What is it about?
In aviation, cyber security is no longer optional; it is essential. The new EASA Part-IS regulation ensures that all those involved in the industry take comprehensive protective measures to secure critical systems and data. CyFort supports you in understanding these requirements and implementing them in a targeted manner so that you can concentrate fully on your core business.
Discover what EASA Part-IS means for you and how we can help you integrate compliance and cyber resilience into your processes.
CyFort supports you in implementing the five steps of the cybercycle and thus creating a robust security concept that optimally prepares your organization for threats and ensures rapid responsiveness.
- Identify
- Protect
- Detect
- Respond
- Recover
With EASA Part-IS, the aviation industry is establishing uniform standards for cybersecurity to minimize such risks and enhance safety for everyone.
What is EASA Part-IS?
EASA Part-IS is a regulation that addresses information security risks that could impact flight safety. The Commission's Implementing Regulation (EU) 2023/203 and Delegated Regulation (EU) 2022/1645 within EASA Part-IS provide a framework for establishing a modern approach to managing information security risks in aviation. They introduce procedures to ensure the protection of all elements within their scope. By implementing this framework, aviation stakeholders can proactively address cyber threats and ensure a stronger and more resilient infrastructure, maintaining the highest safety standards in the industry. The goal is to create an environment where cybersecurity is seamlessly integrated into operational safety practices across the aviation sector. For further details, contact us for a non-binding consultation.
What falls within the scope of EASA Part-IS?
Aviation Organizations:
- Aviation operators, maintenance organizations, air navigation service providers, airports, development and production companies, and training organizations (ATOs) must comply with information security regulations.
- The implementation of an Information Security Management System (ISMS) is mandatory for these organizations to identify, assess, and manage information security risks that could impact flight safety.
- EASA Part-IS addresses cybersecurity risks that could impact critical aviation systems, including flight operations, air traffic management (ATM), air navigation services (ANS), and airport operations.
- Organizations must establish mechanisms for detecting, responding to, and reporting cybersecurity incidents that could affect flight safety.
- The regulation focuses on governance and continuous risk management, ensuring that organizations define clear roles, responsibilities, and reporting mechanisms for handling information security risks.
When do I have to comply with the regulations?
Companies must comply with EASA Part-IS within the following deadlines:
- October 16, 2025, for organizations falling under the scope of the Delegated Regulation (EU) 2022/1645, i.e., aviation companies, construction and production organizations, maintenance organizations, and other entities involved in critical aviation systems.
- February 22, 2026, for other organizations covered by the Implementing Regulation (EU) 2023/203. This includes additional aviation service providers and competent authorities responsible for overseeing compliance with the regulations.
Organizations are encouraged to begin preparations as early as possible to ensure they meet these deadlines and avoid disruptions.
Is it possible to opt out of the regulation?
Yes, there is an option for organizations to be exempt from certain requirements under EASA Part-IS through a process known as an exception procedure. However, this is only available to organizations that can demonstrate that their operations do not pose a significant information security risk to flight safety. To qualify for this exception:
- The organization must conduct a documented risk assessment showing that its activities do not pose a significant threat to information security in aviation.
- This risk assessment must be submitted to the competent authority (e.g., the national aviation authority), which will review it and decide whether to grant the exemption.
- Typically, exceptions apply to entities such as construction or production companies working on non-safety-critical components (e.g., interior fittings or parts that do not affect the structural integrity or safety of the aircraft).
How can this be achieved?
Ensuring compliance with EASA Part-IS can be a complex process that requires a tailored approach to the unique structure and risk exposure of each organization. At CyFort, we specialize in assisting aviation stakeholders with the seamless integration of the required Information Security Management System (ISMS) into their operations, offering a customized path to regulatory compliance. With our expertise in aviation and cybersecurity, we have successfully guided numerous organizations through the intricate requirements of Part-IS. By conducting thorough risk assessments, establishing robust incident management processes, and ensuring continuous improvement, CyFort identifies the optimal solutions tailored to your needs. Partnering with CyFort allows you to focus on your core activities while we work with you to ensure seamless compliance with EASA Part-IS. Together, we will develop bespoke solutions to protect your systems, helping you maintain security and resilience against cyber threats while fully adhering to regulatory standards.
Who is affected by EASA Part-IS?
Scope of application
The EASA Part-IS Regulation applies to all organizations within the aviation industry that are responsible for the safety and operation of aviation systems.
Air operators
For air transport operators, cyber security is crucial to ensure the safety and continuity of flight operations. CyFort helps you meet EASA Part-IS requirements and protects your fleet and passengers from potential threats.
Training Organizations (ATOs)
Training facilities play a key role in preparing personnel for security requirements. CyFort helps you implement the necessary standards and security practices for your training programs and protect your IT infrastructure from threats.
Maintenance Companies
Maintenance organizations are responsible for the safety and integrity of aircraft and their systems. CyFort helps you develop a reliable information security strategy to protect your systems from cyber risks and comply with regulatory requirements.
Airports
Security gaps in the IT infrastructure are a significant risk for airports. CyFort helps you build a comprehensive security management system that ensures compliance with EASA Part-IS and protects operations – from baggage handling to passenger communications.
Production Organizations
Manufacturers and development companies must design their products securely and protect information about critical systems. CyFort helps you integrate cybersecurity measures into your development processes to ensure compliance and minimize risks to safety-critical components.
EASA Part-IS therefore affects all organizations that directly or indirectly influence aviation safety. These companies must ensure that they continuously protect their information systems and operational processes against cyber threats.
Why CyFort?
Cooperation
CyFort combines extensive expertise in cyber security with a specialized focus on the aviation industry. Our team has years of experience in working with safety-critical and regulated organizations and is your competent partner when it comes to the implementation of EASA Part-IS. With a proven background in safety consulting, we understand the specific challenges and requirements of the industry.
- Industry expertise: Aviation
- Broad know-how
- Many years of experience
- Efficient implementation