Introduction

On 29 September 2025, the European Union Aviation Safety Agency (EASA) published ED Decision 2025/018/R, updating the Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Implementing Regulation (EU) 2019/947. This update introduces the European version of the Specific Operations Risk Assessment (SORA) 2.5, developed by the Joint Authorities for Rulemaking on Unmanned Systems (JARUS).

Although the UK has left the EU regulatory framework, these developments are highly relevant. UK operators, manufacturers, and regulators can learn much from how EASA is simplifying compliance, clarifying roles, and promoting harmonisation across Member States.

What Changed under SORA 2.5?

• Simplification of procedures: Ambiguities from earlier SORA versions have been removed, making it easier for operators and authorities to understand their obligations.
• Clarity of roles: Responsibilities are now more clearly divided between operators, designers, and manufacturers. For example, design verification reports (DVRs) from EASA are required at SAIL IV, and type certification is required at SAIL V and VI.
• Terminology alignment: EU-specific terms replace JARUS wording. For instance, “EVLOS” has been dropped in favour of “BVLOS with airspace observer”.
• Containment requirements: Refined criteria for ground risk buffers and adjacent ground areas, particularly relevant for BVLOS and urban operations.
• Flexibility for competent authorities: NAAs can use direct assessment, recognised entities, or qualified entities to review compliance.
• Removal of weak cybersecurity rules: EASA stripped out JARUS’s cybersecurity provisions, deeming them disproportionate, but stressed that vulnerability assessments remain best practice.

Lessons for the UK CAA

1. Consistency and clarity – EASA has responded to industry feedback by clarifying operator versus manufacturer responsibilities. The UK’s guidance could benefit from similar precision, particularly in BVLOS authorisations.
2. Streamlining approvals – The two-phase SORA process (Phase 1 for risk identification, Phase 2 for compliance evidence) allows operators to obtain early regulatory feedback. This approach could make the UK’s OSC process faster and more predictable.
3. Population density mapping – EASA now recommends more accurate, dynamic maps to avoid over- or under-estimating risk in commercial and recreational areas. The UK could adopt a similar model, especially for urban drone delivery corridors.
4. Terminology alignment – Dropping “EVLOS” in favour of “BVLOS with AO” reflects operational reality and removes confusion. The UK should consider whether maintaining unique terminology helps or hinders international harmonisation.
5. Cybersecurity gap – By removing JARUS’s rules but encouraging vulnerability assessments, EASA has left space for proportionate, risk-based security. The CAA could similarly mandate cybersecurity risk assessments in line with wider aviation resilience standards.

Best Practice for UK Drone Pilots and Operators

• Adopt SORA 2.5 methodology voluntarily – Even though the UK hasn’t formally adopted it, operators preparing risk assessments will benefit from aligning with European standards, especially if seeking approvals abroad.
• Keep clear records – Maintain compliance matrices and comprehensive safety portfolios (CSPs) as outlined in SORA 2.5. This not only supports OSC applications but also protects operators in audits and insurance claims.
• Use accurate population data – Don’t rely solely on outdated maps; supplement with local knowledge, real-time data, or site surveys to avoid underestimating risk.
• Plan robust contingency procedures – Ensure abnormal and emergency procedures are well defined, tested, and rehearsed with crew. The new focus on containment means that “fly-away” risks must be demonstrably controlled.
• Stay ahead on cybersecurity – Even though not mandated, conduct vulnerability assessments for command-and-control links and data storage. Cyber weaknesses could undermine insurance and liability cover.

Conclusion

EASA’s adoption of SORA 2.5 is a significant step towards regulatory clarity and harmonisation across Europe. The UK CAA should take note: simplifying authorisations, clarifying roles, and embracing proportionate risk-based approaches would strengthen the UK’s position as a leader in drone regulation.

For operators and pilots, the message is clear: best practice means anticipating international standards, not just meeting the minimum domestic requirement.