法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Implementing Regulation (EU) 2025/2293 of 10 November 2025 amending Implementing Regulation (EU) 2023/203 as regards the requirements applicable to organisations subject to a declaration and correcting Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Implementing Regulation (EU) 2017/373

CELEX
Implementing Regulation (EU) 2025/2293
Date of document
Articles
17
Source
EUR-Lex
Article 1

Annex II to Implementing Regulation (EU) 2023/203 is amended in accordance with Annex I to this Regulation.

Article 2

Annex VI to Regulation (EU) No 1178/2011 is corrected in accordance with Annex II to this Regulation.

Article 3

Annex I to Regulation (EU) No 748/2012 is corrected in accordance with Annex III to this Regulation.

Article 4

Annex II to Regulation (EU) No 965/2012 is corrected in accordance with Annex IV to this Regulation.

Article 5

Annex II to Regulation (EU) No 139/2014 is corrected in accordance with Annex V to this Regulation.

Article 6

Annexes II and Vc to Regulation (EU) No 1321/2014 are corrected in accordance with Annex VI to this Regulation.

Article 7

Annex II to Regulation (EU) 2015/340 is corrected in accordance with Annex VII to this Regulation.

Article 8

Annex II to Implementing Regulation (EU) 2017/373 is corrected in accordance with Annex VIII to this Regulation.

Article 9

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

It shall apply from 22 February 2026.

Schedules & Appendices

ANNEX I

ANNEX I

Annex II to Implementing Regulation (EU) 2023/203 is amended as follows:

(1)

in point IS.I.OR.250, points (b) and (c) are replaced by the following:

‘(b)

The initial issue of the ISMM shall be approved and a copy shall be retained by the competent authority. An approval shall not be required for declared organisations. The ISMM shall be amended as necessary to remain an up-to-date description of the ISMS of the organisation. A copy of any amendments to the ISMM shall be provided to the competent authority;

(c)

Amendments to the ISMM shall be managed in a procedure established by the organisation. Any amendments that are not included within the scope of that procedure and any amendments related to the changes referred to in point IS.I.OR.255(b), shall be approved by the competent authority. An approval shall not be required for declared organisations.’;

(2)

point IS.I.OR.255 is replaced by the following:

IS.I.OR.255 Changes to the information security management system

(a)

Changes to the ISMS may be managed and notified to the competent authority in a procedure developed by the organisation. That procedure shall be approved by the competent authority, except for declared organisations.

(b)

With regard to changes to the ISMS not covered by the procedure referred to in point (a), the organisation shall apply for and obtain an approval issued by the competent authority, except for declared organisations, for which an approval is not required.

With regard to those changes:

(1)

the application shall be submitted before any such change takes place, in order to enable the competent authority to determine continued compliance with this Regulation and to amend, if necessary, the organisation certificate and related terms of approval attached to it;

(2)

the organisation shall make available to the competent authority any information it requests to evaluate the change;

(3)

the change shall be implemented only upon receipt of a formal approval by the competent authority, except for declared organisations, which may implement the change immediately;

(4)

the organisation shall operate under the conditions prescribed by the competent authority during the implementation of such changes.’.

ANNEX II

ANNEX II

In Annex VI to Regulation (EU) No 1178/2011, point ARA.GEN.300(g) is replaced by the following:

‘(g)

With regard to the certification and oversight of the organisation’s compliance with point ORA.GEN.200A of this Annex, in addition to complying with points (a) to (f) of this point, the competent authority shall review any approval granted under point IS.I.OR.200(e) of Annex II to Commission Implementing Regulation (EU) 2023/203  ( *1 ) following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.

( *1 )   Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 ( OJ L 31, 2.2.2023, p. 1 , ELI: http://data.europa.eu/eli/reg_impl/2023/203/oj) .’.’

ANNEX III

ANNEX III

Annex I to Regulation (EU) No 748/2012 is corrected as follows:

(1)

in point 21.B.221, point (g) is replaced by the following:

‘(g)

With regard to the certification and oversight of the organisation’s compliance with point 21.A.139A of this Annex, in addition to complying with points (a) to (f) of this point, the competent authority shall review any approval granted under point IS.D.OR.200(e) of the Annex to Commission Delegated Regulation (EU) 2022/1645  ( *1 ) following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.

( *1 )   Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 and amending Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 ( OJ L 248, 26.9.2022, p. 18 , ELI: http://data.europa.eu/eli/reg_del/2022/1645/oj ).’;"

(2)

in point 21.B.431, point (d) is replaced by the following:

‘(d)

With regard to the certification and oversight of the organisation’s compliance with point 21.A.239A of this Annex, in addition to complying with points (a) to (c) of this point, the competent authority shall review any approval granted under point IS.D.OR.200(e) of the Annex to Delegated Regulation (EU) 2022/1645 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.’.

( *1 )   Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 and amending Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 ( OJ L 248, 26.9.2022, p. 18 , ELI: http://data.europa.eu/eli/reg_del/2022/1645/oj ).’;’

ANNEX IV

ANNEX IV

In Annex II to Regulation (EU) No 965/2012, point ARO.GEN.300(g) is replaced by the following:

‘(g)

With regard to the certification and oversight of the organisation’s compliance with point ORO.GEN.200A, in addition to complying with points (a) to (f) of this point, the competent authority shall review any approval granted under point IS.I.OR.200(e) of Annex II to Implementing Regulation (EU) 2023/203 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.’.

ANNEX V

ANNEX V

In Annex II to Regulation (EU) No 139/2014, point ADR.AR.C.005(f) is replaced by the following:

‘(f)

With regard to the certification and oversight of the organisation’s compliance with point ADR.OR.D.005A , in addition to complying with points (a) to (e) of this point, the competent authority shall review any approval granted under point IS.D.OR.200(e) of the Annex to Delegated Regulation (EU) 2022/1645 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.’.

ANNEX VI

ANNEX VI

Annexes II and Vc to Regulation (EU) No 1321/2014 are corrected as follows:

(1)

in Annex II, point 145.B.300(g) is replaced by the following:

‘(g)

With regard to the certification and oversight of the organisation’s compliance with point 145.A.200A, in addition to complying with points (a) to (f) of this point, the competent authority shall review any approval granted under point IS.I.OR.200(e) of Annex II to Implementing Regulation (EU) 2023/203 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.’;

(2)

in Annex Vc , point CAMO.B.300(g) is replaced by the following:

‘(g)

With regard to the certification and oversight of the organisation’s compliance with point CAMO.A.200A, in addition to complying with points (a) to (f) of this point, the competent authority shall review any approval granted under point IS.I.OR.200(e) of Annex II to Implementing Regulation (EU) 2023/203 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.’.

ANNEX VII

ANNEX VII

In Annex II to Regulation (EU) 2015/340, point ATCO.AR.C.001(f) is replaced by the following:

‘(f)

With regard to the certification and oversight of the organisation’s compliance with point ATCO.OR.C.001A, in addition to complying with points (a) to (e) of this point, the competent authority shall review any approval granted under point IS.I.OR.200(e) of Annex II to Implementing Regulation (EU) 2023/203 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.’.

ANNEX VIII

ANNEX VIII

In Annex II to Implementing Regulation (EU) 2017/373, point ATM/ANS.AR.C.010(d) is replaced by the following:

‘(d)

With regard to the certification and oversight of the organisation’s compliance with point ATM/ANS.OR.B.005A, in addition to complying with points (a) to (c) of this point, the competent authority shall review any approval granted under point IS.I.OR.200(e) of Annex II to Implementing Regulation (EU) 2023/203 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.’.

17 articles

Cite this act

Commission Implementing Regulation (EU) 2025/2293 of 10 November 2025 amending Implementing Regulation (EU) 2023/203 as regards the requirements applicable to organisations subject to a declaration and correcting Regulations (EU) No 1178/2011 (EU) No 748/2012 (EU) No 965/2012 (EU) No 139/2014 (EU) No 1321/2014 (EU) 2015/340, and Implementing Regulation (EU) 2017/373 (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32025R2293

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com