On 2025-06-30
Cybersecurity

Airbus Protect Explains Part-IS: an EASA regulation on Information Security for Civil Aviation Safety

Aviation Regulation & Safety
Summary

Business and aviation resilience is imperative for managing external risks to highly interconnected systems. Part-IS is the latest mandatory regulation issued by the European Union Aviation Safety Agency (EASA).

The objective of Part-IS is to have organisations implement Information Security Management Systems (ISMS) that enable the aviation ecosystem to mitigate and respond to cyber threats, collaboratively enhancing cyber resilience in order to protect aviation safety.

Airbus has a long heritage of working in the aviation regulatory landscape and has actively contributed to several security working groups since their inception. Airbus remains a key player in the standardisation groups that shape cybersecurity directives. Specialising in safety, cybersecurity and sustainability, Airbus Protect supports businesses in achieving and maintaining Part-IS compliance.

 

What’s at Stake for the aviation industry?

Aerospace and aviation have been exposed to unprecedented crises such as COVID-19, armed conflict and climate change. Demand for cyber and information security is high when it comes to protecting assets, people, data and networks. The need for cyber resilience stems from the vulnerability of highly interconnected systems that depend on intact networks of databases, systems and communication channels.

 

Cyber threats and malicious acts have risen in recent years across all domains. With many standards, regulations and directives already in place (ISO, ICAO, IATA and ECSCG to name a few), EASA made sure that Part-IS does not contradict ISO 27001, NIST, NIS2 or other key standards applicable to the aerospace and aviation ecosystem.

 


 

Part-IS is a collaborative framework that allows the overall ecosystem to manage information security risks with a potential impact on aviation safety, with the aim of achieving aviation resilience. The regulation incorporates best practices for the civil aviation ecosystem, ensuring end-to-end coverage from design through operations and maintenance to decommissioning. Part-IS is the first European-level regulation to require the implementation of an ISMS, and it addresses the aviation ecosystem holistically, focusing on securing all safety-critical systems and processes.

 

It’s Crunch Time 

Organisations within the scope of Commission Delegated Regulation (EU) 2022/1645, which covers Design Organisation Approval (DOA) and Production Organisation Approval (POA) holders as well as aerodrome operators, have to comply with Part-IS by 16 October 2025. The remaining approved organisations, covered by Commission Implementing Regulation (EU) 2023/203, must comply by 22 February 2026.

Failing to implement an Information Security Management System (ISMS) in time, or neglecting to demonstrate continuous improvement and robust governance, can have severe consequences for aviation companies: regulatory findings and fines, restrictions on operations, and potentially the suspension of essential approvals and certificates. Organisations should therefore treat these dates not merely as deadlines to meet, but as the point by which the ISMS must be fully up and running and integrated into their daily activities.

Although EASA is not the primary regulating authority for the UK (that role belongs to the UK CAA), Part-IS will apply indirectly where a UK company has subsidiaries in the EU holding EASA approvals (or vice versa). In addition, the CAA is developing a “UK ISMS Regulation” that is firmly based on Part-IS and is likely to align closely with it in terms of expectations and implementation.

 

Regulations and Standards Lay the Foundation for Business & Safety 

In an increasingly digitalised industry, where critical flight, air traffic control, and maintenance systems rely heavily on interconnected IT and operational technology (OT), the integrity and availability of information are paramount. By mandating a standardised Information Security Management System (ISMS), Part-IS ensures all aviation stakeholders establish robust controls and processes to identify, assess, and mitigate cyber threats before they can compromise data essential for safe flight operations.

This framework explicitly links cybersecurity with aviation safety, recognising that a cyberattack can lead to direct safety hazards, operational disruptions, and significant financial and reputational damage. By requiring organisations to adopt a proactive, risk-based approach to information security, including incident management and continuous improvement, Part-IS not only helps prevent security breaches but also builds resilience, allowing for swift recovery should incidents occur. Ultimately, it breaks the silos between Safety and Cybersecurity teams within aviation organisations. Adherence to these regulations fosters a strong security culture across the sector, protecting the entire aviation ecosystem and ensuring public trust in safe air travel.


 

Focusing on Aircraft Critical Safety Data and Connected Systems

The core of the regulation is the civil aviation Information Security Management System (ca-ISMS). A traditional ISMS protects information assets in general; it covers governance, risk management and event management (identifying and managing risks, detecting events, and identifying, responding to and recovering from incidents), continuous improvement and reporting.

 

Part-IS goes beyond outlining general best practices and prescribes specific requirements for several key areas of the aviation sector, including flight planning and operations systems, design and production, maintenance records, and air traffic control communication infrastructure. For example, Part-IS points to EUROCAE ED-201A as guidance for the risk assessment methodology, ensuring a thorough and standardised evaluation of potential threats and vulnerabilities to critical aviation systems and data. Similarly, Part-IS requires procedures for incident response, ensuring timely and effective action in the event of a security breach. Because of the interdependence within the aviation ecosystem, cybersecurity must go beyond safeguarding digital information and must cover the interconnected networks, websites, services, computers and portals through which that information flows.

 

Although establishing an ISMS from scratch takes significant effort, it affords the opportunity to integrate it with the Safety Management System (SMS). Where an organisation already has cybersecurity compliance in place, or an ISMS as part of ISO 27001 certification, the focus will be on determining any safety-related security risks. The overall aim should be a single ISMS that incorporates Part-IS requirements and serves both business and operations.

 

The Part-IS framework is concerned with the life cycle of aviation products, parts and appliances. This encompasses design, production, maintenance, operation and decommissioning. The regulation emphasises the implementation of a robust ISMS to mitigate risks associated with:

  • Unauthorised Access
  • Data Breaches
  • Manipulation of Safety-Critical Information

 

This risk-based approach requires organisations to identify and assess the potential safety impact of information security threats and vulnerabilities. Crucially, Part-IS does not dictate a one-size-fits-all ISMS framework. Instead, it outlines core principles that organisations must adhere to. 

 

These principles form the pillars of a successful ISMS and can be summarised as follows:

Risk Management:

  • Proactive identification of threats and vulnerabilities specific to the organisation’s IT infrastructure, data assets, and overall operations
  • Assessing the likelihood and severity of a safety impact caused by potential security incidents
  • Implementing a hierarchy of controls (preventive, detective, corrective) to mitigate identified risks involving technical measures like firewalls and access controls, and administrative controls like policies and procedures.

 

Organisational Security:

  • Establishing a clear information security policy that outlines the organisation’s commitment to information security and defines employee roles and responsibilities
  • Appointing an Accountable Manager, who is responsible for designating the individuals or team that oversee the compliance monitoring process
  • Ensuring that compliance monitoring functions remain independent of the operational departments they monitor, so that they stay objective and effective
  • Ensuring that personnel involved in compliance monitoring have the appropriate aviation qualifications, experience, regulatory knowledge and/or information security expertise
  • Developing and implementing comprehensive procedures that address the various aspects of information security, including data classification, access control, incident reporting and record-keeping
  • Conducting regular security awareness training programmes to educate all personnel on information security best practices and on how to identify and report suspicious activity
  • Identifying and managing interfaces with safety-critical stakeholders that could result in mutual exposure to information security risks

 

Asset Management:

  • Classifying information assets based on their criticality to the organisation’s operations and safety. This classification determines the strength and level of security measures required to protect each asset
  • Implementing an asset inventory system to maintain a comprehensive record of all safety-critical information assets, including hardware, software and data
  • Enforcing controls to safeguard sensitive assets, such as data encryption and restricted access

 

Incident Management and Reporting:

  • Establishing a well-defined process for detection, response, and recovery from security events, specifically considering information security incidents with potential impact on aviation safety. This includes procedures for preserving evidence, containing the incident and implementing corrective actions to prevent future occurrences
  • Maintaining a communication plan to ensure timely and transparent communication with stakeholders during and after an incident
  • Establishing mechanisms to report information security incidents with a potential impact on aviation safety to the competent authority within the prescribed timelines (an initial notification no later than 72 hours after the organisation becomes aware of the incident). This is a crucial component of compliance.
  • Maintaining up-to-date records and documentation, which is essential to demonstrate compliance during audits and inspections by competent authorities

 

Business Continuity and Disaster Recovery (BCDR):

  • Developing a BCDR plan that outlines how the organisation will maintain critical operations and information availability in the event of disruptions caused by natural disasters, cyber attacks or other unforeseen circumstances
  • The plan should address data backup and recovery procedures, alternative work sites, and communication strategies
  • Regularly testing the BCDR plan to ensure its effectiveness and identify areas for improvement

 

Compliance Monitoring and Improvement:

  • As threats evolve, protection and prevention strategies must change with them. Part-IS mandates that aviation organisations continuously review their information systems and security posture, for example through regular audits and security tests. If an incident takes place, Part-IS requires companies to analyse the event, update their risk assessments and upgrade their defences accordingly.
    • Corrective Actions: Implementing actions to address identified non-conformities and deficiencies.
    • Preventive Measures: Implementing measures based on leading indicators and trend analysis to prevent future compliance failures.
    • Adaptation to Evolving Threats: Regularly updating policies, procedures, and controls to adapt to the dynamic and evolving cyber threat landscape.
    • Lessons Learned: Incorporating lessons learned from incidents, audits, and reviews to refine the ISMS.

 

Challenges Faced by the Part-IS Community 

While Part-IS provides a clear framework, achieving compliance can be challenging due to several factors:

Complexity of the regulation: The regulation can be intricate, with technical language and overlapping requirements across different subparts.

Existing mechanisms and set-ups to be aligned to achieve a fully integrated ISMS: The ISMS needs to be integrated into the existing governance model and organisation with clear lines of reporting and decision making. EASA encourages the integration of the ISMS with existing Safety Management Systems (SMS) and Quality Management Systems (QMS) to achieve a holistic and efficient approach to risk management.

Resource constraints: Organisations, especially smaller ones, may lack the dedicated personnel or expertise required to develop and implement a comprehensive ISMS.

Ensuring supplier compliance: the EASA-approved organisation needs to demonstrate the compliance of its supply chain. This requires not only contract amendments but also assurance that suppliers actually implement the agreed information security measures.

Setting up the right team with the appropriate tools to ensure round-the-clock risk management: there are numerous options for managing compliance and risk. With specialists scarce or expensive, a make-or-buy evaluation is useful (tools, security operations centres, penetration testing, internal audits, etc.).

Legacy systems: integrating new security controls with existing IT infrastructure, particularly legacy systems, can be complex and time-consuming. Some systems are in service without source code or documentation.

Maintaining awareness: Keeping personnel informed about evolving threats and security best practices requires ongoing training and communication efforts.

Airbus Protect can support the aviation industry with its expertise in risk management, helping organisations achieve compliance with Part-IS.

 

Lean Implementation – A Roadmap to Compliance 

Airbus Protect has developed a series of work packages that build on each other to ensure smooth adherence to Part-IS:

  1. Gap Assessment – conduct a maturity evaluation based on best-practice benchmarks and Part-IS requirements
  2. Training & Awareness – build a common understanding of Part-IS and of what merging the safety management system (SMS) with the information security management system (ISMS) requires, so that personnel can take ownership
  3. Strategic Advisory – empower the organisation to define the best-fit governance and organisation (RACI, Part-IS framework) and an implementation action plan
  4. Risk Assessment & Treatment – map the security of safety-relevant processes, IT and assets with potential impact on safety to achieve risk management readiness
  5. Documentation Uplift – ensure all documentation meets the Part-IS requirements
  6. Part-IS Pre-audit – conduct an evidence-based compliance audit, evaluating the operational implementation and technical security maturity
  7. Continuous Improvement – ensure continuous monitoring


 

What Lies Ahead?

EASA is laying the groundwork to secure the future of aviation through R&D initiatives. The importance of cybersecurity continues to rise, and EASA and its ecosystem partners need to work closely together to anticipate, prevent and protect against threats to future connected avionics and flight systems, ensuring secure and safe operations.

All interconnected actors of the civil aviation ecosystem involved in aviation safety now address information security jointly through Part-IS. With Part-IS, all stakeholders comply with one regulation, implement the same framework, target the same objective and move in the same direction. This is what ensures aviation resilience.

 

How Airbus Protect Can Help

Airbus Protect specialises in safety, cybersecurity and sustainability with deep expertise in civil aviation regulatory compliance. As a risk management company, Airbus Protect delivers end-to-end consulting services, training programmes and software solutions, supporting businesses to achieve and maintain Part-IS compliance in a number of ways:

 

Gap Analysis

Identifying the gaps you need to close and developing a gap-closure action plan to achieve Part-IS compliance

Governance Risk and Compliance 

Ensuring you have a lean, efficient, and empowered ca-ISMS setup with the necessary Safety Management System (SMS) integration. 

Implementation

Advising and supporting you in implementing the necessary Part-IS compliance requirements according to your maturity.

Training & Awareness 

As previously mentioned, upskilling your teams to understand the importance of Part-IS and severity of non-conformity to the regulation is critical to achieve compliance. Airbus Protect offers a variety of training packages for all levels within your organisation.

Part-IS-as-a-Service 

Airbus Protect offers Part-IS-as-a-Service, which refers to a specialised offering that helps aviation organisations achieve and maintain compliance with EASA’s Part-IS regulation. Rather than building and managing an entire Information Security Management System (ISMS) in-house from scratch, organisations can leverage our expertise and resources.

Part-IS-as-a-Service provides a comprehensive, outsourced solution for aviation organisations to navigate the intricacies of EASA’s information security regulations, ensuring they meet their obligations and protect aviation safety without needing to become cybersecurity experts themselves.

To find out more or to speak to our experts, visit www.protect.airbus.com
