What is it about?

Contents

In aviation, cyber security is no longer optional - it is essential. The new EASA Part-IS regulation ensures that all stakeholders in the industry take comprehensive protective measures to secure critical systems and data. CyFort supports you in understanding these requirements and implementing them in a targeted manner so that you can concentrate fully on your core business.
Discover what EASA Part-IS means for you and how we can help you integrate compliance and cyber resilience into your processes.
CyFort supports you in implementing the five steps of the cybercycle and thus creating a robust security concept that optimally prepares your organization for threats and ensures rapid responsiveness.
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
With EASA Part-IS, the aviation industry is creating uniform standards for cyber security to minimize such risks and increase safety for all.

EASA Part-IS is a regulation that addresses information security risks that may impact aviation safety. Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation 2022/1645 within EASA Part-IS provide a set of rules to introduce a modern framework that addresses the risks associated with aviation information security and introduces procedures to ensure the protection of all elements within the scope. By implementing this framework, aviation stakeholders can proactively address cyber threats and ensure a stronger and more resilient infrastructure to maintain the highest security standards in the industry. The aim is to create an environment where cyber security is seamlessly integrated into operational security practices across the aviation sector. For more details, contact us for a no-obligation exchange

Aviation organizations:

  • Air traffic operators, maintenance companies, air navigation service providers, airports, development and production companies as well as training facilities (ATOs) must comply with the regulations on information security.

Information Security Management System (ISMS):

  • The introduction of an information security management system (ISMS) is mandatory for these organizations in order to identify, assess and manage information security risks that could affect flight safety.

Cybersecurity risks:

  • EASA Part-IS addresses cybersecurity risks that may impact critical aviation systems, including flight operations, air traffic management (ATM), air navigation services (ANS) and airport operations.

Incident management:

  • Organizations must establish mechanisms to detect, respond and report cybersecurity incidents that could impact aviation safety.

Control and supervision:

  • The regulation focuses on governance and continuous risk management and ensures that organizations define clear roles, responsibilities and reporting mechanisms for dealing with information security risks.

Companies must comply with the EASA Part-IS within the following deadlines:

  1. 16 October 2025 for organizations falling within the scope of Delegated Regulation (EU) 2022/1645, i.e. air carriers, design and production organizations, maintenance organizations and other entities involved in critical aviation systems.
  2. 22 February 2026 for other organizations covered by Implementing Regulation (EU) 2023/203. This includes other aviation service providers and competent authorities responsible for monitoring compliance.

Organizations are encouraged to begin preparations as early as possible to ensure they meet these deadlines and avoid disruption.

Yes, it is possible to waive certain requirements under EASA Part-IS through a process known as derogation. However, this is only possible for organizations that can demonstrate that their operations do not pose a significant information security risk to aviation safety. To qualify for this waiver:

  1. The organization must perform a documented risk assessment that demonstrates that its activities do not p ose a significant risk to aviation information security.
  2. This risk assessment must be submitted to the competent authority (e.g. the national aviation authority), which examines it and decides whether to grant the exemption.
  3. As a rule, exemptions apply to entities such as design or production organizations that work on non-safety-critical components (e.g. interiors or parts that do not affect the structural integrity or safety of the aircraft).

It is important to note that an exemption is time-limited and will be reviewed on a regular basis. Organizations that receive exemptions must reassess their risk level if their scope of work changes or new cybersecurity threats emerge

Ensuring compliance with EASA Part-IS can be a complex process that requires a tailored approach to each organization’s unique structure and risk exposure. At CyFort, we specialize in helping aviation stakeholders seamlessly integrate the required information security management system (ISMS) into their operations and provide them with a customized path to compliance. With our experience in aviation and cybersecurity, we have successfully guided numerous organizations through the complicated requirements of Part-IS. By conducting thorough risk assessments, establishing robust incident management processes and ensuring continuous improvement, CyFort identifies the optimal solutions tailored to your needs.

Partnering with CyFort allows you to focus on your core business while we work with you to ensure seamless compliance with EASA Part-IS. We work with you to develop customized solutions to protect your systems so that you can maintain security and resilience against cyber threats while remaining fully compliant with regulatory standards.

What is EASA part-IS?

EASA Part-IS is a regulation that addresses information security risks that may impact aviation safety. Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation 2022/1645 within EASA Part-IS provide a set of rules to introduce a modern framework that addresses the risks associated with aviation information security and introduces procedures to ensure the protection of all elements within the scope. By implementing this framework, aviation stakeholders can proactively address cyber threats and ensure a stronger and more resilient infrastructure to maintain the highest security standards in the industry. The aim is to create an environment where cyber security is seamlessly integrated into operational security practices across the aviation sector. For more details, contact us for a no-obligation exchange

What falls within the scope of EASA Part-IS?

Aviation organizations:
  • Air traffic operators, maintenance companies, air navigation service providers, airports, development and production companies as well as training facilities (ATOs) must comply with the regulations on information security.
Information Security Management System (ISMS):
  • The introduction of an information security management system (ISMS) is mandatory for these organizations in order to identify, assess and manage information security risks that could affect flight safety.
Cybersecurity risks:
  • EASA Part-IS addresses cybersecurity risks that may impact critical aviation systems, including flight operations, air traffic management (ATM), air navigation services (ANS) and airport operations.
Incident management:
  • Organizations must establish mechanisms to detect, respond and report cybersecurity incidents that could impact aviation safety.
Control and supervision:
  • The regulation focuses on governance and continuous risk management and ensures that organizations define clear roles, responsibilities and reporting mechanisms for dealing with information security risks.

When do I have to comply with the regulations?

Companies must comply with the EASA Part-IS within the following deadlines:
  1. 16 October 2025 for organizations falling within the scope of Delegated Regulation (EU) 2022/1645, i.e. air carriers, design and production organizations, maintenance organizations and other entities involved in critical aviation systems.
  2. 22 February 2026 for other organizations covered by Implementing Regulation (EU) 2023/203. This includes other aviation service providers and competent authorities responsible for monitoring compliance.
Organizations are encouraged to begin preparations as early as possible to ensure they meet these deadlines and avoid disruption.

Is it possible to opt out of the regulation?

Yes, it is possible to waive certain requirements under EASA Part-IS through a process known as derogation. However, this is only possible for organizations that can demonstrate that their operations do not pose a significant information security risk to aviation safety. To qualify for this waiver:
  1. The organization must perform a documented risk assessment that demonstrates that its activities do not pose a significant risk to aviation information security.
  2. This risk assessment must be submitted to the competent authority (e.g. the national aviation authority), which examines it and decides whether to grant the exemption.
  3. As a rule, exemptions apply to entities such as design or production organizations that work on non-safety-critical components (e.g. interiors or parts that do not affect the structural integrity or safety of the aircraft).
It is important to note that an exemption is time-limited and will be reviewed on a regular basis. Organizations that receive exemptions must reassess their risk level if their scope of work changes or new cybersecurity threats emerge

How can this be achieved?

Ensuring compliance with EASA Part-IS can be a complex process that requires a tailored approach to each organization's unique structure and risk exposure. At CyFort, we specialize in helping aviation stakeholders seamlessly integrate the required information security management system (ISMS) into their operations and provide them with a customized path to compliance. With our experience in aviation and cybersecurity, we have successfully guided numerous organizations through the complicated requirements of Part-IS. By conducting thorough risk assessments, establishing robust incident management processes and ensuring continuous improvement, CyFort identifies the optimal solutions tailored to your needs. Partnering with CyFort allows you to focus on your core tasks while we work with you to ensure seamless EASA Part-IS compliance. We work with you to develop customized solutions to protect your systems so that you can maintain security and resilience against cyber threats while remaining fully compliant with regulatory standards.
Who is affected by EASA Part-IS?

Scope of application

The EASA Part-IS Regulation applies to all organizations within the aviation industry that are responsible for the safety and operation of aviation systems.
EASA Part-IS therefore affects all organizations that directly or indirectly influence safety in aviation. These companies must ensure that they continuously protect their information systems and operational processes against cyber threats.

Non-binding exchange

CONTACT NOW CONTACT NOW
Why CyFort?

Cooperation

CyFort combines extensive expertise in cyber security with a specialized focus on the aviation industry. Our team brings years of experience in working with safety-critical and regulated organizations and is your competent partner when it comes to implementing EASA Part-IS. With a proven background in safety consulting, we understand the specific challenges and requirements of the industry.

Industry expertise
Aviation

Broad
know-how

Many years of
experience

Efficient
implementation

Comprehensive risk assessment

Identify and minimize your safety risks for maximum aviation safety.

Individual advice

Tailor-made solutions for your specific needs and regulatory requirements.

Ongoing support

We provide you with long-term support for compliance, updates and cyber security strategies.

Cyber specialists in the aviation industry. Get in touch with us

Contact form

Write to us