V-DIG Audit: Ryanair

Audit Phase: V-DIG (Vendor, Digital Infrastructure & Governance) Target Entity: Ryanair Holdings plc Audit Date: 2026-05-01

Enterprise Technology Stack & Vendor Relationships

Ryanair operates one of the most digitally self-sufficient models in European aviation, with a strategy centred on direct distribution, proprietary systems, and selective third-party vendor relationships.

• Ryanair’s core booking and reservation platform is built on a proprietary system, and the airline has historically resisted distribution through Global Distribution Systems (GDS) such as Amadeus, Sabre, and Travelport. This stance has been a recurring source of commercial and legal dispute, including litigation against screen-scraping and OTA intermediaries who access Ryanair’s inventory without authorisation ¹.

• The airline uses Navitaire (now an Amadeus company) as its passenger service system (PSS), which underpins reservation, check-in, and departure control functions across its network. Navitaire’s NewSkies platform is widely used by low-cost carriers globally.

• Ryanair Labs, the airline’s in-house technology division based in Dublin, is responsible for building and maintaining the ryanair.com website, mobile applications, and internal tooling. Labs operates as a product engineering organisation rather than a traditional IT department, employing software engineers, data scientists, and UX designers directly ².

• For payment processing, Ryanair works with major card networks and third-party payment service providers. The airline has pursued ancillary revenue maximisation through its digital checkout, including dynamic pricing on extras, seat selection, and priority boarding.

• Ryanair has used Salesforce for customer relationship management functions, consistent with enterprise CRM adoption across the European travel sector.

• The airline’s crew management, rostering, and operations systems involve vendor relationships typical of large carriers, though specific third-party contracts beyond Navitaire have not been publicly disclosed in detail.

Surveillance, Biometrics & Retail Technology

• Ryanair introduced a facial biometric verification process for customers booking through third-party online travel agencies (OTAs) and screen-scrapers. Passengers who book via intermediaries are required to complete an identity verification step — including submission of facial imagery — before check-in can proceed. Ryanair states this is a fraud-prevention measure designed to confirm the passenger’s identity matches the booking ³.

• This biometric verification requirement has been applied specifically to passengers whose bookings originate from OTAs such as eDreams, Kiwi.com, and Lastminute.com, rather than directly from ryanair.com. The practical effect is to create friction for OTA-sourced bookings and incentivise direct booking behaviour ⁴.

• The European Consumer Organisation (BEUC) and multiple national consumer bodies have raised concerns about the biometric identity verification practice, questioning its proportionality, lawfulness under the General Data Protection Regulation (GDPR), and whether passengers are genuinely informed of their options ⁵.

• Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), launched an investigation into Ryanair’s biometric verification practices. The AEPD inquiry focused on whether the collection of facial biometric data meets GDPR Article 9 requirements for processing special category data, including whether valid explicit consent is obtained ⁶.

• Ryanair’s retail technology stack on ryanair.com and its app deploys extensive behavioural tracking, personalisation, and upsell mechanics. The airline’s digital funnel is engineered to maximise ancillary revenue per booking through dynamic pricing of bags, seats, insurance, and car hire. Third-party analytics and advertising technology vendors are embedded in the checkout flow, though specific vendor identities at the code level are not consistently disclosed in public-facing documentation.

• No public evidence identified of Ryanair deploying in-cabin surveillance technology, facial recognition at boarding gates operated by the airline itself, or CCTV analytics beyond standard airport-operator infrastructure.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

• Ryanair has publicly committed to a cloud-first strategy, with Amazon Web Services (AWS) identified as a primary cloud infrastructure provider. The airline has described migrating significant portions of its technology workload to AWS, including ryanair.com, its booking engine, and data analytics platforms ⁷.

• Ryanair Labs engineers have published technical content describing use of AWS services including compute, storage, and data pipeline infrastructure. The airline has presented at AWS events and is referenced in AWS case study materials as a major European customer ⁸.

• Microsoft Azure is also present in Ryanair’s technology environment. The airline uses Microsoft 365 for productivity and collaboration tooling across its corporate workforce, which implies Azure Active Directory and associated identity management services.

• No public evidence identified of Ryanair participation in any sovereign cloud programme, national cloud initiative, or government-directed data localisation arrangement in any of its operating markets.

• Ryanair operates across 40+ European countries. Its primary data processing entities are incorporated in Ireland, meaning EU GDPR applies as the baseline legal framework for data residency and cross-border data transfers. The Irish Data Protection Commission (DPC) is Ryanair’s lead supervisory authority under the GDPR one-stop-shop mechanism.

• No public evidence identified of Ryanair having data centre or cloud infrastructure relationships with Chinese, Russian, or other non-Western hyperscalers.

Defence, Intelligence & Security Sector Technology Relationships

• No public evidence identified of Ryanair holding contracts, frameworks, or partnerships with defence ministries, intelligence agencies, or military procurement bodies in any jurisdiction.

• No public evidence identified of Ryanair technology subsidiaries or R&D programmes with dual-use, defence, or national security applications.

• Ryanair’s security obligations are those common to all commercial air carriers: compliance with EU Aviation Safety Agency (EASA) regulations, national civil aviation authority requirements, and bilateral air service agreement security annexes. These are regulatory obligations, not discretionary defence relationships.

• No public evidence identified of Ryanair personnel or corporate entities appearing on export control lists, sanctions registers, or debarment databases maintained by EU, US (OFAC, BIS), or UK (OFSI) authorities.

AI, Algorithmic & Autonomous Systems

• Ryanair has publicly described the use of machine learning and algorithmic pricing across its revenue management systems. Dynamic fare pricing at Ryanair is driven by demand forecasting models that adjust seat prices in real time based on route, load factor, time to departure, and competitive signals. This is consistent with industry-standard revenue management practice at large low-cost carriers.

• Ryanair Labs has publicly stated its use of data science and ML tooling for personalisation on ryanair.com, including recommendation engines for ancillary products presented during the booking flow ².

• The airline has explored the use of AI-assisted customer service tooling, including chatbot and virtual assistant features within its app and website, to reduce contact centre volume. These deployments are consistent with customer-facing automation trends across European travel retail.

• In 2024, Ryanair’s CEO Michael O’Leary discussed the potential for AI to further reduce operational costs and increase ancillary conversion rates in investor-facing communications, signalling executive-level attention to AI deployment as a commercial lever ⁹.

• No public evidence identified of Ryanair deploying AI systems in safety-critical aviation operations (e.g., autonomous flight systems, AI-assisted air traffic management) beyond standard avionics and flight management systems supplied by aircraft manufacturers (Boeing, Airbus) and their tier-one avionics suppliers.

• No public evidence identified of Ryanair participating in EU AI Act regulatory sandboxes, high-risk AI system registries, or AI governance standards bodies.

Technology Ecosystem & R&D Footprint

• Ryanair Labs is headquartered in Dublin, Ireland, and operates as the airline’s internal technology product organisation. Labs has grown significantly since its founding and employs several hundred technology professionals. It is presented by Ryanair as a competitive differentiator enabling the airline to build and own its digital stack rather than rely on third-party aviation IT vendors ².

• Ryanair Labs has an additional engineering hub in Madrid, Spain, expanding its European technology talent footprint beyond Ireland.

• The airline has engaged in university partnerships and graduate recruitment pipelines in Ireland, consistent with its position as one of Ireland’s largest private-sector employers. No formal R&D tax credit filings or publicly disclosed academic research partnerships have been identified in available sources.

• Ryanair is a member of industry bodies including the International Air Transport Association (IATA) and participates in IATA technology and digitalisation working groups, including those related to digital identity, ONE Order (the proposed replacement for paper tickets and PNRs), and NDC (New Distribution Capability) standards — though Ryanair’s relationship with NDC is complex given its preference for direct distribution.

• The myRyanair digital identity platform, through which passengers create accounts and store personal data, is a significant proprietary data asset. The platform supports loyalty mechanics, stored payment credentials, and personalised offers, and represents Ryanair’s attempt to own the customer relationship end-to-end.

• No evidence of significant patent portfolio, university spin-out relationships, or participation in EU Horizon research programmes has been identified in publicly available sources.

Civil Society Scrutiny & Regulatory History

• GDPR and data protection: Ryanair’s biometric verification requirement for OTA-sourced passengers has attracted the most significant data protection scrutiny. The AEPD (Spain) investigation is the most concrete regulatory action publicly identified ⁶. Broader complaints have been filed with data protection authorities in multiple EU member states by consumer organisations coordinated through BEUC ⁵.

• Consumer rights enforcement: Ryanair has been subject to repeated enforcement actions by national consumer protection authorities across Europe regarding fare transparency, refund practices, and ancillary fee disclosure. Italy’s Autorità Garante della Concorrenza e del Mercato (AGCM) has fined Ryanair on multiple occasions for misleading commercial practices related to advertised fares and baggage fees ¹⁰.

• OTA and distribution disputes: Ryanair has pursued litigation against multiple OTAs and screen-scrapers for accessing its booking systems without authorisation. Courts in several jurisdictions have ruled both for and against Ryanair in these cases, with outcomes depending on national contract law and computer misuse legislation. The airline’s use of biometric verification as a deterrent against OTA bookings has itself been characterised by critics as an anti-competitive tool ⁴.

• European Parliament and Commission scrutiny: Ryanair’s labour practices, particularly its use of Irish employment contracts for crews based in other EU member states to minimise social contributions, have attracted European Parliament questions and Commission attention. While primarily a labour matter, the digital and HR systems enabling this model have been noted in civil society reporting ¹¹.

• COVID-19 refund controversy: During 2020–2021, Ryanair was among the airlines most heavily criticised for issuing vouchers rather than cash refunds for cancelled flights, in breach of EU Regulation 261/2004. National enforcement bodies and the European Commission pursued the airline, resulting in eventual compliance. Consumer organisations documented the scale of complaints ¹².

• Advertising Standards: Ryanair has faced rulings from the UK Advertising Standards Authority (ASA) regarding misleading fare advertising claims, including claims about being the “greenest” airline and fare price representations ¹³.

• Environmental claims: Ryanair’s green marketing has been challenged by civil society organisations and advertising regulators. The ASA upheld complaints against Ryanair environmental advertising in 2020 and subsequent years, finding that headline claims about CO₂ emissions per passenger were misleading without adequate qualification ¹³.

• No public evidence identified of Ryanair being subject to cybersecurity breach notifications under NIS Directive or NIS2 obligations, though as a critical infrastructure operator in the transport sector, Ryanair falls within NIS2 scope as of October 2024.

End Notes