This blog is written for organisations and professionals navigating the evolving regulatory landscape for drones in critical sectors, offering insights into how new UK, EU, and US standards are shaping UAV cyber security requirements.

The rapid expansion of drone technology is reshaping whole industries such as defence, critical infrastructure, and emergency services;, however, this expansion demands an equally fast response in regulatory oversight, especially concerning cybersecurity and supply chain integrity. In the UK and Europe, regulatory developments are intensifying as lawmakers respond to the risks and potential vulnerabilities drones introduce, there’s also the additional influences of established US frameworks, such as the Blue UAS and Green UAS programs that are worth considering and will be explored below. These programs in the U.S. prevent certain foreign technologies, including semiconductors from restricted nation-states, from being used in drones within national security, defence, and critical infrastructure.

The Current Regulatory Landscape

European NIS2 Directive

The NIS2 Directive aims to strengthen cybersecurity across the EU, focusing on sectors of essential services, including energy, transport, and digital infrastructure (critical infrastructure). Enacted in early 2023, NIS2 mandates all EU member states to integrate these standards into national laws by October 2024.

This directive potentially imposes stringent cybersecurity standards for industries using ‘connected’ drones in critical infrastructure, including risk management protocols, vulnerability assessments, and mandatory incident reporting within 24-72 hours. NIS2, while not UAV-specific, brings drones under its scope in any industry where they serve critical functions.

UK Cyber Security and Resilience Bill

The UK Cyber Security and Resilience Bill is a significant upcoming regulation expected to come into force in 2025. This bill will likely include strict cybersecurity guidelines, secure supply chain
requirements, and reporting mandates for sectors where drones are increasingly deployed such as
transport, energy, and health.. Though details are still unfolding, this bill reflects the UK’s alignment with EU cybersecurity standards and will become a pivotal law for any organisation using UAVs in critical sectors.

EU Cyber Resilience Act (EU CRA)

The EU Cyber Resilience Act passed in 2023 and anticipated to be enforceable by 2025, sets requirements for the cybersecurity of connected devices across industries. Though not UAV-focused, it covers all devices communicating within a network, including drones used in sensitive sectors. The CRA mandates secure-by-design principles, continuous patching, and risk assessments throughout a device’s lifecycle, ensuring that UAVs used in critical industries maintain a high level of cybersecurity.

The US Influence: Blue UAS and Green UAS Programs

The Blue UAS and Green UAS programs, led by the U.S. Defense Innovation Unit (DIU) and the Association for Uncrewed Vehicle Systems International (AUVSI), set high security and sourcing standards for drones in U.S. defence and critical infrastructure. Specifically, they ensure that drones meet rigorous cybersecurity and supply chain requirements, preventing drones containing semiconductors and components from restricted nation-states from entering US markets for national security uses. The focus on sourcing transparency and third-party testing reduces the risk of foreign influence and data compromise.

Driven by similar national security and geopolitical concerns, the UK and Europe are gradually adopting comparable standards, recognising the importance of secure sourcing and strong threat mitigation as drones take on increasingly critical roles in high-stakes sectors.

Emerging Regulatory Trends and Geopolitical Impacts

The UK and EU are intensifying regulatory efforts to secure UAVs, driven by geopolitical tensions, technological advances, and the growing role of drones in critical sectors. Key trends include:

• Enhanced Cybersecurity Requirements: With drones playing critical roles, the UK and EU are focusing on cybersecurity standards that require vulnerability assessments, real-time monitoring, and advanced threat detection.
• Supply Chain Security: Reflecting the U.S. programs, the UK and EU are pushing for transparency in supply chains, especially to prevent drones from relying on components sourced from certain foreign suppliers. This approach minimises the risk of nation-state influence and helps ensure the operational integrity of drones.
• Mandatory Incident Reporting: Both the UK’s Cyber Security and Resilience Bill and the EU’s NIS2 Directive emphasise quick incident reporting, allowing industries to address cybersecurity breaches before they escalate. This shift helps secure cross-border operations and ensures a unified response to potential threats.

Preparing for Future UAV Regulations

To stay compliant and competitive, organisations leveraging drones in critical sectors should take proactive steps to prepare for incoming regulatory requirements, these include:

• Comprehensive Cybersecurity Assessment: Assess UAV operations for cybersecurity vulnerabilities, implementing robust threat detection and response measures when out in the wild, as well as on return from operation.
• Supply Chain Vetting: Verify that UAV components are sourced from compliant, secure suppliers. Emulate the US approach of sourcing restrictions to avoid risks associated with components from restricted nation-states.
• Enhanced Incident Reporting Capabilities: Set up protocols for prompt incident reporting,
  ensuring compliance with NIS2, the Cyber Resilience Act, and the UK Cyber Security and Resilience Bill’s upcoming requirements.

Conclusion

The demand for secure, resilient drone operations will only increase as regulations continue to evolve, positioning UAVs as crucial assets that must adhere to the highest security standards. As the UK and EU approach US-level security measures for drones, the regulatory environment is becoming more stringent, driven by cybersecurity concerns and global political shifts. With frameworks like the NIS2 Directive and Cyber Resilience Act coming into enforcement within the next year or so, UAV operators across critical sectors should look to prioritise cybersecurity, secure sourcing, and compliance now to stay ahead and maintain seamless business operations.

Qomodo is an ARPAS-UK Member.

Email: contact-us@qomodo.io

Click here for more ARPAS-UK Member Success Stories & Blogs.

11 November 2024