Aviation security is another significant matter with regard to safeguarding basic passenger rights. Risks and dangers to a safe flight may be of different nature and origins. Aviation security addresses all those cases in which the integrity of a flight may be endangered by unlawful acts against civil aviation, whether they be actually committed or merely planned.¹

In view of the strongly international nature of air transport and travel and that any unlawful act would affect the interests of a number of States, it is fundamental that a common legal framework be prepared at an international level aiming at detecting and preventing such criminal activities.

The need for concrete initiatives designed to prevent these acts of unlawful interference is generally dated back to 1970, when a series of attacks on the world of civil aviation brought the phenomenon to the international community’s attention.² The international community reacted, in June of the same year, by calling an extraordinary assembly at the initiative of Switzerland.³ The assembly agreed that the adoption of an annex to the Chicago convention on Security was strongly desirable.

Only a few months after this meeting, one of the most spectacular hijackings in the history of world aviation took place, the ‘Dawson’s Field’ hijackings, in which 310 people were taken hostage. On 6 September 1970 armed groups of the ‘Popular Front for the Liberation of Palestine’ simultaneously hijacked four aircraft: EI Al Israel Airlines Flight 219, TWA Flight 714, Swissair Flight 100 and Pan Am Flight 93. On 9 September a fifth aircraft, operating BOAC Flight 775, was also hijacked. All five aircraft were made to land at Dawson’s Field in Jordan. The terrorist attack came to a conclusion the following fortnight, with the freeing of all the hostages, although the aircraft were destroyed with explosives on 12 September.⁴

On 22 March 1974, 4 years after this incredible event, ICAO adopted its 17th Annex , entitled ‘Safeguarding International Civil Aviation Act of Unlawful Interference’, which came into force on 27 February 1975, which provided for the adoption of security systems aboard and inside aircrafts to ensure an effective safeguard of passengers, crew, ground personnel and the general public in airport areas, to be followed by signatory.⁵ Moreover, as balancing out the Annex, Document 8973 ‘Security Manual for Safeguarding against Act of Unlawful Interference’ was also adopted to provide precise guidelines on the application of the Standards and Recommended Practices to the States and carriers.⁶

Besides Annex 17 and Document 8973, further provisions concerning Aviation Security, aiming at regulating particular operational aspects and measures to be adopted for amore effective response to and prevention of unlawful acts in air transport are also present in further Annexes to the Chicago Convention .

The adoption of these measures , however, has not prevented the occurrence of further acts of unlawful interference on passenger planes in the decades that followed.

Amongst the most notorious is the Lockerbie bombing of Pan Am Flight 103 on 21 December 1988 over Lockerbie in southwest Scotland. At around 7 p.m. the airplane flickered off the radar tracking and then fell to the ground, broken in three pieces, about 2 min later, killing all 259 people on board and 11 people living in a part of the town destroyed by the impact of a wing section. Later the cause of the disaster was ascertained to be an in-flight explosion, caused by a bomb, brought on board the aircraft inside a piece of luggage in the hold. The Lockerbie tragedy, with its 270 victims, was the worst air disaster caused by an act of unlawful interference in the history of civil aviation, at least until 11 September 2001. That day, four flights operated by the two main American air carriers, after being hijacked almost immediately after take-off were used as weapons of mass destruction in suicide attacks to strike sensitive United States targets. American Airlines Flight 11 and United Airlines Flight 175 respectively crashed into Tower 1 and Tower 2 of the New York World Trade Centre at 8.46 and 9.03 a.m. local time. American Airline Flight 77 struck the west section of the Pentagon (Arlington, Virginia) at 9.47 a.m. And finally, United Flight 93 crashed to the ground near Shanksville in Pennsylvania a few seconds after 10 a.m.: the crash occurred during the revolt of the passengers who, realising the hijackers’ intentions, tried in vain to take back control of the aircraft.⁷ The most serious terrorist attack in history, carried out using civil aviation passenger planes, caused the death of 2,974 people.⁸

In the face of the dramatic and at the same time spectacular nature of the 9/11 attacks, the International Community understood the necessity of finding, yet again, new measures to avoid tragedies such as this from ever happening again.

At the 33rd ICAO Assembly, held between 25 September and 5 October 2001,⁹ participating States agreed on the need to review the provisions of Annex 17 with a view to making them more stringent in order to tackle this specific new type of threat.¹⁰

With the adoption of Resolution A-33 ‘Declaration on misuse of civil aircraft as weapons of destruction and other terrorist acts involving civil aviation’, Contracting States stated the necessity of a stronger and closer cooperation (both in financial and human resources) in ensuring the full transposition and implementation of ICAO Security rules within their systems and also asserted the need to call, as soon as possible, a ‘high-level ministerial conference on aviation security’ aiming at an update of ICAO Regulations by the adoption of new SARPs, the creation of an audit system to verify their degree of implementation and the provision for suitable measures to fund the new security mechanisms.¹¹ This conference was held in Montreal, at ICAO headquarters, on 19 and 20 February 2002. The conference highlighted the need to draft an ‘Aviation Security Plan of Action’ and, as part of this, to design a ‘Universal Security Audit Programme—USAP’ for the strengthening of Aviation Security at a global level. These documents state the need for States to intensify their implementation of ICAO provisions, introducing additional security measures commensurate with the type of threat that they may possibly be facing as well as economic reasons based on cost–benefit ratio. In this regard, ICAO stressed the necessity for studies to identify new and possible threats.

Furthermore, many recommendations giving guidelines on the updating of already existing SARPs Regulations have been adopted, such as the requirement that the cockpit be suitably locked off to foil any attempted unauthorized intrusion, or the organisation of ground passenger checking instrumentation. Such recommendations were laid down in the above-mentioned Annexes 1, 6, 9, 11, 14 and 18.

Despite the hard work carried out by the international community and the European Union to reach a higher level of flight security, which will be analysed further, 13 years after the dramatic events of 11 September 2001, another terrorist attack, this time directed against a commercial aircraft, shocked the entire world. On 17 July 2014 Malaysia Flight MH17 heading from Amsterdam (The Netherlands) to Kuala Lumpur (Malaysia) with 298 people on board (210 European Union citizens) was shot down by a missile while it was flying at an altitude of more than 10,000 meters over the eastern Ukrainian aerospace, above a war zone, not too far from the Ukraine–Russian borders. The shooting down of the plane caused the death of all passengers and crew. The international investigation on the accident is just at its beginning, but several disturbing issues have already arisen. In particular, there is now much public debate on how an airliner jet could have been allowed to fly above a war zone. The Ukrainian authorities and European Union aviation institutions did not place restrictions over the Ukrainian airspace and did not issue any warnings or recommendations until the day after the disaster. As early as April, only the FAA warned the U.S. air carriers not to fly over Crimea due to the tensions between the Russia—backed separatists and the Ukrainian Army. The MH17 crash happened 200 miles northeast of the restricted zone. Until 17 July 2014, in fact, a deviation from the standard path above the Ukrainian war zone territory for airlines flying between East Europe and Asia was not mandatory. Once again, economic benefits and the balance sheet bottom lines seem to have overcome the primary rights of passengers. In the light of the above, it is imperative that the international community immediately act in order to prevent such dramatic events from happening again. The first step would be the institution of a independent, impartial and supranational Commission, possibly under the aegis of ICAO, provided with all full powers to conduct a fair and independent investigation in this kind of events.

The European Union too, after the tragic attacks of 11 September 2001, understood the importance and the need to adopt a uniform system of Regulations for the prevention of unlawful acts in civil aviation. Before this date, in fact, each Member State was individually responsible for security legislation relating to air transport .

On 10 October 2001, a month after the tragic events of New York and Washington, the Commission, on initiative of the European Parliament, proposed the adoption of a common Regulation in the field of security.¹² This Proposal resulted in the adoption of Regulation (EC) No 2320/2002 of 16 December 2002,¹³ which was implemented at European Union airports from 19 January 2003. This Regulation, no longer in force today,¹⁴ is of fundamental importance since it made, for the first time, the control procedures on passengers and their baggage in airport access areas uniform under common aviation security rules. The first Recital of the preamble to the Regulation, which states ‘that terrorism is one of the greatest threats to the ideals of democracy and freedom and the values of peace’, is significant. Since the latter principles constitute the very essence of the European Union, the importance of this provision is quite clear.

Regulation (EC) No 2320/2002 was then superseded by Commission Regulation (EC) No 622/2003 of 4 April 2003 laying down specific measures for the implementation of the common basic standards on aviation security .¹⁵

The former is a Regulation adopted on the basis of and in conformity with the principle of subsidiarity and in compliance with the principle of proportionality , as Recital 14 makes clear, according to which the Regulation confines itself to the common basic standards required in order to achieve the objectives of aviation security and does not go beyond what is necessary for that purpose.

The principle of proportionality is applied, in particular, to small airports, where the implementation of particularly stringent security rules could be disproportionate, if not even impracticable, for objective, concrete reasons. Where this is the case, a matter which must be carefully assessed by the Commission, Member State authorities may apply alternative measures which must, in any event, provide adequate levels of protection.

On the other hand, States may apply more stringent rules than those provided for in the Regulation itself.

As a general point, the EU legislature takes account of the fact that the rules adopted by individual Member States to ensure their own national security, as well as those adopted under Title VI of the TEU, must come within common rules for the whole of the Union, while paying particular attention to the needs of this particular sector.

In summary, this particular legislation on aviation security provides a series of instruments for the prevention and punishment of unlawful actions , while fully respecting fundamental rights and in compliance with the principles recognised, first and foremost, by the Charter of Fundamental Rights of the European Union whose legal status, as a result of the amendments to Article 6 TEU by the Lisbon Treaty, is equal to that of Treaties, and by the European Convention on Human Rights (ECHR).

The European legislature pursued, in substance, two aims: the introduction of EU measures that, in accordance to the criteria laid down internationally, are appropriate to prevent ‘acts of unlawful interference in civil aviation’; furnishing the basis for a uniform interpretation of the relevant parts of the 1944 Chicago Convention , in particular Annex 17.

Before considering the merits of the measure to be adopted in order to achieve these goals, the Regulation gives a definition of the fundamental common rules.

These are, according to Article 4, based on the recommendations of document 30 of the European Civil Aviation Conference (ECAC) , which are set out in full in the Annex to the Regulation.

Such fundamental common rules accordingly require implementing measures, as well as technical adaptations. The latter are found in national programmes for civil aviation security, whose adoption, according to Article 5 of Regulation (EC) No 2320/2002 was a matter for the Member States to be effected within 3 months of the entry into force of the Regulation.

Under Article 5(2) of the above-mentioned Regulation, each Member State must designate an appropriate authority responsible for the coordination and the monitoring of the implementation of its national civil aviation security, which must undertake continuous checks so as to ensure it meets the requirements of common basic rules.

Monitoring the efficiency of national programmes, however, is not nor could not be exclusively entrusted to the national authorities. Within 6 months following the entry into force of Regulation (EC) No 2320/2002 , the Commission, in cooperation with the appropriate national authorities, was able to carry out sample inspections to monitor the work of Member States.

The officials sent by the Commission to conduct inspections may only exercise their powers if they can produce written authorisation in which is set out the subject matter, the purpose of the inspection and the date on which it is to begin.

Article 7(3) of Regulation (EC) No 2320/2002 is rather convoluted, since it provides that the inspections of airports are to be unannounced. However, it also provides that ‘[t]he Commission shall in good time before scheduled inspections inform the Member States concerned of the inspections’.

Following their inspection, the officials draw up a report which is to be notified by the Commission to the Member State. The Member State then has 3 months from the communication to answer it indicating what measures it has adopted to remedy any shortcomings which may have been found.

Member States are always allowed to apply stricter rules than those laid down by the Regulations, provided that ‘as soon as possible’ after their application, these measures are communicated to the Commission.

Article 10 of the Regulation then deals with the thorny issue of checks on flights coming from third-country airports . According to this provision, the Commission, assisted by the Security Committee of the International Civil Aviation Authority (ICAO) and the ECAC, is to consider developing a mechanism to assess whether flights coming from third-country airports meet the essential security requirements.

Article 8 concerns an extremely delicate and controversial aspect, namely the rules relating to the dissemination of and public access to information relative to security. The rules state that ‘[w]ithout prejudice’ to the implementation of Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents,¹⁶ amongst other pieces of information, the detailed criteria for exemption from security measures , the specifications for the national civil aviation security quality control programme to be implemented by the Member States and the inspection reports as well as the answers of the Member States were to be secret and, therefore, were not to be published. This information is to be accessible only to the appropriate competent national authorities which are to communicate them only to any interested parties in accordance with applicable national rules for dissemination of sensitive information.

In addition, Article 8(2) requires the Member States to treat as confidential the information arising from inspection reports and the answers by national authorities when such information relates to other Member States.

On the basis of these provisions, Article 3 of Regulation (EC) No 622/2003 states that the measures set out in its Annex , which must be inserted in the programmes for civil aviation security , are secret, and thus cannot be published, and are to be made available only to persons authorised by a Member State or the Commission.

The matter of the confidentiality of information in the Annex to Regulation (EC) No 622/2003, already the subject of disagreement between EU institutions, was submitted to the attention of the Court of Justice during a reference for a preliminary ruling by the Unabhängiger Verwaltungssenatim Land Niederösterreich (the independent administrative regional court for Lower Austria) in Case C-345/06.

The issues raised by the Austrian court arise from a somewhat curious event. On 25 September 2005, Mr. Heinrich was not permitted to pass through the security control at Vienna-Schwechat airport. It appears that he nevertheless boarded the aircraft with tennis racquets in his cabin baggage, despite their being ‘allegedly’¹⁷ forbidden by Regulation (EC) No 622/2003 as being suitable to be used as weapons.¹⁸ Security staff subsequently ordered him to leave the aircraft.

Two questions were referred to the Court for its interpretation: do Regulations fall under the category of documents whose public access may be the object of specific limitations, considering that being published in the Official Journal of the European Union is a specific requirement for their applicability or, if this is not the case, are such Regulations binding despite being contrary to Article 254(2) TEC (now Article 280 TFEU).

In essence, the referring court wondered whether a provision such as Article 8 of Regulation (EC) No 622/2003 constitutes a legal basis for the non-publication of documents for which TEC (now TFEU) expressly prescribes the obligation and if such documents are furthermore valid.

Advocate General Sharpston delivered her Opinion on 10 April 2008 which was not only of great interest but also had a strong media impact.¹⁹

The initial assumption is as simple in its formulation as it is full of difficult questions. Since Article 254(1) and (2) TEC sanction the obligation to publish Regulations, and since the Annexes are an integral part of the law containing them, logic dictates that the information therein is also subject to the same publication requirement. The contrary view, according to Advocate General Sharpston, would permit its authors to avoid the requirements of Article 254 TEC by the simple expedient of placing provisions, even substantive ones, in an unpublished annex. Advocate General Sharpston does not stop at these considerations, but goes well beyond them. Starting from a request to interpret EU law, she suggests that the Court should go on to rule on validity in accordance with settled case law according to which the function of the Court of Justice is to ‘extract from all the information provided by the national court those points of Community law which, having regard to the subject-matter of the dispute, require interpretation, or whose validity requires appraisal’.²⁰ In support of her arguments, Advocate General Sharpston points out how, previously, the Court of Justice had held a provision of EC law to be inapplicable if it entered into force before its publication,²¹ without this being justified by the objective to be achieved requiring it and that the legitimate expectations of those concerned are duly respected, or by omitted notification,²² considered the ‘functional equivalent’ of the duty to publish. In other words, according to Advocate General Sharpston, the partial publication of Regulation (EC) No 622/2003 constitutes a breach of an essential procedural requirement, resulting in its invalidity.

In her opinion, Advocate General Sharpston went even further, with quite a bold thesis, suggesting that the Court should not limit itself to merely declaring Regulation (EC) No 622/2003 invalid, but actually non-existent. The persistent and deliberate, and therefore far from accidental, disregard for the mandatory publication requirements laid down in TEC was—in her view—of such gravity that it could not be tolerated by the Community legal order. In this context, the Opinion made specific reference to the theory of the non-existent act, according to which an act must be treated as having no legal effect, even provisionally where the irregularities are so obviously serious that it cannot be tolerated by the Community legal order. The purpose of such a doctrine is ‘to maintain a balance between two fundamental, but sometimes conflicting, requirements with which a legal order must comply, namely stability of legal relations and respect for legality’.²³

While it can be said that some of Advocate Sharpston’s considerations are valid, others do cause some perplexity.

A careful reflection on this theme, directly involving the observance of two pivotal principles of EU Law, namely legal certainty and legitimate expectation, and consequently the very foundations of Union Law, was certainly foreseeable, as well as necessary.

In a Community governed by the rule of law it is not tolerable that individuals are not able to know the scope of the obligations imposed on them, especially if they are ambiguous and not immediately comprehensible. It seems in fact undeniable that Regulation (EC) No 622/2003, through its Annex, imposes obligations directly on individuals.

It is easy to see how these provisions seriously harm the rights of users-passengers, ranging from the right of defence against the possible imposition of sanctions , or the simple limitation to movement, to the right to be informed of the degree of security in the airport structures that one’s flight departs from or arrives at.

When considering the provisions which could be included in the Annex to Regulation (EC) No 622/2003 it is, in fact, necessary to make a distinction. There is no easily discernible reason for keeping the list of forbidden items secret. The opposite conclusion may be reached regarding data on operational security measures of an airport which do not directly impose obligations on individuals. In this connection, when facing particularly high risks to public security, a ‘temporary’ brake on the defence of citizens’ fundamental rights cannot be completely excluded. Any provision tending in this direction should in any case be the subject of permanent monitoring by the judicial authorities.

In that context, it was already possible to envisage a double solution. Information relative to forbidden items that cannot be brought on board aircraft should be clear and transparent so as to allow individuals to know their obligations and thus enable them to comply. If tomorrow the EU legislature should decide to consider forbidden an apparently innocuous item, individuals should be informed. This was the case, for example, for liquids above a certain volume.

As regards, however, the decision to keep secret some information on security measures to be adopted at airports, the EU legislature should, as Advocate General Sharpston suggested, have resorted instead to an alternative legal instrument: a decision under Article 288 TFEU, as it is now, addressed to the Member States, thus safeguarding the respect of the general principles of the EU and, at the same time, achieving the declared aims. It is also a binding act, which acquires effectiveness not by virtue of publication in the Official Journal, but by notification to its recipients.

The Court, in its judgment in Case C-345/06, after recalling that if a Regulation is to have any effect on individuals it must be published in the Official Journal of the European Union, went on to state that the principle of legal certainly requires that individuals must be given the possibility of ascertaining unequivocally what their rights and obligations are in order to adjust their behaviour in the light of their knowledge. It follows that an act adopted by a Community institution cannot be enforced against natural and legal persons in a Member State before its publication in the Official Journal of the European Union.²⁴ The Court then added, in regard to this last aspect, that when EU Regulations impose obligations on individuals, national implementing measures must also be published since it is not possible to require that individuals comply with them if they have had no way of knowing them.

The Court, in assessing the conduct of the Commission in the case, found that its ‘implementing legislation is clearly inconsistent in this respect, since on the one hand it considers it necessary to keep secret the measures on prohibited Articles, whilst on the other it declares there is a need to draw up a harmonised list of those Articles accessible to the public’.²⁵ When amending Regulation (EC) No 622/2003 by Regulation(EC) No 68/2004, the Commission itself clarified, in Recital 3, that ‘[t]here is, none the less, a need for a harmonised list, accessible to the public, setting out separately those Articles that are prohibited from being carried by passengers into restricted areas and the cabin of an aircraft’.²⁶ It is thus completely obvious how the two positions held by the Commission were clearly contradictory.

Regulation (EC) No 622/2003, amended 14 times, was subsequently repealed and replaced by Regulation (EU) No 185/2010 ,²⁷ containing detailed provisions for the implementation of the common basic standards under Article 4(1) and general measures supplementing the common basic standards under Article 4(2) of the basic Regulation, stated that, following a re-examination by the Commission of the measures under the Annex to Regulation (EC) No 622/2003, as amended, in the light of Article 18(a) of Regulation (EC) No 300/2008 ,²⁸ many of these measures do not have to be secret and must, accordingly, be published in the Official Journal of the European Union.

Thus now, in accordance with Article 4(3) of Regulation (EC) No 300/2008 , the Commission, having taken into account the directions of the Court of Justice and adopted Regulation (EU) No 185/2010 , provided that, whenever the adoption of sensitive security measures is necessary, as defined by Commission Decision 2001/844, ECSC, Euratom of 29 November 2001,²⁹ amending its internal Rules of Procedure, it is expedient they be adopted by means of a separate Decision addressed to all Member States. Since decisions are not of general application unless otherwise provided for under Article 288 TFEU, they produce an effect only after being notified to its addressees. By the same token, non-sensitive, and thus not EU classified, security measures must be published.

Regulation (EC) No 2320/2003 soon proved to be inadequate as a result of the complexity of its procedures and the fact that some of the technical requirements it provided for had a very limited impact on levels of security while, on the other hand, they made it particularly difficult for air carriers to carry out routine procedures, especially at small airports . The Commission also attributed this inadequacy to the speed with which, in the wake of the events of 11 September 2001, a number of non-binding recommendations, drawn up by the Member States, took the shape of a piece of legislation which was extremely complex from the point of view of its implementation.

In 2005 the Commission proposed a new Regulation to replace Regulation (EC) No 2320/2002 , which aimed at strengthening while at the same time simplifying and harmonising the procedures provided for in the original provision. This was also prompted by the fact that in the over 40 unannounced inspections carried out in Member States’ airports as from February 2004, serious shortcomings in security systems were discovered.³⁰ Three years after this Proposal was presented, Regulation (EC) No 300/2008 was adopted. The new Regulation underwent a rather tortuous legislative procedure because of the widely diverging positions among the EU institutions so much so that it required a decision by the Conciliation Committee under the codecision procedure under Article 251 TEC (now Article 294 TFEU), which delivered its decision on 11 January 2008. This was followed by the Council’s decision at third reading on 4 March 2008 and of the European Parliament on 11 March 2008.

With the adoption of Regulation (EU) No 185/2010 ³¹ legislature took steps to clarify the procedures that must be followed in carrying out the numerous security controls. As was seen in the preceding paragraph, the Regulation establishes the detailed rules on the implementation of the common security standards, as required by Article 4(2) of Regulation (EC) No 300/2008.

Regulation (EC) No 300/2008 achieved its full effectiveness from 29 April 2010,³² with the exception of Article 4 (Procedure for the common basic standards not foreseen at the entry into force of the Regulation and the amendment non-essential elements of the common basic standards), Paragraphs 2, 3 and 4, Article 8 (Cooperation with the International Civil Aviation Organisation), Article 11 (Procedure for the modification of National quality control programmes), Paragraph 2, Article 15 (Commission inspections), Paragraph 1, Second subparagraph, Article 17 (Stakeholders’ Advisory Group), Article 19 (Committee procedure) and Article 22 (Commission report on financing), which were implemented with effect from the publication of the Regulation.

In general terms, while Regulation (EC) No 300/2008 restricts itself to determining only general rules to which are subject all interventions aiming at preventing unlawful acts , without specifying the technical and procedural details relative to their concrete execution, leaving technical and procedural methods to implementation measures, it nonetheless corrected a few operational problems which had arisen in the application of the preceding Regulation. Thus, Regulation (EC) No 300/2008 takes account of and provides for the need to ensure greater flexibility in the adoption of security measures and procedures so as to take into account changes in the assessment of risks and enable the introduction of new technologies in a timely fashion.

In other words, the declared aim of the Regulation is, then, to clarify, simplify and bring further into line legislative provisions to reinforce civil aviation security as a whole.

What Regulation (EC) No 300/2008 does, as for that matter Regulation (EC) No 2320/2002 did, is to provide, in the Annex referred to by Article 4(1) or its subsequent amendments, the basic common rules for the protection of civil aviation from acts of unlawful interference that endanger its safety. However, it leaves to the Commission the task of establishing both the means of incorporating and applying common rules and the criteria that allow Member States to derogate from those rules and adopt alternative security measures to ensure an adequate level of protection on the basis of local risk assessment, which it may do by modifying the Regulation with a decision adopted according to the regulatory procedure under Article 5 of the Council Decision of 28 June 1999.³³

In this latter regard, the Commission, under Article 4(4) of Regulation (EC) No 300/2008, may lay down, by a decision adopted according to the procedure under Article 19(3), the criteria allowing Member States to derogate from common basic standards and adopt alternative security measures that provide an adequate level of protection on the basis of a specific risk assessment, provided such alternative measures are justified by reasons relating to the size of the aircraft, or by reasons relating to the nature, scale or frequency of operations or of other relevant activities. This allows, especially in small airports³⁴ where the number of flights is limited, the application of less stringent measures than those prescribed by the Regulation, provided an adequate level of security is ensured.

This amendment, which takes account of the objective difficulties encountered by some airports in complying with stringent security measures , includes some aspects set out in the preamble to Regulation (EC) No 2320/2002 , in particular Recital 14 which, as already mentioned, is informed by the principle of proportionality , and at the same time removes some of the ambiguity of Article 4(3) of that Regulation, the implementation of which has given rise to many interpretative doubts. Article 4(3) entrusted the competent national authorities with the adoption of national security measures for the provision of an adequate level of protection at airports on the basis of local risk assessment, and ‘where the application of the security measures specified in the Annex to this Regulation may be disproportionate, or where they cannot be implemented for objective practical reasons’.

Although the measures allowing derogation from the basic common standards are established by the new Regulation at EU level, Member States may nevertheless adopt more stringent measures, provided they are relevant, objective, non-discriminatory and proportionate to the local risk. In this case, Member States have an obligation to inform the Commission even when the measures adopted are limited to one specific flight on a particular day.

Other provisions of Regulation (EC) No 300/2008 are innovative. Amongst these, Article 5 allows each State to determine the extent to which the costs of security measures taken should be borne by the State, the airport authorities, air carriers, other responsible agencies or even users. If appropriate, and in conformity with Community law, Member States may contribute to the costs of more stringent security measures taken.

According to Article 22 of Regulation (EC) No 300/2008, the Commission was to submit by 31 December 2008 a report on the principles of the financing of the costs of civil aviation security measures .³⁵ In substance, the aim was to ensure that the financing for security measures was actually used to cover the specific costs relating to security rather than as a pretext to distort competition between airports and air carriers or to impose unnecessary taxes on users.

One of the most important innovations in Regulation (EC) No 300/2008 is to be found, however, in Article 7, which concerns the controversial issue of security measures in third countries compared to those in the EU.