Drone Rules Every Commercial Operator Should Know

14 min read Jun 21^st 2026

For commercial drone operators, compliance is not just a box to tick before take-off. The drone rules determine whether a job can be flown under the Open category, needs a CAA Operational Authorisation, requires extra permissions, or should be redesigned before anyone gets near the launch site.

In the UK, the rules are risk-based. That means a paid flight is not automatically more heavily regulated than a recreational flight, but commercial work often involves higher-risk conditions: built-up sites, infrastructure, clients on location, repeated operations, tighter deadlines, more stakeholders and higher expectations around evidence.

This guide focuses on the UK rules commercial operators should understand in 2026. It is not legal advice, and operators should always check the latest Civil Aviation Authority guidance before flying, especially where class marking, authorisations or airspace restrictions are involved.

1. Understand the three UK operating categories

The UK CAA’s framework separates drone operations into three categories: Open, Specific and Certified. The category depends on the risk of the operation, not whether money changes hands. The CAA explains the framework in its rules and categories of drone flying guidance.

Category	Typical use	CAA permission needed?	Commercial relevance
Open	Lower-risk visual line of sight flights within strict limits	No Operational Authorisation if all Open rules are met	Suitable for some surveys, photography and inspections where separation distances, aircraft limits and site conditions fit
Specific	Operations that fall outside Open limits	Yes, normally through an Operational Authorisation or relevant assessment route	Common for professional work in congested areas, near people, with heavier aircraft or more complex sites
Certified	Higher-risk operations closer to traditional aviation risk levels	Yes, with certification and licensing requirements	Relevant to advanced operations such as carriage of people or dangerous goods, rather than most routine commercial work

The key point is simple: do not start by asking, “Is this commercial?” Start by asking, “What category does this operation fit into?”

2. Registration, Flyer ID and Operator ID still matter

Most commercial drone organisations need to manage both pilot competency and operator registration.

The operator is the person or organisation responsible for the drone and how it is used. The operator must normally register and display the Operator ID on the aircraft if the drone has a camera or weighs 250g or more. In a commercial setting, the operator may be a limited company, public body, charity or sole trader.

The remote pilot is the person flying the aircraft. In the UK, pilots usually need a Flyer ID for drones of 250g or more, obtained by passing the CAA online theory test. Flyer IDs and Operator IDs have different renewal periods, so they should be tracked separately.

For professional teams, registration is more than an admin task. If a survey company has ten aircraft, six pilots and a mixture of permanent and freelance crew, someone needs to know which pilots are current, which aircraft display the correct ID, and which credentials are linked to which operating procedures.

3. Insurance is not optional for commercial operations

UK commercial drone operations normally require insurance that meets retained Regulation (EC) 785/2004 requirements. Recreational operators flying smaller drones may not always have the same obligation, but commercial operators should treat aviation insurance as a core compliance requirement.

Clients increasingly expect evidence of cover before allowing a drone team on site. Utilities, emergency services, construction firms and local authorities may also require specific levels of public liability or professional indemnity insurance through procurement or framework agreements.

A practical rule is to keep your insurance certificate with your operational documents and check three things before every job: the policy is in date, the aircraft and activity are covered, and the territorial or operational conditions match the task.

4. Open category flights have strict limits

The Open category can be useful for commercial work, but only if the flight remains inside its limits. The UK Drone Code covers the core requirements, including keeping within visual line of sight, staying below the maximum height limit and flying safely around people.

For most Open category operations, the headline altitude limit is 120 metres, or 400 feet, above the closest point of the earth’s surface. That does not mean every 120 metre flight is automatically safe or permitted. Airspace restrictions, obstacles, terrain, weather, aircraft performance, emergency access and client site rules still matter.

The Open category also contains subcategories, commonly referred to as A1, A2 and A3. These affect how close you can fly to uninvolved people and what type of aircraft can be used. Weight, class marking and legacy aircraft status can affect where an aircraft fits, and UK transition arrangements have changed over time, so operators should validate each aircraft against current CAA guidance before assigning it to a job.

For commercial operators, the Open category is often viable where the site is controlled, the aircraft is lightweight, the crew can maintain separation from uninvolved people, and the client’s deliverable does not require riskier flight profiles. Once any of those assumptions breaks down, the operation may move into the Specific category.

5. An Operational Authorisation is not a blanket permission

If an operation cannot be flown within the Open category, it may require a CAA Operational Authorisation in the Specific category. This is where many professional drone operators sit, especially those working in urban environments, infrastructure inspection, public safety, construction and repeat survey work.

An Operational Authorisation defines what the operator is allowed to do. It may cover certain aircraft, maximum heights, minimum separation distances, pilot competency, operating areas, procedures and risk controls. It is not a general licence to fly anywhere, at any time, in any way.

A Specific category operation will typically rely on a package of evidence, such as:

An operations manual that explains roles, responsibilities and procedures.
Pilot competency evidence, such as a GVC where relevant.
A documented risk assessment and mitigation process.
Maintenance and aircraft management procedures.
Emergency procedures for loss of control, flyaway, injury or airspace conflict.
Insurance that matches the operation.

The General VLOS Certificate, often called the GVC, is a common route for demonstrating remote pilot competency for Specific category applications, but the certificate itself is not the permission. The authorisation held by the operator is what determines the permitted operation.

6. Airspace checks must go beyond “is there an airport nearby?”

Commercial operators need a repeatable airspace workflow. A basic app check is a start, not the end of the process.

Flight Restriction Zones around protected aerodromes are one of the most common issues. If your operation is inside an FRZ, you must obtain permission from the relevant air traffic control unit, flight information service or aerodrome operator before flying. Controlled airspace, temporary restrictions, military activity, police operations, emergency incidents, prisons, nuclear sites and local restrictions may also affect the flight.

There is also an important distinction between airspace permission and land permission. Being allowed to fly in the airspace does not automatically give you the right to take off, land or operate from private land. Commercial operators should obtain landowner or site manager permission where required and document any site-specific constraints.

For infrastructure and emergency work, proximity hazards can be just as important as airspace. Power lines, railway assets, highways, cranes, masts, crowds, livestock, helipads and sensitive facilities can all change the operational risk profile. If the location is complex, the flight plan should identify both aviation and ground risks before the crew arrives.

7. Risk assessments should be operational, not ornamental

A risk assessment that only exists to satisfy a client portal is not doing its job. It should influence how the flight is planned, staffed, briefed and flown.

For Open category work, a formal risk assessment may not always be mandated by the CAA in the same way it is for Specific category authorisations. For commercial work, however, it is still a professional necessity. It helps demonstrate that you have considered foreseeable hazards and taken reasonable steps to control them.

A strong commercial drone risk assessment should be site-specific. It should consider weather, airspace, people, property, aircraft condition, battery performance, take-off and landing areas, emergency landing options, communications, data capture, local permissions and the competence of the crew. For practical guidance, Dronedesk has a dedicated article on building a drone flight risk assessment that works.

The best assessments are also dynamic. If a site changes, the assessment should change. A quiet car park at 07:00 may become unsuitable by 09:30. A utility inspection may need to pause if maintenance staff enter the work area. A public safety deployment may need to adjust if a helicopter joins the incident.

8. Privacy and data protection are part of the job

Drone rules are not only aviation rules. If your aircraft captures identifiable people, vehicles, homes, workplaces or sensitive sites, UK data protection law may apply.

The Information Commissioner’s Office provides guidance on drones and privacy, and commercial operators should be especially careful where imagery is captured in public places, residential areas, workplaces, schools, hospitals or emergency scenes.

Good practice includes minimising unnecessary capture, informing people where appropriate, securing footage, limiting retention, controlling client access and documenting the lawful basis for processing personal data. For planned operations, signage, notices or stakeholder communications may be appropriate. For emergency services, different legal bases may apply, but accountability and audit trails still matter.

Privacy should also shape the flight plan. Sometimes a small change in camera angle, take-off point, altitude or lens setting can reduce personal data capture while still meeting the client’s objective.

9. Maintenance, fleet records and battery discipline are compliance issues

Commercial drone safety depends on aircraft that are fit to fly. That means operators need more than a memory of when a drone was last used.

Fleet records should show aircraft identity, maintenance history, firmware status, repairs, defects, battery cycles, payload compatibility and any operational limitations. Batteries deserve particular attention because performance can degrade through age, storage conditions, temperature and charge cycles.

For growing teams, spreadsheets become difficult to govern because aircraft, batteries, pilots and job records change constantly. If fleet control is becoming a weak point, Dronedesk’s drone fleet management guide explains when operators typically outgrow manual tracking and what to look for in a more structured system.

A commercial drone crew setting up a marked take-off and landing area beside a utility site, with safety cones, a compact drone on a landing mat, battery cases and surrounding infrastructure clearly visible from a slightly elevated angle.

10. Flight logs and occurrence reporting protect your operation

A flight log is evidence. It helps prove what happened, who flew, which aircraft was used, what conditions existed, and whether the operation stayed within the planned parameters.

At a minimum, a commercial flight log should record the date, location, aircraft, pilot, observers or crew, take-off and landing times, batteries, weather, operating category, permissions, issues and post-flight actions. For repeat clients, linking the log to the job, site, risk assessment and deliverables makes later audits far easier.

Some events must also be reported. Serious accidents and incidents may require notification to the Air Accidents Investigation Branch, and aviation safety occurrences may need to be reported through the relevant CAA occurrence reporting route. Loss of control, flyaways, airspace infringements, injury, property damage and near misses should never be treated as informal notes.

Even when a report is not legally required, internal reporting is valuable. It helps identify recurring weaknesses, such as battery management problems, poor site control, inconsistent briefings or equipment defects.

11. Sector-specific drone rules and constraints

Commercial drone rules apply across the board, but the way they show up differs by sector. A roof survey, a powerline inspection and a search and rescue deployment may all involve the same aircraft, yet have very different operational risks.

Sector	Common rule or compliance pressure	Practical operator focus
Surveying and mapping	Site access, privacy, Open versus Specific category limits, repeatable ground control workflows	Confirm land permissions, protect personal data, maintain accurate logs and document deliverables
Utilities and infrastructure	Critical infrastructure sensitivity, proximity to hazards, client permit systems, possible restricted sites	Coordinate with asset owners, define exclusion zones, brief ground teams and manage emergency procedures
Emergency services	Incident command, temporary restrictions, crew safety, evidence handling, public sensitivity	Integrate with command structures, deconflict with helicopters, log decisions and protect captured data
Construction	Principal contractor rules, cranes, workers, moving vehicles, changing site layouts	Align with site inductions, maintain separation from uninvolved people and update risk assessments as the site changes
Media and events	Crowds, permissions, privacy, pressure to get the shot	Avoid overflight of assemblies of people unless properly authorised, agree safe filming boundaries and resist unsafe client requests

The biggest commercial risk is assuming that yesterday’s safe workflow automatically applies to today’s site. Commercial operators need standard procedures, but they also need enough flexibility to respond to each environment.

12. Night operations are allowed only if you can control the risk

Night flying is not automatically banned in the UK, but it must still comply with the applicable operating category, authorisation conditions and safety requirements. Visual line of sight becomes harder at night, depth perception changes, obstacles are less visible and emergency landing areas may be more difficult to assess.

Commercial night operations should include additional planning for aircraft lighting, observer use, site illumination, pilot fatigue, take-off and landing area control, and emergency procedures. If your Operational Authorisation or operations manual includes specific night procedures, those procedures must be followed.

For utilities and emergency services, night flying can be operationally valuable, but it should never be treated as the same risk profile as a daylight flight.

13. Cross-border work needs fresh checks

UK drone rules do not automatically travel with you. If a UK operator is commissioned for work in the EU, Ireland, the Channel Islands, the United States or elsewhere, local aviation rules apply. Registration, remote pilot competency, insurance, data protection, radio requirements and operational authorisations may all differ.

This matters for survey companies and infrastructure specialists that support international clients. A method statement that is compliant in England may not be valid in France, Germany or the US. Build enough time into cross-border projects to confirm the local regulator’s requirements before committing to flight dates.

A practical compliance workflow for commercial drone jobs

A simple workflow helps turn drone rules into repeatable operating discipline. Before accepting or flying a job, work through the following checks:

Define the client objective and the exact flight profile required.
Confirm whether the operation fits Open, Specific or Certified category rules.
Check pilot competency, Operator ID, insurance and aircraft suitability.
Review airspace, FRZs, temporary restrictions and nearby aviation activity.
Confirm landowner, site manager and stakeholder permissions.
Complete or update the site-specific risk assessment and method statement.
Prepare checklists, emergency procedures and crew briefings.
Fly only within the planned limits and authorisation conditions.
Log the flight, record issues and complete any occurrence reporting.
Close out maintenance actions, client records and data handling obligations.

The workflow does not need to be complicated, but it does need to be consistent. Regulators, insurers and clients tend to ask the same question after an incident: can you prove what you planned, what you checked and what actually happened?

Common mistakes commercial operators should avoid

One common mistake is assuming that a lightweight drone removes all compliance duties. Sub-250g aircraft can make some operations easier, but privacy, airspace, land permission, insurance and safe operating practices still apply.

Another mistake is relying on a generic risk assessment. A template can provide structure, but it cannot assess today’s weather, today’s people movement, today’s temporary restriction or today’s site hazards.

Operators also get into difficulty when sales commitments outrun permissions. If a client needs roof imagery inside an FRZ tomorrow morning, the operator still needs the correct approval before flying. Commercial pressure is not a defence for unsafe or unauthorised operations.

Finally, many teams underinvest in record keeping. Flight logs, maintenance records, pilot credentials, checklists and risk assessments are not just paperwork. They are the evidence that a commercial operator is competent, insured, organised and accountable.

Frequently Asked Questions

Do commercial drone operators need CAA permission for every flight? No. In the UK, a commercial flight can be flown in the Open category if it meets all Open category rules. If the operation falls outside those limits, it may require a Specific category Operational Authorisation or another appropriate approval route.

What is the main height limit under UK drone rules? For most Open category drone flights, the limit is 120 metres, or 400 feet, above the closest point of the earth’s surface. Operators must still comply with airspace restrictions, local permissions and any authorisation conditions.

Can a commercial drone fly over people? It depends on the aircraft, subcategory, operating category and whether the people are involved or uninvolved. Overflying assemblies of people is heavily restricted and should not be done unless the operation is clearly permitted and properly risk assessed.

Is a GVC the same as permission to fly commercially? No. A GVC is evidence of remote pilot competency and is often used for Specific category operations, but the operator’s CAA authorisation and the operating conditions determine what can be flown.

Do emergency services have different drone rules? Emergency services may have specific procedures, legal powers or exemptions in certain circumstances, but they are not free from safety, accountability, airspace coordination or data protection responsibilities. Governance and logging are especially important during incidents.

How long should commercial drone operators keep flight records? Follow your Operational Authorisation, operations manual, insurance requirements, client contracts and any applicable legal obligations. Many professional operators keep records for several years because they may be needed for audits, investigations, renewals or client evidence.

Turn drone rules into reliable operating procedures

Knowing the drone rules is only the first step. Commercial operators also need a way to apply them consistently across clients, pilots, aircraft, sites and repeat jobs.

Dronedesk is an all-in-one web platform for drone operations management, with features including client management, fleet management, team management, airspace intelligence, proximity intelligence, flight planning, flight logging, data reporting, configurable checklists and risk assessments. If you want to bring those processes into one operational workflow, explore the Dronedesk features for commercial drone operations.