Explanatory Memorandum to COM(2024)579 - - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2024)579 - . |
|---|---|
| source | COM(2024)579 |
| date | 18-12-2024 |
According to Article 16 of Regulation (EC) No 300/20081, the Commission shall every year present a report to the European Parliament, the Council and the Member States informing them of the application of this Regulation and of its impact on improving aviation security.
In 2020, the Commission services launched a stocktaking exercise on possible next steps for the EU aviation security system2. As a result, the Commission services published in February 2023 the Commission Staff Working Document (SWD) “Working towards an enhanced and more resilient aviation security policy: a stocktaking”, which confirmed the achievements of the EU AVSEC system, flagged some outstanding issues and their root causes, as well as identified potential remedy options together with - when possible - their likely impact. The SWD suggested a new, more ambitious intra-EU one stop security (OSS) compatible baseline for passenger and baggage screening, an improved regulatory process and enhanced innovation development and uptake.
In 2023, the Commission continued to strengthen the aviation security system and its services undertook several actions which were identified as crucial in the SWD. Through temporary measures targeted to security staff, it took action to address the capacity crunch at EU airports in the summer season 2023 when the aviation travel picked up post-COVID whereas the aviation sector faced employment shortages.
Throughout 2023, the Aviation Security Strategy Steering Group, supported by consultation workstreams, worked together to address the suggestions laid down in the SWD.
2. THREAT EVENTS AND OUTLOOK
The Commission, together with the relevant agencies, maintained a continuous dialogue on, and regular monitoring of, emerging security threats for aviation, including those of a hybrid nature, with Member States and other stakeholders, to build up the knowledge and capacity to react to those threats, effectively managing the risk. A comprehensive risk mapping exercise to assess the level of threat and risk against civil aviation was completed with Member States in the first quarter 2023. This exercise took place as part of efforts for an enhanced and more resilient aviation security policy, as listed in the SWD.
1. Terrorism and hybrid threats
The global terrorist picture remained unchanged in 2023. Terrorists operate across borders, leveraging new technologies and modi operandi. The spread of propaganda online and its potential for radicalisation remains a key concern, building on social isolation and the lack of a solid support system to recruit new followers. In an environment that is more decentralised and volatile, diffuse terrorist and violent extremist actors connect and inspire one another beyond ideology or group affiliation.
It is expected that the threats and challenges of civil aviation as high-profile target will continue to evolve, as well as increase, in the diversity of modi operandi of attack. Insider threats and home-grown terrorism remain an area of particular attention. Conflict zones will continue to provide terrorists with an environment offering the opportunity to acquire more sophisticated military grade equipment.
2. Cybersecurity
In the context of aviation’s growing reliance on information technology and digital operational systems, cybersecurity is becoming ever more critical. Cyber-attacks targeting the transport sector could potentially have disastrous consequences and lead to significant economic disruption. More than 6000 cyber-attacks impacting various aviation stakeholders were reported in 2023. The preferred methods for conducting cyber-attacks were fraudulent websites, phishing and malware (including ransomware), while the main targets were airspace users, airports and air navigation service providers and their supply chain.3 The existing aviation security framework had been updated in 2023 beyond the NIS2 Directive4. Meetings took place with national authorities with the objective to ensure maximum application and enforcement consistency between horizontal and sectoral cyber rules to make the transport sector and related infrastructure more resilient, including the means to tackle cyber threats. The cyber domain presents several specific challenges, including the array of actors and motivations (beyond terrorist groups).
3. RISK ASSESSMENTS
1. Drones
The unlawful use of unmanned aircraft systems (UAS), better known as drones, can disrupt airport operations and may endanger aircraft and their occupants.5 In this respect, and based on the recently adopted Commission’s strategy on countering potential threats posed by drones6, the Commission services have undertaken an aviation security risk assessment on drones with the objective to identify potential additional vulnerabilities of airports that could require regulatory solutions. The risk assessment exercise was launched in the last quarter 2023, to be finalized in the first quarter 2024.
2. Conflict Zones
Under the EU Conflict Zone Alerting System common risk assessments continued to take place on a regular quarterly basis in 2023, under the lead of the EU aviation security integrated risk assessment group, including EU Member States, EU Intelligence and Situation Centre (EU INTCEN) of the European External Action Service (EEAS) and European Union Aviation Safety Agency (EASA). The aim of this exercise is to share information on the assessment of risks to EU civil aviation arising from conflict zones in a timely manner to support risk mitigation. In case of urgency, exceptional meetings are arranged. The group held four quarterly meetings in 2023 and three ad hoc urgent meetings, in particular with regard to the Hamas-Israel conflict and its impact on EU civil aviation. This led to the publication of a new conflict zone information bulletin (CZIB), the withdrawal of two CZIBs, as well as the extension of 11 existing CZIBs.7
The integrated EU aviation security risk assessment process also provides risk assessment capability and supports the decision-making process (risk mitigation) for air cargo security and aviation security standards.
4. LEGISLATIVE FRAMEWORK AND SUPPLEMENTARY TOOLS
1. Legislative framework
Civil aviation remains an attractive target for hostile actors and countering this threat requires the implementation of proportionate, risk-based protective measures. The Commission and Member States are therefore constantly adjusting the mitigation measures to achieve the highest level of security while minimising adverse effects on operations.
Implementing Regulation (EU) 2015/1998 was amended in March 2023 by Implementing Regulation (EU) 2023/5668. The latter introduces amendments that have become necessary in view of the evolution of the threat and risk picture as well as recent developments in terms of technology. These amendments concern automated prohibited items detection (APID) software, explosive detection systems (EDS) for cabin baggage, explosive trace detection (ETD) equipment, security scanners, detection of certain chemical threats, as well as explosive vapour detection (EVD) equipment and related modifications in the screening process.
2. Union database on supply chain security
The Union database9 on supply chain security constitutes the only legal tool for consultation when accepting consignments from another regulated agent or from a known consignor. The same database also includes a list of approved civil aviation security equipment with ‘EU Stamp’ marking.
At the end of 2023, the database contained about 40 000 records of regulated agents, known consignors, known suppliers of airport supplies, independent validators, ACC3 airlines, regulated suppliers, third country regulated agents and known consignors, security equipment, airports and users. Its availability rate was 99.98%, meaning that during the year 2023 it was unavailable for less than 2 hours.
3. Pre-Loading Advance Cargo Information (PLACI)
Economic operators responsible for bringing consignments into the Union customs territory (as destination or as a place of transit) from third countries by air have to submit electronically advance cargo information to EU customs. This data is analysed for civil aviation security purposes by the customs authorities of the first point of entry in the EU using the new customs import system (ICS2).
The outcome of the PLACI risk analysis may require the implementation of specific mitigating aviation security measures, including the possibility of a “Do Not Load” (DNL) instruction or referral. These must be applied by economic operators engaged in the EU in-bound supply chain before the consignment is loaded on board of an EU-bound flight.
The second phase of ICS2 extending these requirements to cover all air cargo was implemented on 1 March 2023. In 2023, there were 202,539,068 PLACI filings and no DNL referral issued.
5. INSPECTIONS AND OTHER COMPLIANCE MONITORING ACTIVITIES
1. General
Regulation (EC) No 300/2008 aims at preventing unlawful interference with civil aviation in order to protect persons and goods. While this Regulation requires Member States to regularly monitor compliance in implementing the common basic aviation security standards by airports, air carriers and other entities and to ensure the swift detection and correction of failures, the role given to the Commission by the legislator is to monitor the effective implementation by the EU/EEA10 Member States of this legal requirement.
Article 15 of Regulation (EC) No 300/2008 requires the Commission to conduct inspections and, as appropriate, to make recommendations to improve aviation security. To fulfil this monitoring objective, the oversight system of the Commission covers the activities of the Member States in setting up, maintaining and applying an effective national civil aviation security programme and an effective national civil aviation quality control programme.
To this end, the Commission operates a two-layer system of compliance monitoring, i.e. its own inspections complemented by the assessment of Member States' annual reports on national monitoring activities.
Since 2010, the compliance rate identified during Commission inspections has remained stable at around 80%. However, this relatively stable figure does not mean that Member States have not increased their efforts, as aviation security requirements have also significantly strengthened over the years, particularly in areas such as air cargo security, liquids, aerosols and gels screening, or in the deployment and use of more sophisticated and performant technology.
2. Frequency and scope of the inspections
The Commission carries out inspections of Member States' aviation security administrations (the ‘appropriate authorities’ as defined in Article 9 of Regulation (EC) No 300/2008), as well as inspections of airports, operators and entities applying aviation security standards.
The number, frequency and scope of these inspections are established in the strategy of the Directorate-General for Mobility and Transport (DG MOVE) for monitoring the implementation of EU aviation security standards. It takes into consideration the level of aviation activity in each Member State, a representative sample of the airport operations type, their level of compliance in implementing the aviation security regulations, results of previous Commission inspections, assessments of national annual quality control reports, security incidents (‘acts of unlawful interference’), threat levels and other factors and assessments.
To provide the Commission with adequate assurances on the compliance level of Member States, a multiannual monitoring approach is used. As such, evidence is acquired concerning the application of Regulation (EC) No 300/2008 and its implementing legislation by every Member State in a cycle of two years, by means of either an inspection of its appropriate authority or an inspection of at least one of its airports.
In addition, evidence of the application of the common basic standards on aviation security is obtained in a cycle of five years by a selection of at least 15% of all EU airports falling under Regulation (EC) No 300/2008, including the largest airport in terms of passenger volumes in every Member State. The inspections carried out by the Commission at selected airports constitute a strong indicator of the overall compliance level in each Member State.
3. Procedures and methodology for inspections
Commission Regulation (EU) No 72/201011 lays down the procedures for conducting Commission inspections in the field of aviation security. It includes, inter alia, provisions for the qualification and powers of Commission inspectors.12
The methodology used to conduct the inspections has been developed in close cooperation with Member States’ aviation security authorities and is based on the verification of the effective implementation of security measures.
4. Inspections carried out by the Commission
The Commission had an active team of seven full time aviation security inspectors until August 2023, increased to eight as of September 2023, supported by a pool of some 80 national auditors nominated by Member States and who qualify for participation in Commission inspections.
Engaging national auditors in Commission inspections also contribute to a peer review system and allows spreading methodologies and best practices across Member States and associated countries.13
Contents
The inspections of appropriate authorities aim at verifying whether Member States have the necessary tools – including a national quality control programme, legal authority and appropriate resources – to be able to adequately implement EU aviation security legislation.
As part of its seventh cycle of appropriate authority inspections, the Commission carried out four inspections during 2023. The Member States inspected in 2023 did align their national aviation security programmes with EU legislation, provided their appropriate authorities with the necessary enforcement powers for monitoring and enforcing all requirements of the Regulation and its implementing acts, ensured sufficient auditors were available for performing compliance monitoring activities, and implemented most of the requirements related to security training.
However, the inspections highlighted the need for additional efforts in the following areas: ensuring full alignment of security programmes of airports, operators and entities with the regulations; including the methodology required for inspections and the fulfilment of requirements pertaining to the reporting process (e.g. submission time, corrective action plan, formal closure of the inspection file, etc.); fulfilling minimum frequencies for security audits, inspections and tests; and where required or applicable, carrying out proper risk assessments to define security measures or certain exemptions. In addition, issues related to frequency and scope were identified in the regular monitoring of national and/or foreign air carriers and some entities with security responsibilities.
In 2023, the Commission carried out 14 initial airport inspections aiming at verifying if the appropriate authority adequately monitors the effective implementation of aviation security measures and is capable of swiftly detecting and rectifying potential deficiencies. Any deficiency identified by Commission inspectors must be rectified within an established timeframe. Inspection reports are shared amongst all Member States.
After the 14th year of implementation of Regulation (EC) No 300/2008, the inspection results reflect the efforts made by appropriate authorities and the industry. Most of the security requirements were correctly implemented. However, the inspections highlighted difficulties in the effective implementation of some measures, for instance in access control and cabin baggage screening, as well as in the area of cyber security.
In accordance with Article 13 of Regulation (EU) No 72/2010, the Commission routinely carries out a limited number of follow-up inspections. Such inspections are scheduled when several serious deficiencies have been identified during the initial inspection, but also on a random basis to verify that appropriate authorities have the necessary powers to require rectification of deficiencies within set timeframes. In 2023, one follow-up inspection was carried out.
5. Assessments of Member States' annual quality control report
Point 18 of the Annex to Regulation (EC) No 300/2008 requires Member States to annually submit a report to the Commission on the measures taken to fulfil their obligations and on the aviation security situation at their airports.
The assessment of these reports, in addition to its own regular inspections, provides a tool for the Commission to closely follow the implementation of national quality control measures. This, in turn, allows for swift detection and correction of deficiencies in each Member State.
The assessment includes an analysis of regular monitoring of airports, air carriers and other entities with aviation security responsibilities, as well as time spent by the auditors in the field, scope and frequencies of a suitable mixture of compliance monitoring activities, national compliance levels, follow-up activities and the use of enforcement powers.
The quality of annual reports and information provided by Member States remains constant and further harmonisation was achieved during 2023.
A formal comprehensive evaluation was sent to the Member States highlighting, where needed, suggestions on how to improve or better tailor the national efforts.
6. Assessments of third country airports
The Commission conducts assessments in the context of One Stop Security (OSS) arrangements between the EU and third countries. The purpose is to confirm that implementation of certain security measures continues to be of an equivalent standard to the implementation of EU aviation security legislation. In 2023, three assessments were conducted, respectively in Norway14, Canada and the United Kingdom (UK).
7. Article 15 cases and legal proceedings
If the identified deficiencies in the implementation of security measures at an airport are serious enough as to have a significant impact on the overall level of civil aviation security in the Union, the Commission will activate Article 15 of Regulation (EU) No 72/2010. This means that the appropriate authorities of all Member States are alerted to the situation, and that flights arriving from the airport subjected to Article 15 shall be treated as arriving from a third country, resulting in the obligation for the receiving airports to implement compensatory security measures in respect of arriving transfer passengers and their baggage, as well as the aircraft on which they arrived. No such case was initiated in 2023.
The Commission also has the possibility to open infringement proceedings in accordance with Article 258 of the Treaty on the Functioning of the European Union, particularly in cases of prolonged non-rectification or recurrence of deficiencies. In 2023, no such proceedings were launched.
6. TRIALS AND MEETINGS
1. Trials
A trial within the meaning of the EU aviation security legislation is conducted when a Member State agrees with the Commission that it will use a particular means or method not recognised under the terms of the legislation to replace one of the recognised security controls, for a limited period of time on condition that such trial does not impact negatively on the overall levels of security. Two trials concerning implementation of automatic detection of prohibited items (APID) in combination with Explosives Detection Systems for Cabin Bags (EDSCB) were initiated during 2022, in the Netherlands and Germany.15
2. Meetings
The Commission and the US Transportation Security Administration (TSA) organised the first U.S. - EU Air Cargo Security Summit in Madrid, Spain, in February 2023. The event provided an opportunity to identify threats to air cargo and to collectively implement mitigation strategies.
The Commission organised in November 2023 a fourth meeting of the Aviation Cybersecurity Working Group, bringing together Member State authorities responsible for aviation security and implementation of the NIS Directive16. The objective of the meeting was to foster cooperation between authorities to facilitate alignment and compliance between NIS2 and aviation rules. It further sought to avoid potential gaps or duplications of cybersecurity obligations and minimise unnecessary administrative and operational burdens.
With the aim to provide Member States with feedback from inspections, promote transparency and harmonise compliance monitoring methodologies, the Commission organised an annual meeting and training of the AVSEC national inspectors in October 2023.
7. INTERNATIONAL DIALOGUE
1. General
The Commission continued its contribution to aviation security worldwide. It did so by engaging with international bodies, such as the International Civil Aviation Organisation (ICAO), the European Civil Aviation Conference (ECAC) and key trading partners, working closely with Member States to ensure co-ordinated EU positions. Dialogues were also held with certain third countries, such as the US, Canada, Australia, Singapore, and the UK.
2. International bodies
The EU actively participated, as an observer, in the annual meeting of the ICAO Aviation Security Panel (AVSECP/34), which took place from 29 May to 2 June 2023 as well as in the second meeting of the ICAO Cybersecurity Panel (CYSECP/2), which took place from 5 to 9 June 2023.
3. Third countries
In the context of the aviation security relations with the United States, the EU-US Transportation Security Cooperation Group (TSCG) aims at fostering co-operation in several areas of mutual interest. It ensures the continued functioning of One Stop Security (OSS) arrangements and of the mutual recognition of the respective EU and US air cargo and mail regimes. The 32nd meeting of the TSCG took place on 15-16 November 2023.
In application of Article 435 of the EU/UK Trade Cooperation Agreement, the EU-U.K. Aviation Security Cooperation ensures cooperation on aviation security matters, exchange of information, discussion and sharing of best practices and development of cooperation arrangements between technical experts. The 3rd EU-U.K. Aviation Security Cooperation Meeting took place on 16 October 2023.
In conformity with EU law, the Commission has established OSS arrangements recognising security standards applied in some third countries, or airports of third countries, as equivalent to EU standards.17 No new OSS arrangements were concluded in 2023. Discussions on OSS with Japan were ongoing.
Regarding capacity building, the “Civil Aviation Security in Africa, Asia and the Middle East” project (CASE II), funded by the European Commission with a budget of EUR 8 million and implemented by ECAC, continued in 2023. Activities delivered by aviation security experts included workshops, webinars and bilateral in-country activities.18 The overall objective of CASE II is to counter the threat of terrorism to civil aviation by partnering with States in the three regions, to strengthen their aviation security regimes.19
8. CONCLUSIONS
Ensuring secure aviation operations in the air and on the ground is a fundamental condition for commercial aviation to flourish. The optimal aviation security regulatory system combines innovation with stability and always maintains the highest level of security. In 2023, the Commission continued its work to ensure such an aviation security system, while meeting present and future challenges, and in close co-operation with regulators and stakeholders alike. This work will continue in 2024.
1 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).
2 A number of members of the Stakeholder Advisory Group on Aviation Security (SAGAS), constituted under Article 17 of Regulation (EC) N°300/2008, volunteered to participate in the consultation process.
3 EUROCONTROL/EATM-CERT 2024 report on cyber in aviation.
4 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (OJ L 333, 27.12.2022, p. 80).
5 According to EASA Annual Safety Review 2022, the drone occurrence rate decreased in 2021 (latest figures available).
6 Communication from the Commission to the Council and the European Parliament on countering potential threats posed by drones, COM(2023) 659 final.
7 https://www.easa.europa.eu/en/domains/air-operations/czibs
8 For details, see Annex 2.
9https://ksda.ec.europa.eu/
10 European Economic Area: 27 EU Member States, Norway, Iceland and Switzerland. The EFTA Surveillance Authority (ESA) is responsible for conducting aviation security inspections in Norway and Iceland. The Commission conducts aviation security inspections in Switzerland based on a bilateral agreement.
11Commission Regulation (EU) No 72/2010 of 26 January 2010 laying down procedures for conducting Commission inspections in the field of aviation security (OJ L 23, 27.1.2010, p.
1).
12 See Articles 4 and 5.
13 See Annex 1 for a summary of all Commission and ESA compliance monitoring activities in 2023.
14 In Svalbard, unincorporated area of Norway.
15 Final report for the trial in Netherlands was received in June 2023. The trial in Germany is still on-going.
16 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p.
1).
17 The EU has OSS arrangements with the US, Canada, Singapore, Montenegro, Serbia, the UK and Israel (only for hold baggage).
18 During 2023, 68 activities have been delivered, representing 94% increase in output as compared to the 35 activities delivered in 2022. 39 Partner States hosted these in-country activities and 66 Partner States participated in them for the benefit of 1119 participants. These activities consisted of 44 bilateral training activities, ten multilateral training activities, five mentoring activities, five workshops (two regional and three interregional), three APEX in Security Reviews and one webinar. In total, 131 in-country and remote activities have been delivered since the Project’s inception. In terms of expertise mobilisation, 30 experts have been released from 11 Member States and 39 experts from 22 Partner State CAAs contributed to the delivery of 25 activities over this period. Ten experts from eight Partner State CAAs contributed to the delivery of the 20 in-country activities alongside CASE II Project experts. 31 experts from 19 Partner State CAAs contributed to the delivery of two regional and three interregional workshops, accounting for 41% of all speakers.
19 Partner States are selected based on objective criteria, such as the commitment/capability of a given State to fully benefit from the capacity-building activities delivered by the Project, or the absence of possible duplication with other capacity-building initiatives, either bilateral or multilateral.
EN EN