EUROPEAN COMMISSION

Brussels, 16.4.2019

COM(2019) 183 final

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

2017 ANNUAL REPORT ON THE IMPLEMENTATION OF REGULATION (EC) N° 300/2008 ON COMMON RULES IN THE FIELD OF CIVIL AVIATION SECURITY

This report covers the period 1 January – 31 December 2017

INTRODUCTION

2017 featured renewed concerns related to the global threat that improvised explosive devices (IEDs) artfully concealed in tampered electronic devices constitute. The U.S. and UK governments banned from the cabins of flights from airports located in some Middle Eastern and North African countries all personal electronic devices larger than cell phones. The longstanding close cooperation between the European Union and the U.S., based upon the recognition of the respective aviation security measures, permitted to address those security concerns with targeted measures that did not require extending globally the ban of such devices, including on board of aircrafts departing from Europe.

The Commission continued its efforts to enhance aviation security worldwide, through its longstanding cooperation with ICAO and through its capacity building project CASE for Africa and Middle East.

Cybersecurity and the protection of public areas of airports remained a priority.

As in previous years, the Commission continued to clarify, harmonize and simplify aviation security legislation in line with the better regulation objectives of the EU.

The preparatory work leading to a new One-Stop-Security Agreement with Singapore for the benefit of both passengers and aviation industry was concluded, allowing to a formal adoption in early 2018.

PART ONE

Inspections

1.General

Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of aviation security aims at preventing unlawful interference with civil aircraft in order to protect persons and goods.

At the Union level, the implementation of the aviation security rules is based upon a two layer system of compliance monitoring, i.e. Commission inspections complemented by the assessment of Member States' annual reports on national monitoring activities (security audits, inspections and tests) carried out by each Member State.

Article 15 of Regulation (EC) No 300/2008 requires the Commission to conduct inspections, including inspections of airports, operators and entities applying aviation security standards, in order to monitor the application of the Regulation by the Member States and, as appropriate, to make recommendations to improve aviation security. Switzerland is also covered by the Union programme, while Norway and Iceland are inspected against parallel provisions by the EFTA Surveillance Authority (ESA).

To carry out its inspection work in 2017, the Commission had a team of seven full time aviation security inspectors. The inspection work is supported by a pool of some 100 national auditors nominated by Member States, Iceland, Norway and Switzerland who qualify for participation in Commission inspections through training provided by the Commission; inspectors from the EFTA Surveillance Authority (ESA) and the European Civil Aviation Conference (ECAC) are as of 2016 1 equally participating as fully fledged inspectors in this process; The significant number of national auditors participating in Commission inspections ensures a peer review system and allows spreading methodologies and best practices across Member States. A chart summarising all Commission and ESA compliance monitoring activities carried out in 2017 is attached in Annex 1.

Commission Regulation (EU) No 72/2010, as amended, lays down the procedures for conducting Commission inspections in the field of aviation security. It includes inter alia provisions for the qualification and powers of Commission inspectors and the conduct of follow-up inspections.

The methodology used for conducting these inspections has been developed in close cooperation with the aviation security authorities of Member States and is based on the examination of the effective implementation of security measures. In order to interpret the requirements and procedures to conduct inspections in a harmonised manner, the security unit of DG MOVE draws up and maintains handbooks for airport and cargo inspections. These handbooks also contain detailed prompts and guidance on all aviation security measures required by EU legislation. In addition, they also contain details on all organisational and practical aspects of Commission inspections. The handbooks are EU classified information and are only made available to Commission inspectors and the appropriate authority of each Member State.

The Commission carries out inspections of Member States' aviation security administrations (the 'appropriate authorities') and inspections of a limited number of airports, operators and entities applying aviation security standards. The inspections of appropriate authorities aim at verifying whether Member States have the necessary tools – including a national quality control programme, the necessary powers and the appropriate resources – to be able to adequately implement the European Union's aviation security legislation. The inspections of airports aim at verifying if the appropriate authority adequately monitors the effective implementation of aviation security measures and is capable of swiftly detecting and rectifying potential deficiencies. In both cases any deficiency identified by the Commission inspectors has to be rectified within an established timeframe; inspection reports are shared amongst all Member States.

Whilst the majority of inspections was carried out according to the originally foreseen inspection planning, four inspections were re-scheduled for different duly justified reasons.

With the aim of providing Member States with the feedback from inspections, promote transparency and harmonise compliance monitoring methodologies, the Commission organised in March an inspection working group with the heads of the civil aviation security quality control departments of Member States.

1.1 Commission multiannual compliance monitoring

To provide the Commission with adequate reassurances on the compliance level of Member States, a multi-annual monitoring approach is used. Thus, evidence of the application of Regulation (EC) No 300/2008 and its implementing legislation by every Member State is obtained in a cycle of two years, either by means of an inspection of its appropriate authority or an inspection of at least one of its airports. In addition, evidence of the application of the common basic standards on aviation security is obtained in a cycle of five years by an unpredictable selection of at least 15% of all EU airports falling under Regulation (EU) No 300/2008 including the largest airport in terms of passenger volumes in every Member State.

As per the requirements of the framework Regulation, Member States have the primary responsibility for monitoring the compliance of the implementation of the common basic standards at airports, air carriers and entities responsible for security. The inspections carried out by the Commission at selected airports constitute a strong indicator of the overall compliance level in each Member State.

The frequencies and scope of Commission inspections are established in the DG MOVE strategy for monitoring the implementation of EU aviation security standards. It takes into consideration the aviation size of each Member State, a representative sample of the airport operations type, the standard of implementation of the aviation security regulations, results of previous Commission inspections, assessments of national annual quality control reports, security incidents (acts of unlawful interference), threat levels and other factors and assessments which affect the frequency of monitoring.

Since 2010, the compliance rate 2 identified during Commission inspections is around 80% (2010:80%, 2011:80%, 2012: 83%, 2013: 80%; 2014: 81%, 2015: 80%, 2016: 79%, 2017: 81%); however, the relatively stable figure does not mean that Member States have not increased their efforts; to the contrary, Member States' efforts in the field of aviation security have significantly increased, since the requirements have also increased over the years, in particular in such areas as cargo security, liquid and gel screening or the use of explosive trace detection.

2.Inspections of national appropriate authorities

The Commission continued its fifth cycle of inspections of appropriate authorities in 2017. In total, nine inspections of appropriate authorities were carried out during the year. For most Member States, these inspections showed significant improvements from previous inspections.

The deficiencies most commonly found in 2017 related to shortcomings in the implementation of the National Quality Control Programmes. Difficulties were detected in ensuring that airports, air carriers and regulated entities with security responsibilities update and maintain security programmes in line with Commission implementing regulations and decisions. In addition, some Member States did not monitor with the expected regularity foreign air carriers and did not fully apply some of the compliance monitoring methodologies required by the Regulation. This was the result of limited resources and an increased number of entities concerned. The majority of Member States inspected did, nevertheless, align National Aviation Security Programmes with the EU legislation, implemented mostly the requirements relating to security training, met the minimum frequency for inspecting security measures at airports and ensured that identified deficiencies were rectified within established timeframes.

3.Initial inspections at airports

Eighteen initial inspections of airports were conducted during 2017. All chapters were covered in accordance with the applicable areas of security in each airport. The overall percentage of core measures found to be in compliance in 2017 was 81%, approximately the same as in previous years. 3

After the eighth year of implementation of Regulation (EC) No 300/2008, the inspection results reflect the efforts made by appropriate authorities and the industry. The majority of security requirements stemming from this ambitious legislation were correctly implemented; the level of compliance for the most important areas of aviation security remained stable at around 80%. However, the effectiveness of the implementation of some measures still leaves room for improvement.

Most of the deficiencies found continued to stem from human factor issues. These mainly occured in the practical implementation of certain areas where the legal requirements are new or have significantly changed recently. In particular, some provisions relating to access control, screening of staff and screening of cabin baggage will require continued efforts by the appropriate authorities, industry stakeholders and the Commission. Aircraft security searches was another area were further efforts are necessary. These issues should be addressed through increased national quality control activities in the areas concerned.

2017 showed again high compliance levels in relation to screening of hold baggage, in-flight supplies, training and security equipment following relatively good results in 2015 and 2016 due to further increased awareness and practical experience with the revised implementing legislation which improved clarity and consistency of the measures.

4.Follow-up inspections

In accordance with Article 13 of Commission Regulation (EU) No 72/2010, as amended, the Commission routinely carries out a limited number of follow-up inspections. Such an inspection will be scheduled where several serious deficiencies have been identified during the initial inspection, but also on a random basis to verify that appropriate authorities have the powers necessary to require any identified deficiency to be rectified within set timeframes. Four such activities were carried out during 2017 and confirmed rectification of most of the identified deficiencies.

5.Assessments of Member States' ANNUAL QUALITY CONTROL Reports

Commission Regulation (EU) No 18/2010 of 8 January 2010 amending Regulation (EC) No 300/2008 of the European Parliament and of the Council as far as specifications for national quality control programmes in the field of civil aviation security are concerned requires under point 18 Member States to annually submit a report to the Commission on the measures taken to fulfil their obligations under this Regulation and on the aviation security situation at the airports located in their territory. The content of the report shall be in accordance with Appendix III using a template provided by the Commission.

The assessment of these reports, in addition to the Commission's regular inspections, constitutes a tool for the Commission to closely follow the implementation of robust national quality control measures allowing for swift detection and correction of deficiencies in each Member State.

The assessment includes the analysis of regular monitoring of airports, air carriers and other entities with aviation security responsibilities, levels of monitoring man-days spent in the field, scope and frequencies of a suitable mixture of compliance monitoring activities, national compliance levels, follow-up activities and use of enforcement powers.

The results of the assessment of the annual reports from 2017 showed significant improvements as compared to 2016 in the areas of regular monitoring, levels of monitoring man-days in the field and minimum frequencies. Areas such as scope of monitoring activities and enforcement measures used to ensure that identified deficiencies are rectified and do not recur seem to be solidly implemented as improvements verified in previous years have been sustained. at most of the Member States. However, the reports revealed that Member States have still difficulties in implementing testing of some of the security areas required to be covered by the Regulation.

The Commission sent a formal individual comprehensive evaluation to each Member State highlighting shortcomings or weaknesses and requested adequate rectification measures to be submitted by the Member State. The implementation of these action plans will be closely followed by the Commission and in case a Member State confirms the existence of the highlighted shortcomings or weaknesses and does not propose adequate rectification measures, formal action will be taken.

6.Assessments of third country airports

In the course of the year, an assessment of one US airport (Charlotte-Douglas International airport) was conducted in the framework of the Working Arrangement with the Transportation Security Administration of the USA established under the EU-US Air Transport Agreement 4 . Such assessments take regularly place in the context of One Stop Security and this assessment confirmed that the implementation of US security measures continues to be of an equivalent standard to the implementation of EU aviation security legislation.

In accordance with the principles contained in the 2015 Aviation Strategy for Europe, Directorate-General for Mobility and Transport (DG MOVE) together with the Singapore Ministry of Transport (MOT), worked intensely towards establishing One Stop Security between the EU and Singapore. In the context of establishing whether aviation security measures of the Republic of Singapore are equivalent to those required by the EU legislation, an assessment visit by the EU inspection team was conducted at Singapore Changi Airport (October 2017). The formalisation of the OSS should take place early 2018.

7.Open files, Article 15 cases and legal proceedings

Inspection files remain open until the Commission is satisfied that appropriate rectification action has been implemented. The duration of a file therefore depends upon the good cooperation of the concerned Member State. Thirty-two inspection files (twenty files concerning airport inspections and twelve concerning inspections of appropriate authorities) could be closed. In all, inspection files related to ten appropriate authorities and seventeen airports remained open at the end of the year.

If identified deficiencies in the implementation of security measures at an airport are considered to be serious enough as to have a significant impact on the overall level of civil aviation security in the Union, the Commission will activate Article 15 of Commission Regulation (EU) No 72/2010. This means that all other appropriate authorities are alerted to the situation and compensatory measures would have to be considered in respect of flights from the airport in question. No Article 15 case had to be initiated in 2017.

Regardless of whether or not Article 15 is applied, another available measure, particularly in cases of prolonged non-rectification or reoccurrence of deficiencies, is for the Commission to open infringement proceedings. In 2017, infringement proceedings were launched against two Member States incriminating the facts that the national quality control programme was insufficiently implemented and that revised versions of national security and national quality control programmes were not officially adopted.

PART TWO

The Legislation and supplementary tools

1.Legislation

Civil aviation remains to be an attractive target for terrorist groups and countering this threat requires ensuring the implementation of proportionate, risk based protective measures. The Commission and Member States are therefore constantly adjusting the mitigation measures in order to achieve the highest level of security while minimising adverse effects on operations.

In May 2017 the Commission adopted Regulation (EU) 2017/815 of 12 May 2017 amending Commission Implementing Regulation (EU) 2015/1998 as regards clarification, harmonisation and simplification of certain specific aviation security measures. Non public, need-to-know security provisions were introduced through the adoption of Commission Implementing Decision C(2017)3030 of 15 May 2017 amending Decision C(2015)8005 as regards clarification, harmonisation and simplification of certain specific aviation security measures.

The Commission also adopted Commission Implementing Regulation (EU) 2017/837 of 17 May 2017 correcting the Polish and Swedish language versions of Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security.

2.Union database on supply chain security (UDSCS)

The database of regulated agents and known consignors 5 has been the only legal primary tool to be used by regulated agents for consultation when accepting consignments from another regulated agent or from a known consignor since 1 June 2010. Since 1 February 2012, it has been extended to include the list of air carriers authorised to carry cargo and mail into the EU from third country airports (ACC3). In 2013, this database was legally extended to also contain the list of EU aviation security validators approved by the Member States. It was also renamed "Union database on supply chain security" 6 to better reflect the extended scope of its use. At the end of 2017 the database contained 14,000 records of regulated agents, known consignors, independent validators, ACC3 airlines, regulated suppliers, and third country regulated agents and known consignors. Its target availability rate of 99.5% was continuously met in 2017 as well.

PART THREE

Trials, Studies and New Initiatives

1.Trials

A 'trial' in the sense of the EU aviation security legislation is conducted when a Member State agrees with the Commission that it will use a particular means or method not recognised under the terms of the legislation to replace one of the recognised security controls, for a limited period of time on condition that such trial does not impact negatively on the overall levels of security. The term does not, in the legal sense, apply when a Member State or entity is conducting an evaluation of a new security control deployed in addition to one or more of those already covered by the legislation.

In the course of 2017, two trials conducted in the Netherlands and in France came to an end. These concerned the use of new generation screening equipment for cabin baggage that do not require the removal of laptops before screening and the use of shoe analysing equipment detecting both metal and explosive materials in combination with walk-through metal detection equipment and security scanners. Both trials delivered positive results and the one related to shoe analysing equipment will be considered for inclusion in an amendment to the legislation in 2018. No other trials were conducted or initiated in the course of 2017.

2.Studies and Reports

In October 2017, the Commission received a study 7 regarding the protection of landside areas at EU airports. The study analysed the measures taken at 11 European airports to protect the public areas, assessed their effectiveness and made recommendations, in particular regarding guidance, risk assessments and information sharing.

At the end of 2017, DG MOVE commissioned a Study on economic (and other benefits) of One Stop Security (OSS) to analyse economic and other benefits in the scope of existing OSS arrangements between the EU and the United States of America, the EU and Canada and the EU and Montenegro. If the study confirms the importance of the economic (and/or other) benefits that OSS entails, this could serve as additional incentive for continuing to work towards a global sustainability of aviation security and engage in OSS talks with our major partners. The study shall be completed in September 2018.

3.New Initiatives

Further progress was made regarding the roadmap for the development of technologies in aviation security. The roadmap sets various activities covering all aspects of security technology and methods and serves as reference for all European stakeholders involved in aviation security research.

In relation to cargo, the Commission continued to work closely with Member States in order to prepare the implementation of a regime for pre-loading advance cargo information (PLACI) analysis. In this context, cooperation with customs community continued in the context of the on-going international exercise undertaken within the joint ICAO/WCO Working Group on Advance Cargo Information where the Commission plays an active role participating with DG MOVE and DG TAXUD. Together with States and stakeholders, this exercise aims at reaching common agreed principles and possible standards and recommended practices to be adopted and implemented should a State or a Region decide to apply such concept in one or all business models in the field of air cargo and mail.

PART FOUR

Dialogue with International Bodies and Third Countries

1.    General

The Commission engages with international bodies and key trading partners and participation in associated international meetings, such as the annual meeting of the ICAO Aviation Security Panel, ensures that co-ordination of EU positions can be undertaken. Bilateral dialogue is held with certain third countries, such as the United States, Canada, Australia, Singapore, etc. which enable the Commission to build up a good understanding and high level of trust with countries taking a like-minded approach to aviation security.

2.    International bodies

The Commission participated in the annual meeting of the ICAO Aviation Security Panel (AVSECP/28) which took place in Montreal on 29 May – 2 June 2017 where the Global Aviation Security Plan (GASeP), a milestone in the AVSEC policies, has been presented and endorsed for its submission to the ICAO Council.

Following the 2016 ICAO Assembly Resolution A39-19 on Cybersecurity, the Commission participated at the ICAO Cybersecurity summit and exhibition, a joint safety and security event with the theme "Making sense of cyber" (Dubai, UAE, April 2017). DG MOVE presented the EU holistic approach on building up cyber strategy with multidisciplinary approach in mind in order to address and combat cyber threat in aviation. ICAO was invited to step up the challenge and address cyber security in aviation globally.

3.    Third countries

On 21 March 2017, the U.S. issued aviation security enhancements in what is called an Emergency Amendment/Security Directive (EA/SD), where air carriers operating flights from certain Countries to the U.S. were ordered not to carry electronic devices larger than a cell phone / smart phone in carry-on luggage. The UK implemented similar rules for UK bound flights from a limited number of Countries.

On 29 March 2017, Member States and the relevant services of the European Commission and EEAS (including the Intelligence and Situation Centre) met to discuss the risk situation in light of the restrictions introduced by the UK and US authorities. The Commission engaged in direct contacts with the US Authorities, followed by a series of technical meetings to discuss threat, vulnerability and risk. The parties agreed on the need to work jointly in enhancing aviation security and addressing together the threat in the medium/long-term.

On the basis of the robust security regime in place in the EU, a number of resulting EA/SD measures were absorbed by the existing EU measures, resulting in the Emergency Amendment having a reduced impact in the EU. Consultation and joint work EU-US is on-going on the matter, and the whole PEDs issue has been a useful opportunity to further strengthen dialogue and commitment to cooperate by the Parties.

At ICAO level, a Task Force to address the issue of the carriage of PEDs on board an aircraft was established with the strong support of the Member States and the Commission. The Task Force met in July in Paris and established a number of recommendations on how to mitigate the threat of concealed explosives without having to ban items like PEDs. Furthermore, ICAO established a Multidisciplinary Cargo Safety Group to consider the combined safety, security and facilitation aspects of this issue.

As in the past years, the Commission actively engaged on aviation security issues with the United States in a number of fora, in particular the EU-US Transportation Security Cooperation Group (TSCG). The TSCG aims at fostering co-operation in a number of areas of mutual interest and ensure the continued functioning of One Stop Security arrangements and of the mutual recognition of the respective air cargo and mail regimes of the EU and the U.S. Both initiatives save air transport operators time, cost, and operational complexity.

Regarding capacity building, the CASE Project 8 was adapted by offering new activities with the objective of better addressing the needs expressed by Partner States and the evolution of the threat picture. Furthermore a number of national activities – under the training component – were launched on a subregional basis. Main issues concerned the use of security equipment, the training of national auditors and a workshop on vulnerability assessments.

On the occasion of the Transport Dialogue with Singapore (June 2017), an Administrative arrangement was signed to show continuous commitment to make OSS between the EU and Singapore a reality. After a thorough process comprising of a table top exercise analysing Singapore aviation security legislation and a positive assessment visit of the Singapore Changi airport (October 2017), a draft legislative proposal has been prepared, consulted with Member States at the Aviation Security Regulatory Committee and submitted to the College of Commissioners (December 2017) 9 .

(1) Commission Implementing Regulation (EU) 2016/472 of 31 March 2016, JO L 85, p. 28

(2)      To ensure comparability and allow for an evaluation of compliance levels over time, the Commission uses a calculation method for its compliance indicator where only the main security requirements that are inspected most frequently are included in the calculation. These cover the requirements relating to airport security, aircraft security, passenger and cabin baggage security and hold baggage security. Security measures are clustered in sets of directly linked security requirements and assessed as a whole. A fixed weighing factor reflecting the level of implementation per cluster is then applied as follows;The overall compliance indicator for a given year is therefore the sum of the weighed factors divided by the number of classified sets of directly linked requirements.

(3)      See chapter 1.1.

(4)      OJ L134 of 25.5.2007, p.4

(5)      The Commission set up this database, the use of which is mandatory for actors in the supply chain through Regulation (EU) No 185/2010 and Decision C(2010) 774.

(6)      Commission Regulation (EU) No 1116/2013 of 6 November 2013, amending Regulation (EU) No 185/2010, OJ L 299 of 9.11.2013, p.1

(7)      The study was carried out by the consultant o&i.

(8) The EU-funded and ECAC-implemented Civil Aviation Security in Africa and the Arabian Peninsula Project (CASE) was launched in early 2016, for a duration of four years. Its purpose is to support the efforts of Partner States, in Africa and the Arabian Peninsula, to mitigate threats against civil aviation and to improve levels of compliance with international requirements, with a strong focus on quality control measures.

(9)     The final adopted act is the following: OJ L10/5, 13.1.2018; Commission Implementing Regulation (EU) 2018/55 of 9 January 2018 amending Implementing Regulation (EU) 2015/1998 as regards adding the Republic of Singapore to the third countries recognised as applying security standards equivalent to the common basic standards on civil aviation security (Text with EEA relevance. )