Early drone legislation focused predominantly on airspace safety, privacy, and registration [ 7 ]. The European Union’s landmark Regulation (EU) 2019/947 marked a shift toward harmonization, introducing a risk-based approach and operator categories [ 8 ]. The U-space package, especially Regulation (EU) 2021/664, further formalized the integration of drones into civil airspace with service-based architectures [ 9 ]. However, these frameworks give limited attention to AI-specific risks and often exclude airportspecific protocols [ 10 ]. Table 1 presents regulation gaps and focus.

The aviation sector increasingly integrates AI in flight control, predictive maintenance, and surveillance [ 11, 12 ]. UAS trafic management (UTM) systems under development by SESAR and NASA feature autonomous decision-making capabilities, which raise legal uncertainties concerning explainability, predictability, and control [ 13, 14 ].

AI-powered drones, in particular, shift the traditional liability model—where a human pilot or operator was clearly accountable—to a more complex ecosystem involving AI agents, software developers, and airport managers [ 15, 16 ]. Legal doctrines remain ill-equipped to handle such distributed responsibility [ 17 ].

Airports are evolving into complex digital ecosystems. Smart gates, biometric systems, and AI-based surveillance introduce new attack surfaces [18]. A 2023 EASA report warned about increasing cyber intrusions into airport control systems, yet legal harmonization is minimal across jurisdictions [19].

The Tallinn Manual 2.0 ofers guidance on state behavior in cyberspace but lacks binding authority and rarely addresses infrastructure autonomy [20]. Furthermore, counter-UAS protocols often involve security services without suficient coordination with civil aviation legal authorities, which creates governance overlaps [21]. The corresponding information is shown in Table 2.

This background (Table 2) highlights the urgent need for interdisciplinary frameworks that link legal, technical, and policy elements of AI-powered drone integration in critical infrastructure like airports [22]. Subsequent sections will propose models for proactive legal governance and international cooperation [23].

Currently, no binding international framework specifically addresses the cybersecurity vulnerabilities of UAS, particularly in the context of airport operations. Despite the technological advancement of unmanned systems and AI modules, international regulatory eforts remain fragmented. The Tallinn Manual 2.0 on the international law applicable to cyber operations provides interpretive guidance on state behavior in cyberspace [20]. However, it does not address the complexities arising from autonomous aviation systems or AI-enabled infrastructure. Similarly, while the Chicago Convention and its Annexes outline basic standards for aviation safety and security, they are largely silent on the cyber-autonomy interface [24].

The absence of targeted regulations leaves states and airports to interpret their obligations individually, leading to inconsistencies in implementation and enforcement. This fragmentation is particularly problematic given the inherently transboundary nature of cyber threats involving UAS, which often traverse multiple jurisdictions and implicate both civil and national security regimes [25].

Comparative Table 3 underscores the systemic lack of coordination and the legal void in which AI-enabled airport environments currently operate.

One of the most challenging legal aspects of AI-powered UAS concerns the attribution of liability in the event of system malfunction, cyber intrusion, or damage caused by autonomous decisionmaking. Traditional aviation law is built upon the notion of a clearly identifiable operator or pilot, typically held accountable under both civil and criminal frameworks [26]. However, the introduction of autonomous systems, operating with varying degrees of human oversight, fundamentally alters this liability paradigm.

Responsibility is now distributed across a complex ecosystem of actors, including AI developers, UAS manufacturers, operators, airport authorities, and third-party service providers such as cloudbased navigation and communication platforms. In the event of a cyber incident or operational failure, determining causality and legal fault becomes dificult, particularly in cases where the AI component functions as a “black box” with limited explainability [27].

Table 4 demonstrate the limitations of existing legal doctrines when applied to autonomous systems whose actions are not always traceable to a single point of human control [ 5 ].

While several international instruments address aspects of cyber behavior or aviation regulation, none are currently equipped to manage the emerging challenges at the intersection of AI, cybersecurity, and unmanned flight. The Chicago Convention, particularly Annex 17 on Security, outlines states’ obligations to prevent unlawful interference with civil aviation. However, it does not explicitly reference cyber intrusions or AI-enabled threats. The Tallinn Manual, despite its interpretive value, remains non-binding and was never designed for application to civil aviation infrastructure. Meanwhile, the European Union’s regulatory eforts, including the Cybersecurity Act and the NIS2 Directive, apply primarily within the EU and do not ensure interoperability with third-country regimes [28].

Figure 2 reveals the partial and uneven legal coverage currently aforded to AI-related cyber threats in aviation, particularly in cross-border contexts where jurisdictional overlaps are inevitable.

The legal regulation of AI-driven drones in airport environments is characterized by fragmentation, conceptual ambiguity, and a notable lack of anticipatory governance (Table 5). Existing frameworks are largely reactive, ofering post-incident remedies rather than preventive or adaptive standards. In particular, the absence of international norms governing cybersecurity in AI-enabled aviation systems and the legal vacuum regarding liability attribution present serious risks to global aviation safety and legal coherence.

In the following sections, we propose normative and institutional responses to these challenges, focusing on the development of harmonized legal standards, AI-specific liability regimes, and multilateral cooperation mechanisms that align cyber diplomacy with aviation security.

Ukraine presents a unique and urgent case of how AI-driven drones are deployed in both military and civilian contexts. Since 2022, the country has experienced an unprecedented surge in the adaptation of commercial drones—such as DJI Mavic, Autel EVO, and FPV quadcopters—for defense purposes. Many of these systems now incorporate basic AI modules, including object recognition, adaptive flight routing, and obstacle avoidance algorithms. These features increase operational eficiency but simultaneously obscure attribution and legal classification [29].

The decentralized and volunteer-based use of AI drones blurs the line between state and non-state actors, complicating the application of International Humanitarian Law (IHL) and the Chicago Convention’s civil-military airspace separation. Furthermore, drones originally developed for agricultural mapping or logistics are now repurposed for reconnaissance and strike operations—raising critical questions about export controls, liability, and post-conflict reintegration of technology into civil aviation [24].

The full-scale war on the territory of Ukraine has turned the country into a testing ground for largescale use of UAS, both in military and civil domains. Airports and critical aviation infrastructure became direct targets of kinetic and cyberattacks involving UAS, revealing systemic legal and institutional vulnerabilities. At the same time, this experience has catalyzed legal innovation, particularly in the domains of counter-UAS regulation, liability, and cybersecurity coordination (Table 6).

In 2022–2024, Ukraine adopted a number of legal acts and institutional reforms aimed at enhancing the resilience of its airspace management and critical infrastructure. The Law of Ukraine “On the National Security of Ukraine” and the Law “On the Basics of Ensuring Cybersecurity of Ukraine” serve as foundational texts outlining a hybrid approach to cyber and physical threats, including those involving AI-driven drones [27]. Additionally, Ukraine’s Resolution of the Cabinet of Ministers No. 954 (2017)—amended after 2022—provides a basic regulatory structure for the operation of unmanned aerial vehicles in civilian contexts, though the wartime experience has shown its limitations [30].

Furthermore, Ukraine’s Strategy for the Development of the Defense-Industrial Complex (2023–2030) directly references UAS and autonomous technologies as strategic assets, prompting the Ministry of Digital Transformation and the Armed Forces to cooperate on cyber protection protocols for dual-use systems [30]. However, the legal integration between civilian aviation regulators (such as the State Aviation Service) and defense structures remains underdeveloped, particularly in terms of jurisdiction, liability distribution, and international legal harmonization.

Cyberattacks on airports in Kyiv, Lviv, and Odesa during 2022–2023 included attempted spoofing of navigation systems and denial-of-service (DoS) attacks on communication networks, frequently linked to hostile drone activity. While international law ofers only fragmented guidance on such hybrid threats, Ukraine’s eforts to collect and document them—often in cooperation with partners such as the EU and NATO—have become part of a broader legal strategy aimed at evidencing violations of both aviation law and humanitarian law [31].

However, due to the martial law and ongoing threats of cyberattacks on infrastructure, including airports, Ukraine faces multiple challenges in ensuring cybersecurity and legal liability in cases of incidents caused by autonomous systems. The lack of clear standards and insuficient interagency coordination results in legal gaps that may be exploited during military conflicts and cyberattacks.

In response, Ukrainian legislators and regulators are actively working to harmonize national regulations with international standards set by ICAO, the EU, and the UN, as well as developing specialized legal mechanisms for liability allocation in the field of AI and UAS, particularly regarding airports and transport security [31].

The Ukrainian experience with UAS deployment in a wartime context ofers invaluable insights for the global legal community. It highlights the urgent need to develop resilient and adaptive regulatory frameworks capable of addressing both conventional and hybrid threats involving autonomous aerial technologies. Lessons learned from Ukraine’s regulatory responses and operational challenges can inform international best practices, contributing to more robust legal standards and cybersecurity measures worldwide. Thus, Ukraine’s practical experience plays a crucial role in shaping future legal trends in the governance of AI-enabled drones and airport security.

In December 2018, London Gatwick Airport experienced the largest recorded drone-related disruption in civil aviation. Over a span of 33 hours, recurring drone sightings near the runway led to the cancellation of more than 1,000 flights, afecting approximately 140,000 passengers. Despite extensive deployment of police and military counter-UAS resources, no device or operator was oficially identified [32].

The incident exposed the legal ambiguity surrounding the use of counter-drone technologies, such as jamming or interception, especially within densely populated airport environments. It also revealed significant gaps in national legislation, including unclear definitions of protected airspace and the absence of rapid attribution mechanisms. In response, the UK government revised its Air Navigation Order, expanding drone exclusion zones and enhancing operator licensing requirements (Table 7) [33]. More recent incidents in Germany, Poland, and Spain reveal a growing sophistication in rogue drone operations. These events, though shorter in duration than Gatwick, demonstrated potential hallmarks of AI-enhanced autonomy: erratic or randomized movement patterns, resistance to spoofing, and apparent pre-programming. Such patterns suggest the use of onboard algorithms to evade detection and maintain persistent presence in sensitive airspace [34].

At Frankfurt Airport, a drone sighting in March 2022 prompted a 30-minute suspension of departures. Authorities noted radar interference, possibly related to electronic countermeasures or spoofing-resistant systems.

In Warsaw (2023), a UAS entered a geo-fenced restricted area, causing several flights to reroute. Analysts noted behavior consistent with real-time adaptive routing, likely enabled by AI-based environmental mapping.

Madrid-Barajas Airport reported two unauthorized drones in June 2023. One device was able to maintain flight near terminal perimeters while evading conventional tracking systems, raising concerns about onboard decision-making and spoofing immunity [35].

The obtained information is shown in Table 8.

Across both war and peace contexts, a shared challenge is the lack of standardized legal responses to AI-enabled UAS threats. In Ukraine, the fusion of AI with dual-use drones operates in a legal grey zone, often outside conventional IHL frameworks. In civil settings like Gatwick, Frankfurt, or Madrid, attribution and technological sophistication outpace current aviation law. The common thread is the absence of international norms for defining and regulating autonomous or semi-autonomous drones.

There is also a notable lack of legal clarity regarding state obligations, especially when AI acts as an intermediate agent between the operator and the outcome. Moreover, AI-powered drones strain existing air navigation and cyber protection regimes, which remain largely reactive and nationally fragmented.

These insights point to the urgent need for harmonized international standards, technical-legal coordination, and anticipatory governance frameworks.

A primary obstacle in regulating AI-enabled aviation systems is the absence of universally accepted definitions that precisely capture the technical and legal nuances of AI autonomy, decision-making capabilities, and intentionality. Concepts such as “autonomy,” “algorithmic intent,” and “machine learning liability” remain largely undefined within existing aviation and cybersecurity law. Clear and harmonized terminological frameworks are critical for delineating responsibilities, enabling consistent application of liability standards, and facilitating international legal cooperation [ 5, 11 ].

Developing these definitions should be a priority for standard-setting bodies such as the International Civil Aviation Organization (ICAO), the European Union Aviation Safety Agency (EASA), and international cybersecurity institutions. These definitions must be grounded in technical realities yet suficiently flexible to accommodate rapid technological evolution [ 9 ].

The inherently transnational nature of airspace and cyber-infrastructure requires enhanced international cooperation to address the cybersecurity risks posed by AI-driven UAS operations. Existing international instruments, including the Chicago Convention and the Tallinn Manual on cyber operations, provide important foundations but lack specific provisions addressing AI-enabled drones and their unique threat profiles [24].

Multilateral diplomatic eforts should focus on establishing binding international agreements or protocols that define state responsibilities for preventing and responding to cyberattacks involving autonomous systems. Additionally, coordination mechanisms between civil aviation authorities, cybersecurity agencies, and defense sectors should be institutionalized to streamline incident response, information sharing, and counter-UAS measures [ 9 ].

Given the rapid pace of AI innovation, the legal framework must adopt a principle of preventive regulation—anticipating and mitigating risks before they manifest in catastrophic incidents. This approach requires continuous monitoring of technological developments and dynamic updating of regulatory standards to reflect emerging threats [35].

Moreover, responsibility for AI-driven cybersecurity cannot rest solely with one stakeholder. Instead, it must be distributed across states, operators, AI developers, manufacturers, and airport authorities. Legal mechanisms should incentivize cooperation and accountability among all parties, including through clearly defined liability regimes and mandatory cybersecurity certifications for AI systems used in critical aviation infrastructure [ 9 ].

To ensure resilience, international and national regulators should develop comprehensive standards covering AI system design, data protection, operational transparency, and cyber threat detection within airport environments. These standards must address vulnerabilities specific to AI algorithms, such as adversarial attacks, data poisoning, and automated decision errors, which can compromise flight safety and airport security [ 5 ].

Certification processes should incorporate rigorous testing and validation of AI modules used in UAS and airport systems, accompanied by continuous oversight to adapt to newly discovered threats. Collaboration with industry experts and academia will be essential for creating standards that are both practically feasible and legally enforceable.