What is DO-326A / ED-202A and what is its legal status?

DO-326A (RTCA) and ED-202A (EUROCAE) are the harmonised Airworthiness Security Process Specification, published jointly in 2014 by the two standardisation bodies. They define the process by which intentional unauthorised electronic interaction with airborne systems is assessed and mitigated within the airworthiness certification of an aircraft, engine, or appliance. The documents are not regulations in themselves; they are Means of Compliance accepted by EASA through CRI F-19 historically, and by both EASA and the FAA through the new CS 25.1319 and Part 25 Section 25.1319 provisions in force since August 2024 (Amendment 25/29 on the EASA side). Their use becomes binding through the certification basis of a programme, in the same way that DO-178C and DO-254 are binding for software and electronic hardware.

How does DO-326A fit with DO-178C and DO-254?

DO-326A operates at the same system level as ARP4754A and ARP4761A, one layer above DO-178C and DO-254. It produces a Security Risk Assessment (SecRA) using a TARA (Threat Analysis and Risk Assessment) framework, identifies threat scenarios analogous to failure conditions in safety, and allocates security measures to the architecture. Those security measures are then implemented as requirements that flow into the software life cycle (DO-178C) and the electronic hardware life cycle (DO-254). The two pipelines must be co-developed, not sequenced. A late security pass commonly invalidates safety partitioning decisions taken under ARP4754A and forces re-architecture.

What is the difference between DO-326A and DO-355A?

DO-326A / ED-202A covers airworthiness security as a development and certification process: it produces evidence consumed by the type certification authority before entry into service. DO-355A / ED-204A covers Information Security Guidance for Continuing Airworthiness, that is, the operational phase after type certification: software part loadable updates, vulnerability monitoring, security operations centre interfaces, configuration management of the in-service fleet. The two are complementary and both are usually invoked in the certification basis, but they have distinct scopes and produce distinct deliverables. ED-204A was revised in 2022 to align with the maturity of in-service cybersecurity practice.

What is the role of DO-356A / ED-203A?

DO-356A / ED-203A, Airworthiness Security Methods and Considerations, published in 2018, is the methods companion to DO-326A / ED-202A. Where DO-326A defines the process and the required outputs, DO-356A provides the technical methods: how to conduct a TARA, how to score attacker capability across the basic, enhanced, high, and extended levels, how to structure security verification, how to demonstrate the effectiveness of security measures. A programme rarely invokes DO-326A without DO-356A; they operate as a pair, similar to the ARP4754A / ARP4761A pairing on the safety side.

Which documents are required in a DO-326A certification dossier?

The core deliverables are the PSecAC (Plan for Security Aspects of Certification), the contractual interface with the authority; the SecRA (Security Risk Assessment), which documents the TARA and the residual risk; the Security Architecture Document, which describes the security measures embedded in the system architecture; the SecVer Plan and SecVer Reports, which describe and record the security verification activities (penetration testing, code review, analysis); and the Security Compliance Summary, which consolidates the compliance demonstration at the end of the cycle. For continuing airworthiness, the DO-355A / ED-204A deliverables are added: in-service security plan, vulnerability handling process, configuration management of loadable software parts.

How are threat scenarios classified and severity-mapped?

DO-326A maps threat scenarios to the same failure-condition classification used by ARP4761A on the safety side: Catastrophic, Hazardous, Major, Minor, No Safety Effect. A successful cyberattack scenario that causes a Catastrophic failure condition drives the most stringent security objectives, in the same way that a Catastrophic failure condition drives DAL A on the safety side. Attacker capability is scored separately through a TARA framework with four standard levels (basic, enhanced, high, extended), reflecting the resources, skills, and access required to execute the scenario. The combination of failure-condition severity and attacker capability drives the strength and independence requirements on the security measures.

When must the PSecAC be submitted to the authority?

The PSecAC is part of the certification basis interface, and authorities expect it early in the programme, typically at or before PDR (Preliminary Design Review) and certainly no later than CDR (Critical Design Review). A missing PSecAC at CDR is one of the most common findings during the airworthiness security review, because the document defines the security process the applicant will follow and therefore conditions all downstream evidence. EASA has historically issued CRI F-19 to formalise the security certification basis on programmes predating CS 25.1319; under CS 25.1319, the airworthiness security process is now part of the default certification basis for new aircraft and major changes, without needing a CRI.

How does CS 25.1319 (since 2024) change the obligation?

Before August 2024, airworthiness security was handled programme-by-programme through Special Conditions or CRIs (such as F-19 on the EASA side, individual Special Conditions on the FAA side for the 787, A350, etc.). The new CS 25.1319 on the EASA side (Amendment 25/29 effective August 2024) and the corresponding 14 CFR Part 25 Section 25.1319 on the FAA side make airworthiness security a default requirement for new large aeroplanes and major changes. In practice this means a security risk assessment, security measures, and security verification are mandatory deliverables in the certification basis, with DO-326A / ED-202A and DO-356A / ED-203A as the accepted Means of Compliance. CS-29 and Part 29 carry equivalent provisions for civil rotorcraft.

DO-326A and ED-202A: avionics cybersecurity airworthiness

Author Hugues Orgitello Last updated 27 May 2026 ~10 min read

Guide - Avionics cybersecurity airworthiness

Civil avionics cybersecurity is no longer a Special Condition tacked onto individual programmes. With CS 25.1319 (EASA Amendment 25/29, effective August 2024) and the corresponding 14 CFR Part 25 Section 25.1319 on the FAA side, airworthiness security is now a default certification requirement for new large aeroplanes and major changes, with DO-326A / ED-202A as the accepted process Means of Compliance and DO-356A / ED-203A as the methods companion. The framework reaches further: DO-355A / ED-204A governs the continuing airworthiness side (in-service patching, vulnerability handling), and DO-392 / ED-205A extends the same logic to ATM/ANS ground systems. This guide maps the document set, the regulatory anchors, the certification deliverables (PSecAC, SecRA, Security Architecture, SecVer, Security Compliance Summary), the TARA framework, the failure-condition mapping to attacker capability, the articulation with DO-178C and DO-254 on the safety side, and the recurring pitfalls observed during certification reviews.

The document set: who publishes what

The airworthiness security framework is structured by RTCA on the US side and EUROCAE on the European side, with each document published in a harmonised pair so that one specification serves both regulators.

RTCA reference	EUROCAE counterpart	Scope	First publication
DO-326A	ED-202A	Airworthiness Security Process Specification	2014
DO-356A	ED-203A	Airworthiness Security Methods and Considerations	2018
DO-355A	ED-204A	Information Security Guidance for Continuing Airworthiness	2014, revised (ED-204A, 2022)
DO-392	ED-205A	Cybersecurity Process Standard for ATM/ANS Ground Systems	recent

These four documents operate as a coherent set. DO-326A defines the process: what activities must occur, what artefacts must be produced. DO-356A defines the methods: how to conduct each activity, how to score attacker capability, how to structure verification. DO-355A defines the continuing airworthiness layer: what happens after type certification, when the aircraft enters service and faces evolving threats. DO-392 extends the framework to ground-side ATM/ANS systems.

A type certification programme today typically invokes DO-326A and DO-356A together for the airborne side, with DO-355A invoked separately for in-service maintenance. None of the documents replaces the others.

Regulatory anchors

EASA: from CRI F-19 to CS 25.1319

Before 2024, EASA managed airworthiness security on a programme-by-programme basis through Certification Review Items, the most common of which was CRI F-19, Airworthiness Security. The CRI imposed DO-326A / ED-202A as the Means of Compliance and listed the deliverables expected.

EASA Amendment 25/29, effective August 2024, introduced CS 25.1319, Equipment, systems and installations - aeroplane intentional unauthorised electronic interaction. The new paragraph elevates airworthiness security to a default CS-25 requirement: any new large aeroplane and any major change submitted under CS-25 must include the corresponding security assessment in the certification basis, without a CRI being needed to introduce it. CS-29 carries the equivalent provision for civil rotorcraft.

The acceptable Means of Compliance pointed to are DO-326A / ED-202A (process), DO-356A / ED-203A (methods), and ED-204A (continuing airworthiness).

FAA: 14 CFR Part 25 Section 25.1319 and AC 119-1

On the FAA side, individual programmes had historically been handled through Special Conditions issued under 14 CFR 21.16 for the Boeing 787, the Airbus A350, and other systems with high integration of e-Enabled functions. The 2024 update incorporates 14 CFR Part 25 Section 25.1319 with substantively equivalent content to CS 25.1319, making airworthiness security a default Part 25 requirement.

AC 119-1, Airworthiness and Operational Authorization of Aircraft Network Security Program (ANSP), provides operator-side guidance on the continuing-airworthiness aspects, complementing the type-certification view.

Civil rotorcraft and engines

Aircraft type	Specification	Security provision
Large aeroplanes (transport category)	CS-25, 14 CFR Part 25	CS 25.1319 / Part 25 Section 25.1319
Large rotorcraft	CS-29, 14 CFR Part 29	CS 29.1319 / Part 29 Section 29.1319 equivalent
Engines	CS-E, 14 CFR Part 33	covered via system integration on the airframe side
Small aeroplanes	CS-23	airworthiness security on a case-by-case basis through Special Conditions

Process layers: parallels with DO-178C / DO-254 safety

DO-326A mirrors the safety pipeline of ARP4754A and ARP4761A at system level, with security replacing safety. The two pipelines are co-developed.

Safety side (ARP4761A)	Security side (DO-326A)	Output
FHA (Functional Hazard Assessment)	TARA (Threat Analysis and Risk Assessment)	Identification of failure conditions / threat scenarios
Failure condition severity (Cat / Haz / Maj / Min / NSE)	Threat scenario severity (same five-tier scale)	Allocation of assurance level / security measures
PSSA (Preliminary System Safety Assessment)	Preliminary SecRA	Architecture-driven assessment, mitigation allocation
SSA (System Safety Assessment)	Final SecRA	Compliance demonstration, residual risk
Safety architecture (partitioning, redundancy, dissimilarity)	Security architecture (segregation, defence in depth)	Architectural decisions implemented in software / hardware
Verification of safety properties	SecVer (pen test, code review, analysis)	Verification evidence

The conceptual symmetry is deliberate. DO-326A reuses the failure-condition vocabulary of ARP4761A so that security and safety assessments can be cross-referenced. A threat scenario that leads to a Catastrophic outcome drives the same severity tier as the equivalent safety failure condition, and therefore the most stringent security measures and verification effort.

Failure-condition mapping for threat scenarios

Failure condition class	Effect on aircraft / occupants	Security implication
Catastrophic	Aircraft loss, multiple fatalities	Highest security measures, deepest verification, independence required
Hazardous	Large reduction of safety margins, serious injury	High security measures, structured verification
Major	Significant reduction of safety margins, occupant discomfort	Moderate security measures
Minor	Slight reduction of safety margins, minor inconvenience	Light security measures
No Safety Effect (NSE)	No safety consequence	No specific airworthiness security objective

TARA: Threat Analysis and Risk Assessment

DO-356A defines the TARA framework that underpins the SecRA. The TARA structures the analysis around four standard attacker-capability tiers.

Attacker capability tier	Characterisation
Basic	Limited resources, off-the-shelf tools, no insider knowledge
Enhanced	Skilled attacker, public exploit toolchains, some target knowledge
High	Organised group, custom tooling, persistent access, targeted reconnaissance
Extended	Nation-state level resources, supply chain access, multi-vector campaigns

A threat scenario is then characterised by:

the assets at risk (data, function, integrity, availability),
the attack path (entry point, propagation, target),
the failure condition triggered if the scenario succeeds,
the attacker capability required,
the likelihood given the capability and exposure,
the residual risk after security measures are applied.

The TARA is refreshed at each major design milestone and after any change that affects the attack surface (architecture change, new external interface, supplier substitution). Missing a TARA refresh after a software update is a frequent finding during continued airworthiness reviews.

Asset classification

Assets are classified by the criticality of the failure condition they would trigger if compromised, not by their intrinsic technical category. A simple log file may be Catastrophic-critical if its tampering masks an attack on a flight-critical function, while a complex display subsystem may be only Minor-critical if its corruption does not propagate to flight-critical systems. The TARA logic is consequence-driven, not technology-driven.

Required plans and deliverables

DO-326A imposes a defined set of plans, analyses, and summaries, mirroring the documentary structure of DO-178C on the software side.

Plans

Deliverable	Purpose
PSecAC (Plan for Security Aspects of Certification)	Contractual interface with the authority; describes the security process, the standards applied, the deliverables, the schedule, the organisation. Equivalent of the PSAC in DO-178C.
Security Verification Plan (SecVer Plan)	Describes the verification strategy: penetration testing, code review, fuzzing, static analysis, security analysis. Equivalent of the SVP.
Security Risk Assessment Plan	Describes the methodology to conduct the TARA and the SecRA.

Analyses and verification

Deliverable	Content
SecRA (Security Risk Assessment)	TARA, threat scenarios, attacker capability, residual risk, security measures and their allocation
Security Architecture Document	Description of security measures embedded in system architecture: segregation, cryptography, authentication, defence in depth
SecVer Reports	Records of verification activities, with traceability to security objectives
Security Compliance Summary	Consolidation of evidence at the end of the cycle, equivalent of the SAS for software

Continuing airworthiness (ED-204A)

Deliverable	Content
In-Service Security Plan	How the security posture is maintained after entry into service
Vulnerability Handling Process	Discovery, assessment, response, communication with operators
SOC interfaces	Security Operations Centre engagement, monitoring, incident response
Configuration management	Software part loadable updates, signing, deployment, rollback

Interface with safety: co-development, not sequence

The most frequent architectural error is treating security as a downstream addition to a safety-assessed architecture. Security measures (cryptographic isolation, authentication, intrusion detection, audit logging) often introduce new failure modes that need their own safety assessment under ARP4761A. Conversely, safety partitioning decisions (e.g. ARINC 653 partitioning under DO-178C) often constrain the placement of security measures.

The two pipelines must be co-developed:

joint system architecture review with safety and security teams,
shared failure-condition catalogue, so that a threat scenario can be checked against an existing safety failure condition,
shared architectural rationale, with explicit justification when a security measure changes a safety partitioning decision,
joint verification planning, to avoid duplicated test campaigns and conflicting test environments.

For the safety side that DO-326A interfaces with, see DO-178C and DO-254 and the broader risk assessment framework in ISO 14971, IEC 31010, FMEA, FTA.

DO-326A versus DO-355A / ED-204A: scope boundary

These two documents are routinely confused in scoping discussions, because both carry the word security. They occupy different layers of the certification lifecycle.

Aspect	DO-326A / ED-202A	DO-355A / ED-204A
Phase	Type certification (before entry into service)	Continuing airworthiness (after entry into service)
Audience	Type certificate applicant	Operator, maintainer, software part loadable supplier
Output	Security Compliance Summary, certification basis evidence	In-service security plan, vulnerability handling process
Authority interaction	EASA / FAA certification team	EASA / FAA continued airworthiness oversight
Companion methods	DO-356A / ED-203A	Operator-side AC 119-1 and equivalents

A common scoping error is treating DO-326A as covering in-service patching, which it does not. The in-service layer is the responsibility of ED-204A and the operator-side guidance.

DO-326A versus ISO 27001: not interchangeable

A second common confusion is mapping DO-326A objectives to ISO/IEC 27001 controls. The two frameworks have different vocabularies and different scopes:

ISO 27001 is an organisational ISMS standard: it certifies that an organisation manages information security at the management-system level, with risk-based controls applied across the enterprise.
DO-326A is a product / aircraft airworthiness security process: it produces evidence on a specific type design, with security measures implemented in the airborne system itself.

A supplier holding ISO 27001 certification on its corporate IT does not satisfy DO-326A objectives on a specific aircraft programme. Conversely, DO-326A compliance on a programme says nothing about the supplier's enterprise security posture. The two can coexist (and often must) but they do not substitute.

For the enterprise cybersecurity baselines on the corporate IT side, see CMMC and UK Cyber Essentials.

Programme integration: when to do what

Milestone	Security activity	Output
Concept	Preliminary threat identification, security scope definition	Input to ARP4754A allocation
PDR (Preliminary Design Review)	First version of PSecAC, preliminary TARA, preliminary SecRA	PSecAC v1, preliminary SecRA
CDR (Critical Design Review)	PSecAC finalised, security architecture frozen, security measures allocated	PSecAC final, Security Architecture Document
TRR (Test Readiness Review)	SecVer Plan executed, evidence collected	SecVer Reports
Certification	Security Compliance Summary submitted with type certification dossier	Security Compliance Summary
Entry into service	Switch to ED-204A continuing airworthiness regime	In-Service Security Plan active
Post-EIS update	TARA refresh after any change affecting attack surface	Updated SecRA, updated SecVer Reports as needed

Missing the PSecAC at CDR is the single most cited finding in early airworthiness security reviews, because the document is the contractual interface that defines the process to be followed. Without it, no downstream evidence can be assessed.

Frequent pitfalls

Pitfall	Consequence
Treating cybersecurity as a bolt-on after the safety architecture is frozen	Late re-architecture, partitioning decisions invalidated, programme slip
Missing PSecAC at CDR	Authority finding, security process undefined, downstream evidence unassessable
Confusing DO-326A (airworthiness) with DO-355A / ED-204A (continuing airworthiness)	In-service patching process missing or under-resourced
Mapping DO-326A objectives one-to-one to ISO 27001 controls	Vocabulary mismatch, gaps in airworthiness coverage
No TARA refresh after a software update or supplier change	Stale SecRA, residual risk under-estimated, finding during surveillance
No SOC plan or interface for ED-204A continuing airworthiness	In-service vulnerability cannot be triaged or responded to
Confusing attacker capability tiers with safety DAL	Security measures over-engineered or under-engineered relative to the actual threat
Sequencing security verification after safety verification	Conflicting test environments, duplicated effort, late discovery of architectural conflicts
Ignoring CS 25.1319 default applicability post-August 2024	Filing without security deliverables, certification basis rejected
Treating ground-side and airborne-side cybersecurity as a single document set	DO-392 / ED-205A scope missed for ATM/ANS ground systems

Going further

DO-178C and DO-254, airborne software and hardware: the safety-side pipelines that DO-326A interfaces with at system level
Risk management, ISO 14971, IEC 31010, FMEA, FTA: the broader risk-assessment families
CMMC and UK Cyber Essentials: corporate cybersecurity baselines, distinct from product airworthiness security
Glossary: definitions of PSecAC, SecRA, TARA, ED-202A, ED-203A, ED-204A, CRI