EU 2017/373

Regulation (EU) 2017/373 is the backbone of European ATM/ANS service-provision oversight. Adopted on 1 March 2017 and applicable from 2 January 2020, it lays down the common requirements for providers of air traffic management and air navigation services, and for the competent authorities that certify and oversee them.

For any organisation seeking, holding or extending an ATM/ANS certificate in the EASA system, 2017/373 is the regulation against which you will be assessed. It repealed and consolidated the earlier 1034/2011, 1035/2011 and 482/2008 instruments into a single, structured framework — and understanding its architecture is the first step to a successful certification.

2017/373
Common requirements for ATM/ANS providers
13 Annexes
Part-Definitions through Part-PERS
Applicable
2 January 2020

Regulatory scope

The Regulation applies to providers of air traffic services (ATS), meteorological services (MET), aeronautical information services (AIS), communication, navigation and surveillance services (CNS), air traffic flow management (ATFM), airspace management (ASM), procedure design and data services, as well as to the Network Manager. It also defines the oversight tasks of National Competent Authorities (NCAs) and the Agency. In short, if you provide a service or function within the European ATM network for general air traffic, 2017/373 almost certainly applies to you.

Key articles and annexes

The main body of the Regulation — Articles 1 to 10 — sets out subject matter, definitions, the obligation to be certified (Article 3), the role of the competent authority (Articles 4 and 5) and the certification mechanism (Article 6). The substantive requirements then sit across thirteen annexes:

  • Annex I — Part-Definitions
  • Annex II — Part-ATM/ANS.AR: requirements for competent authorities (oversight)
  • Annex III — Part-ATM/ANS.OR: common requirements for all service providers, including the management system (Subpart B) and the change process (ATM/ANS.OR.A.045)
  • Annex IV — Part-ATS: specific requirements for air traffic services providers
  • Annexes V–XIII — Part-MET, Part-AIS, Part-DAT, Part-CNS, Part-ATFM, Part-ASM, Part-ASD (procedure design), Part-NM and Part-PERS (personnel training and competence)

The structure matters: a provider must comply with Subparts A and B of Part-ATM/ANS.OR and with Part-PERS as a baseline, and then with the additional annexes relevant to the specific services it delivers.

Part-IS — information security integrated into the safety system

Under Commission Implementing Regulation (EU) 2023/203 (‘Part-IS’), ATM/ANS providers must establish and maintain an information security management system (ISMS) that addresses information security risks with a potential impact on aviation safety, and integrate it with their existing safety management arrangements under 2017/373. In practice this means information security risk identification and assessment, information security incident detection, response and reporting, and explicit links between Part-IS findings and the change-management and safety-assurance processes in ATM/ANS.OR. The expectation is one coherent management system — not a parallel cyber programme bolted on the side. AVISU has supported providers in scoping their ISMS, mapping it onto the existing 2017/373 management system and producing the evidence the National Competent Authority needs to see during oversight.

What compliance demands

At its heart, 2017/373 is a management-system regulation. Certification is not a one-off document exercise; it requires a functioning, evidenced and continuously maintained management system covering safety, security, quality, human resources and the safe management of change to the functional system. In practice, the most demanding elements are a credible Safety Management System aligned with ICAO Annex 19, a robust change-management process under ATM/ANS.OR.A.045 that demonstrates the acceptable safety of each change before it is introduced, and the technical and operational competence required by ATM/ANS.OR.B.001. Evidence, traceability and the ability to satisfy your NCA throughout the certificate’s life are what separate a smooth certification from a costly one.

How AVISU helps

AVISU is one of the few consultancies to have supported the complete certification lifecycle of an entire ATM service delivery. We bring operational and safety credibility, not theory.

  • Gap analysis of your organisation against Part-ATM/ANS.OR and the relevant service-specific annexes.
  • Design and population of a compliant management system, including safety, change and competence frameworks.
  • Development of safety cases and change submissions under ATM/ANS.OR.A.045, including FHA, PSSA and SSA.
  • Preparation for, and support through, NCA certification audits and findings closure.
  • Part-PERS training and competence-assessment scheme design.
  • Part-IS compliance under Regulation (EU) 2023/203 — ISMS scoping, risk assessment and integration with the existing 2017/373 safety system.
  • Ongoing oversight readiness so your certificate remains robust between audits.

Get in Touch

For more information on our services, speak to one of our experts on 01463 554024 or email contact@avisu.co.uk.