EU Cyber Resilience Act Guide for Avionics & Aerospace Systems Manufacturers

The CRA explicitly excludes products intended exclusively for national security, defence, and military purposes under Article 2(2). Manufacturers of purely military avionics systems are therefore outside CRA scope. However, dual-use avionics products — and commercial civil avionics sold under non-defence contracts — are in scope. This includes flight management system software, aircraft communication addressing and reporting systems (ACARS), avionics networking equipment, electronic flight bags (EFBs), ground-based maintenance software, and flight data monitoring systems sold commercially. Manufacturers of both military and civil product lines must carefully assess which of their products are exclusively for defence use and document this exclusion clearly. Products sold commercially through distribution channels with possible dual-use cannot claim the defence exclusion.

For commercially distributed avionics and aerospace software, Annex I imposes security-by-design obligations that must be reconciled with existing DO-326A and DO-356A airworthiness security processes. Required measures include: implementing access controls that prevent unauthorised modification of safety-critical parameters; ensuring software update mechanisms are authenticated and integrity-verified, consistent with DO-326A security risk assessment requirements; maintaining comprehensive SBOMs for all software components, including DO-178C-certified flight software; providing secure default configurations with documented hardening guidance; and implementing audit logging for all security-relevant operations in ground-based maintenance systems. For embedded avionics products, the Annex I requirement to support security updates must be balanced against EASA supplemental type certificate (STC) requirements for in-service modifications.

Article 13 requires aerospace manufacturers to publish a coordinated vulnerability disclosure policy for commercially distributed products in scope. The aerospace sector has well-established safety reporting mechanisms — Mandatory Occurrence Reporting (MOR) under EU 376/2014 — but these address safety events rather than cybersecurity vulnerability reports. A dedicated CVD policy must exist alongside safety reporting, handling security researcher reports, penetration test findings, and third-party vulnerability intelligence. The CVD policy must specify: a dedicated security reporting contact separate from safety reporting channels; acknowledgment and response timelines; and a process for coordinating with EASA and ENISA where a security vulnerability has potential safety implications. Manufacturers should document the interaction between CVD and safety reporting processes to ensure vulnerabilities with dual safety/security relevance are handled through both channels.

Article 14 requires notification to the relevant national CSIRT within 24 hours of confirmed active exploitation. For avionics products, active exploitation of a cybersecurity vulnerability may simultaneously trigger EASA safety reporting obligations if the exploitation could affect airworthiness. Manufacturers must establish incident response procedures that coordinate between cybersecurity teams and safety/airworthiness teams, ensuring that the 24-hour CSIRT notification and any concurrent EASA occurrence report are consistent and mutually referenced. Pre-established relationships with EASA's cybersecurity team and national aviation authority cybersecurity contacts will facilitate rapid multi-channel notification. The 14-day detailed incident report required by Article 14 should document the safety assessment performed alongside the cybersecurity impact analysis.

Safety-critical avionics products placed on the commercial market are likely Class II under Annex III, requiring notified body assessment. Ground support software, maintenance information systems, and flight data monitoring platforms may qualify as Class I, permitting self-declaration. For Class II products, manufacturers should consider whether notified bodies with aerospace domain expertise are available — the intersection of CRA conformity assessment and avionics knowledge requires assessors who understand both regulatory frameworks. The CRA technical file must include a cybersecurity risk assessment that cross-references the DO-326A airworthiness security process and IASAS (Information Assurance Security Assessment) documentation where applicable. This cross-referencing approach leverages existing EASA compliance documentation to reduce duplicated effort.