EASA Part-IS

EASA Part-IS is a regulation that addresses information security risks that may impact aviation safety. Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation 2022/1645 within EASA Part-IS provide a set of rules to introduce a modern framework that addresses the risks associated with aviation information security and introduces procedures to ensure the protection of all elements within the scope. By implementing this framework, aviation stakeholders can proactively address cyber threats and ensure a stronger and more resilient infrastructure to maintain the highest security standards in the industry. The aim is to create an environment where cyber security is seamlessly integrated into operational security practices across the aviation sector. For more details, contact us for a no-obligation exchange

Aviation organizations:

• Air traffic operators, maintenance companies, air navigation service providers, airports, development and production companies as well as training facilities (ATOs) must comply with the regulations on information security.

Information Security Management System (ISMS):

• The introduction of an information security management system (ISMS) is mandatory for these organizations in order to identify, assess and manage information security risks that could affect flight safety.

Cybersecurity risks:

• EASA Part-IS addresses cybersecurity risks that may impact critical aviation systems, including flight operations, air traffic management (ATM), air navigation services (ANS) and airport operations.

Incident management:

• Organizations must establish mechanisms to detect, respond and report cybersecurity incidents that could impact aviation safety.

Control and supervision:

• The regulation focuses on governance and continuous risk management and ensures that organizations define clear roles, responsibilities and reporting mechanisms for dealing with information security risks.

Companies must comply with the EASA Part-IS within the following deadlines:

1. 16 October 2025 for organizations falling within the scope of Delegated Regulation (EU) 2022/1645, i.e. air carriers, design and production organizations, maintenance organizations and other entities involved in critical aviation systems.
2. 22 February 2026 for other organizations covered by Implementing Regulation (EU) 2023/203. This includes other aviation service providers and competent authorities responsible for monitoring compliance.

Organizations are encouraged to begin preparations as early as possible to ensure they meet these deadlines and avoid disruption.

Yes, it is possible to waive certain requirements under EASA Part-IS through a process known as derogation. However, this is only possible for organizations that can demonstrate that their operations do not pose a significant information security risk to aviation safety. To qualify for this waiver:

1. The organization must perform a documented risk assessment that demonstrates that its activities do not p ose a significant risk to aviation information security.
2. This risk assessment must be submitted to the competent authority (e.g. the national aviation authority), which examines it and decides whether to grant the exemption.
3. As a rule, exemptions apply to entities such as design or production organizations that work on non-safety-critical components (e.g. interiors or parts that do not affect the structural integrity or safety of the aircraft).

It is important to note that an exemption is time-limited and will be reviewed on a regular basis. Organizations that receive exemptions must reassess their risk level if their scope of work changes or new cybersecurity threats emerge

Ensuring compliance with EASA Part-IS can be a complex process that requires a tailored approach to each organization’s unique structure and risk exposure. At CyFort, we specialize in helping aviation stakeholders seamlessly integrate the required information security management system (ISMS) into their operations and provide them with a customized path to compliance. With our experience in aviation and cybersecurity, we have successfully guided numerous organizations through the complicated requirements of Part-IS. By conducting thorough risk assessments, establishing robust incident management processes and ensuring continuous improvement, CyFort identifies the optimal solutions tailored to your needs.

Partnering with CyFort allows you to focus on your core business while we work with you to ensure seamless compliance with EASA Part-IS. We work with you to develop customized solutions to protect your systems so that you can maintain security and resilience against cyber threats while remaining fully compliant with regulatory standards.