(Draft) Commission Delegated Regulation (EU) .../... of 19 December 2024 amending Commission Regulation (EU) 2022/1645 as regards information security requirements for organisations providing ground handling services
Management of information security risks for aviation: amending provisions
Draft Commission Delegated Regulation sent to the European Parliament and the Council for clearance on 19.12.2024
Background
(from the Commission Regulation)
(1) Regulation (EU) 2018/1139 establishes the essential requirements for the safe provision of ground handling services and organisations providing them, as well as requirements for oversight by competent authorities of those organisations and the ground handling services provided at the Union aerodromes within the scope of that Regulation.
(2) In accordance with the essential requirements set out in Annex VII, point 4.2.1, to Regulation (EU) 2018/1139 and with Commission Delegated Regulation (EU) 202X/XXX4 [OP: please insert reference to C(2024) 8926], organisations responsible for the safe provision of ground handling services are to implement and maintain a management system to manage safety risks. Such safety risks may derive also from information security threats. The risks of this nature should be properly addressed by organisations providing GH services. To enable this, the scope of Regulation (EU) 2022/1645 should be amended to include organisations providing ground handling service.
(3) Organisations subject to Regulation (EU) 2022/1645 such as the ground handling organisations and the organisations providing apron management services operate under a declaration regime. This implies that their management system or any of its components do not need to be approved by their competent authorities. The same regime should allow these organisations to apply the information security provisions without being required to have their information security management manual or the process to manage changes approved by the competent authority. The requirements related to these elements should be amended to reflect this exemption for the declaring organisations.
(4) Organisations covered by this Regulation that are already subject to security requirements arising from Implementing Regulation (EU) 2015/1998 should also comply with the requirements of Annex I (Part IS.D.OR.230 ‘Information security external reporting scheme’) to Regulation (EU) 2022/1645 as Implementing Regulation (EU) 2015/1998 does not contain any provisions related to external reporting of information security incidents.
(5) The requirements laid down in this Regulation are based on Opinion No 01/2024, issued by the Agency in accordance with Article 75(2) points (b) and (c) and Article 76(1) of Regulation (EU) 2018/1139.
(6) In accordance with Article 128(4) of Regulation (EU) 2018/1139, the Commission consulted experts designated by each Member State in accordance with the principles laid down in the Inter-institutional Agreement of 13 April 2016 on Better Law-Making.
(7) In order to provide organisations with sufficient time to ensure compliance with the new rules and procedures introduced by this Regulation, this Regulation should apply from 6 years after the date of entry into force,