Skip to main content

Commercial drones: the current legal framework

Commercial drones: the current legal framework

The International Civil Aviation Organisation (ICAO) sets the rules covering drones at UN level. The ICAO permits drone operations provided a national authority specifically authorises their use in the relevant airspace. Neither the EU nor the US has yet harmonised rules for using drones commercially. Any commercial drone use depends on legislation at state or regional level. 


There are no EU-wide regulations on RPAS. The European Aviation Safety Agency (EASA) is responsible for unpiloted aircraft that have a maximum take-off weight of over 150kg. Member states are responsible for unpiloted aircraft below this weight. Many member states have their own regulations in place or are developing them.


Under US federal law, you need an airworthiness certificate to operate a civil drone, or an exemption for the aircraft and a pilot certificate for the operator. The operation must also comply with state law – about a dozen states have enacted statutes dealing with drones, and more are considering enacting them.

The emerging legal framework


The EU Commission presented a strategy to support the growth of the drone market in Europe in a Communication adopted in April 2014. It aims to ensure drones are integrated safely and securely into the European aviation system from 2016 onwards. The Commission will achieve this by creating a common safety regulatory framework (ie a single European market for civil drones) and by developing the technologies needed to enable it, such as ‘sense and avoid’ and ‘command and control communication link’. 

The Commission also addresses measures to ensure its citizens are protected (privacy, insurance, etc) and to support market development and European industries. Various measures have already been taken at EU level – studies on third-party liability and insurance requirements have been commissioned, for example, as well as data protection and ethical risks.

The Commission has defined six actions to integrate drones into European airspace: 

  • strict EU-wide rules on safety authorisations; 
  • tough controls on privacy and data protection; 
  • controls to ensure security; 
  • a clear framework for liability and insurance; and 
  • streamlining R&D and supporting new industry. 

There must also be regulations to protect drones from physical, electronic or cyber attacks. 


The EASA introduced the ‘Concept of Operations for Drones’ on 12 March 2015, in which it proposes not simply to transpose the system put in place for piloted aviation, but to establish a new one that is proportionate, progressive and risk-based. The rules should then be complemented by industry standards. It introduces three categories of operations, each with an associated regulatory regime: open, specific and certified.


In this category, operators will not need to get national aviation authority certification provided the flight is compatible with the existing limitations (eg distance from aerodromes and people). Drones must stay within a direct visual line of sight of 500m and must not fly more than 150m above ground or water, or within specified reserved areas. This category is for simple and low-risk experience-gathering operations.


In the specific category, operators have to obtain an operations authorisation with special limitations from a competent national aviation authority. This reflects the more significant aviation risks posed to people.


If the aviation risk level is similar to piloted aviation, the operation falls into the certified category. The difference between the specific and certified categories is still open at this stage. In the certified category, operating RPAS commercially will require various certificates, including airworthiness, environmental and noise.

Data protection and privacy

The Commission calls for tough controls on privacy and data protection because almost all drones are capable of collecting large quantities of data, including photographs. 

A comprehensive study prepared for the Commission found that the existing regulatory framework is largely adequate to address the privacy, data protection and ethical impact of drones, but calls for public authorities to step up their communication and education activities in this area – and for more enforcement.

Third-party liability and insurance

A study carried out for the Commission to assess the existing third-party liability and insurance regime concluded that there is no harmonised third-party liability regulation at either EU or international levels. Because drones are aircraft, all RPAS operators should be required to have insurance for third-party liability. 

There seems to be a lack of insurance available in the member states because insurers have no information on the number of accidents and the damage actually caused, and are not able to price insurance. Insurance premiums are usually based on piloted aviation. The Commission is determined to ensure that adequate regulatory provisions for liability and third-party insurance are in place.


The Federal Aviation Administration (FAA) develops regulations, policy, procedures, guidance material and training to support safe and efficient drone operations in national airspace. Congress passed the FAA Modernization and Reform Act in 2012, which requires the FAA to have regulation in place to safely integrate drones into national airspace by 30 September 2015. Congress’s main aim was to enable more public and civilian users to use unpiloted aerial vehicles. The act specifically asked the FAA to designate test sites and restricted its ability to regulate remotely controlled aircraft flown for purely recreational use within sight of the operator. 

The FAA recently proposed a rule on the ‘Operation and Certification of Small Unmanned Aircraft Systems’. The proposed framework, published in February 2015, would allow small drone operations (up to 55lbs/25kg) for non-recreational purposes – such as crop monitoring, R&D, power line and pipeline inspections, and aerial photography – without requiring certification of airworthiness, exemption or a Certificate of Waiver to permit commercial operations in low-risk, controlled environments. 

This modest proposal, which operates on a case-by-case basis, comes with a lot of restrictions attached – mandatory line-of-sight operation and no operations above third parties, for example. It therefore seems increasingly unlikely that the FAA will meet the September 2015 deadline set by Congress for heavier drones, which have not been its focus over the last months.


The FAA’s safety concerns led to a long-lasting near total ban on commercial UAS use outside experimental areas. Under pressure from Congress and a growing number of stakeholders, this seems to be changing now. The shift away from the need for initial permits or exemptions towards a regulatory framework is still stuck in the drafting process, but new rules integrating drones into the national airspace are expected this year.

Data protection and privacy

In the US, the privacy issue is still discussed with a strong focus on governmental aerial vehicles. However, the Obama administration recently issued an executive order instructing the Department of Commerce through the National Telecommunications and Information Administration to initiate within 90 days a ‘multi-stakeholder engagement process to develop a framework regarding privacy, accountability, and transparency for commercial and private UAS use.’ 

Third-party liability and insurance

It is inevitable that the take-off of drones will give rise to many legal questions about insurance and third-party liability as well. The insurance industry has pointed out that the legal risks in particular need further assessment before insurance plans can be reliably priced and offered to commercial customers. This, in turn, will be a major precondition for widespread business use of drone technology in the years to come, and a stable legal framework is thus indispensable. 

It seems unlikely that federal legislation alone can offer sufficient solutions to the vast number of insurance-related issues because many of them (such as privacy, trespass, negligence and recklessness) are at least partially governed by state and local law, and judicial interpretations. Still it is striking that, thus far, the FAA has remained largely silent on questions of third-party liability faced by drone operators.