Work securely digitally

Modern Aviation Workplace

Device and application management

Our Modern Aviation Workplace is specifically designed to meet the high mobility, security and compliance requirements of the aviation industry. We create a fully managed, secure and user-centric IT environment that supports operations both on the ground and in the air.

Zero Trust, VPNs and endpoint protection

Reliable achievement of compliance - from assessment to audit.

EASA Part-IS

In aviation, cyber security is no longer optional - it is essential. The new EASA Part-IS regulation ensures that all stakeholders in the industry take comprehensive protective measures to secure critical systems and data. CyFort supports you in understanding these requirements and implementing them in a targeted manner so that you can concentrate fully on your core business.
Our EASA Part-IS service begins with a structured gap analysis based on the EASA AMC/GM, NIST SP 800-53 and ISO/IEC 27001 standards. This ensures that your company complies with European aviation regulations while applying globally recognized best practices for information security.
Based on the results, we either support your internal team or implement the necessary measures in full:
The result: Fewer audit findings, improved readiness and a robust security situation.

Who is affected by EASA Part-IS?

Scope of application

The EASA Part-IS Regulation applies to all organizations within the aviation industry that are responsible for the safety and operation of aviation systems.
EASA Part-IS therefore affects all organizations that directly or indirectly influence safety in aviation. These companies must ensure that they continuously protect their information systems and operational processes against cyber threats.

What is EASA Part-IS?

EASA Part-IS is a regulation that addresses information security risks that may impact aviation safety. Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation 2022/1645 within EASA Part-IS provide a set of rules to introduce a modern framework that addresses the risks associated with aviation information security and introduces procedures to ensure the protection of all elements within the scope. By implementing this framework, aviation stakeholders can proactively address cyber threats and ensure a stronger and more resilient infrastructure to maintain the highest security standards in the industry. The aim is to create an environment where cyber security is seamlessly integrated into operational security practices across the aviation sector. For more details, contact us for a no-obligation exchange.

What falls within the scope of EASA Part-IS?

Aviation organizations:
  • Air traffic operators, maintenance companies, air navigation service providers, airports, development and production companies as well as training facilities (ATOs) must comply with the regulations on information security.
Information Security Management System (ISMS):
  • The introduction of an information security management system (ISMS) is mandatory for these organizations in order to identify, assess and manage information security risks that could affect flight safety.
Cybersecurity risks:
  • EASA Part-IS addresses cybersecurity risks that may impact critical aviation systems, including flight operations, air traffic management (ATM), air navigation services (ANS) and airport operations.
Incident management:
  • Organizations must establish mechanisms to detect, respond to and report cybersecurity incidents that could impact aviation safety.
Control and supervision:
  • The regulation focuses on governance and continuous risk management and ensures that organizations define clear roles, responsibilities and reporting mechanisms for dealing with information security risks.

When do I have to comply with the regulations?

Companies must comply with the EASA Part-IS within the following deadlines:
  1. 16 October 2025 for organizations falling within the scope of Delegated Regulation (EU) 2022/1645, i.e. air carriers, design and production organizations, maintenance organizations and other entities involved in critical aviation systems.
  2. 22 February 2026 for other organizations covered by Implementing Regulation (EU) 2023/203. This includes other aviation service providers and competent authorities responsible for monitoring compliance.
Organizations are encouraged to begin preparations as early as possible to ensure they meet these deadlines and avoid disruption.

Is it possible to opt out of the regulation?

Yes, it is possible to waive certain requirements under EASA Part-IS through a process known as a derogation (waiver). However, this is only possible for organizations that can demonstrate that their operations do not pose a significant information security risk to aviation safety. To qualify for this exemption:
  1. The organization must perform a documented risk assessment that demonstrates that its activities do not pose a significant risk to aviation information security.
  2. This risk assessment must be submitted to the competent authority (e.g. the national aviation authority), which examines it and decides whether to grant the exemption.
  3. As a rule, exemptions apply to entities such as design or production organizations that work on non-safety-critical components (e.g. interiors or parts that do not affect the structural integrity or safety of the aircraft).
It is important to note that an exemption is time-limited and will be reviewed on a regular basis. Organizations that receive exemptions must reassess their risk level if their scope of work changes or new cybersecurity threats emerge.

How can this be achieved?

Ensuring compliance with EASA Part-IS can be a complex process that requires a tailored approach to each organization's unique structure and risk exposure. At CyFort, we specialize in helping aviation stakeholders seamlessly integrate the required information security management system (ISMS) into their operations and provide them with a customized path to compliance. With our experience in aviation and cybersecurity, we have successfully guided numerous organizations through the complicated requirements of Part-IS. By conducting thorough risk assessments, establishing robust incident management processes and ensuring continuous improvement, CyFort identifies the optimal solutions tailored to your needs.

Partnering with CyFort allows you to focus on your core tasks while we work with you to ensure seamless EASA Part-IS compliance. We work with you to develop customized solutions to protect your systems so that you can maintain security and resilience against cyber threats while remaining fully compliant with regulatory standards.

Modern flight operations - lean, safe and always compliant.

Electronic Flight Bag (EFB)

Our solution is based entirely on Microsoft Intune and was developed specifically for the requirements of flight operations:
An Electronic Flight Bag (EFB) is the central platform in the cockpit for flight-critical information and tools. It replaces bulky paper manuals and combines navigation charts, performance calculators and weather apps in a unified, digital workspace. We deliver a fully managed EFB ecosystem - from device procurement and deployment to compliance and global lifecycle support.
Additional functions: Secure backups, shared device mode, global replacement service

Why CyFort?

Cooperation

CyFort combines extensive expertise in cyber security with a specialized focus on the aviation industry. Our team brings years of experience in working with safety-critical and regulated organizations and is your competent partner when it comes to implementing EASA Part-IS. With a proven background in safety consulting, we understand the specific challenges and requirements of the industry.

Aviation industry expertise

Broad know-how

Many years of experience

Efficient implementation

Comprehensive risk assessment

Identify and minimize your safety risks for maximum aviation safety.

Individual advice

Tailor-made solutions for your specific needs and regulatory requirements.

Ongoing support

We provide you with long-term support for compliance, updates and cyber security strategies.

Cyber specialists in the aviation industry. Get in touch with us
