The aviation industry stands at a critical juncture where cybersecurity and aviation safety converge. Transport Malta's Civil Aviation Directorate (TM-CAD) has issued comprehensive guidance through Information and Advisory Notice (IAN) 28 and Operations Advisory Notice (OAN) 04/25, establishing mandatory Information Security Management Systems (ISMS) requirements that will fundamentally transform how aviation organizations operate. With the February 22, 2026 compliance deadline approaching, organizations must act decisively to implement these groundbreaking Part-IS regulations.
Understanding Part-IS: The New Cybersecurity Paradigm in Aviation
Part-IS, formally known as Commission Implementing Regulation (EU) 2023/203, represents the European Union's most significant aviation cybersecurity initiative to date. This regulation recognizes that information security directly impacts aviation safety, requiring organizations to implement proportionate measures that safeguard critical aviation operations while improving operational efficiency.
The regulation defines information security as "the preservation of confidentiality, integrity, authenticity and availability of network and information systems." More critically, it introduces the concept of "information security risk" as the potential threat to organizational civil aviation operations, assets, individuals, and other organizations due to information security events.
Comprehensive Scope of Part-IS Application
Transport Malta's guidance clarifies that Part-IS affects a broad spectrum of aviation organizations operating under Malta's authority. The regulation applies to organizations covered by multiple EU aviation regulations, including:
- Part-CAMO organizations (Continuing Airworthiness Management Organizations)
- Part-145 maintenance organizations
- AOC holders (Air Operator Certificate)
- NCC operations (Non-Commercial Operations with Complex Motor-Powered Aircraft)
- SPO operations (Specialized Operations)
- Training organizations and FSTD operators
- Aero-medical centres
- Air navigation service providers
This comprehensive scope ensures that virtually every aspect of Malta's aviation ecosystem will operate under enhanced cybersecurity protocols by 2026.
Critical Implementation Timeline and Submission Requirements
Transport Malta has established a structured timeline that organizations must follow to achieve compliance. The most critical dates include:
September 22, 2025: ISMS Documentation Submission Deadline
Organizations must submit their complete ISMS approval applications at least five months before the February 22, 2026 compliance deadline. This timeline allows TM-CAD sufficient time for review, assessment, and addressing queries. Late applications will result in compliance findings being issued at the deadline date.
October 30, 2025: Independent Organization Deadline
CAMO and Part-145 organizations that do not operate under a common management system with an AOC or ATO must submit all required documentation to the Airworthiness Inspectorate by this date.
February 22, 2026: Full Compliance Requirement
All organizations must have their ISMS "present and suitable" by this date, with full operational implementation required.
Comprehensive Document Submission Requirements
Transport Malta has specified detailed documentation requirements that organizations must submit through the Centrik portal. These include:
Core ISMS Documentation
- Information Security Management Manual (ISMM): Can be standalone or integrated with existing Safety Management documentation
- Management of Change documentation: Formal assessment of Part-IS implementation impact
- Compliance Checklist CAD/OPS/Part-IS: Available through Centrik portal and TM website
- Risk Assessment documentation: Comprehensive analysis of Part-IS elements and their associated risks
- Personnel competence assessments: Evaluating staff capabilities against Part-IS requirements
Personnel and Training Requirements
- Common Responsible Person application: When applicable for multi-approval organizations
- Training needs analysis and certificates: Demonstrating personnel competence in information security
- Manpower plan: Covering personnel requirements for Part-IS activities
Operational and Compliance Documentation
- Amended Audit Plan: Updated to incorporate ISMS oversight
- Audit checklists covering Part-IS: Comprehensive compliance monitoring tools
- Data retention policy: Organizational approach to information security data management
- Contracting documentation: Agreements and role assignments for outsourced Part-IS activities
Essential Elements of Information Security Management Systems
Transport Malta's guidance emphasizes that ISMS implementation should leverage existing Safety Management System (SMS) frameworks, allowing organizations to build upon established management structures.
Core ISMS Components
- Security Policy and Governance Structure: Organizations must establish comprehensive security policies defining scope, objectives, and governance frameworks. This includes appointing competent security personnel, potentially including Chief Information Security Officers, Cybersecurity Programme Directors, or Information Security Managers.
- Risk Assessment and Treatment Framework: The foundation of any effective ISMS begins with comprehensive asset identification. Organizations must identify all relevant hardware, software, network, and computing resources used to create, process, transmit, store, or receive operational inputs and outputs. Additionally, organizations must identify operating environments such as offices, public access areas, and access-controlled rooms where these assets operate.
- Incident Management and Response Capabilities: Organizations must implement robust systems for detecting, responding to, and recovering from security incidents. This includes both internal and external reporting schemes that ensure appropriate stakeholders receive timely information about security events that could impact aviation safety.
- Continuous Monitoring and Improvement: Part-IS requires organizations to establish Key Performance Indicators (KPIs) for information security, implement measurement and monitoring systems, and maintain continuous improvement processes that enhance security posture over time.
Personnel Competence and Trustworthiness Requirements
A critical aspect of Part-IS implementation involves ensuring that personnel responsible for information security possess both the necessary competence and trustworthiness. Transport Malta's guidance references established frameworks such as the NICE (National Initiative for Cybersecurity Education) based on the NIST Cybersecurity Framework.
Competence Development Framework
Organizations should use existing cybersecurity competence frameworks as initial guidance, while recognizing that aviation-specific adaptations may be necessary. The regulation's Appendix II maps main tasks to competencies derived from NIST CSF, providing a baseline for identifying competence gaps.
However, organizations must recognize that standard cybersecurity frameworks typically focus on protecting conventional information technologies. Aviation organizations may need to adapt these competencies to address specialized aviation technologies and integrated processes unique to their operations.
Trustworthiness and Due Diligence
Part-IS requires organizations to establish criteria for evaluating the trustworthiness of personnel responsible for information security. This due diligence process must be properly defined in the ISMM, implemented systematically, and documented comprehensively.
Strategic Contracting and Outsourcing Opportunities
Recognizing that many aviation organizations may lack internal cybersecurity expertise, Part-IS explicitly permits contracting specific ISMS functions to qualified service providers. This approach can provide access to experienced personnel and specialized expertise, particularly valuable for smaller organizations or those with limited internal security capabilities.
Contractible ISMS Activities
Organizations may contract various ISMS functions, including:
- Information security monitoring and surveillance
- Incident response and recovery services
- Risk assessment and vulnerability analysis
- Compliance monitoring and audit support
- Specialized security training and competence development
Contracting Requirements and Risk Management
When outsourcing ISMS activities, organizations must formalize arrangements through written executed agreements with contractors. Critical requirements include:
- Pre-assessment of contractors: Evaluating competence, capability, and manpower resources
- Security risk management: Identifying and managing risks associated with contracted services
- Compliance integration: Including contractors in organizational compliance monitoring plans
- Role definition: Clearly specifying assigned roles and information security responsibilities
Derogation Possibilities and Risk-Based Approaches
Transport Malta recognizes that some organizations may operate in environments with minimal information security risks. The regulation provides derogation possibilities under specific circumstances, allowing organizations to demonstrate that their activities, facilities, and resources do not pose information security risks with potential aviation safety impacts.
Derogation Assessment Process
Organizations seeking derogations must follow directions provided in AMC1 IS.I.OR.205(a) and AMC1 IS.I.OR.205(b) to perform documented information security risk assessments. These assessments must demonstrate to TM-CAD that organizational operations pose no information security risks to themselves or other organizations.
The derogation process requires comprehensive documentation and thorough risk analysis, making it suitable primarily for organizations with genuinely minimal cybersecurity exposure.
Integration with Existing Management Systems
A key advantage of Part-IS implementation lies in its compatibility with existing aviation management systems. Organizations already operating under AOC management systems can leverage implemented tools, policies, and documentation to ensure consistency and avoid duplication.
Management System Integration Strategies
- For AOC-Related Organizations: Part-CAMO and Part-145 organizations operating under common AOC management systems should utilize existing AOC Management System tools, policies, and documentation. This approach ensures consistency across organizational functions while minimizing implementation complexity.
- For Independent Operations: Independent CAMO and Part-145 organizations must develop standalone ISMS frameworks, though they can still leverage SMS principles and structures to guide implementation.
Documentation Integration Approaches
The ISMM may be submitted either as a separate document or integrated within existing Safety Management Manuals (MSM). When integrating documentation, organizations must ensure that all items listed in IS.I.OR.250(a) are clearly indicated or cross-referenced under appropriate title headings or index/LEPs.
Assessment and Oversight Framework
Transport Malta will monitor ISMS effectiveness and maturity using concepts similar to EASA's Management System Assessment Tool (MSAT). This approach ensures consistent oversight while allowing organizations to demonstrate continuous improvement in their information security capabilities.
Review and Feedback Process
Upon submission, TM-CAD will review and assess all documents to ensure compliance with Part-IS requirements. The assessment focuses on verifying that organizational ISMS documentation, risk management, training, and audit processes meet regulatory standards. Organizations can expect initial feedback within four weeks of submission.
Ongoing Oversight Requirements
Transport Malta will conduct its first oversight audits of organizational ISMS between six months and one year from the implementation date. This timeline allows organizations to gain operational experience with their ISMS while providing regulatory oversight to ensure continued compliance.
Implementation Strategy and Best Practices
Successful Part-IS implementation requires strategic planning, systematic execution, and sustained commitment to cybersecurity excellence. Organizations should consider the following implementation framework:
Phase 1: Comprehensive Gap Analysis and Planning
Begin with thorough assessment of current information security practices against Part-IS requirements. Identify all organizational assets, operating environments, and potential vulnerabilities. Develop implementation timelines that align with Transport Malta's submission deadlines.
Phase 2: Documentation Development and System Design
Create comprehensive ISMM documentation, either standalone or integrated with existing management systems. Establish risk assessment processes, incident response procedures, and continuous monitoring capabilities. Ensure coordination between different organizational functions and approval types.
Phase 3: Personnel Development and Competence Assurance
Assess current personnel capabilities against Part-IS competence requirements. Develop training programs or engage external service providers to address competence gaps. Implement trustworthiness evaluation processes and maintain documentation of personnel qualifications.
Phase 4: Implementation, Testing, and Continuous Improvement
Deploy ISMS frameworks, conduct testing and validation activities, and establish continuous monitoring processes. Prepare for Transport Malta oversight activities and maintain commitment to ongoing improvement in information security capabilities.
Conclusion: Securing Aviation's Digital Future
EASA's Part-IS requirements represent a fundamental shift in aviation safety and security management. By integrating information security management with traditional aviation safety frameworks, these regulations create comprehensive protection against modern cybersecurity threats while maintaining operational excellence.
Organizations that embrace Part-IS implementation as an opportunity to enhance their operational resilience will emerge stronger and better positioned for future growth. The regulation's flexibility in allowing integration with existing management systems, outsourcing of specialized functions, and risk-based approaches provides multiple pathways to achieve compliance while optimizing organizational capabilities.
Success in this evolving regulatory environment requires proactive engagement with Transport Malta's guidance, strategic planning that leverages existing organizational strengths, and sustained commitment to cybersecurity excellence. Organizations that begin implementation immediately and maintain close coordination with their assigned inspectors will achieve smooth compliance while establishing robust foundations for long-term operational security.
The February 22, 2026 deadline may seem distant, but the complexity of ISMS implementation and the September 2025 submission requirements make immediate action essential. By working systematically through Transport Malta's comprehensive guidance and leveraging available resources and expertise, aviation organizations can successfully navigate these requirements while strengthening their contribution to Malta's position as a leading aviation jurisdiction.
References:
- TM CAD OAN No. 04/25
- TM CAD IAN No. 28
- TM CAD EASA Part-IS Compliance Checklist