UK CAA seeks feedback on Cyber Safety Objectives for Specific Category

UK CAA wants industry feedback on CAP 3098 - Guidance on Cyber Safety Objectives for Specific Category drone operations, as part of the UK SORA methodology.

The UK Civil Aviation Authority (CAA) is asking for industry feedback on CAP 3098 - Guidance on Cyber Safety Objectives for Specific Category Operations.

CAP 3098 is designed to help drone operators integrate cyber resilience into their safety risk assessments.

The CAA wants to hear people's views before incorporating it into Acceptable Means of Compliance (AMC) within the SORA online application system, as part of a longer-term project.

Why cyber safety matters in drone operations

As drones become more sophisticated and widely used, the role of cyber safety in ensuring operational safety grows ever more critical.

Unlike crewed aviation, UAS operations lack onboard human resilience and rely heavily on technology—from command and control (C2) links to ground stations and avionics.

This increases the importance of designing and operating systems with 'secure by design' principles, ensuring cyber resilience across all subsystems.

CAP 3098 recognises that cyber risks—from jamming and spoofing to malware and supply chain vulnerabilities—pose real threats to air safety.

The guidance provides operators with proportionate measures to address these risks and align with the UK SORA methodology.

What CAP 3098 guidance covers

The document builds on the JARUS SORA 2.5 Cyber Safety Extension, tailoring it for UK operations.

It covers subjects such as:

  • Cyber safety culture: Embedding awareness and executive-level commitment within organisations.

  • Threat analysis and risk assessment: Helping operators identify vulnerabilities and apply proportionate mitigations.

  • Operational Safety Objectives (OSOs): Practical requirements covering areas such as operator competence, UAS maintenance, system design, communication links, and external services.

  • Appendices on cyber threats and concepts: This includes definitions of denial of service, hijacking, spoofing, malware, supply chain risks, and mitigation approaches like defence-in-depth and least privilege access.

The guidance is structured according to Specific Assurance and Integrity Levels (SAIL), providing operators with proportionate measures ranging from basic policies to advanced, independently validated processes.

Implications for operators

For UAS operators seeking authorisations in the Specific Category, cyber safety will increasingly form part of the overall safety assessment.

CAP 3098 provides clarity on the minimal level of cyber measures expected, whether for operators, OEMs, maintainers, or service providers.

The document also emphasises continuous improvement—recognising that both the threat landscape and regulatory framework will evolve. Operators are encouraged to adopt robust cyber practices now to stay aligned with future requirements.

Next steps

The CAA is currently seeking industry views before formal adoption of CAP 3098 into AMC. Feedback from operators, manufacturers, and service providers will help shape how cyber safety is embedded into the SORA framework. Contact the CAA.