What this session covered

This briefing, delivered by Grégoire Lewis, set out the two pressures that defined the ATM and CNS cybersecurity landscape in 2026 and explained why they had to be addressed together rather than in sequence. On one side, a new generation of AI-generated threats — automated vulnerability discovery, AI-generated phishing, and adaptive malware aimed at operational technology — was reshaping the attack surface for critical aviation infrastructure. On the other, a tightening EU regulatory environment, led by NIS2 and sector-specific aviation security requirements, was raising the compliance bar for air navigation service providers at the same time. The operational question Lewis put to ANSP leadership was how to defend against more sophisticated, AI-powered attacks while implementing AI within their own security operations and meeting live regulatory obligations — without being paralysed by the combined complexity.

Why it mattered

2026 was the year the two pressures arrived together for ANSPs. NIS2 audit cycles were live for air navigation service providers designated as essential entities, putting cybersecurity governance, incident reporting, and supply-chain assurance under formal regulatory scrutiny rather than voluntary best practice. At the same time, adversarial AI had lowered the cost and raised the speed of attacks against operational technology, the systems on which safe ATM and CNS depend. The combination mattered because the two demands pull on the same scarce resources — security staff, leadership attention, and assurance budgets — and because a compliance-only posture would not stop an AI-accelerated attack, while a threat-only posture would not satisfy an auditor. Lewis's framing made the case that ANSP security governance in 2026 had to treat regulatory compliance and AI-era threat defence as one programme.

Key takeaways for ATM operators

  • NIS2 was operational, not prospective. Audit cycles were already live for ANSPs designated as essential entities, making cybersecurity governance, incident reporting, and supply-chain assurance a present regulatory obligation rather than a future one.
  • Adversarial AI targeted operational technology. Automated vulnerability discovery, AI-generated phishing, and adaptive malware aimed at OT changed the threat model for the systems underpinning ATM and CNS, raising both the speed and the sophistication of attacks.
  • The two challenges shared one budget. Because threat defence and EU compliance draw on the same security staff and assurance resources, the session argued they had to be run as a single governance programme rather than parallel workstreams.

Frequently asked questions

Who delivered this cybersecurity session at Airspace World 2026?

The session was delivered by Grégoire Lewis, who set out the combined challenge of AI-era cyber threats and EU regulatory compliance for ATM and CNS security. It was presented as part of the Safety, Security & Resilience in ATM theme at Airspace World 2026.

When and where did this session take place at ASW 2026?

The session took place on Wednesday 27 May 2026 from 10:00 to 10:25 local Lisbon time (WEST, UTC+1) in the Integra Theatre at FIL — Feira Internacional de Lisboa, the Parque das Nações venue that hosted Airspace World 2026 from 26 to 28 May 2026.

What is NIS2 and how does it affect ANSPs?

NIS2 is the European Union's revised Network and Information Security Directive, which raises cybersecurity obligations for entities designated as essential — a category that includes air navigation service providers. For ANSPs it brings formal requirements on security governance, incident reporting, and supply-chain assurance, with audit cycles that were already live in 2026.

What are "AI threats" to ATM and CNS systems?

AI threats are attacks that use artificial intelligence to increase their speed, scale, or sophistication, including automated vulnerability discovery, AI-generated phishing, and adaptive malware aimed at operational technology. For ATM and CNS, the concern is that these techniques target the operational systems on which safe air traffic management depends.

Why did the session frame this as a single "dual challenge"?

Because defending against AI-accelerated attacks and meeting EU compliance obligations draw on the same scarce resources — security staff, leadership attention, and assurance budgets — and neither posture works alone. A compliance-only approach will not stop an AI-driven attack, and a threat-only approach will not satisfy a NIS2 auditor, so the session argued the two had to be governed as one programme.

Browse the agenda

All sessions at ASW 2026

See every session indexed in this hub, or jump to the related theme.