Part-IS Information Security Regulations for Safety

EASA framework for cyber resilient aviation

Uninterrupted connectivity is a foremost consideration across the aviation industry, where increasingly digitised, data-, AI-, and ML-driven networks, together with IT systems, cloud, and platforms, require the highest level of cyber and information security. This is especially relevant between aircraft, helicopters, and the Integrated Operations Control Centres (IOCCs) of airlines and other operators, MROs, airports, and ATMs, where information security is of the utmost importance.

Part-IS (Commission Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation (EU) 2022/1645) is the latest EASA regulation to identify and manage information security (IS) risks with potential impact on Aviation Safety.

This regulation will provide a comprehensive framework for governance, risk and event management, continuous improvement, and reporting. This will enable the aviation ecosystem to mitigate and respond to cyber threats with the overall goal of collaboratively enhancing cyber resilience to secure Aviation Safety.

One big challenge will be the efficient and lean integration of the Safety Management System (SMS) and the Civil Aviation Information Security Management System (ca-ISMS) into quality and business resilience management.

What to comply with?

Part-IS compliance requires the establishment of the following framework to identify, manage, and mitigate cyber and information security risk with an impact on aviation safety:

  • Governance and continuous improvement system with documented processes, roles, and responsibilities, empowered and embedded in your organisation 
  • Civil Aviation Information Security Management System (ca-ISMS) integrated into your safety, quality, and business resilience management
  • Management mechanisms and processes to detect, manage, respond to, and mitigate cyber and information security risks
  • Continuous improvement processes (technical and organisational)
  • Established reporting system to share and learn as well as to inform the authorities


Who needs to comply with Part-IS?

Part-IS will be obligatory from October 2025 for EASA approved organisations, within the scope of Delegated Regulation (EU) 2022/1645, and by February 2026 for other organisations. Exceptions and derogations apply.

Why Airbus Protect?

Aviation is in our DNA

For over three decades we have been working in cyber, information security, and safety.

Since the A380 / A350 programme, Airbus Protect has been engaged in aircraft safety and security assurance for Airbus, contributing to and shaping the building blocks of sustainable and resilient security-for-safety risk management.

We have been part of shaping this standard 

We have extensive experience in safety and cybersecurity auditing, governance, and compliance, as well as risk management in aerospace and aviation. We further contribute to the enhancement of standards and risk mitigation in different internal and external working groups.

We know the gaps you have to close 

Part-IS incorporates different cybersecurity standards and directives such as NIST, ISO27k, and NIS2. Some requirements of the new EASA framework, like the establishment of an information security management system (ISMS), may therefore sound familiar. However, this may not be the case, as Part-IS introduces provisions that are specific to the context of Aviation Safety.

Our offer:

Supporting you in gaining compliance

Our safety and security experts work hand in hand with you to implement Part-IS and assist you in achieving the next level: beyond compliance.

Training and Awareness

Prepare your teams for Part-IS with a dedicated training and awareness programme, as well as engagement with serious games to establish a security for safety culture.

Gap Analysis

Identify the gaps you need to close and develop a gap closure action plan to achieve Part-IS compliance.

Governance, Risk and Compliance

Ensure you have a lean, efficient, and empowered ca-ISMS setup with the necessary Safety Management System (SMS) integration.

Implementation

Advise and support you on implementing the necessary Part-IS compliance requirements according to your maturity.

Compliance Pre-Audit

Perform a compliance trial run in accordance with Part-IS. Provide a report that outlines our findings, conclusions, and recommendations.

Beyond Compliance Risk Management

Mature your risk mitigation abilities by establishing a high-performance risk management plan scaled to your specific business environment and needs.

SMS - ISMS - Quality-Management System Integration

Ensure you have a lean, efficient, and empowered ISMS integrated into your SMS, quality and business resilience management.

Security Operations Centre (SOC)

Ensure a suitable Security Operations Centre setup. Support and prepare a make-or-buy decision.

Vulnerability Identification and Management

Integrate IDR, pentest, and red-teaming capabilities.

Automation of Compliance and Risk Management

Support in the specification of requirements and selection of compliance and risk management tools.

Culture and Human Factors

Integrating human factors management into your culture.

Crisis and Business Continuity Management

Strengthen crisis management and attack mitigation.

Fence

Discover Fence, our security risk management software


Our software, Fence, supports businesses with their compliance assessments. It enables you to follow up on identified risks and their best-suited treatment plans, providing graphics and indicators.
