By: FlySafe Research
On any given day in 2026, more than 1,500 flights face disruption from GPS jamming and spoofing alone — a figure that reflects a 220% increase in signal loss events over recent years, according to IATA's GADM FDX data. Airspace restrictions continue to multiply, and the operating environment demands that airlines move beyond reactive decision-making toward structured, repeatable risk assessment processes. FlySafe analysis shows that airlines with formalized airspace risk frameworks are materially better positioned to respond to rapidly shifting operational conditions.
The IATA Airspace Risk Assessment framework provides exactly that structure. Developed by the IATA Geopolitical Risk Taskforce (GRTF), the guidance — now in its second edition as the Airspace Risk Management Guidance 2026 — offers focused, practical advice for operators to assess risks in airspace affected by security situations and operational disruptions. This guide breaks down the framework's core components and explains how airlines can apply them in daily operations.
Understanding the Regulatory Foundation
The starting point for any airspace risk assessment program is ICAO Doc 10084, the Risk Assessment Manual for Civil Aircraft Operations Over or Near Conflict Zones. As outlined in IATA's own conflict zone guidance, this document establishes a critical principle: the absence of any restrictions in foreign airspace should not preclude the operator from making its own determination of safety and security risks.
This places the onus squarely on airlines. A state may not issue a NOTAM or restrict airspace, yet the threat environment may still warrant action. The IATA framework exists to fill this gap — providing operators with a methodology that does not depend on state-issued restrictions alone.
The IATA guidance is described as complementary to existing standards, meaning it does not replace an airline's Safety Management System (SMS) or Security Management System (SeMS). Rather, it layers airspace-specific risk processes on top of those existing structures. The IATA Airspace Risk Assessment Management Checklist, included in both the 2024 guidance and the 2025 edition of the IATA SeMS Manual, provides operators with a systematic tool to identify, evaluate, and mitigate risks associated with airspace operations.
The Core Risk Assessment Process
Step 1: Information Gathering and Validation
The framework's first operational step is establishing reliable information sources. Airlines are expected to gather data from publicly available channels — NOTAMs, Aeronautical Information Publications (AIPs), Aeronautical Information Circulars (AICs), EASA Safety Information Bulletins (SIBs), and ICAO state letters.
Based on publicly available NOTAMs and state publications, operators should establish a process to ensure that flight planning teams and dispatchers obtain officially updated notifications on airspace affected by security situations. This is not a one-time exercise. The framework emphasizes regular reviews and updates of risk assessments as the operational picture evolves.
It is worth noting that IATA's former AVSEC Insight product was decommissioned in March 2023. While its user guide remained available as of May 2024 to assist operators in developing open-source collection plans, airlines must now rely on alternative intelligence sources and their own collection frameworks.
Step 2: Threat Assessment
The IATA conceptual framework defines a threat scenario as the identification and description of a credible situation comprising a potential target, the modus operandi and methods involved, and the adversary based on the role that entity plays in the aviation system — whether passenger, non-travelling person, or insider.
Risk assessment, as defined in the IATA conceptual framework document, is the process of identifying, analyzing, and evaluating risks associated with potential threats to operations. The goal is to understand the level of risk posed by different threats and to prioritize them based on their severity and probability.
For airspace-specific assessments, this means evaluating not only intentional threats but also unintentional ones — such as misidentification scenarios where civil aircraft may be affected by operational factors not directed at them. The framework requires operators to consider both the intent and capability dimensions when assessing threat actors, whether state or non-state.
Step 3: Risk Handling and Decision-Making
Once threats are assessed, the framework prescribes specific risk handling strategies. The most consequential is the AVOID strategy, applied when risks are deemed too high to operate. This is explicitly described as a corporate-level decision — not one left to individual dispatchers or pilots — on whether to mitigate or cease operations in a given airspace entirely.
For intermediate risk levels, airlines may deploy temporary measures — additional mitigations put in place by the operator until more permanent solutions are incorporated into the local security system. These could include altitude restrictions, route deviations, enhanced crew briefings, or adjusted diversion planning.
Airspace status: when an AVOID determination is made, airlines have rerouted traffic to alternative FIRs and published internal guidance to dispatchers and crews. The framework ensures these decisions are documented, traceable, and subject to periodic review.
Integrating with SMS and SeMS
One of the most practical aspects of the IATA framework is its emphasis on integration with existing management systems rather than the creation of parallel structures. The IATA training curriculum — a three-day program covering the full scope of the framework — specifically teaches participants how to embed airspace risk assessments within their airline's SMS and SeMS.
This integration matters for several reasons. First, it ensures that airspace risk data feeds into the same hazard registers, risk matrices, and mitigation tracking systems that airlines already use for operational safety. Second, it means that oversight bodies — whether internal safety review boards or external regulators — can audit airspace risk decisions using established governance processes.
The IATA Safety Risk Management Framework, as presented to ICAO forums, includes the Safety Issue Hub — an internationally recognized central repository of aviation hazards. This repository feeds into what IATA calls the "Global Risk Picture," which captures regional-level concerns such as GNSS radio frequency interference, 5G signal interference, and the integration of remotely piloted aircraft systems into controlled airspace. Airlines that connect their airspace risk assessment outputs to this broader ecosystem gain access to sector-wide situational awareness.
The evolution of IATA's Operational Safety Audit (IOSA) into a risk-based model further reinforces this integration. Under the risk-based IOSA approach, compliance rates provide quantitative data against related controls, and auditing assesses control effectiveness — not merely the existence of a procedure, but whether it is actually working.
Tracking Effectiveness with KPIs
A risk assessment process is only as valuable as its ability to demonstrate outcomes. The IATA framework places significant emphasis on the development and tracking of Key Performance Indicators (KPIs) for continuous improvement.
Recommendation: airlines implementing the framework should consider tracking the following categories of KPIs:
- Timeliness of assessment updates. How quickly does the airline update its risk assessment after a new NOTAM is issued or an operational situation changes? Measured in hours from notification to revised assessment.
- Coverage of flight-planned routes. What percentage of routes passing through or near restricted or elevated-risk airspace have a current, documented risk assessment? The target should be 100%.
- Diversion airfield identification. Are all flight-planned diversion airfields assessed for adequacy based on aircraft performance parameters, security conditions, and operational capability? This is particularly relevant for overflights of large, sparsely served regions.
- Decision audit trail completeness. Can every AVOID or MITIGATE decision be traced back to a documented threat assessment, with clear rationale and approval authority recorded?
- Integration with SMS reporting. Are airspace risk events being captured in the airline's SMS reporting system, and are they generating appropriate follow-up actions?
These KPIs should be reviewed at regular intervals — monthly at minimum for high-risk route networks — and trends should be reported to senior management as part of the airline's safety performance monitoring.
The 2026 Threat Landscape and Why This Matters Now
The operating environment makes structured airspace risk assessment not merely advisable but essential. According to analysis by Osprey Flight Solutions, GNSS interference has extended well beyond traditional areas of concern to affect civil aviation across Europe, the Middle East, and Central Asia. The projection for 2026 is clear: GNSS interference will persist, and airspace restrictions will multiply.
Affected routes: airlines operating in European, Middle Eastern, and Central Asian FIRs face the highest density of GNSS disruption events. Flight crews and dispatchers operating in these regions require current, region-specific threat briefings that are updated as NOTAMs and operational conditions change.
IATA's own assessment of risks shaping 2026 identifies the convergence of cyber threats and artificial intelligence as a major concern, where AI-enhanced capabilities, geopolitical instability, and digital supply chain dependencies compound one another. Policy fragmentation — characterized by unilateral national decisions with limited regard for their impact on global aviation networks — adds another layer of complexity to airspace risk management.
Climate-related disruptions are also relevant to airspace risk assessment, as reduced international coordination on climate issues may slow progress on sustainable aviation goals while simultaneously increasing secondary risks such as greater food and water insecurity and increased migration, which in turn affect border and airport security postures.
A recent industry survey cited by the National Business Aviation Association found that 57% of aviation safety professionals identified complacency and procedural drift as the vulnerability that most concerns them over the next 12 months. This finding reinforces the importance of maintaining active, regularly reviewed risk assessment processes rather than allowing them to become static documents.
Practical Implementation Steps
For airlines that have not yet formalized their airspace risk assessment process — or that rely on ad hoc procedures — the following steps provide a practical starting point aligned with the IATA framework:
- Appoint a responsible function. Designate a team or individual responsible for airspace risk assessment, with clear authority and reporting lines to both the safety and security departments.
- Adopt the IATA Airspace Risk Assessment Management Checklist. Available through the IATA Security Department (contact: [email protected]), this checklist provides a structured baseline.
- Map current routes against active NOTAMs and known risk areas. Identify all FIRs and route segments that require elevated assessment.
- Establish information collection protocols. Define which sources are monitored, at what frequency, and by whom. Include NOTAMs, AIPs, EASA SIBs, and state aviation authority publications.
- Define risk thresholds and decision authorities. Clearly document what risk level triggers an AVOID decision, what triggers temporary measures, and who has the authority to make those calls.
- Integrate outputs with SMS and SeMS. Ensure airspace risk findings are entered into the airline's hazard register and that mitigations are tracked through existing safety action processes.
- Train relevant personnel. IATA offers a dedicated three-day training program covering all aspects of the framework, including information gathering, threat assessment, and KPI development.
- Establish a review cycle. Set calendar-based and event-triggered review points. Risk assessments should be living documents, not annual filings.
Frequently Asked Questions
How do you integrate airspace risk assessments with existing Safety Management Systems (SMS) and Security Management Systems (SeMS)?
The IATA framework treats airspace risk assessment as a process layer within existing SMS and SeMS structures rather than as a standalone system. Findings from airspace threat assessments feed into the airline's hazard register, risk matrices, and mitigation tracking processes. The 2025 IATA SeMS Manual includes the Airspace Risk Assessment Management Checklist specifically to facilitate this integration.
What Key Performance Indicators (KPIs) should be tracked to measure the effectiveness of continuous airspace risk assessment updates?
Effective KPIs include the timeliness of assessment updates following NOTAM issuance, route coverage percentage (proportion of elevated-risk routes with current assessments), diversion airfield adequacy checks, decision audit trail completeness, and the rate of airspace risk events captured in SMS reporting systems. These should be reviewed monthly for high-risk route networks.
What process should be used to identify all flight-planned diversion airfields based on aircraft performance parameters during airspace risk assessment?
Diversion airfield identification should account for aircraft type-specific performance parameters (range, runway requirements, approach capabilities), the security and operational status of each airfield as indicated by current NOTAMs and AIPs, and the availability of ground handling and emergency services. Each flight-planned route through or near elevated-risk airspace should have pre-assessed diversion options documented and available to dispatchers and crews.
How should unintentional threats from misidentification be evaluated and deconflicted between state and non-state actors?
The IATA conceptual framework requires operators to assess not only intentional threat scenarios but also unintentional risks such as misidentification of civil aircraft. This evaluation should consider the operational environment, the presence of active security situations in adjacent airspace, and the availability of reliable civil-military coordination mechanisms. Temporary measures — such as altitude adjustments or route offsets — may be deployed while the threat picture is clarified.
Analysis based on publicly available data only. FlySafe Research provides airspace risk intelligence derived exclusively from publicly available, independently verifiable data sources published by international aviation authorities, academic institutions, and open-data projects. FlySafe does not possess, access, or utilize any classified or non-public information. Airlines should consult their own security departments and national aviation authorities for operational decisions.
- The absence of state-issued NOTAMs or airspace restrictions does not absolve airlines of responsibility — ICAO Doc 10084 places the onus on operators to independently assess safety and security risks regardless of official restrictions.
- GPS jamming and spoofing events have surged 220% in recent years, with over 1,500 flights disrupted daily in 2026, making structured airspace risk frameworks operationally critical rather than optional.
- The IATA framework layers airspace-specific risk processes on top of existing SMS and SeMS structures rather than replacing them, using a dedicated checklist to identify, evaluate, and mitigate risks systematically.
Powered by B1KEY
Live tools behind the analysis.
The signals FlySafe writes about are also published live — continuously verified by the Sentinel pipeline.
Information is accurate as of the publication date. FlySafe uses exclusively publicly available data.
