SECURITY POLICY
The Commission launched in 2020 a stocktaking exercise and strategic discussion on possible next steps for the EU aviation security system, the purpose of which is to reflect on a strategic vision for the future of aviation security. While delayed by COVID-19 pandemic priorities, the work resumed in 2021. This includes input from various work streams in the areas of risk-based security, security culture and holistic approach, innovation, and aviation security standards. The intention of the Commission is to finalise this work in the beginning of 2023 with proposals for a way forward, in terms of possible concrete actions and decisions.
3. 3. INSPECTIONS AND OTHER COMPLIANCE MONITORING ACTIVITIES
2. 3.1 General
Regulation (EC) No 300/2008 aims at preventing unlawful interference with civil aircraft in order to protect persons and goods. While this Regulation requires Member States to regularly monitor the compliance of the implementation of the common basic aviation security standards by airports, air carriers and other entities and to ensure the swift detection and correction of failures, the role given to the Commission by the legislator is to monitor the effective implementation by the EU/EEA2 Member States of this legal requirement.
Article 15 of Regulation (EC) No 300/2008 requires the Commission to conduct inspections and, as appropriate, to make recommendations to improve aviation security. To fulfil this monitoring objective, the oversight system of the Commission covers the activities of the Member States in setting up, maintaining and applying an effective national civil aviation security programme and an effective national civil aviation quality control programme.
To this end, the Commission put in place a two-layer system of compliance monitoring, i.e. its own inspections complemented by the assessment of Member States' annual reports on national monitoring activities.
Since 2010, the compliance rate identified during Commission inspections has remained stable around 80%. However, this relatively stable figure does not mean that Member States have not increased their efforts, as the requirements in the field of aviation security have also strengthened significantly over the years, in particular in areas such as air cargo security, liquids, aerosols and gels screening, or the use of explosive trace detection.
2. 3.2 Frequency and scope of the inspections
The Commission carries out inspections of Member States' aviation security administrations (the appropriate authorities), as well as inspections of airports, operators and entities applying aviation security standards.
The number, frequency and scope of these inspections are established in the DG MOVE strategy for monitoring the implementation of EU aviation security standards. It takes into consideration the level of aviation activity in each Member State, a representative sample of the airport operations type, standard of implementation of the aviation security regulations, results of previous Commission inspections, assessments of national annual quality control reports, security incidents (acts of unlawful interference), threat levels and other factors and assessments.
To provide the Commission with adequate assurances on the compliance level of Member States, a multiannual monitoring approach is used. As such, evidence is acquired concerning the application of Regulation (EC) No 300/2008 and its implementing legislation by every Member State in a cycle of two years, by means of either an inspection of its appropriate authority or an inspection of at least one of its airports.
In addition, evidence of the application of the common basic standards on aviation security is obtained in a cycle of five years by a selection of at least 15% of all EU airports falling under Regulation (EC) No 300/2008 including the largest airport in terms of passenger volumes in every Member State. The inspections carried out by the Commission at selected airports constitute a strong indicator of the overall compliance level in each Member State.
2. 3.3 Procedures and methodology for inspections
Commission Regulation (EU) No 72/20103 lays down the procedures for conducting Commission inspections in the field of aviation security. It includes, inter alia, provisions for the qualification and powers of Commission inspectors.
The methodology used to conduct the inspections has been developed in close cooperation with Member States’ aviation security authorities and is based on the verification of the effective implementation of security measures.
2. 3.4 Inspections carried out by the Commission
In 2021, the Commission continued to conduct inspections, despite mobility restrictions due to the COVID-19 pandemic. During this time new approaches were used, such as documentation-based remote inspections of appropriate authorities. Physical on-site airport inspection activities were resumed in October 2021.
To carry out its inspection work, the Commission had a team of seven full time aviation security inspectors, supported by a pool of some 80 national auditors nominated by Member States who qualify for participation in Commission inspections through training provided by the Commission.
In addition, a significant number of national auditors participating in Commission inspections ensures a peer review system and allows spreading methodologies and best practices across Member States and associated countries.4
1. 3.4.1 Inspections of national appropriate authorities
The inspections of appropriate authorities aim at verifying whether Member States have the necessary tools – including a national quality control programme, legal authority and appropriate resources – to be able to adequately implement EU aviation security legislation.
The Commission continued its sixth cycle of appropriate authority inspections in 2021 with eight inspections. The results highlighted the need for additional effort by Member States, in particular in the following areas: security programmes of airports, operators and entities that were still not fully in line with the regulations; the methodology required for inspections and the elements to be included in compliance monitoring reporting; minimum frequencies for security audits and inspections; and where required or applicable, proper risk assessments to define security measures or certain exemptions. In addition, some Member States did not monitor with the expected regularity national and/or foreign air carriers and some entities with security responsibilities.
Nevertheless, most of the Member States inspected in 2021 did align national aviation security programmes with EU legislation, provided their appropriate authorities with the necessary enforcement powers for monitoring and enforcing all requirements of the Regulation and its implementing acts, ensured that a sufficient number of auditors were available for performing compliance monitoring activities, and implemented most of the requirements related to security training.
2. 3.4.2 Initial inspections at airports
The inspections of airports aim at verifying if the appropriate authority adequately monitors the effective implementation of aviation security measures and is capable of swiftly detecting and rectifying potential deficiencies. In both cases, any deficiency identified by Commission inspectors must be rectified within an established timeframe. Inspection reports are shared amongst all Member States.
After the 12th year of implementation of Regulation (EC) No 300/2008, the inspection results reflect the efforts made by appropriate authorities and the industry. Most of the security requirements were correctly implemented. However, the three initial inspections of airports conducted in 2021 highlighted difficulties encountered by the airport operators in the effective implementation of some measures, for instance access control and cabin baggage screening.
3. 3.4.3 Follow-up inspections
In accordance with Article 13 of Regulation (EU) No 72/2010, the Commission routinely carries out a limited number of follow-up inspections. Such inspections are scheduled when several serious deficiencies have been identified during the initial inspection, but also on a random basis to verify that appropriate authorities have the necessary powers to require rectification of deficiencies within set timeframes. As on-site inspections were on hold until autumn 2021, only one follow-up inspection was carried out this year.
2. 3.5 Assessments of Member States' annual quality control report
Point 18 of the Annex to Regulation (EC) No 300/2008 requires Member States to annually submit a report to the Commission on the measures taken to fulfil their obligations under this Regulation and on the aviation security situation at airports located in their territory.
The assessment of these reports, in addition to its own regular inspections, provides a tool for the Commission to closely follow the implementation of robust national quality control measures. This, in turn, allows for swift detection and correction of deficiencies in each Member State.
The assessment includes an analysis of regular monitoring of airports, air carriers and other entities with aviation security responsibilities, as well as time spent by the auditors in the field, scope and frequencies of a suitable mixture of compliance monitoring activities, national compliance levels, follow-up activities and the use of enforcement powers.
The COVID-19 pandemic significantly impacted the capability of Member States to perform their ordinary quality control activities conducted on-site at airports and at other operators’ sites during 2021.
Therefore, the assessment for the 2021 annual reports performed by the Commission focused on the ordinary quality control tools that could be implemented by the Member States, combined with an evaluation, and weighing of alternative and additional compliance monitoring activities5 that were conducted during the most severe lockdown period. The Commission noted that while some Member States could discharge their quality control obligations in full using the ordinary methodology and tools, most made large use of alternative and additional activities. This contributed to the achievement of satisfactory performance.
The assessment of the annual reports acknowledged the outstanding efforts put in place by all Member States in maintaining their aviation security regime under continuous review through a combination of desktop assessments and where possible, targeted on-site activities. No shortcomings or weaknesses for follow-up were revealed.
The Commission sent a formal comprehensive evaluation to the Member States highlighting, where needed, suggestions on how to improve or better tailor the national efforts.
2. 3.6 Assessments of third country airports
In normal circumstances, assessments are conducted in the context of One Stop Security (OSS) arrangements between the EU and third countries to confirm the implementation of certain security measures continues to be of an equivalent standard to the implementation of EU aviation security legislation. In 2021, this was not possible due to the pandemic.
2. 3.7 Article 15 cases and legal proceedings
If identified deficiencies in the implementation of security measures at an airport are serious enough as to have a significant impact on the overall level of civil aviation security in the Union, the Commission will activate Article 15 of Regulation (EU) No 72/2010. This means that all other appropriate authorities are alerted to the situation and compensatory measures would have to be considered in respect of flights from the airport in question. No such case was initiated in 2021.
The Commission also has the possibility to open infringement proceedings, particularly in cases of prolonged non-rectification or recurrence of deficiencies. In 2021, no such proceedings were launched.
4. 4. LEGISLATIVE FRAMEWORK AND SUPPLEMENTARY TOOLS
2. 4.1 Legislative framework
Civil aviation remains an attractive target for hostile actors and countering this threat requires the implementation of proportionate, risk based protective measures. The Commission and Member States are therefore constantly adjusting the mitigation measures to achieve the highest level of security while minimising adverse effects on operations.
Implementing Regulation (EU) 2015/1998 was amended in February 2021 by Implementing Regulation (EU) 2021/2556. The latter contains provisions for extending the applicability of alternative and expedited processes for EU aviation security validations of the Union-bound supply chain operators affected by the COVID-19 pandemic, introduces rules concerning Pre-Loading Advance Cargo Information (PLACI), and provides flexibility for the process of installation of standard 3 explosive detection systems (EDS) equipment.
2. 4.2 Union database on supply chain security
The Commission deployed a new enhanced version of the Union database7 on supply chain security in November 2021. It constitutes the only legal tool for consultation when accepting consignments from another regulated agent or from a known consignor. The same database also includes a list of approved civil aviation security equipment with ‘EU Stamp’ marking.
At the end of 2021, the database contained about 20 000 records of regulated agents, known consignors, independent validators, ACC3 airlines, regulated suppliers, third country regulated agents and known consignors, security equipment and airports. Its target availability rate of 99.7% was continuously met in 2021.
2. 4.3 Pre-Loading Advance Cargo Information (PLACI)
The first phase of the new customs import system (ICS2) based on pre-loading advance cargo information requirements in respect of postal/mail and express consignments for air cargo and mail security risk analysis purposes was launched on 15 March 2021.
Under PLACI requirements, details pertaining to each shipment flying to the EU from third country locations are to be electronically submitted to EU customs by the economic operators responsible for bringing consignments into the Union customs territory and analysed for civil aviation security purposes by the customs authorities of the first point of entry in the EU.
The outcome of the PLACI risk analysis may require the implementation of specific mitigating aviation security measures. These must be applied by economic operators engaged in the EU in-bound supply chain before the consignment is loaded on board of an EU-bound flight. The Commission organised in January 2021 a second joint workshop with aviation security authorities and national customs authorities to foster smooth PLACI implementation.
5. 5. TRIALS, MEETINGS AND NEW INITIATIVES
2. 5.1 Trials
A trial in the sense of EU aviation security legislation is conducted when a Member State agrees with the Commission that it will use a particular means or method not recognised under the terms of the legislation to replace one of the recognised security controls, for a limited period on condition that such trial does not impact negatively on the overall levels of security. No trials were conducted or initiated during 2021.
2. 5.2 Meetings
The Commission organised in October 2021 a second virtual meeting of the Aviation Cybersecurity Working Group, bringing together Member State authorities responsible for aviation security and implementation of the NIS Directive8, as well as stakeholders. The Commission considers that implementing and further improving the complex regulatory environment of aviation cybersecurity can greatly benefit from the sharing of experience and best practices within such a working group. There is also a keen interest to ensure that the specificities of the aviation sector are considered and to see how sectorial and horizontal efforts can complement each other, while avoiding duplication of effort and undue burden on administrations and industry.
With the aim to provide Member States with feedback from inspections, promote transparency and harmonise compliance monitoring methodologies, the Commission organised an annual meeting and training of the AVSEC national inspectors in December 2021, held virtually.
The Commission co-organised with the European Civil Aviation Conference (ECAC) a virtual workshop on the impact of artificial intelligence on aviation security equipment in May 2021. The aim of this workshop was to contribute to a common understanding by bringing together international AI experts, practitioners and end-users and prepare further work, notably in the area of automated detection of prohibited items.
2. 5.3 New initiatives
Progress was made regarding the development of new aviation security technologies. Work was notably undertaken to elaborate security equipment detection standards to tackle new threats, especially chemical substances. To this end, excellent cooperation is in place with the United States (US) and other international partners. However, the COVID-19 pandemic impaired this cooperation by preventing physical meetings, since this activity requires the exchange of classified information in a secure environment.
6. 6. THREAT EVENTS AND OUTLOOK
2. 6.1 General
International jihadist terrorism remains a major threat to the EU that requires careful monitoring9. Despite global efforts to limit terrorist financing sources, terrorist organisations still have access to large cash reserves10 to finance their activities and propaganda. They retain intent to attack aviation as a high-profile target as well as the capability to develop innovative explosive concealments. It is expected that the threats and challenges of aviation security will continue to evolve, as well increase in the diversity of modus operandi of attack. Other potential threats such as chemical, biological, radiological and nuclear (CBRN) are continually being assessed by the Commission and Member States. Insider threats and home-grown terrorism remain an area of particular attention. At the same time, other threats and means of attack have come into focus. Conflict zones will continue to provide terrorists with an environment offering the opportunity to acquire more sophisticated military grade equipment and to exploit less stringent aviation security measures.
The Commission, together with the relevant agencies, maintained a continuous dialogue on, and regular monitoring of, emerging security threats for aviation, including those of a hybrid nature, with Member States and other stakeholders, to build up the knowledge and capacity to react to those threats, effectively managing the risk.
2. 6.2 Cybersecurity
In the context of aviation’s growing reliance on information technology and digital operational systems, cybersecurity is becoming ever more critical. Cyber-attacks targeting transport could potentially have disastrous consequences and lead to a significant economic disruption. This is of particular concern when considering that different cyber-incidents throughout 2021 demonstrated the vulnerability of the sector.11 In its efforts to make the transport sector and related infrastructure more resilient, the Commission confirmed that the EU will update and improve the existing security framework, including the means to tackle cyber threats, under the overarching umbrella of the existing rules governing this matter12. The cyber domain points to a number of specific challenges, including the array of actors and motivations (beyond terrorist groups). The Commission has adopted measures also in this domain13, in the face of more malicious intentions and increased capabilities of hostile third parties. The situation in aviation underlines the need to ensure maximum consistency between horizontal and sectoral rules. From the Commission’s perspective, it is imperative to avoid duplication and burden on operators and administrations.
2. 6.3 Drones
The unlawful use of unmanned aircraft systems (UAS), better known as drones, can disrupt airport operations and may endanger aircraft and their occupants.14 In March 2021, EASA – with the support of the Commission – issued guidance to help aviation operators and national authorities to manage drone incidents at and around airports. On 22 April 2021, the Commission adopted a regulatory framework for the European unmanned traffic management concept (the U-Space)15, which will make it easier for authorities to distinguish between cooperative and non-cooperative drones. The Commission is also supporting innovative projects such as Skyfall16 or Courageous for counter-UAS system testing. Increasing system resilience and counter-UAS capabilities also forms an integral part of the “Drone Strategy 2.0”17, which the Commission adopted in November 2022.
2. 6.4 Conflict Zones
Under the Conflict Zone Alerting System common risk assessments took place on a regular basis, with some practical limitations imposed by the COVID-19 pandemic, under the lead of the integrated EU aviation security risk assessment group. The aim of this exercise is to share information on the assessment of risks arising from conflict zones in a timely manner to support risk mitigation. In case of urgency, exceptional meetings are arranged.18
In 2021, the Commission launched a review process with Member States represented in the group and EASA on how to further streamline the conflict zones risk assessment process. It resulted in better defined rules governing the issuance of EASA Conflict Zones Information Bulletins (CZIBs) and EASA information notes, facilitation of their dissemination and special arrangements for urgencies.
The integrated EU aviation security risk assessment process also provides risk assessment capability and supports the decision-making process (risk mitigation) for air cargo security and aviation security standards.
7. 7. INTERNATIONAL DIALOGUE
2. 7.1 General
The Commission continued its contribution to the enhancement of aviation security worldwide. It did so by engaging with international bodies, such as the International Civil Aviation Organisation (ICAO), and key trading partners, and working closely with Member States to ensure co-ordinated EU positions. Bilateral dialogues were also held with certain third countries, such as the US, Canada, Australia, Singapore, and the United Kingdom (UK).
2. 7.2 International bodies
The EU actively participated, as an observer, in the annual meeting of the ICAO Aviation Security Panel (AVSECP/32) which took place on 31 May to 4 June 2021 in a virtual setting. The main deliverable was an agreement on a proposal for Amendment-18 to Annex 17 (Security) to the Chicago Convention.
2. 7.3 Third countries
In the context of relations with the United States, the EU-US Transportation Security Cooperation Group (TSCG) aims at fostering co-operation in several areas of mutual interest. It ensures the continued functioning of One Stop Security (OSS) arrangements and of the mutual recognition of respective EU and US air cargo and mail regimes. These initiatives save air transport operators’ time, cost, and operational complexity. Due to COVID-19 pandemic constraints, no formal TSCG meeting took place in 2021. However, there were continuing contacts between the EU and the TSA (Transportation Security Administration) throughout the year via virtual means.
In conformity with EU law, the Commission has established agreements recognising security standards applied in some third countries, or airports of third countries, as equivalent to EU standards.19 No new OSS arrangements were concluded in 2021. In the case of Israel, all development projects at Tel Aviv Ben Gurion Airport, including investment into screening technology required for OSS, have been postponed due to the negative financial effects of the COVID-19 pandemic. Technical discussions between the Commission and Japan on OSS are on-going.
As from 1 January 2021, the UK is no longer part of the EU. However, the OSS from the UK is maintained20 with benefits for airports, airlines and passengers in the EU.
Regarding capacity building, the “Civil Aviation Security in Africa, Asia and the Middle East” project (CASE II), implemented by ECAC, continued in 2021.21 However, the delivery of project activities was severely hampered by the COVID-19 pandemic, which limited outputs mainly to online activities including regional workshops and some state-to-state training activities. The overall objective of CASE II is to counter the threat of terrorism to civil aviation by partnering with States in the three regions, to strengthen their aviation security regimes.22
8. 8. CONCLUSIONS
In 2021, the COVID-19 pandemic continued to have a profound effect on all usual Commission and Member States activities. Normal on-site inspections could only resume in October 2021 before which only documentation-based assessments of appropriate authorities were conducted from March 2020. International co-operation on aviation security was also impacted for the same reason.
However, the Commission notes with satisfaction that throughout the COVID-19 pandemic the importance of maintaining effective security measures was understood, also as key factor in underpinning the sector’s recovery. Moreover, it was observed in a context of dramatic shifts in air travel demand and workforce issues.
As to the future, the Commission is continuously reflecting on how the current aviation security framework could be further improved. To this end, it is considering ways to increase its efficiency, sustainability, and flexibility, without compromising the high levels of security achieved thus far.
1 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).
2 European Economic Area countries + Switzerland. EFTA Surveillance Authority (ESA) is responsible for the monitoring of Norway and Iceland.
3Commission Regulation (EU) No 72/2010 of 26 January 2010 laying down procedures for conducting Commission inspections in the field of aviation security (OJ L 23, 27.1.2010, p.
1).
4 See Annex 1 for a chart summarising all Commission and ESA compliance monitoring activities in 2021.
5Consisting, inter alia, in the assessment and review of the national security programmes, security programmes of airlines, airport operators and other entities, on-line training and certification activities, review of national risk assessments, desktop inspections, analysis of trends, etc.
6 Commission Implementing Regulation (EU) 2021/255 of 18 February 2021 amending Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security (OJ L 58, 19.2.2021, p. 23).
7https://ksda.ec.europa.eu/
8 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p.
1).
9 See for example: https://data.consilium.europa.eu/doc/document/ST-12315-2021-INIT/en/pdf
10 https://home.treasury.gov/news/press-releases/jy0532
11 However, observed cyber-incidents were mostly ransomware-type of attacks, with no impact on safety and security.
12 Paragraph 102 of the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Sustainable and Smart Mobility Strategy – putting European transport on track for the future, COM(2020) 789 final, 9 December 2020.
13 For instance, cyber requirements under Commission Implementing Regulation (EU) 2019/1583 of 25 September 2019 entered into force on 31 December 2021 and their implementation is subject to the inspection programme of the Commission.
14 According to EASA data, the number of drone occurrences being reported has steadily increased since 2014. The increase halted in 2020 (latest figures available), presumably due to the covid restrictions.
15https://transport.ec.europa.eu/news/drones-commission-adopts-new-rules-and-conditions-safe-secure-and-green-drone-operations-2021-04-22_en
16 www.projectskyfall.org/">https://www.projectskyfall.org/
17 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Drone Strategy 2.0 for a Smart and Sustainable Unmanned Aircraft Eco-System in Europe, COM(2022) 652 final, 29 November 2022
18 For example, in August 2021 for Afghanistan.
19 EU has OSS with, among others, the US, Canada, Singapore, Montenegro, Serbia, the UK and Israel (only for hold baggage).
20Commission Implementing Regulation (EU) 2019/413 of 14 March 2019 amending Implementing Regulation (EU) 2015/1998 as regards third countries applying security standards equivalent to the common basic standards on civil aviation security (OJ L 73, 15.3.2019, p. 98).
21 The project is entirely EU-funded with a budget of EUR 8 million for four years.
22 Partner States are selected based on objective criteria, such as the commitment/capability of a given State to fully benefit from the capacity-building activities delivered by the Project, or the absence of possible duplication with other capacity-building initiatives, either bilateral or multilateral.
EN EN