14 October 2025
The Government’s much-awaited National Policy Framework for Unmanned Aircraft Systems (UAS) (more commonly known as drones) has been published by the Department of Transport at a time when Ireland’s skies—and headlines—are increasingly abuzz with drone activity and debate.
In this article we offer an overview of the National Policy Framework while clarifying the current legal landscape surrounding drones —particularly in relation to regulatory oversight and data protection.
Following extensive public and stakeholder consultation, the National Policy Framework seeks to set out a ten-year roadmap for the development of the sector for UAS. The National Policy Framework is structured around three pillars:
The Government’s stated overarching goals are to ensure public safety and privacy, enable economic growth, and position Ireland as a leader in drone innovation and services.
A National UAS Policy Framework Monitoring Group, chaired by the Department of Transport and comprising multiple authorities and stakeholders, will be tasked with overseeing implementation of the National Policy Framework. The Monitoring Group will be divided between the Department of Transport (overseeing Airspace and Planning) Irish Aviation Authority (overseeing Compliance and Enforcement) and the UAS Enterprise and Innovation Leadership Group (overseeing Enterprise and Innovation)
Ireland’s laws on UAS are shaped by EU regulations set down by the European Commission working in conjunction with the European Union Aviation Safety Agency (EASA), in particular,
Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft (EU Reg 2019/947) which governs the operation of UAS in Ireland and is applicable since 31 December 2020 in all EU member states; and
The rules governing UAS in Ireland are implemented and enforced by the Irish Aviation Authority (IAA) in accordance with Article 18 of EU Reg 2019/947. The IAA oversees certification and operational compliance, maintains registers of UAS and their operators, and provides training and licences to pilots where applicable.
EU rules classify UAS operations into three categories:
Drone operators in the ‘open’ category must register themselves with the IAA if their drone:
All operators within the specific category must be registered.
This registration is valid for a period of two years and is recognised across all EU member states. Each operator only needs to register once, regardless of how many drones they operate.
Certified unmanned aircraft must be registered with the IAA, just like manned aircraft. In contrast, drones classified under the 'open' or 'specific' categories generally do not require registration with the IAA. However, registration is required for drones in these categories if both of the following conditions are met:
Since January 2024, drones in the specific category must be equipped with remote identification systems, enhancing transparency and accountability.
Remote pilots of drones must complete the UAS Proof of Online Training course via the IAA’s My Safety Regulatory System platform. This course includes a series of questions and, upon successful completion, allows pilots to operate drones in the ‘open’ category A1 and A3 subcategories.
To fly in the ‘open’ category A2 or the ‘specific’ category, remote pilots must undergo additional training including a theoretical exam and practical test provided by an approved drone training organisation.
For operations in the ‘specific’ category, a Remote Pilot Licence may be required depending on the risk assessment.
For drones in the ‘certified’ category, remote pilots must hold a valid manned aviation pilot’s licence appropriate to the type of operation.
A UAS Geographical Zone is a designated area of airspace where specific rules or restrictions apply to the operation of drones.
Under EU Reg 2019/947, the IAA is responsible for designating such UAS Geographical Zones and a map showing the current zones can be viewed on the IAA website.
The National Policy Framework sets out an additional working group on UAS Geographical Zones to be established to ensure transparent procedures for zone designation, involving local authorities and relevant state agencies.
The exponential growth of drone activity, particularly in urban centres like Dublin, has necessitated a rethinking of airspace management. A “U-Space” refers to the digital and automated ecosystem and services designed to support the safe, efficient, and secure integration of drones into airspace within a UAS Geographical Zone, particularly in areas with high drone traffic.
EU Regulations 2021/664, 665, and 666 set the legislative framework for the safe operation of UAS in the U-space airspace, for the safe integration of UAS into the aviation system and for the provision of U-space services.
Necessary U-space services include:
Dublin City Council has committed to establishing a foundational U-space within 1–3 years, recognising the city's growing density of drone operations. A National U-space Steering Group, led by the Department of Transport, is tasked with overseeing implementation.
The DPC has also developed guidelines for UAS operators, both professional and recreational, on the use of UAS and data processing in a non-law enforcement setting (the Drone Guidance).
The Drone Guidance states that data controllers operating UAS which process or collect personal data must comply with all applicable data protection laws and the data protection principles, unless the activity with the drone can be considered to be purely a household or personal activity.
Where this household/personal activity allowance does not apply to the use of drones by individuals, or where drones are being operated commercially by undertakings, any personal data processing via such drones must have a legal basis.
Whilst consent may provide a legal basis in some circumstances, in the majority of cases individuals and undertakings will likely have to rely on legitimate interests in order to process any personal data collected by the UAS when operating, provided that the interests of the data controller are balanced with, and not overridden by, those of the individuals whose personal data are being processed.
When a data controller seeks to rely on legitimate interests in this regard, they should ensure that sufficient safeguards are implemented such as the use of automated blurring software which automatically blurs faces, bodies and license plates, for example. It should be remembered in this regard that even pseudonymised data still attracts the application of the GDPR.
The Drone Guidance also highlights the potential necessity for data controllers to conduct a data protection impact assessment (where drone usage is, for example, likely to result in a high risk to the rights and freedoms of individuals) and to prepare a privacy policy to ensure that any drone usage within a premises or area is transparent.
The Drone Guidance further notes that the implementation of privacy notices may not be enough where drones are used in public areas where the recording perimeter cannot be easily identified. In such scenarios, the DPC recommends the utilisation of signage outside the venue/perimeter to signal that drones are in operation.
In respect of undertakings primarily, it should be ensured that they have sufficient data protection policy documentation, including a specific drones policy, and procedures in place in respect of any data processing implicated through the use of drones. Undertakings should also ensure that they are storing any drone footage securely and are adhering to the principle of data minimisation.
Ireland’s enforcement regime is robust and multi-agency in nature. The IAA, An Garda Síochána, and the Data Protection Commission (DPC) share responsibilities for investigating and prosecuting offences under aviation and data protection laws.
The Irish Aviation Authority Unmanned Aircraft Systems (Drones) Order 2023 (S.I. No. 24 of 2023) came into effect in February 2023 and expands on the IAA’s and An Garda Síochána’s powers to enforce laws governing UAS under the Irish Aviation Authority Act 1993.
The IAA is authorised to initiate summary proceedings before the District Court, where the maximum penalties include a fine of up to €5,000, imprisonment for a term not exceeding six months, or both. In cases of greater severity, prosecution may be pursued on indictment by the DPP with potential penalties of a fine not exceeding €500,000, imprisonment for a term of up to three years, or both.
The National Policy Framework also proposes the introduction of fixed charge offences for breaches of regulations, enabling on-the-spot fines for offenders.
As regards enforcement in respect of alleged infringements of data protection laws, any person may make a complaint to the DPC in respect of the processing of their personal data by a drone operator and, in response, the DPC may commence an inquiry (either with or without an accompanying investigation) in respect of such a complaint.
The DPC may also launch an inquiry in relation to a data processing activity of its “own volition” in order to ascertain whether an infringement of data protection law has occurred or is occurring. The DPC also has the power to conduct audits and to order the provision of, or access to, information.
The DPC can issue a variety of corrective measures to offending data controllers, or processors, where it is determined that an infringement is taking place or has taken place. This includes the issuing of warnings and reprimands to data controllers/processors as well as the capacity to order data controllers/processors to bring their processing into compliance with data protection law.
Importantly, the DPC can direct the imposition of temporary or definite bans on data processing activities and can also impose administrative fines on undertakings (and in some circumstances fines on individuals, although this is extremely rare in practice). The DPC also retains the right to initiate summary proceedings to prosecute specific offences, primarily relating to unauthorised disclosure of personal data, committed in respect of the Data Protection Act 2018 (as amended).
Individuals are also capable of litigating alleged breaches of data protection law by undertakings or individuals directly before the courts in Ireland.
The European UAS services market is projected to reach €15 billion annually by 2030, with significant job creation potential. With a strong aviation heritage, favourable tax environment, and agile regulatory approach, Ireland is well-positioned to take a leading role un UAS.
While the National Policy Framework is a welcome signal of the Government’s focus on drones, more detail on their governance will be required to satisfy the interests of both businesses and the public.
