
Will the RSIACs designated to AESA in accordance with SA-16 have a role in the implementation of PART-IS?

The figure of the Civil Aviation Information Security Officer (RSIAC) is defined in section 2 of Security Instruction SA-16 as the person within an entity who is in charge of ensuring the security of the organisation's information against threats and cyberattacks that could affect AVSEC. The following functions and responsibilities have been established for this role (following the last update of SA-16 on 18/12/2023):

a. Identification of the critical functions that apply to the entity.
b. Determination of the criticality of communications systems and/or critical data, based on the critical functions identified.
c. Performance of risk analyses to identify vulnerabilities and to select and implement the entity's security measures.
d. Development, maintenance and updating of the entity's information security documentation.
e. Assignment of profiles and responsibilities for information security.
f. Verification that personnel comply with the provisions of section 11.1.2 (c) and Instruction SA-20.
g. Ensuring staff awareness and training on information security.
h. Acting as point of contact with the national competent authorities and other information security entities.
i. Management of information security in the supply chain.
j. Establishment of the procedure for reporting information security incidents and monitoring of compliance with it.
k. Management and sharing of relevant information with the competent authorities and other entities, on the entity's own initiative or at the request of the authorities.
l. Management of information security incidents and coordination with the reference CSIRT.
m. Accountability to the competent authority for the information security audits carried out, including the management of deficiencies and the implementation of corrective measures as necessary.

Likewise, Commission Implementing Regulation (EU) 2023/203, in IS.I.OR.240(b) (Personnel requirements), states that the accountable manager shall appoint a person or group of persons to ensure that the organisation complies with the requirements of this Regulation, and shall define the scope of their authority. That person or group of persons shall report directly to the accountable manager and shall have the appropriate knowledge, training and experience to carry out their responsibilities. Procedures shall determine who replaces a particular person in the event of his or her prolonged absence.

In addition, IS.I.OR.240(d) states that, if the organisation shares organisational structures, policies, processes and procedures for information security with other organisations or with areas of its own organisation that are not part of the approval or declaration, the accountable manager may delegate their activities to a Common Responsible Person (CRP).

The Acceptable Means of Compliance and Guidance Material to Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 clarifies that:

“The possibility of delegating to a CRP applies to an organisation that shares organisational structures, policies, processes and procedures for information security with other organisations or with parts of its own organisation that are not part of the authorisation or declaration; therefore, this CRP is expected to have responsibilities and competences for information security. In particular, the CRP should be able to manage the organisation’s information security strategy and its implementation to ensure the achievement of the objectives described in Article 1. According to the European Cybersecurity Skills Framework (ECSF) published by ENISA in September 2022, this person can be described, for example, as (chief) responsible for information security, director of the cybersecurity programme or responsible for information security.”

Therefore, both the AVSEC regulations (through the RSIAC) and the SAFETY regulations (PART-IS, through the CRP) establish the need to appoint one or more persons to guarantee compliance with the information security requirements laid down by those regulations.

It is up to each entity to decide whether the person responsible for compliance with the information security requirements from the AVSEC point of view (RSIAC) and the person responsible for compliance with the information security requirements from the SAFETY point of view (CRP) are one and the same or are different, coordinated persons, and to define the organisational structure that ensures compliance with both sets of legislation.
