Tag Archives: drones

Disclosure Day: Drones in the EU – What’s Flying Above Us (and No, It’s Not Aliens)

Legal news, , , , , ,


With the recent wave of U.S. government declassifications of UFO files – officially referred to as UAPs (Unidentified Aerial Phenomena) – and a new Spielberg film tapping into our fascination with the unknown, the skies have never felt more mysterious. Yet, before looking up in wonder, a more grounded reality emerges: most of what we see overhead is far more explainable. Drones, for instance, are quietly reshaping our airspace – and the European Union has already put in place a comprehensive regulatory framework to govern them.

The Regulatory Framework: Two Regulations, One Clear Sky

Since 2019, two EU regulations have governed the production and operation of Unmanned Aircraft Systems (UAS) across all Member States, ending years of fragmented national rules.

Regulation (EU) 2019/945 – Manufacturing and Market Requirements

This regulation sets out the technical requirements for drones placed on the EU market, introducing a classification system based on maximum take-off mass (MTOM) and operational characteristics:

  1. Class C0 – under 250g; minimal requirements, no Remote ID required
  2. Class C1 – 250g to 900g; Remote ID mandatory, restrictions near populated areas
  3. Class C2 – 900g to 4kg; Remote ID, low-speed mode, geofencing capability required
  4. Class C3 / C4 – up to 25kg; reserved for “Specific” category operations
  5. Class C5 / C6 – designed for advanced operations, including drone swarms and controlled BVLOS flights

All drones must carry CE marking confirming conformity with their class requirements. From Class C1 upwards, every drone must be equipped with Remote ID, i.e. a real-time digital identification system that continuously broadcasts the drone’s unique identifier, position, altitude, speed and the operator’s location. Think of it as a number plate for the sky.

Manufacturers not established in the EU must designate an authorised representative within the Union to ensure compliance.

Regulation (EU) 2019/947 – Operational Rules for Pilots and Operators

This regulation, developed by EASA (the European Union Aviation Safety Agency), governs how drones are actually flown, organising all operations into three categories based on risk level:

Open Category – low-risk flights requiring no prior authorisation. Operations must remain within visual line of sight (VLOS), below 120 metres, and away from gatherings of people. This category is further divided into three subcategories (A1, A2, A3) depending on the drone’s class and its proximity to uninvolved persons. Subcategory A2, for instance, requires pilots to pass a theoretical examination before operating a Class C2 drone near people.

Specific Category – medium-risk operations that generally require either an authorisation from the national competent authority or compliance with a pre-defined Standard Scenario (STS). Authorisations are based on the SORA methodology (Specific Operations Risk Assessment), which helps assess the level of risk involved and determine what safety measures are needed. Two Standard Scenarios are currently available – STS-01 (visual line of sight flights in populated areas) and STS-02 (beyond visual line of sight flights in unpopulated areas). Operators meeting all the conditions of an STS can fly under a simple declaration, without needing individual authorisation.

This category is also where BVLOS operations (Beyond Visual Line of Sight) come in – flights where the drone operates beyond the pilot’s direct visual contact. BVLOS is key to unlocking use cases like long-range infrastructure inspection, medical delivery, and large-scale surveying. These flights typically require either a SORA-based authorisation or compliance with STS-02, and the drone must be equipped with detect-and-avoid capabilities to ensure safe separation from other aircraft.

Certified Category – high-risk operations equivalent in complexity to conventional aviation. Requires full EASA certification of the drone, a formal operator approval, and a licensed pilot. Reserved for operations where a system failure could have catastrophic consequences.

Cross-Cutting Obligations

Regardless of category, all operators must:

  1. Register with their national competent authority (mandatory for drones over 250g or equipped with a camera)
  2. Respect UAS geographical zones defined by each Member State, covering restricted, prohibited, and conditional airspace
  3. Maintain flight logs for all Specific and Certified category operations
  4. Ensure adequate pilot training appropriate to the subcategory or category of operation

The U-Space: Managing the New Low-Altitude Frontier

The two regulations sit within a broader framework that includes the U-Space system, established by Regulation (EU) 2021/664. U-Space is the EU’s digital infrastructure for managing low-altitude air traffic in real time – essentially an air traffic management system for drones. It enables flight authorisation, conflict detection, real-time traffic monitoring and information sharing between operators, authorities, and conventional airspace managers.

U-Space is the critical enabler for large-scale BVLOS operations, and its progressive rollout across Member States is expected to unlock entirely new categories of drone deployment in the coming years.

Why It Matters

Together, these regulations created a single European drone market: harmonised, scalable, and built around safety. For anyone operating drones professionally in Europe, compliance is not optional – it is the foundation of lawful and sustainable operations.

So while the debate on UAPs continues across the Atlantic, Europe has already answered its own version of the question: what’s flying up there, and who’s in charge of it?

The answer, refreshingly, involves neither little green men nor government cover-ups – just well-drafted regulations and a lot of paperwork.

Drones and Privacy: Risks and Recommendations.

Uncategorized, , , , , , , ,

Drones Are Increasingly Used in the Civil Field. The civil use of drones is increasing, as also witnessed by the DRONITALY event that will be hosted near the Milan Expo in late September. And attorneys who are contributors to this blog find it certainly exciting when new technologies become widespread and thus present legal challenges!

When a new technology starts to become mainstream, the lack of adequate legal provisions is often deplored. In truth, the interpreter needs to take a deep breath and (i) identify the applicable laws, as well as (ii) understand the unique risks entailed by such novel technology, while comparing them with previous technologies. In the case of unmanned vehicle systems, commonly referred to as drones, it does not look like the applicable rules are lacking, but they are simply difficult to apply.

EU Data Protection Authorities Scratch Their Heads Together. The data protection authorities of the European Union, who work together within the “Article 29 Data Protection Working Party”, have recently tackled the issue of drones. The June 16, 2015 opinion by the “Article 29 Data Protection Working Party” (“Opinion”) is especially interesting because of its solid logic approach, which starts with a careful analysis of potential data protection risks linked to the increased use of drones, goes on to finding specific issues that are unique to drones, and ends with a number of recommendations to operators, manufacturers, regulators and law enforcement officials.

Unique Challenges to Personal Data. Drones are aerial vehicles that can be used for a host of activities (including – as pointed out by the Opinion – dull, dirty or dangerous operations, also known as “3D”). The Opinion is careful in pointing out that the use of drones per se is not problematic: it is the possibility to equip drones with recorders of audio and video data that poses challenges to privacy. Additionally, drones overcome obstacles such as walls or fences, and small drones may even enter buildings. Subjects whose data are recorded are often unaware of the processing of their data and, if they are or suspect that they might be, this may trigger a “chilling effect” on their conduct. In short, the principles of purpose limitation, data minimization and proportionality are at risk. Therefore, the Opinion strongly encourages a data protection impact assessment to check how, given the circumstances, the processing of data by a drone may impact the privacy of interested subjects. The assessment must start early on, and the rule of data protection by design must be respected by manufacturers and users. Such assessment must take into account:

  • The Applicability (or Inapplicability) of Exceptions. When personal data is processed by sensors installed on the drone, there is no doubt that data protection legislation applies. The exception for personal data processed in the course of a personal or household activity is never compatible with the sharing of such data on the internet. Law enforcement may also be found as a legal basis for processing, but it must be lawful, necessary and proportionate: indiscriminate surveillance is not acceptable.
  • Informed Consent. Freely given, specific and informed consent is difficult to achieve when it comes to drones. The Opinion suggests to try anything that may work (they, more elegantly, talk about a “multi-channel approach”): from signposts to symbols, signals, lights, registration marks or the publication on the internet of information on drone activities, so that a specific drone can not only be detected by interested subjects, but also linked to a certain data controller. Other grounds for lawful data processing may be found depending on the circumstances, such as performance of a contract to which the data subject is a party (e.g., security services offered through drones only recording the data subject’s property), processing to protect the vital interests of the data subject (e.g., rescue of victims of accidents) or for the purposes of a legitimate interest (e.g., wildlife research).
  • Security Measures. Personal data gathered must be safely stored and communicated (encryption is encouraged).
  • Anonymization or Deletion of Data. Data must not be kept for a period that goes beyond what is necessary to fulfill the purpose of the processing. Data must be accessed only on a limited basis and anonymized or deleted as soon as possible.

Many of the legal issues connected with drones are similar to those arising in case of video surveillance, already tackled by the Italian Data Protection Authority in 2010, with the notable exception that providing information to data subjects may prove to be much more challenging in case of aerial vehicles that fly at a distance.