Who’s Responsible for the Sky: The Regulatory Model for Drone Defence and CUAS Responsibility

As drone threats continue to escalate in frequency, complexity, and intent, the focus is no longer just on detection. The real question now facing governments, aviation bodies, and critical infrastructure operators is: Who holds responsibility when the sky is no longer safe?

Across the globe, different nations have taken markedly different approaches to the regulatory model for drone defence. Some rely on national regulators to lead, others place the burden on air navigation service providers (ANSPs), while in many cases, individual airports or operators are left to take matters into their own hands. This patchwork reflects not just differing political structures, but a more fundamental uncertainty: when a drone appears, who acts, and who decides what happens next?

Recent incidents across multiple airports, oil and gas facilities, and border regions in 2025 have exposed the limitations of current drone threat regulation. These events challenge long-held assumptions about where CUAS responsibility lies and raise urgent questions about the operational hand-offs between detection, verification, and resolution. The gaps between these steps, and between the organisations responsible for each, are now as much a risk as the drone itself.

A Patchwork of Responsibility

Global airspace security governance currently falls into three broad models. In countries like Japan, national regulators take the lead, setting policy, securing funding, and overseeing operational delivery. This centralised approach provides clarity and control, with the government owning both the mandate and the resources.

Elsewhere, ANSP (Air navigation service provider) drone defence has become an established part of the airspace safety framework. Air navigation service providers such as DFS in Germany or Airways in New Zealand already manage the safety and coordination of airspace and are seen as natural custodians of drone-related threat management. Their technical credibility and national coverage make them strong candidates, though questions remain about how effectively CUAS integrates with other security agencies.

A third model places the burden on individual airports or site operators, as is common in the UK and Italy. In these cases, airport drone regulation requires local funding, operation, and incident response. This can encourage agility and tailored deployment but often comes at the cost of consistency, authority, and coordination with national frameworks.

Each approach offers advantages, yet none is immune to breakdowns when responsibility must quickly transition from one actor to another. In practice, the challenge is not only about who funds the technology, it’s about who owns the moment of decision when a threat is confirmed.

Between Detection and Decision

Many CUAS deployments are technically sound but operationally incomplete. They focus heavily on detection, often deploying RF, radar, and optical sensors, without establishing the clear chains of ownership required for real-time response. In complex airspace or multi-agency environments, this gap can be fatal.

When an alert is triggered, someone must validate it. When a threat is confirmed, someone must suspend operations. And most critically, someone must decide when it is safe to resume. Yet across many high-risk sectors, these responsibilities remain ambiguous. The chain of command for drone detection ownership is rarely as well-defined as it is for traditional air traffic control.

The issue isn’t just procedural, it’s human. Without pre-defined interfaces between regulators, ANSPs, airport operations, police, and private CUAS providers, decisions fall to individuals under pressure. What should be a structured process instead becomes an improvised reaction. It’s not only about who owns the tech, it’s who owns the outcome.

A String of Incidents, and a Pattern of Gaps

In 2025 alone, multiple drone-related incidents have disrupted operations at airports, energy facilities, and international border sites. The details vary, but the operational challenges are strikingly consistent. In several cases, drones were detected days before disruptions occurred, likely as part of reconnaissance. In others, airspace was closed, yet decision-makers hesitated to reopen it due to lack of verification, authority, or consensus.

One high-profile case emerged in East Anglia, where a drone was spotted over a US Air Force base, triggering a significant security response. The incident, still under investigation, raised concerns around the interface between UK police, the Ministry of Defence, and American military authorities. According to BBC reports, the drone was first seen near RAF Lakenheath, prompting a coordinated but delayed response. The situation underscored how overlapping jurisdictions, without clearly rehearsed hand-offs, can slow reaction times and create ambiguity in crisis.

In other recent European incidents, national armed forces were called to take operational control after civilian agencies reached the limits of their authority. Military units provided rapid command structures and situational oversight, but their involvement also exposed how fragmented regulatory responsibilities remain. When airspace governance falls between institutions, the default response becomes military, a last resort rather than a planned mechanism. This highlights the urgent need for drone threat regulation that clearly defines when, and under whose authority, control should transition between civil and defence actors.

These challenges aren’t hypothetical. They are playing out in real-world scenarios where the stakes are high, and trust in operational readiness is paramount. Detection alone is not defence, and without governance, even the best systems leave their operators exposed.

From Equipment to Governance

As governments and infrastructure operators invest in more sophisticated CUAS platforms, the most critical layer is often the least visible: drone defence policy framework. Systems only work when the people who operate them know their roles, understand escalation pathways, and are authorised to act.

Addressing this means more than updating procurement strategies. It demands a shift in how CUAS is viewed, from a sensor problem to a shared operational challenge. What’s needed is:

• A formal delineation of roles and responsibilities across all relevant actors.
  
• Pre-agreed interfaces between site operators, regulators, law enforcement, and airspace managers.
  
• Legal and procedural frameworks for response authorisation, including effectors where appropriate.
  
• Joint training, simulations, and post-incident reviews so that decisions under pressure follow practised pathways.
  

These principles underpin models for layered CUAS solutions, but they must also shape the institutional relationships that govern how those solutions are used.

What Responsibility Should Look Like

No single organisation can own every aspect of CUAS deployment, detection, and decision-making. But the absence of clear ownership is no longer sustainable. National regulators should define minimum expectations and operational standards. ANSPs and site operators must be prepared not only to deploy systems but to act on their alerts. And law enforcement or military bodies must be integrated into planning and escalation workflows from the outset.

Efforts by bodies like EUROCAE, RTCA, and ISO are essential in creating common terminology and expectations. But these frameworks must become embedded in day-to-day operations, not just referenced in procurement documents. OSL has seen how multi-agency coordination at airports can reduce response times and improve decision-making, but only when responsibilities are rehearsed, not assumed.

As Legh-Smith cautions, “You can’t outsource safety. Ownership must be felt, not just funded.”

Conclusion: Responsibility Cannot Be Retrofitted

The question of CUAS responsibility is no longer theoretical. It’s being tested every week in real deployments, real threats, and real decision points.

Recent incidents have shown that detection systems alone are not enough. What matters is the ability to act, confidently, legally, and with clear authority. When responsibility is vague, operators hesitate. When it is shared without clarity, decisions slow. And when it is assumed but not structured, safety suffers.

Securing airspace is not only a matter of technology, it’s a matter of trust, coordination, and readiness. For that, the sky needs more than radar, it needs governance.