According to Article 16 of Regulation (EC) No 300/2008 1 , the Commission shall every year present a report to the European Parliament, the Council and the Member States informing them of the application of this Regulation and of its impact on improving aviation security. This report contains five parts. First part covers aviation security inspection activities, second part amendments to the legislative framework for aviation security, third part trials, studies and new initiatives in the field of aviation security, fourth part threat events and outlook, and finally the fifth part illustrates the international dialogue that the Commission is engaging in with international bodies and third countries.

In 2020, the Commission continued to strengthen aviation security rules, with a particular focus on addressing the impact of the COVID-19 pandemic on the implementation of existing and new aviation security rules.

In aviation security, the objective of the Commission during the COVID-19 pandemic period has been twofold: firstly, to ensure that security is not compromised, as a security incident could not be afforded on top of the health and economic crisis. Secondly, to create a solid basis for the gradual resumption of operations and to restore public confidence in transport, while ensuring that safety and security remain at the highest level.

Commission Implementing Regulation (EU) 2015/1998 2 was updated through the adoption of the Commission Implementing Regulation (EU) 2020/111 3 in January 2020. This latter Implementing Regulation contains provisions for granting an “EU Stamp” marking for aviation security equipment as well as additions to the list of third countries that qualify for the application of One Stop Security arrangements.

Later in the year, the Commission adopted another Implementing Regulation 4 to address in particular the impact of the COVID-19 pandemic. It was considered necessary to adopt urgent measures establishing the appropriate legal basis to implement an alternative and expedite process for the EU aviation security validations of the Union-bound supply chain operators affected by the current situation and to provide some flexibility for the implementation of new requirements in the areas of background check for civil aviation personnel and cybersecurity. Another legislative procedure amending Commission Implementing Regulation (EU) 2015/1998, initiated in autumn 2020, was concluded in February 2021 5 . This amendment extended the applicability of the alternative and expedite process for the EU aviation security validations and introduces the rules concerning Pre-Loading Advance Cargo Information (PLACI) into the legislation. It also contains provisions to clarify, harmonise, simplify and strengthen certain specific aviation security measures.

Furthermore, the Commission issued guidance aiming at assisting Member States and operators affected by the extraordinary situation caused by the pandemic, including in the area of compliance monitoring.

A general note was issued in March 2020 for all modes of transport related to exceptional measures to deal with the inability to comply with certain provisions of EU legislation as a result of the crisis. The Commission also prepared operational guidance to the aviation security community regarding contingency and alternative aviation security measures in the context of COVID-19. Finally, the Commission issued also COVID-19 Guidelines for the progressive restoration of transport services and connectivity 6 .

European Commission’s inspections were made difficult by mobility restrictions during the COVID-19 crisis, but they were in any case continued using new approaches and supporting techniques such as documented-based remote inspections.

The unlawful use of unmanned aircraft systems, better known as drones, as a vector of attack and disruption of airport operations, has attracted the attention of authorities and media. The Commission supported the European Union Aviation Safety Agency (EASA) in developing guidelines for management of drone incidents at airports. Additionally, the Commission fostered discussion amongst Member States, looking at the adverse consequences of drone-related incidents to the aviation system.

As in previous years, the Commission continued to analyse the threat situation in close cooperation with Member States, ICAO and partner countries, such as the US - in particular with respect to potential new terrorist approaches - and developed mitigation strategies where appropriate based upon regular risk assessments.

The Commission continued to contribute to the enhancement of aviation security worldwide, through its longstanding cooperation with ICAO and through its capacity-building project CASE-II for Africa, Asia and Middle East. Furthermore, the Commission provided risk assessments as regards overflying conflict zones through the integrated EU aviation security risk assessment process. This process also provides risk assessment capability and supports the decision-making process (risk mitigation) in the area of air cargo security and aviation security standards.

PART ONE: INSPECTIONS

1.General

Regulation (EC) No 300/2008 on common rules in the field of aviation security aims at preventing unlawful interference with civil aircraft in order to protect persons and goods.

While this Regulation requires Member States to monitor regularly all airports, operators and other entities applying aviation security standards and to ensure the swift detection and correction of failures, the role given to the Commission by the legislator is to monitor the effective implementation by the EU/EEA 7 Member States of this legal requirement.

In order to fulfil this monitoring objective, the oversight system of the Commission covers the activities of the EU/EEA Member States in setting up, maintaining and applying an effective national civil aviation security programme and an effective national civil aviation quality control programme.

To this end, the Commission put in place a two layer system of compliance monitoring, i.e. Commission inspections complemented by the assessment of Member States' own annual reports on national monitoring activities (security audits, inspections and tests).

Article 15 of Regulation (EC) No 300/2008 requires the Commission to conduct inspections, including inspections of airports, operators and entities applying aviation security standards, in order to monitor the application of the Regulation by the Member States and, as appropriate, to make recommendations to improve aviation security. Switzerland is also covered by the Union programme, while Norway and Iceland are inspected against parallel provisions by the EFTA Surveillance Authority (ESA).

To carry out its inspection work in 2020, the Commission had a team of six full time aviation security inspectors. The inspection work is supported by a pool of some 100 national auditors nominated by Member States, Iceland, Norway and Switzerland who qualify for participation in Commission inspections through training provided by the Commission. Inspectors from the ESA and the European Civil Aviation Conference (ECAC) are as of 2016 8 equally participating as fully fledged inspectors in this process. The significant number of national auditors participating in Commission inspections ensures a peer review system and allows spreading methodologies and best practices across Member States and associated countries. A chart summarising all Commission and ESA compliance monitoring activities carried out in 2020 is attached in Annex 1.

Commission Regulation (EU) No 72/2010 9 , as amended, lays down the procedures for conducting Commission inspections in the field of aviation security. It includes, inter alia, provisions for the qualification and powers of Commission inspectors.

The methodology used to conduct the inspections has been developed in close cooperation with Member State aviation security authorities and is based on the verification of the effective implementation of security measures. In order to interpret the requirements and procedures to conduct inspections in a harmonised manner, the security unit of Directorate General Mobility and Transport (DG MOVE) draws up and maintains handbooks for airport and cargo inspections. These handbooks also contain detailed prompts and guidance on all aviation security measures required by EU legislation. In addition, they contain details on all organisational and practical aspects of Commission inspections. The handbooks are EU classified information and are only made available to Commission inspectors and the appropriate authority of each Member State.

The Commission carries out inspections of Member States' aviation security administrations (the 'appropriate authorities') and inspections of a number of airports, operators and entities applying aviation security standards. The inspections of appropriate authorities aim at verifying whether Member States have the necessary tools – including a national quality control programme, the necessary powers and the appropriate resources – to be able to adequately implement the EU aviation security legislation. The inspections of airports aim at verifying if the appropriate authority adequately monitors the effective implementation of aviation security measures and is capable of swiftly detecting and rectifying potential deficiencies. In both cases, any deficiency identified by Commission inspectors must be rectified within an established timeframe. Inspection reports are shared amongst all Member States.

Despite the constraints linked to the COVID-19 pandemic, the Commission continued inspections of national administrations of Member States in accordance with its inspection strategy, using remote methods. In 2020, the Commission carried out 11 comprehensive inspections covering airports (including air carriers and entities) as well as appropriate authorities in seven Member States. All airport inspections scheduled for the period after the outbreak of the pandemic in March 2020 in the EU were postponed.

With the aim to provide Member States with feedback from inspections, promote transparency and harmonise compliance monitoring methodologies, the Commission scheduled for April 2020 a meeting of the AVSEC inspection working group. However, this meeting had to be cancelled because of the COVID-19 outbreak. As part of their recurrent training, national auditors were convened for an annual meeting in October 2020, held via videoconference.

1.1 Commission multiannual compliance monitoring

To provide the Commission with adequate assurances on the compliance level of Member States, a multi-annual monitoring approach is used. As such, evidence is acquired concerning the application of Regulation (EC) No 300/2008 and its implementing legislation by every Member State in a cycle of two years, by means of either an inspection of its appropriate authority or an inspection of at least one of its airports. In addition, evidence of the application of the common basic standards on aviation security is obtained in a cycle of five years by a selection of at least 15% of all EU airports falling under Regulation (EC) No 300/2008 including the largest airport in terms of passenger volumes in every Member State.

As per the requirements of the framework Regulation, Member States have the primary responsibility for monitoring the compliance of the implementation of the common basic standards at airports, by air carriers and entities responsible for security. The inspections carried out by the Commission at selected airports constitute a strong indicator of the overall compliance level in each Member State.

The frequency and scope of Commission inspections are established in the DG MOVE strategy for monitoring the implementation of EU aviation security standards. It takes into consideration the level of aviation activity in each Member State, a representative sample of the airport operations type, the standard of implementation of the aviation security regulations, results of previous Commission inspections, assessments of national annual quality control reports, security incidents (acts of unlawful interference), threat levels and other factors and assessments.

Since 2010, the compliance rate 10 identified during Commission inspections is around 80% (2010: 80%, 2011: 80%, 2012: 83%, 2013: 80%; 2014: 81%, 2015: 80%, 2016: 79%, 2017: 81%, 2018: 81%, 2019: 81%, 2020: 81%). However, this relatively stable figure does not mean that Member States have not increased their efforts. On the contrary, Member States' efforts in the field of aviation security have significantly increased as requirements have also increased over the years, in particular in areas such as air cargo security, liquids, aerosols and gels screening or the use of explosive trace detection.

2.Inspections of national appropriate authorities

The Commission continued its sixth cycle of inspections of appropriate authorities in 2020. In total, six inspections of appropriate authorities were carried out during the year.

The deficiencies most commonly found related to shortcomings in the implementation of the National Quality Control Programmes. Difficulties were detected in ensuring that airports, air carriers and regulated entities with security responsibilities update and maintain security programmes in line with Commission implementing regulations and decisions. In addition, some Member States did not monitor with the expected regularity foreign air carriers and some entities with security responsibilities. Other Member States did not fully apply the methodology required for inspections and the elements to be included in the reporting of compliance monitoring activities. Furthermore, some Member States did not reach the minimum frequencies for security audits and inspections and did not always ensure that identified deficiencies were swiftly rectified and that they do not recur. Nevertheless, the majority of Member States inspected in 2020 did align National Aviation Security Programmes with EU legislation; provided their appropriate authorities with the necessary enforcement powers for monitoring and enforcing all requirements of the Regulation and its implementing acts; ensured that a sufficient number of auditors were available for performing compliance monitoring activities; and implemented most of the requirements related to security training.

3.Initial inspections at airports

Five initial inspections of airports were conducted during 2020. All chapters were covered in accordance with the applicable areas of security in four of these airport inspections, whereas one airport inspection focused on cargo and mail as well as the related security equipment provisions. The overall percentage of core measures found to be in compliance in 2020 was 81%, the same as in 2019. 11

After the eleventh year of implementation of Regulation (EC) No 300/2008, the inspection results reflect the efforts made by appropriate authorities and the industry. The majority of security requirements stemming from this ambitious legislation were correctly implemented; the level of compliance for the most important areas of aviation security remained stable at around 80%. However, the effectiveness of the implementation of some measures still leaves room for improvement.

Most of the deficiencies found continued to stem from human factor issues. These mainly occurred in the practical implementation of certain areas where the legal requirements are new or have significantly changed recently. In particular, some provisions relating to access control and screening of cabin baggage will require continued efforts by the appropriate authorities, industry stakeholders and the Commission. These issues should be addressed through increased national quality control activities in the areas concerned.

Year 2020 showed clear improvements in security controls of airport supplies and again high compliance levels in relation to screening and protection of hold baggage, in-flight supplies, training and security equipment. This follows relatively good results in previous years, but further improved by increased awareness and practical experience with the revised implementing legislation, which provided more clarity and consistency in the measures.

4.Follow-up inspections

In accordance with Article 13 of Commission Regulation (EU) No 72/2010, as amended, the Commission routinely carries out a limited number of follow-up inspections. Such inspections are scheduled when several serious deficiencies have been identified during the initial inspection, but also on a random basis to verify that appropriate authorities have the necessary powers to require rectification of deficiencies within set timeframes. No such activities were carried out during 2020 due to the outbreak of the COVID-19 pandemic.

5.Assessments of Member States' ANNUAL QUALITY CONTROL Reports

Point 18 of the Annex to Regulation (EC) No 300/2008 12 requires Member States to annually submit a report to the Commission on the measures taken to fulfil their obligations under this Regulation and on the aviation security situation at airports located in their territory. The content of the report shall be in accordance with Appendix III using a template provided by the Commission.

The assessment of these reports, in addition to the Commission's regular inspections, provide a tool for the Commission to closely follow the implementation of robust national quality control measures. This, in turn, allows for swift detection and correction of deficiencies in each Member State.

The assessment includes an analysis of regular monitoring of airports, air carriers and other entities with aviation security responsibilities, as well as the amount of days spent by the auditors in the field, scope and frequencies of a suitable mixture of compliance monitoring activities, national compliance levels, follow-up activities and the use of enforcement powers.

With regards to the 2020 annual reports submitted by Member States, the COVID-19 pandemic significantly impacted the capability of Member States to perform their ordinary quality control activities conducted on-site at airports and at other operators’ sites during year 2020.

In March 2020, the Commission issued a general note setting out exceptional measures to deal with the inability to comply with certain provisions of EU legislation. It allowed Member States to take contingency measures also in regard to compliance monitoring activities in case the performance thereof was impeded or severely impacted by the effects of the pandemic. In general terms, the negative effects and limitations of COVID-19 impacted all Member States. However, as the pandemic evolved in a non-uniform manner throughout the Union, at a different pace and with varying impact depending on the Member State (in some cases even within the same Member State), the 27 Member States faced slightly different situations in time and severity of these limitations. Civil aviation operations (volume of passengers and number of aircraft movements) experienced a dramatic drop, which resulted in the re-planning, cancellation or reconversion of a number of compliance monitoring activities. In May 2020, the Commission presented to Member States a list of compliance monitoring activities 13 to be performed as an alternative to, or integrated in the traditional audits, inspections and tests in case these could not be performed entirely or partially due to the pandemic. The Commission made available to Member States a notification tool to be used to include such activities in the context of the submission of their annual report for 2020.

Therefore, the assessment for the 2020 annual reports performed by the Commission focused on the ordinary quality control tools that could be implemented by the Member States, combined with an evaluation and weighing of the abovementioned alternative and additional activities that were conducted during the most severe lockdown period. The Commission noted that while some Member States could discharge their quality control obligations in full still using the ordinary methodology and tools, the majority of them made large use of the additional alternative compliance monitoring activities, which contributed to the achievement of satisfactory performance both in terms of days spent by the auditors and in the actual number of operators monitored.

Due to the unprecedented situation, as well as the above illustrated solutions and tools used by Member States, the assessment of the annual reports acknowledged the outstanding efforts put in place by all Member States in maintaining their aviation security regime under continuous review through a combination of desk-top assessments and where possible, targeted on-site activities.

The overall assessment did not reveal any shortcoming or weakness that required a follow up: the Commission considered the response of Member States and the efforts produced as sufficient. As the effects of the pandemic have continued throughout 2021, the Commission will consider improving this alternative regime of compliance monitoring activities in the light of the assessment of the annual reports for 2021.

The Commission sent a formal comprehensive evaluation to the Member States highlighting, where needed, suggestions on how to improve or better tailor the national efforts.

6.Assessments of third country airports

In the course of the year, due to exceptional circumstances, no assessments of US airports were conducted in the framework of the Working Arrangement with the Transportation Security Administration of the United States of America established under the EU-US Air Transport Agreement 14 . In the context of One Stop Security arrangements between the Commission and third countries, and for similar reasons, it was not possible to conduct assessments. In normal circumstances, these are undertaken to cross-check that the implementation of certain security measures continue to be of an equivalent standard to the implementation of EU aviation security legislation.

7.Open files, Article 15 cases and legal proceedings

Inspection files remain open until the Commission is satisfied that appropriate rectification action has been implemented. The duration of a file therefore depends upon the good cooperation of the concerned Member State. Fifteen inspection files (eleven files concerning airport inspections and four concerning inspections of appropriate authorities) could be closed in 2020. All in all, inspection files related to seven appropriate authorities and seven airports remained open at the end of the year.

If identified deficiencies in the implementation of security measures at an airport are considered to be serious enough as to have a significant impact on the overall level of civil aviation security in the Union, the Commission will activate Article 15 of Commission Regulation (EU) No 72/2010. This means that all other appropriate authorities are alerted to the situation and compensatory measures would have to be considered in respect of flights from the airport in question. No Article 15 case was initiated in 2020, but one pre-warning letter was sent to a Member State, inviting it to take appropriate compensatory measures pending full rectification of the concerned deficiency.

Regardless of whether or not Article 15 is applied, another available measure, particularly in cases of prolonged non-rectification or recurrence of deficiencies, is for the Commission to open infringement proceedings. In 2020, one infringement proceeding was launched. Another infringement could be closed in the same period.

PART TWO: LEGISLATIVE FRAMEWORK AND SUPPLEMENTARY TOOLS

1.Legislative framework

Civil aviation remains an attractive target for terrorist groups and countering this threat requires the implementation of proportionate, risk based protective measures. The Commission and Member States are therefore constantly adjusting the mitigation measures in order to achieve the highest level of security while minimising adverse effects on operations.

Commission Implementing Regulation (EU) 2015/1998 was updated in January 2020 15 as regards the approval of civil aviation security equipment as well as the list of third countries recognised as applying security standards equivalent to the common basic standards on civil aviation security. In June 2020, following the outbreak of the COVID-19 pandemic, the Regulation was modified again 16 as regards rules for the re-designation of airlines, operators and entities providing security controls for cargo and mail arriving from third countries, as well as the postponement of certain regulatory requirements in the area of cybersecurity, background checks, explosive detection system equipment standards, and explosive trace detection equipment.

The Commission issued a general note in March 2020 for all modes of transport related to exceptional measures to deal with the inability to comply with certain provisions of EU legislation as result of the crisis. This was particularly relevant for aviation security in terms of dealing with the extension of certifications, trainings, airport and crew identification cards, re-approvals of regulated or known entities, compliance monitoring and other activities that were impeded or severely affected by the extraordinary situation caused by the pandemic, including in the area of compliance monitoring. The Commission also prepared operational guidance to the aviation security community regarding contingency and alternative aviation security measures in the context of COVID-19. This guidance aimed to help protect screeners, passengers and staff while preserving aviation security objectives as well as harmonising contingency and alternative measures. As a response to the pandemic, the Commission issued also COVID-19 Guidelines for the progressive restoration of transport services and connectivity 17 .

2.Union database on supply chain security (UDSCS)

Since 1 June 2010, the database of regulated agents and known consignors 18 has been the primary and only legal tool for consultation when accepting consignments from another regulated agent or from a known consignor. Since activated, it has been extended to include the list of air carriers authorised to carry cargo and mail into the EU from third country airports (ACC3) and their ground service providers in the third country (RA3 and KC3), the list of EU aviation security validators approved by the Member States, the EU Regulated Suppliers delivering catering and other supplies to airports and airlines, and finally the list of Union airports applying Regulation (EC) No 300/2008. The database’s extension in scope justified its renaming as "Union database on supply chain security" 19 to better reflect the wider use thereof. At the end of 2020 the database contained 14,000 records of regulated agents, known consignors, independent validators, ACC3 airlines, regulated suppliers, and third country regulated agents and known consignors. Its target availability rate of 99.5% was continuously met in 2020 as well. A new version of this database is being completed and its full activation is expected at the end of 2021.

Commission Implementing Regulation (EU) 2020/111 established the European regime of approval for civil aviation security equipment, the so-called ‘EU Stamp’ that is applicable form 1 October 2020. This regulation harmonises the approval of aviation security equipment, which was previously under the responsibility of each Member State. The new system is built upon the existing Common Evaluation Process of ECAC. Its implementation has required all approved aviation security equipment to be included and listed in the database 20 from which also the ‘EU Stamp’ marking, that has to be affixed on equipment, can be downloaded. This part of the new database became operational in December 2020.

3.Pre-Loading Advance Cargo Information (PLACI)

In relation to air cargo, the Commission continued to work closely with Member States in order to prepare the first phase implementation of pre-loading advance cargo information (PLACI) analysis. This first phase, containing requirements in respect of postal/mail and express parcels consignments, was activated on 15 March 2021. New provisions were included in EU legislation 21 in the fields of both customs and civil aviation security.

According to the requirements, details (7+1 advance elements of the Customs Entry Summary Declaration) pertaining to each shipment flying to the EU are to be electronically submitted (via the ICS2 – Import Control System) to EU customs by the Economic Operators responsible for bringing into the Union customs territory goods in postal or express consignments and analysed for civil aviation security purposes by the first point of entry customs agency in the EU. The same requirements will become applicable from 1 March 2023 in respect of all air cargo consignments.

The outcome of the PLACI risk analysis may require the implementation of specific mitigating aviation security measures. These may be applied by economic operators (directly or indirectly by its ground service providers and/or ultimately by the air carrier) engaged in the EU in-bound supply chain before the consignment is loaded on board of a flight departing to the EU. Such actions (as globally accepted within ICAO and World Customs Organisation) may consist of requests for more information, requests for screening in accordance with High Risk standards or a denial of loading the shipment onto an aircraft. The PLACI requirements apply to all third country locations worldwide, including those where airlines and cargo operators are exempted from the EU ACC3 programme.

The Commission organised in November 2020 a joint workshop with aviation security authorities and national customs authorities to foster understanding and harmonisation of actions for the smooth implementation of the EU PLACI. Cooperation with customs community continued also in the global context with ICAO and the World Customs Organisation.

PART THREE: TRIALS, STUDIES AND NEW INITIATIVES

1.Trials

A 'trial' in the sense of EU aviation security legislation is conducted when a Member State agrees with the Commission that it will use a particular means or method not recognised under the terms of the legislation to replace one of the recognised security controls, for a limited period of time on condition that such trial does not impact negatively on the overall levels of security. The term does not, in the legal sense, apply when a Member State or entity is conducting an evaluation of a new security control deployed in addition to one or more of those already covered by the legislation.

No trials were conducted or initiated in the course of 2020.

2.Studies, Reports and Conferences

While the organisation of physical events was impossible during most part of the year 2020, the Commission organised in November 2020 a virtual first meeting of the Aviation Cybersecurity Working Group 22 , bringing together Member State authorities responsible for aviation security and implementation of the NIS Directive 23 , as well as stakeholders. The Commission considers that implementing and further improving the complex regulatory environment of aviation cybersecurity can greatly benefit from advice and sharing of experience and best practices within such a working group. There is also a keen interest to ensure that the specificities of the aviation sector are taken into account and to see how sectorial and horizontal efforts can complement each other, while avoiding duplication of effort and undue burden on administrations and industry.

In December 2020, the Commission published a transport cybersecurity toolkit 24 , with the aim to raise awareness on cyber-risks and cyber-hygiene and to build preparedness in the transport sector. This toolkit contains recommended practices to mitigate some of the cyber threats 25 that may affect the transport sector. It also contains a more advanced level, which provides information that is particularly relevant for security and cybersecurity professionals in transport organisations. This advanced level provides guidance on identifying, protecting, detecting and responding to cyber-threats.

3.New Initiatives

Further progress was made regarding the development of new technologies in aviation security. In particular, work was undertaken to elaborate detection standards for security equipment to tackle new threats, especially chemical substances. To this end, excellent cooperation is in place with the US and other international partners. However, the COVID-19 crisis impaired also this cooperation, since this activity requires the exchange of classified information in a secure environment and it was not possible to arrange physical meetings.

The Commission launched in 2020 a discussion on a new “AVSEC strategy”, the purpose of which is to reflect on a strategic vision for the future of aviation security. While delayed by COVID-19 pandemic priorities, the work resumed in earnest in 2021. This includes input from various work streams in the areas of risk based security, security culture and holistic approach, innovation, and aviation security standards. The intention of the Commission is to finalise this work by the end of the year 2021 with proposals for a way forward, in terms of possible concrete actions and decisions.

PART FOUR: THREAT EVENTS AND OUTLOOK

Also in light of recent international developments, international jihadist terrorism remains a major threat to the EU that requires careful monitoring 26 . Despite global efforts to limit terrorist financing sources, terrorist organisations still have access to large cash reserves 27 to finance their activities and propaganda, and air transport remains a potential target, including via attempts to hijack airline security systems 28 or to develop innovative explosive concealments. Other potential threats such as CBRN, chemicals in particular, are continually being assessed by the Commission and Member States. Insider threats and homegrown terrorism must remain an area of particular attention in light of continuing online radicalisation, and the perspective of returned foreign terrorist fighters to Europe. At the same time, other threats and means of attack have come into focus. Drones create new opportunities for the European economy and the vast majority of drone operations are and will remain legitimate. Put in the wrong hands, however, drones have the potential to be used by different malicious actors, to conduct surveillance, disrupt critical infrastructure operations or attack high-value targets. Such a “drone threat” is likely to grow as drones become more widely available, more affordable and more capable. The Commission is engaged in supporting Member States in countering such misuse through a combination of measures, including both legislation and guidance. The Commission has taken concrete steps in this area with the adoption on 22 April 2021 of a regulatory framework for the European unmanned traffic management concept (the U-Space) 29 , which should make it easier for authorities to distinguish between cooperative and non-cooperative, potentially malicious, drones overhead. In addition, Regulation (EU) 2019/945 30 requires consumer drones intended for use without prior approval to be designed with a built-in function that automatically broadcasts the operator's registration number and the drone's position so that they can be received by mobile devices, allowing enforcement authorities and the general public in the vicinity of the drone to have easy access to this information (even outside a U-Space airspace) and therefore promoting responsible pilot behaviour and reducing the possibilities of using these drones in a covert and anonymous way for illegal or malicious purposes. 31 Moreover, in order to support authorities dealing with non-cooperative drones, the Commission is supporting the development of different forms of guidance materials, financing innovative counter-drones projects and studies, and building bridges between different affected sectors (e.g. law enforcement, aviation, critical infrastructure, prisons, customs/borders, personal protection, mass events) and stakeholders. The Commission has also launched a European Programme for counter-UAS systems testing. This initiative aims to facilitate a more coordinated European approach to the testing of different counter-drones technologies. In March 2021, EASA – with the support of the Commission – issued guidance to help aviation operators and national authorities to manage drone incidents at and around airports. Countering the threat posed by non-cooperative drones will form an integral part of the “Drone Strategy 2.0”, which the Commission plans to adopt in 2022.

For all areas of transport, including aviation, the Commission, together with the relevant agencies, maintained a continuous dialogue on emerging security threats, including those of a hybrid nature, with Member States and Contracting Parties to the Agreement on the European Economic Area, industry and other stakeholders. This is in order to build up the knowledge and capacity to react to those threats, effectively managing the risk.

The Commission continued to carry out its regular monitoring of emerging threats in different areas 32 , including hybrid threats, to adapt the Aviation Security (AVSEC) baseline. The Commission also continued to ensure a high level of protection of civil aviation against acts of unlawful interference, supported by the Commission’s aviation security inspections system, in accordance with the applicable EU legislation 33 . In the international context and fora, the Commission provided its support and close cooperation with ICAO and third countries in the identification of the global threat and risk picture.

Under the Conflict Zone Alerting System common risk assessments took place on a regular basis, with some practical limitations imposed by the COVID-19 pandemic, under the lead of the integrated EU aviation security risk assessment group. The aim of this exercise is to share information on the assessment of risks arising from conflict zones in a timely manner. The outcomes of the integrated EU aviation security risk assessment group supports the decision making process on possible mitigation measures including the issuance of a Conflict Zone Information Bulletin (CZIB) or information notes by EASA.

PART FIVE: INTERNATIONAL DIALOGUE

1. General

The Commission engages with international bodies and key trading partners and participates in associated international meetings, such as the annual meeting of the ICAO Aviation Security Panel. It works with Member States to ensure co-ordinated EU positions. Bilateral dialogues are held with certain third countries, such as the United Kingdom, the United States, Canada, Australia, Singapore, etc. They enable the Commission to build up a good understanding and a high level of trust with countries taking a like-minded approach to aviation security.

2. International bodies

The EU actively participated, as an observer, in the annual meeting of the ICAO Aviation Security Panel (AVSECP/31) which took place in Montreal on 14-17 December 2020. The EU submitted an Information Paper on the EU’s implementation of the Pre-Loading Advance Cargo Information Programme (PLACI). In considering the challenges that airports may have in implementing certain provisions of Annex 17 to the Convention on International Civil Aviation during the COVID-19 crisis, the Panel recalled the need to continue providing assistance to industry in implementing security measures while stressing that aviation security should not be compromised. An important issue discussed during the Panel meeting were the security aspects related to the transport of the COVID-19 vaccine. The Panel’s Working Group on Air Cargo Security developed guidance on the matter that was published in ICAO State Letter 34 concerning the “Distribution of COVID-19 Vaccines and Air Cargo Security”. These ICAO guidelines aim to help states and industry apply aviation security measures while facilitating a smooth flow of vaccines throughout the supply chain and to the final destination. The Panel was followed by a (virtual) Security Symposium which was titled “Improving security culture by connecting the dots” and which inaugurated 2021 as the “Year of Aviation Security Culture”.

3. Third countries

The Commission actively engages with a number of international partners in the field of aviation security on a bilateral and multilateral basis, cooperating on important dossiers and coordinating actions in the global context.

With the United States for instance, the EU-US Transportation Security Cooperation Group (TSCG) aims at fostering co-operation in a number of areas of mutual interest. It ensures the continued functioning of One Stop Security arrangements and of the mutual recognition of respective EU and US air cargo and mail regimes. These initiatives save air transport operators’ time, costs and operational complexity. The 30th meeting of the EU-US Transport Security Cooperation Group (TSCG) took place on 3 December 2020 in virtual format due to the travel restrictions in place. The topics of the meeting included in particular an exchange on the COVID-19 developments and current topics regarding cooperation in aviation security.

As threats and risks are global, the Commission, the US Transport Security Administration (TSA) and other partners engage in consultations and assist each other in identifying and coordinating actions, including the possible implementation of additional measures to mitigate specific emerging threats. This approach ensures that any impact on operators as well as on passengers is kept to the minimum.

In conformity with EU law, the Commission has established agreements recognising security standards applied in some third countries, or airports of third countries, as equivalent to EU standards in order to advance the goal of One Stop Security (OSS) for all flights between the EU and those third countries. Equivalence and OSS are currently recognised, among others, for the United States, Canada, Singapore, Montenegro, Serbia, the United Kingdom and Israel (only for hold baggage). The Commission continues engagement with Israel and Japan on OSS arrangements. However, due to the pandemic there was little progress in 2020. In the case of Israel, a technical visit by EU aviation security experts is planned to assess equivalence of the measures on passengers and cabin baggage screening at Ben Gurion Airport once the COVID-19 situation allows. With Japan, the Commission is having technical discussions to compare the respective aviation security legislations as a first step.

In view of the withdrawal of the United Kingdom of Great Britain and Northern Ireland (UK) from the EU (initially foreseen at the end of March 2019, but subsequently postponed to 31 January 2020 - after which a transition period applied until the end of year 2020), the Commission adopted contingency measures in order to ensure the smooth continuation of the One Stop Security process for passengers, baggage and cargo arriving from the UK in transfer at European airports. Following the formal confirmation from the UK that it would maintain its regulations and standards on aviation security equivalent to the Union legislation beyond the date of withdrawal from the EU, the Commission amended the implementing legislation 35 introducing provisions allowing One Stop Security from the UK from the day after the Treaties cease to apply in the UK. This Regulation became applicable on 1 January 2021 after the end of the transition period providing significant benefits for airports, airlines and passengers. Actors previously under the responsibility of the United Kingdom in third countries and involved in the secure supply chain for air cargo (ACC3, RA3 and KC3) were reattributed to the remaining Member States.

Regarding capacity building, the “Civil Aviation Security in Africa, Asia and the Middle East” project (CASE II) started its operations in the second quarter of 2020 36 . It is entirely funded by the EU and implemented by ECAC. The overall objective of CASE II is to counter the threat of terrorism to civil aviation by partnering with States in the three regions, in order to strengthen the civil aviation security regimes in the Partner States. 37

CONCLUSIONS

Compared to previous years, year 2020 was a very different year as COVID-19 had a profound effect on all the activity normally carried out by the Commission and the Member States. A lot of additional legislation and guidance had to be prepared. Normal inspection activities were suspended and replaced by alternative methods. Meetings could be arranged only virtually and this can hardly be as productive as physical meetings. International cooperation was also affected due to the same reason. However, throughout the crisis, the Commission’s starting point has been that the level of aviation security cannot be compromised, not even while facing the new challenges of a reduced workforce and financial constraints.

As to the future, the Commission is continuously reflecting on how the current framework for aviation security could be improved even further by increasing efficiency, sustainability, flexibility and more risk-based capabilities to react to emerging threats, without any compromise of the high level of aviation security achieved so far.

(1) Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).

(2) Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security (OJ L 299, 14.11.2015, p. 1).

(3) Commission Implementing Regulation (EU) 2020/111 of 13 January 2020 amending Implementing Regulation (EU) 2015/1998 as regards the approval of civil aviation security equipment as well as third countries recognised as applying security standards equivalent to the common basic standards on civil aviation security (OJ L 21, 27.1.2020, p. 1).

(4) Commission Implementing Regulation (EU) 2020/910 of 30 June 2020 amending Implementing Regulations (EU) 2015/1998, (EU) 2019/103 and (EU) 2019/1583 as regards the re-designation of airlines, operators and entities providing security controls for cargo and mail arriving from third countries, as well as the postponement of certain regulatory requirements in the area of cybersecurity, background check, explosive detection systems equipment standards, and explosive trace detection equipment, because of the COVID-19 pandemic (OJ L 208, 1.7.2020, p. 43).

(5) Commission Implementing Regulation (EU) 2021/255 of 18 February 2021 amending Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security (OJ L 58, 19.2.2021, p. 23).

(6) Communication from the Commission: Guidelines on the progressive restoration of transport services and connectivity – COVID-19 (OJ C 169, 15.5.2020, p. 17).

(7) European Economic Area countries + Switzerland.

(8) See Commission Implementing Regulation (EU) 2016/472 of 31 March 2016 amending Regulation (EU) No 72/2010 as regards the definition of the term ‘Commission inspector’ (OJ L 85, 1.4.2016, p. 28).

(9) Commission Regulation (EU) No 72/2010 of 26 January 2010 laying down procedures for conducting Commission inspections in the field of aviation security (OJ L 23, 27.1.2010, p. 1).

(10) To ensure comparability and allow for an evaluation of compliance levels over time, the Commission uses a calculation method for its compliance indicator where only the main security requirements that are inspected most frequently are included in the calculation. These cover the requirements relating to airport security, aircraft security, passenger and cabin baggage security and hold baggage security. Security measures are clustered in sets of directly linked security requirements and assessed as a whole. A fixed weighing factor reflecting the level of implementation per cluster is then applied as follows: The overall compliance indicator for a given year is therefore the sum of the weighed factors divided by the number of classified sets of directly linked requirements.

(11) See chapter 1.1.

(12) As amended by Commission Regulation (EU) No 18/2010 of 8 January 2010 amending Regulation (EC) No 300/2008 of the European Parliament and of the Council as far as specifications for national quality control programmes in the field of civil aviation security are concerned (OJ L 7, 12.1.2010, p. 3).

(13) Consisting, inter alia, in the assessment and review of the national security programme (NASP, NSTP and NQCP), security programmes of airlines, airport operators and other entities, on-line training and certification activities, review of national risk assessments, desktop inspections, analysis of trends, etc.

(14) OJ L 134, 25.5.2007, p. 4.

(15) See footnote 3.

(16) See footnote 4.

(17) Communication from the Commission: Guidelines on the progressive restoration of transport services and connectivity – COVID-19 (OJ C 169, 15.5.2020, p. 17).

(18) The Commission set up this database, the use of which is mandatory for actors in the supply chain through Commission Implementing Regulation (EU) 2015/1998 and Decision C(2015) 8005.

(19) Commission Implementing Regulation (EU) No 1116/2013 of 6 November 2013 amending Regulation (EU) No 185/2010 as regards clarification, harmonisation and simplification of certain specific aviation security measures (OJ L 299, 9.11.2013, p. 1).

(20) https://ksda.ec.europa.eu/

(21) Commission Implementing Regulation (EU) 2021/255 of 18 February 2021 amending Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security (OJ L 58, 19.2.2021, p. 23); Commission Delegated Regulation (EU) 2020/877 of 3 April 2020 amending and correcting Delegated Regulation (EU) 2015/2446 supplementing Regulation (EU) No 952/2013, and amending Delegated Regulation (EU) 2016/341 supplementing Regulation (EU) No 952/2013, laying down the Union Customs Code (OJ L 203, 26.6.2020, p. 1); Commission Implementing Regulation (EU) 2020/893 of 29 June 2020 amending Implementing Regulation (EU) 2015/2447 laying down detailed rules for implementing certain provisions of Regulation (EU) No 952/2013 of the European Parliament and of the Council laying down the Union Customs Code (OJ L 206, 30.6.2020, p. 8).

(22) One of the key outcomes of the cybersecurity workshop organised by the Commission services (DG MOVE and DG CNECT) in November 2019 was the recommendation of the establishment of an Aviation Cybersecurity Working Group.

(23) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

(24) Available here (in 23 languages): https://transport.ec.europa.eu/transport-themes/security-safety/cybersecurity_en

(25) Namely malware diffusion, denial of service, unauthorised access and theft, and software manipulation.

(26) The EU’s Counter-Terrorism Action Plan identifies areas of action where the EU and its Member States could prepare and mobilise existing instruments in a timely fashion to anticipate and address possible terrorism risks to EU internal security stemming from the Taliban’s takeover of power in Afghanistan in September 2021, see: https://data.consilium.europa.eu/doc/document/ST-12315-2021-INIT/en/pdf

(27) https://home.treasury.gov/news/press-releases/jy0532

(28) https://www.justice.gov/opa/pr/kenyan-national-indicted-conspiring-hijack-aircraft-behalf-al-qaeda-affiliated-terrorist

(29) Commission Implementing Regulation (EU) 2021/664 of 22 April 2021 on a regulatory framework for the U-space (OJ L 139, 23.4.2021, p. 161); Commission Implementing Regulation (EU) 2021/665 of 22 April 2021 amending Implementing Regulation (EU) 2017/373 as regards requirements for providers of air traffic management/air navigation services and other air traffic management network functions in the U-space airspace designated in controlled airspace (OJ L 139, 23.4.2021, p. 184); Commission Implementing Regulation (EU) 2021/666 of 22 April 2021 amending Regulation (EU) No 923/2012 as regards requirements for manned aviation operating in U-space airspace (OJ L 139, 23.4.2021, p. 187).

(30) Commission Delegated Regulation (EU) 2019/945 of 12 March 2019 on unmanned aircraft systems and on third-country operators of unmanned aircraft systems (OJ L 152, 11.6.2019, p. 1).

(31) This requirement applies to consumer drones weighing more than 250 grams and will become fully applicable from 1 January 2024.

(32) For instance, concerning improvised explosive devices, the use of drones, cyber security, cargo and mail, etc.

(33) As detailed in Part 1, in 2020 the Commission carried out 11 comprehensive inspections covering airports, air carriers and entities as well as appropriate authorities in seven Member States. This was done in accordance with its inspection strategy using remote methods.

(34) AS 8/7-21/6 of 27 January 2021.

(35) Commission Implementing Regulation (EU) 2019/413 of 14 March 2019 amending Implementing Regulation (EU) 2015/1998 as regards third countries applying security standards equivalent to the common basic standards on civil aviation security (OJ L 73, 15.3.2019, p. 98).

(36) CASE II is the successor of the Civil Aviation Security in Africa and the Arabian Peninsula Project (CASE) project launched in early 2016, for a duration of four years. The duration of the CASE II Project is also four years and the budget allocated by the Commission for the overall period is EUR 8 million. The inclusion of Asia is a new feature of CASE II, compared to CASE I.

(37)

The Partner States are selected on the basis of objective criteria, such as the commitment/capability of a given State to fully benefit from the capacity-building activities delivered by the Project, or the absence of possible duplication with other capacity-building initiatives, either bilateral or multilateral.

State	Number of inspections (initial and follow-up inspections) period 01/2020-12/2020	Total number of inspections (initial and follow-up inspections) since 2004
Austria	0	17
Belgium	0	20
Bulgaria	0	14
Croatia	0	8
Cyprus	0	11
Czech Republic	0	14
Denmark	2	20
Estonia	0	10
Finland	0	17
France	1	34
Germany	0	33
Greece	0	24
Hungary	0	12
Ireland	0	17
Italy	2	32
Latvia	0	9
Lithuania	1	11
Luxembourg	0	11
Malta	0	8
Netherlands	2	18
Poland	0	19
Portugal	0	19
Romania	0	12
Slovak Republic	0	10
Slovenia	0	9
Spain	0	32
Sweden	2	24
Non-EU Member: Switzerland	1	13
TOTAL	11	478

State	Number of inspections (initial and follow-up inspections) period 01/2020-12/2020	Total number of inspections (initial and follow-up inspections) since 2004
Iceland	1	17
Norway	2	59
TOTAL	3	76