Explanatory Memorandum to COM(2024)107 - 2022 annual report on the implementation of regulation (ec) n° 300/2008 on common rules in the field of civil aviation security - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2024)107 - 2022 annual report on the implementation of regulation (ec) n° 300/2008 on common rules in the field of civil aviation ... |
|---|---|
| source | COM(2024)107 |
| date | 08-03-2024 |
According to Article 16 of Regulation (EC) No 300/20081, the Commission shall every year present a report to the European Parliament, the Council and the Member States informing them of the application of this Regulation and of its impact on improving aviation security.
In 2022, the Commission continued to strengthen aviation security rules, with a particular focus on supporting the recovery of the sector after the COVID-19 pandemic and contributing to finding solutions to the issues caused by workforce shortages. The aviation security sector did its part in exploring ways to alleviate capacity issues at EU airports, without compromising security. The Commission also engaged EU Member States and the aviation security sector in the modernisation of its policy.
2. FOR AN ENHANCED, MORE INNOVATIVE AND MORE RESILIENT EU AVIATION SECURITY POLICY
In 2020, the Commission launched a stocktaking exercise and strategic discussion on possible next steps for the EU aviation security system2. Consultations between the Commission services, Member States and stakeholders were concluded in 2022, with the objective to take stock of the existing EU aviation security framework and identify potential areas of improvement. The reflections were based on five workstreams corresponding to the main features of the aviation security ecosystem, including threat and innovation.
3. INSPECTIONS AND OTHER COMPLIANCE MONITORING ACTIVITIES
1. General
Regulation (EC) No 300/2008 aims at preventing unlawful interference with civil aviation in order to protect persons and goods. While this Regulation requires Member States to regularly monitor compliance in implementing the common basic aviation security standards by airports, air carriers and other entities and to ensure the swift detection and correction of failures, the role given to the Commission by the legislator is to monitor the effective implementation by the EU/EEA3 Member States of this legal requirement.
Article 15 of Regulation (EC) No 300/2008 requires the Commission to conduct inspections and, as appropriate, to make recommendations to improve aviation security. To fulfil this monitoring objective, the oversight system of the Commission covers the activities of the Member States in setting up, maintaining and applying an effective national civil aviation security programme and an effective national civil aviation quality control programme.
To this end, the Commission put in place a two-layer system of compliance monitoring, i.e. its own inspections complemented by the assessment of Member States' annual reports on national monitoring activities.
Since 2010, the compliance rate identified during Commission inspections has remained stable at around 80%. However, this relatively stable figure does not mean that Member States have not increased their efforts, as aviation security requirements have also significantly strengthened over the years, in particular in areas such as air cargo security, liquids, aerosols and gels screening, or in the deployment and use of more sophisticated and performant technology.
2. Frequency and scope of the inspections
The Commission carries out inspections of Member States' aviation security administrations (the appropriate authorities), as well as inspections of airports, operators and entities applying aviation security standards.
The number, frequency and scope of these inspections are established in the strategy of Directorate-General Mobility and Transport (DG MOVE) for monitoring the implementation of EU aviation security standards. It takes into consideration the level of aviation activity in each Member State, a representative sample of the airport operations type, their level of compliance in implementing the aviation security regulations, results of previous Commission inspections, assessments of national annual quality control reports, security incidents (acts of unlawful interference), threat levels and other factors and assessments.
To provide the Commission with adequate assurances on the compliance level of Member States, a multiannual monitoring approach is used. As such, evidence is acquired concerning the application of Regulation (EC) No 300/2008 and its implementing legislation by every Member State in a cycle of two years, by means of either an inspection of its appropriate authority or an inspection of at least one of its airports.
In addition, evidence of the application of the common basic standards on aviation security is obtained in a cycle of five years by a selection of at least 15% of all EU airports falling under Regulation (EC) No 300/2008 including the largest airport in terms of passenger volumes in every Member State. The inspections carried out by the Commission at selected airports constitute a strong indicator of the overall compliance level in each Member State.
3. Procedures and methodology for inspections
Commission Regulation (EU) No 72/20104 lays down the procedures for conducting Commission inspections in the field of aviation security. It includes, inter alia, provisions for the qualification and powers of Commission inspectors.
The methodology used to conduct the inspections has been developed in close cooperation with Member States’ aviation security authorities and is based on the verification of the effective implementation of security measures.
4. Inspections carried out by the Commission
In 2022, the Commission was able to conduct inspections normally, as the mobility restrictions due to the COVID-19 pandemic were finally lifted.
The Commission had an active team of six full time aviation security inspectors, supported by a pool of some 80 national auditors nominated by Member States and who qualify for participation in Commission inspections.
Engaging national auditors in Commission inspections also contribute to a peer review system and allows spreading methodologies and best practices across Member States and associated countries.5
Contents
The inspections of appropriate authorities aim at verifying whether Member States have the necessary tools – including a national quality control programme, legal authority and appropriate resources – to be able to adequately implement EU aviation security legislation.
As part of its sixth cycle of appropriate authority inspections, the Commission carried out two inspections during 2022. This number corresponds to the number of appropriate authority inspections carried out in 2021.
The Member States inspected in 2022 did align national aviation security programmes with EU legislation, provided their appropriate authorities with the necessary enforcement powers for monitoring and enforcing all requirements of the Regulation and its implementing acts, ensured sufficient auditors were available for performing compliance monitoring activities, and implemented most of the requirements related to security training.
However, the inspections highlighted the need for additional efforts in the following areas: security programmes of airports, operators and entities that were still not fully in line with the regulations; the methodology required for inspections and the elements to be included in compliance monitoring reporting; minimum frequencies for security audits and inspections; and where required or applicable, proper risk assessments to define security measures or certain exemptions. In addition, issues were identified in the regular monitoring of national and/or foreign air carriers and some entities with security responsibilities.
In 2022, the Commission carried out 18 initial airport inspections aiming at verifying if the appropriate authority adequately monitors the effective implementation of aviation security measures and is capable of swiftly detecting and rectifying potential deficiencies. Any deficiency identified by Commission inspectors must be rectified within an established timeframe. Inspection reports are shared amongst all Member States.
After the 13th year of implementation of Regulation (EC) No 300/2008, the inspection results reflect the efforts made by appropriate authorities and the industry. Most of the security requirements were correctly implemented. However, the inspections highlighted difficulties in the effective implementation of some measures, for instance in access control and cabin baggage screening, as well as in the area of cyber security.
In accordance with Article 13 of Regulation (EU) No 72/2010, the Commission routinely carries out a limited number of follow-up inspections. Such inspections are scheduled when several serious deficiencies have been identified during the initial inspection, but also on a random basis to verify that appropriate authorities have the necessary powers to require rectification of deficiencies within set timeframes. As 2022 was the year of resumption of inspection activities after the COVID-19 pandemic, the Commission was focused on initial inspections and no follow-up inspections were carried out that year.
5. Assessments of Member States' annual quality control report
Point 18 of the Annex to Regulation (EC) No 300/2008 requires Member States to annually submit a report to the Commission on the measures taken to fulfil their obligations and on the aviation security situation at their airports.
The assessment of these reports, in addition to its own regular inspections, provides a tool for the Commission to closely follow the implementation of national quality control measures. This, in turn, allows for swift detection and correction of deficiencies in each Member State.
The assessment includes an analysis of regular monitoring of airports, air carriers and other entities with aviation security responsibilities, as well as time spent by the auditors in the field, scope and frequencies of a suitable mixture of compliance monitoring activities, national compliance levels, follow-up activities and the use of enforcement powers.
The quality of annual reports and information provided by Member States remains constant and further harmonisation was achieved during 2022. The assessment of the reports showed that the overall quality of monitoring activities had not yet returned to the pre-COVID-19 level, most likely due to the pandemic which had an impact on all monitored areas and the capability of both authorities and operators. There is also room for improvement particularly in the performance of covert testing and follow-up inspections as well as in the use of enforcement measures.
A formal comprehensive evaluation was sent to the Member States highlighting, where needed, suggestions on how to improve or better tailor the national efforts.
6. Assessments of third country airports
Assessments are conducted in the context of One Stop Security (OSS) arrangements between the EU and third countries. The purpose is to confirm that implementation of certain security measures continues to be of an equivalent standard to the implementation of EU aviation security legislation. In 2022, three assessments were conducted, including the US, Singapore, and Serbia.
7. Article 15 cases and legal proceedings
If identified deficiencies in the implementation of security measures at an airport are serious enough as to have a significant impact on the overall level of civil aviation security in the Union, the Commission will activate Article 15 of Regulation (EU) No 72/2010. This means that all other appropriate authorities are alerted to the situation and compensatory measures would have to be considered in respect of flights from the airport in question. No such case was initiated in 2022.
The Commission also has the possibility to open infringement proceedings, particularly in cases of prolonged non-rectification or recurrence of deficiencies. In 2022, no such proceedings were launched.
4. LEGISLATIVE FRAMEWORK AND SUPPLEMENTARY TOOLS
1. Legislative framework
Civil aviation remains an attractive target for hostile actors and countering this threat requires the implementation of proportionate, risk based protective measures. The Commission and Member States are therefore constantly adjusting the mitigation measures to achieve the highest level of security while minimising adverse effects on operations.
Implementing Regulation (EU) 2015/1998 was amended in March 2022 by Implementing Regulation (EU) 2022/4216. The latter re-establishes the correct lists of third countries recognised as applying security standards equivalent to the common basic standards, allows granting of a short extension of the use of standard 2 EDS for screening cargo and mail and clarifies the provision on progressive phase-out of single-view x-ray equipment. A second amendment to Implementing Regulation (EU) 2015/1998 was adopted in July 2022 by Implementing Regulation (EU) 2022/11747. In addition to clarifications, it contains amendments regarding airport security, safe and secure carriage of firearms on board, training of personnel, air cargo and mail security, known suppliers of airport supplies, background checks, explosive detection dogs (EDD), and detection standards for walk-through metal detection equipment (WTMD).
2. Union database on supply chain security
The Union database8 on supply chain security constitutes the only legal tool for consultation when accepting consignments from another regulated agent or from a known consignor. The same database also includes a list of approved civil aviation security equipment with ‘EU Stamp’ marking.
At the end of 2022, the database contained about 20 000 records of regulated agents, known consignors, independent validators, ACC3 airlines, regulated suppliers, third country regulated agents and known consignors, security equipment and airports. Its target availability rate of 99.7% was continuously met in 2022.
3. Pre-Loading Advance Cargo Information (PLACI)
The first phase of the new customs import system (ICS2) based on pre-loading advance cargo information requirements applies in respect of postal/mail and express consignments since 15 March 2021.
Under PLACI requirements, details pertaining to each shipment flying to the EU from third country locations are to be electronically submitted to EU customs by the economic operators responsible for bringing consignments into the Union customs territory and analysed for civil aviation security purposes by the customs authorities of the first point of entry in the EU.
The outcome of the PLACI risk analysis may require the implementation of specific mitigating aviation security measures. These must be applied by economic operators engaged in the EU in-bound supply chain before the consignment is loaded on board of an EU-bound flight. The Commission organised in November 2022 a third joint workshop with aviation security authorities and national customs authorities to foster a smooth PLACI implementation and to prepare for launching the second phase of ICS2 in March 2023.
5. TRIALS, MEETINGS AND NEW INITIATIVES
1. Trials
A trial in the sense of EU aviation security legislation is conducted when a Member State agrees with the Commission that it will use a particular means or method not recognised under the terms of the legislation to replace one of the recognised security controls, for a limited period on condition that such trial does not impact negatively on the overall levels of security. Two trials concerning implementation of automatic detection of prohibited items (APID) in combination with Explosives Detection Systems for Cabin Bags (EDSCB) were initiated during 2022, in the Netherlands and Germany.9
2. Meetings
The Commission organised in November 2022 a third meeting of the Aviation Cybersecurity Working Group, bringing together Member State authorities responsible for aviation security and implementation of the NIS Directive10. The meeting provided an opportunity to jointly discuss relevant issues in aviation cybersecurity and to identify specific areas where further work is necessary. The Commission considers that implementing and further improving the complex regulatory environment of aviation cybersecurity can greatly benefit from the sharing of experience and best practices within such a working group. There is also a keen interest to ensure that the specificities of the aviation sector are considered and to see how sectorial and horizontal efforts can complement each other, while avoiding duplication of effort and undue burden on administrations and industry.
With the aim to provide Member States with feedback from inspections, promote transparency and harmonise compliance monitoring methodologies, the Commission organised an annual meeting and training of the AVSEC national inspectors in September 2022.
3. New initiatives
Progress was made regarding the development of new aviation security technologies. Work was notably undertaken to elaborate security equipment detection standards to tackle new threats, especially chemical substances. To this end, excellent cooperation is in place with the United States (US) and other international partners.
6. THREAT EVENTS AND OUTLOOK
1. General
International jihadist terrorism remains a significant threat to the EU that requires careful monitoring11. Despite global efforts to limit terrorist financing sources, terrorist organisations still have access to large cash reserves12 to finance their activities and propaganda. They retain intent to attack aviation as a high-profile target as well as the capability to develop innovative explosive concealments. It is expected that the threats and challenges of aviation security will continue to evolve, as well increase in the diversity of modus operandi of attack. Other potential threats such as chemical, biological, radiological and nuclear (CBRN) are continually being assessed by the Commission and Member States. Insider threats and home-grown terrorism remain an area of particular attention. At the same time, other threats and means of attack have come into focus. Conflict zones will continue to provide terrorists with an environment offering the opportunity to acquire more sophisticated military grade equipment and to exploit less stringent aviation security measures.
The Commission, together with the relevant agencies, maintained a continuous dialogue on, and regular monitoring of, emerging security threats for aviation, including those of a hybrid nature, with Member States and other stakeholders, to build up the knowledge and capacity to react to those threats, effectively managing the risk. In October 2022 a comprehensive risk mapping exercise was launched (and completed in the first quarter 2023) to assess the level of threat and risk against civil aviation. This exercise took place in the context of the aviation security strategy working group set up to take stock of developments both in terms of evolution of the threat picture and of detection capabilities. The outcomes of the aviation security risk mapping will support the decision-making process on a new passenger checkpoint baseline. In 2022 the air cargo risk assessment work stream has also been relaunched as result of the lifting of covid restrictions.
2. Cybersecurity
In the context of aviation’s growing reliance on information technology and digital operational systems, cybersecurity is becoming ever more critical. Cyber-attacks targeting transport could potentially have disastrous consequences and lead to significant economic disruption. It is estimated that at least a couple of thousand cyber-incidents impacting various aviation stakeholders took place in 2022.13 In its efforts to make the transport sector and related infrastructure more resilient, the Commission confirmed that the EU will update and improve the existing security framework, including the means to tackle cyber threats, under the overarching umbrella of the existing rules governing this matter14. The cyber domain points to a number of specific challenges, including the array of actors and motivations (beyond terrorist groups). The Commission has adopted measures also in this domain15, in the face of more malicious intentions and increased capabilities of hostile third parties. The situation in aviation underlines the need to ensure maximum consistency between horizontal and sectoral rules. From the Commission’s perspective, it is imperative to avoid duplication and burden on operators and administrations.
3. Drones
The unlawful use of unmanned aircraft systems (UAS), better known as drones, can disrupt airport operations and may endanger aircraft and their occupants.16 Increasing system resilience and counter-UAS capabilities also forms an integral part of the “Drone Strategy 2.0”17 that the Commission adopted in November 2022 to develop drones into a vector for the smart and sustainable mobility of the future. This initiative aims to enable drones to contribute, through digitalisation and automation, to a new offer of sustainable services and transport, while accounting for possible civil/military technological synergies. In this respect, the Commission will undertake an aviation security risk assessment on drones with the objective to identify potential additional vulnerabilities of airports that could require regulatory solutions.18
4. Conflict Zones
Under the Conflict Zone Alerting System common risk assessments continued to take place on a regular quarterly basis in 2022, under the lead of the integrated EU aviation security risk assessment group. The aim of this exercise is to share information on the assessment of risks to EU civil aviation arising from conflict zones in a timely manner to support risk mitigation. In case of urgency, exceptional meetings are arranged.19
The integrated EU aviation security risk assessment process also provides risk assessment capability and supports the decision-making process (risk mitigation) for air cargo security and aviation security standards.
7. INTERNATIONAL DIALOGUE
1. General
The Commission continued its contribution to aviation security worldwide. It did so by engaging with international bodies, such as the International Civil Aviation Organisation (ICAO), and key trading partners, and working closely with Member States to ensure co-ordinated EU positions. Dialogues were also held with certain third countries, such as the US, Canada, Australia, Singapore, and the United Kingdom (UK).
2. International bodies
The EU actively participated, as an observer, in the annual meeting of the ICAO Aviation Security Panel (AVSECP/33), which took place from 9 to 13 May 2022 as well as the first meeting of the ICAO Cybersecurity Panel (CYSECP/1), which took place from 16 to 20 May 2022.
The 41st ICAO Assembly was organised on 27 September – 7 October 2022. Europe had four main aviation security inputs to the Assembly. These concerned: (1) ensuring effective aviation security in the COVID19 recovery world; (2) the development of a framework for cyber security; (3) human factors in the aviation security domain; and (4) an information paper on the CASE aviation security capacity building project. The EU and its Member States also co-sponsored a working paper with Canada on Endorsing Global, Regional, and Industry Initiatives intended to mitigate conflict zone risks for civil aviation.
3. Third countries
In the context of relations with the United States, the EU-US Transportation Security Cooperation Group (TSCG) aims at fostering co-operation in several areas of mutual interest. It ensures the continued functioning of One Stop Security (OSS) arrangements and of the mutual recognition of respective EU and US air cargo and mail regimes. These initiatives save air transport operators’ time, cost, and operational complexity. The 31st meeting of the European Union (EU) - United States (US) Transportation Security Cooperation Group (TSCG) took place on 29-30 March 2022 and was hosted by the Transportation Security Administration (TSA).
In conformity with EU law, the Commission has established one-stop security (OSS) arrangements recognising security standards applied in some third countries, or airports of third countries, as equivalent to EU standards.20 No new OSS arrangements were concluded in 2022. In the case of Israel, the extension of the existing OSS arrangement to passengers and cabin baggage is still suspended pending the execution of all development projects at Tel Aviv Ben Gurion Airport, including investment into screening technology required for OSS. These development projects have been postponed due to the negative financial effects of the COVID-19 pandemic. As to Japan, assessment of its relevant aviation security legislation is on-going.
Regarding capacity building, the “Civil Aviation Security in Africa, Asia and the Middle East” project (CASE II), funded by the European Commission with a budget of EUR 8 million and implemented by ECAC, continued in 2022. Activities delivered by aviation security experts included workshops, webinars and bilateral in-country activities.21 The overall objective of CASE II is to counter the threat of terrorism to civil aviation by partnering with States in the three regions, to strengthen their aviation security regimes.22
8. CONCLUSIONS
In 2022, the COVID-19 pandemic finally receded and travel restrictions were removed. Normal on-site inspections could be carried out and international co-operation on aviation security also returned to the pre-pandemic levels.
The increasing air traffic growth brought challenges for the aviation ecosystem at some EU airports, especially at the beginning of the summer. After more than two years of suppressed air travel demand, it took time and careful planning by all stakeholders to ensure that passengers could have the best experience when travelling. The Commission contributed by exploring ways to alleviate capacity issues at EU airports without compromising security, for instance by facilitating the exchange of information and operational experience between airports and regulators to improve passenger throughput, as well as by enhancing coordination and possible mutual recognition of background checks.
As to the future, the Commission reflected on how the aviation security framework could be further improved. To this end, it considered ways to increase its efficiency, sustainability, and flexibility, without compromising the high levels of security achieved thus far. This work will continue on the basis of the improvements identified in the Commission Staff Working Document23 published in 2023, with a view to implementing with Member States and stakeholders the measures that will allow a more resilient, innovative, and fit for the future aviation security framework.
1 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).
2 A number of members of the Stakeholder Advisory Group on Aviation Security (SAGAS), constituted under Article 17 of Regulation (EC) N°300/2008, volunteered to participate in the consultation process.
3 European Economic Area: 27 EU Member States, Norway, Iceland and Switzerland. The EFTA Surveillance Authority (ESA) is responsible for conducting aviation security inspections in Norway and Iceland. Regarding Switzerland, the Commission conducts aviation security inspections in this country on the basis of a bilateral agreement.
4Commission Regulation (EU) No 72/2010 of 26 January 2010 laying down procedures for conducting Commission inspections in the field of aviation security (OJ L 23, 27.1.2010, p.
1).
5 See Annex 1 for a chart summarising all Commission and ESA compliance monitoring activities in 2022.
6 Commission Implementing Regulation (EU) 2022/421 of 14 March 2022 amending Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of common basic standards on aviation security (OJ L 87, 15.3.2022, p.
1).
7 Commission Implementing Regulation (EU) 2022/1174 of 7 July 2022 amending Implementing Regulation (EU) 2015/1998 as regards certain detailed measures for the implementation of the common basic standards on aviation security (OJ L 183, 8.7.2022, p. 35).
8https://ksda.ec.europa.eu/
9 Final report for the trial in Netherlands was received in June 2023. The trial in Germany is still on-going.
10 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p.
1).
11 See for example: https://data.consilium.europa.eu/doc/document/ST-12315-2021-INIT/en/pdf
12 https://home.treasury.gov/news/press-releases/jy0532
13 The main incident types are fraudulent websites, malware, distributed denial of service (DDoS) and phishing.
14 Paragraph 102 of the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Sustainable and Smart Mobility Strategy – putting European transport on track for the future, COM(2020) 789 final, 9 December 2020.
15 For instance, cyber requirements under Commission Implementing Regulation (EU) 2019/1583 of 25 September 2019 entered into force on 31 December 2021 and their implementation is subject to the inspection programme of the Commission.
16 According to EASA Annual Safety Review 2022, the drone occurrence rate decreased in 2021 (latest figures available).
17 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Drone Strategy 2.0 for a Smart and Sustainable Unmanned Aircraft Eco-System in Europe, COM(2022) 652 final, 29 November 2022.
18 Flagship action 18.
19 The group had 4 regular quarterly meetings that were preceded by preparatory meetings with airlines and their associations. In addition, an urgent meeting was organised in February 2022 due to the Russian invasion of Ukraine. During the year, two new Conflict Zone Information Bulletins (CZIBs) were issued, nine amended and one revoked. In addition, two information notes were amended and one revoked.
20 The EU has OSS arrangements with, among others, the US, Canada, Singapore, Montenegro, Serbia, the UK and Israel (only for hold baggage).
21 In 2022, 35 activities were delivered, consisting of five multilateral activities (two workshops and three multilateral trainings) and 30 bilateral activities for the benefit of 61 Partner States and a total of 733 participants thanks to the mobilisation of 43 total speakers invited to contribute to the multilateral activities, 22 being sourced from Partner States. In addition to these larger events, six security experts from the Partner States have been mobilised to participate as co-instructors in training activities. The total number of activities delivered since the Project’s inception until December 2022 is 62.
22 Partner States are selected based on objective criteria, such as the commitment/capability of a given State to fully benefit from the capacity-building activities delivered by the Project, or the absence of possible duplication with other capacity-building initiatives, either bilateral or multilateral.
23 Commission Staff Working Document: Working towards an enhanced and more resilient aviation security policy: a stocktaking, SWD(2023) 37 final, 2 February 2023.
EN EN