Modern aircraft are networked systems. Flight management computers talk to ground stations, electronic flight bags sync with airline infrastructure, and maintenance laptops plug directly into avionics buses. Every connection point is a potential attack surface, and regulators have responded. Their response is DO-326A.

If you've been told you need to comply with DO-326A and you're trying to work out what that actually means, this is the starting point.

What DO-326A is

DO-326A is the aviation industry's process specification for protecting aircraft and systems from deliberate cyber interference. Its full title is Airworthiness Security Process Specification, published by RTCA. Its European counterpart, published by EUROCAE, is ED-202A. The two are technically identical and are routinely cited together as DO-326A / ED-202A.

It is the recognised means of compliance for cyber airworthiness in the US, Europe, and the UK.

Why it exists

Aviation safety standards spent decades focused on accidental failure. DO-178C addressed software faults. DO-254 addressed hardware failures. ARP4754A integrated them at system level. None addressed deliberate interference.

That gap mattered less when aircraft were closed systems. As airframes became networked, with ground stations, satellite links, passenger connectivity, and maintainer devices all in scope, the attack surface grew accordingly. DO-326A introduces a precise term for the threat: Intentional Unauthorised Electronic Interaction (IUEI). The entire standard is built around identifying, assessing, and mitigating IUEI throughout an aircraft's design lifecycle.

A short history

What began as voluntary guidance in 2010 became a mandatory means of compliance within a decade.

The seven-step Airworthiness Risk Management Framework

DO-326A defines a seven-step process that runs alongside the rest of a certification programme:

  1. Plan for Security Aspects of Certification (PSecAC). Agree the security plan with the regulator.
  2. Security Scope Definition. Define what's in scope, including the security perimeter and operating environment.
  3. Security Risk Assessment. Identify threats, vulnerabilities, and potential impact.
  4. Risk Acceptability. Determine which risks are tolerable and which require mitigation.
  5. Security Development. Design and implement the security architecture and controls.
  6. Security Effectiveness Assurance. Verify and validate that those controls work.
  7. Communication of Evidence (PSecAC Summary). Package the evidence for the regulator.

These seven steps generate fourteen specific artefacts. Together they form the evidence package submitted for certification, covered in detail in a separate piece.

Where DO-326A sits in the wider document family

DO-326A is the framework. Its companion standards, DO-355 and DO-356 (cited alongside it in the regulatory references below), provide the methods and the lifecycle coverage.

Who needs to comply

EASA has embedded cyber security requirements across CS-25, CS-23, CS-27, CS-29, CS-E, and CS-P. The acceptable means of compliance is AMC 20-42, which references DO-326A and its companion standards directly.

The UK Civil Aviation Authority has replicated the EASA position. A separate UK cyber security regulation modelled on Part-IS is in development.

The FAA treats DO-326A as effectively required for new and modified type certifications, with formal rulemaking ongoing.

The UK Military Aviation Authority has recognised DO-326A, DO-355, and DO-356 as acceptable means of compliance since their introduction into Defence Standard 00-970 in late 2015. RA 5890 (Cyber Security for Airworthiness and Air Safety), introduced in 2023, built on that foundation by establishing a dedicated regulatory article for cyber airworthiness across UK military air systems. If you are a UK defence supplier working on military air platforms, DO-326A is the route to demonstrating compliance.

DO-326A and EASA Part-IS: not the same exercise

DO-326A operates at product level. It answers the question: does this aircraft or system meet airworthiness security objectives?

Part-IS operates at organisation level. It asks whether your organisation has an Information Security Management System capable of managing risks that could affect aviation safety.

The two are complementary, not interchangeable. A design organisation producing certified aircraft systems will often need to demonstrate both, and treating them as a single exercise is a common and costly mistake.

What this means in practice

If you design, modify, integrate, or certify avionics, you will produce DO-326A artefacts: directly, if you're the applicant, or indirectly, if you sit in a programme or quality role on a project that has to deliver them.

The standard is a process, not a checklist. The fourteen artefacts only make sense in the context of how they feed into one another. The most common failure mode is treating them as fourteen standalone documents rather than the evidence trail of a coherent risk-management exercise. Get the framework right and the artefacts follow. Get it wrong and you'll rewrite them repeatedly before the regulator is satisfied.