Aviation is a complex, interconnected "system of systems" made up of infrastructures and systems such as ATM, ground services and telecommunications. These systems and infrastructures are interconnected and interdependent, with different levels of criticality, threats, vulnerabilities and risks. Aviation depends on other infrastructures and systems such as energy, transport and telecommunications, and other infrastructures and sectors in turn depend on aviation to provide services to citizens.
Critical infrastructures and entities providing essential services have always been on the EU’s radar. The EU has made several efforts in the past, with the ECI Directive (2008/114/EC), the NIS Directive (EU 2016/1148) and other sectoral measures, to address a wide range of threats (including cyber) that could potentially affect critical infrastructures including, of course, aviation. In recent years, collective thinking on critical infrastructures and their protection has evolved, and the EU is taking additional measures to support Member States and operators in improving their security postures and the resilience of critical infrastructures, and in protecting the services they provide against all possible threats, including man-made threats, natural hazards, cyber-attacks and terrorism. The CER (Critical Entities Directive) and NIS2 constitute the culmination of these efforts, and both provide the framework and measures needed to improve the security and resilience of such infrastructures and of essential services to EU citizens and beyond. The CER Directive treats aviation as a transport subsector, more specifically covering air carriers, airport management bodies and operators providing air traffic control.