•
Stephan van Vuren
SORA 2.5 lands in the rulebook: what the June 2026 Easy Access Rules for UAS mean for critical infrastructure, security and public safety operators

At the end of June 2026, EASA released a new revision of the Easy Access Rules for Unmanned Aircraft Systems (the EAR for UAS). For anyone who works with the specific category on a daily basis, this is the edition worth reading, because it is the point at which SORA 2.5 finally sits inside the single, consolidated reference document alongside Regulation (EU) 2019/947 and its acceptable means of compliance (AMC) and guidance material (GM).
If you have been following the file, none of the underlying content is a surprise. The legal change happened in September 2025, when EASA published Executive Director Decision 2025/018/R and introduced SORA 2.5, the latest version of the Specific Operations Risk Assessment developed by JARUS, into the AMC and GM to Regulation (EU) 2019/947. We looked at that moment when SORA 2.5 first landed. What the June 2026 EAR does is bring that decision, catalogued as Issue 1, Amendment 4 to the AMC and GM, into the one document that most operators and competent authorities actually open when they need an answer. The Easy Access Rules are a consolidation, so no new legal obligation arrives with them. What arrives is readability: three separate publications you used to cross-reference now sit in one coherent, colour-coded, navigable whole.
This post is written for the operators we work with most closely, meaning those flying in and around critical infrastructure, those running security operations, and public safety teams who often sit under their own national regime. Below is what changed, and what it means for each of you.
What actually changed
SORA 2.5 keeps the same fundamental logic as SORA 2.0: you describe your operation, assess the ground risk and the air risk, mitigate what you can, and arrive at a Specific Assurance and Integrity Level (SAIL) that tells you how much evidence you have to produce. What SORA 2.5 adds is a tidier method, sharper definitions, and less friction than operators and authorities met over the first years of practical use.
The methodology is now expressed as ten systematic steps. In outline, you document the proposed operation, determine the intrinsic ground risk class, optionally reduce it to a final ground risk class through mitigations, determine the initial air risk class and then the residual air risk class after strategic mitigations, apply tactical mitigation performance requirements, determine the SAIL, determine the containment requirements, identify the operational safety objectives, and finally compile the comprehensive safety portfolio.
A few points stand out for professional operators:
The intrinsic ground risk is now more quantitative. The intrinsic ground risk class is scaled from 1 to 10 and is driven by the unmanned aircraft characteristics, meaning maximum characteristic dimension and maximum speed, together with the population density at risk in the operational volume and the ground risk buffer. This is a more explicit, data-led starting point than many operators were used to.
The SAIL still runs from I to VI, and it remains the pivot of the whole assessment. A final ground risk class above 7 falls outside SORA and belongs in the certified category. SAIL V and VI operations require a type certificate issued by EASA under Part 21.
The operational safety objectives are consolidated to seventeen. For the assigned SAIL, you show compliance with each of the seventeen OSOs at the required level of robustness, low, medium or high. This is a leaner set than the previous version, and the robustness logic is clearer.
Containment is treated as its own function. Step 8 sets containment requirements at one of three robustness levels, low, medium or high, calculated from the unmanned aircraft characteristics, the SAIL, the average population density in the defined adjacent ground area, and the presence of any outdoor assembly of people within one kilometre of the outer limit of the operational volume.
The comprehensive safety portfolio replaces the older documentation set. SORA 2.5 also ships with official templates, which is a welcome step towards harmonisation across Member States.
One practical warning on timing. SORA 2.5 became applicable across the European Union on the date ED Decision 2025/018/R was published, 29 September 2025. Individual Member States were permitted to set their own transition windows during which applications prepared under SORA 2.0 would still be accepted, and to define the maximum validity of authorisations granted in that window. Those windows differ by country and several have already closed. If you operate across borders, do not assume a single deadline. Check the position of each national aviation authority you deal with.
What SORA 2.5 means for critical infrastructure operators
This is where the detail rewards close reading, because SORA treats critical infrastructure in a very specific way.
SORA is a safety methodology. Its categories of harm are the potential for fatal injuries to third parties on the ground and fatal injuries to third parties in the air. Damage to critical infrastructure is acknowledged as a genuine and more complex condition, and it is explicitly left out of the quantified part of SORA itself. The reasoning is that different countries have differing sensitivities to this harm, so it is treated as a national specificity and is expected to be assessed in cooperation with the organisation responsible for the infrastructure, which is the party that best understands the threat to its own assets.
There are two consequences for those of you protecting or inspecting energy assets, ports, airports, rail, water, and comparable sites.
First, if your operation could affect critical infrastructure, you complete the SORA risk picture with an additional assessment of the critical infrastructure risk, run in cooperation with the infrastructure owner and folded into your concept of operations. In practice this means an earlier and more structured conversation with the asset owner, and it means your emergency response plan must explicitly account for the possibility of harming critical infrastructure, which the AMC now lists among the emergency situations an operator should plan for. The definition to keep in mind is broad: critical infrastructure means systems and assets vital to national defence, national security, economic security, and public health or safety, at both regional and national level.
Second, when you fly close to sensitive sites, the containment and adjacent-area logic in Step 8 moves to the centre of your assessment. Beyond-visual-line-of-sight inspection routes over or beside a live facility, and drone-in-a-box deployments that hold a fixed operational volume against a fixed asset, are exactly the operations where average population density in the adjacent ground area and the presence of nearby assemblies of people drive the robustness level you have to demonstrate. SORA 2.5 makes those inputs more explicit, which helps, and it also means you need to work the assessment through properly.
What SORA 2.5 means for security operators
For security operations, the same specific-category machinery applies, and there are two things worth separating clearly.
The operation you fly, whether that is perimeter surveillance, a rapid-response deployment, or persistent overwatch of a site, is assessed through SORA in the ordinary way. The site you are protecting may itself meet the definition of critical infrastructure, which brings the cooperation and adjacent-area considerations above directly into your own planning.
It is worth being precise about scope, because it is a common source of confusion. Regulation (EU) 2019/947 and SORA govern how you operate your own unmanned aircraft safely. They do not, on their own, regulate the detection of, or defence against, third-party drones. Counter-UAS sits under a different set of legal instruments, and the security threat posed by an uncooperative third-party aircraft is outside what SORA is designed to quantify. SORA does note that competent authorities may, where appropriate, consider additional categories of harm such as cybersecurity and privacy under Article 12 of the Regulation, and these sit outside the core safety calculation. For those of us building integrated detection, assessment and response capability, the takeaway is that safety compliance for your own platforms and security assurance for the wider site are two distinct workstreams that must be run in parallel and joined up deliberately.
Public safety and the state-operator question
Public safety teams frequently ask whether any of this applies to them at all, and the honest answer is: it depends on how your country has organised itself.
Under the EASA Basic Regulation, Regulation (EU) 2018/1139, aircraft used in military, customs, police, search and rescue, firefighting, border control, coastguard and similar services are treated as state aircraft and fall outside the scope of the EASA framework. Many police and emergency services therefore do not operate under Regulation (EU) 2019/947 directly.
In practice, though, very few Member States have built their state-operator frameworks from a blank sheet. It is far more common for a national authority to construct a regime for state drone operations that borrows heavily from the civil rules, taking large parts of Regulation (EU) 2019/947 and, importantly, its AMC and GM, including the SORA methodology, and adapting them to the operational reality of a state service. Where that is the case, and it is the norm, SORA 2.5 becomes the de facto benchmark even for public safety operators who are formally outside EASA scope. If your national framework references SORA, it will over time reference the current version of SORA, and the ten-step method, the seventeen OSOs, and the containment logic described above will shape how your operations are assessed regardless of the state-aircraft carve-out.
The pragmatic conclusion for public safety operators is to look at how closely your national regime tracks the civil AMC and GM, and to assume that the SORA 2.5 vocabulary is the one your authority and your partners will increasingly speak. Prepare for that language now, whatever your formal status.
What operators should do now
If you take one action from this blog, make it a re-baselining exercise. Concretely:
Re-map your existing concepts of operations against the ten SORA 2.5 steps, and identify where the more quantitative intrinsic ground risk and the revised containment inputs change your SAIL or your evidence burden.
Confirm the transition position with each national aviation authority you work with. The SORA 2.0 acceptance windows were set nationally and are not uniform. Do not let a live authorisation lapse on an assumption.
Adopt the official SORA 2.5 templates and update your internal operations manual, compliance matrix and comprehensive safety portfolio to match.
For critical-infrastructure-proximate work, open the conversation with the asset owner early, and build the separate critical infrastructure risk assessment into your concept of operations and your emergency response plan from the start.
For security operations, keep the safety case and the security case as distinct but coordinated workstreams, and be clear internally about where the specific-category rules stop and the counter-UAS and site-security regimes begin.
For public safety teams, check how your national state-operator framework references the civil AMC and GM, and prepare for SORA 2.5 to become the working language even if you are formally outside EASA scope.
The June 2026 Easy Access Rules confirm the direction of travel and make it official and readable in one place. SORA 2.5 is a genuine step towards a more harmonised, predictable and practical framework for the specific category, and for those of us operating in and around critical infrastructure it brings the risk conversation closer to where it always should have been, which is a shared conversation between the operator and the owner of the asset at stake.
At AirHub we build the software that carries this compliance work through the whole operational lifecycle, from concept of operations and risk assessment to live mission coordination and evidence capture.
If you would like to talk through what SORA 2.5 means for your specific operations, we are always happy to have that conversation. Book a demo and we will walk you through it.
This article is a general overview and does not constitute legal advice. For binding requirements, always refer to the official EASA publications and to the guidance issued by your national aviation authority.