In modern aviation, safety relies as much on the protection of data, networks, and digital infrastructure as it does on physical systems and procedures. This is exactly why EASA Part-IS has been introduced. No longer just a rulebook for IT departments, this new regulation is a framework that recognises information security as an integral part of aviation safety management.
However, several misconceptions exist, which this article seeks to address. First, that this regulation is “just another compliance box to tick” for the IT department – in reality, its reach is wider and deeper. Second, that it only applies to larger aviation organisations – no, it impacts the entire aviation ecosystem. And third, that existing certifications, such as ISO 27001, will cover you for Part-IS. While such frameworks are useful, Part-IS goes further. It is aviation-specific and designed to integrate into the safety framework, not sit alongside it.
Part-IS spans all digital systems — not only traditional IT, but also the operational technologies that underpin safe flight operations. It requires a culture of continuous vigilance, where risks are treated with the same rigour as other safety concerns. Let’s dig a little deeper into this groundbreaking regulatory framework.
What is Part-IS?
Part-IS stands for Information Security and is part of the European Union’s regulatory framework for aviation cybersecurity. Formally established under Regulation (EU) 2023/203 on 1 February 2023, it supplements earlier rules like Commission Implementing Regulation (EU) 2017/373.
It builds on Regulation 2022/1645 but now elevates information security into a full “Part” of aviation regulation – on a par with other established domains such as Part-ATM (air traffic management) or Part-MET (meteorology).
Why Part-IS matters
- Joint aviation legal and regulatory framework: Part-IS is a proactive step to ensure that information security risks are managed systematically across the European aviation system, recognising the interconnectivity and domino effect of security incidents and impacts.
- Reputation and trust: A cybersecurity incident affecting safety can damage operations and public confidence, which is critical in aviation.
- Business continuity: Cyber failures can disrupt operations as much as mechanical faults. Effective risk management improves resilience.
- Integration of safety and security: Part-IS brings cybersecurity into the same framework as Safety Management Systems (SMS), reinforcing the point that digital protection is inseparable from physical safety.
More than documentation
The biggest mistake organisations can make is treating Part-IS as “just another IT compliance requirement”.
Part-IS is designed to safeguard aviation operations against information security threats that could compromise safety. Rather than introducing new safety rules, it integrates cybersecurity into the existing risk-management practices already familiar to aviation organisations.
To meet the objectives of Part-IS, organisations must go beyond simply having technical controls in place — they need to demonstrate the capability to actively manage cyber risks through a structured framework. This requires implementing and integrating an Information Security Management System (ISMS) that provides a structured approach to managing risks, policies, and processes. Through an ISMS, organisations show that they can:
- Identify and manage risks affecting aviation data and ICT systems.
- Detect and categorise security events and incidents.
- Respond to and recover quickly and effectively from information security incidents.
- Establish clear governance, roles, and accountability for information security.
- Integrate cybersecurity into the overall aviation safety culture.
- Continuously improve security measures based on lessons learned and evolving threats.
- Ensure resilience of critical ICT systems to maintain safe operations under adverse conditions.
- Manage risks across the supply chain and with third-party providers impacting aviation safety.
In essence, Part-IS ensures that cybersecurity risks are treated with the same level of rigour as other operational risks in aviation.
Scope of coverage – who needs to comply, and by when?
When it comes to Part-IS, a common misconception is that it’s only meant for the “big fish” in aviation — airports, ANSPs, or major airlines. In reality, its scope extends far more widely, covering ICT systems and data across all approved organisations in civil aviation. This includes smaller but critical operators, such as medical aircrew (e.g., hospital helicopter services), private air ambulance operators, flight training schools, and flight simulation providers.
Part-IS applies broadly across the entire aviation ecosystem, with phased implementation dates:
This also includes:
- Maintenance organisations (Part-145, excluding small Part-ML scope)
- Air operators (Part-ORO)
- Training organisations (ATOs, including those with FSTDs)
- Aircrew and ATCO aero-medical centres
- ANSPs and related service providers (Part-ATM/ANS.OR)
- U-space providers, manufacturers of ATM/ANS components, and more.
By the first applicability date, organisations must show:
- A functioning ISMS assessed as “present and suitable”
- An initial Information Security Management Manual (ISMM)
- A documented procedure for managing ISMS changes
- An initial risk assessment covering activities, resources, data, and external interfaces
- Evidence of compliance monitoring and corrective actions
Key requirements
At the heart of Part-IS is the requirement for every organisation to establish an Information Security Management System (ISMS) aligned with existing safety management practices.
Overview of Part-IS requirements:
Challenges we are seeing on the ground
While awareness of Part-IS is growing, several practical challenges are emerging:
- Integrating cybersecurity with existing SMS without overburdening staff
- Managing risks across supply chains and contractors
- Integration of legacy systems with current cybersecurity measures
- Building a culture of incident reporting, not just technical fixes
- Resource constraints, especially for smaller organisations
- Keeping pace with evolving cyber threats in a slow-moving regulatory environment
Next steps?
Part-IS represents a much-needed step forward for the aviation industry: the integration of information security into the established safety framework. More than a compliance exercise, Part-IS is about creating a culture where safety and security are inseparable.
Understanding Part-IS is only the starting point. The next step involves turning that understanding into action by performing gap analyses, assigning clear responsibilities, embedding ISMS processes into daily operations, and fostering security awareness across every level of the organisation.
In our next blog, we’ll dive into practical strategies for moving from awareness to actionable planning for implementation – helping organisations achieve compliance efficiently and confidently, well before deadlines loom.
In the meantime, for more information and support on Part-IS for your organisation, contact one of the specialists in our aviation team.