EASA Part-145 + Part-IS Management Personnel: The Post-22-February-2026 Compliance Reality — and How to Fix a Late or Misaligned Structure

George Spiteri

EASA's revised Work Instruction WI.CAO.00115-007, approved on 7 November 2025, fundamentally changes how Foreign Part-145 Approved Maintenance Organisations (AMOs) must structure their management team. Issue 007 integrates Part-IS (Information Security) postholders into the Part-145 organisation chart for the first time, introduces the new role of Common Responsible Person (CRP), and sets a hard deadline of 22 February 2026 for postholders to comply.

That deadline has now passed. If your organisation submitted late, missed it, or applied a structure that EASA later questioned, you are now operating outside the boundaries of WI.CAO.00115-007 — and the remediation path is narrower than the preparation path was. This article walks through what changed, the seven EASA-accepted organisation structures, the new résumé regime that replaced EASA Form 4, the independent-auditor trap that many small organisations are walking straight into, and the practical steps to bring a non-compliant Part-145 AMO back into alignment.

 

Key takeaways

  • WI.CAO.00115-007 (Issue 007, 07/11/2025) endorses Regulation (EU) 2023/203 and Regulation (EU) 2022/1645, introducing Part-IS postholders into the Part-145 management framework.
  • Three new nominated persons may now appear on a Part-145 organisation chart: Compliance Monitoring Manager Part-IS, Information Security Manager (ISM), and optionally an Information Technology Manager.
  • A fourth role, the Common Responsible Person (CRP), can be appointed at corporate level under IS.I.OR.240(d) when an organisation holds several approvals or handles information security at group level.
  • EASA accepts seven distinct organisation structures — Examples 1a, 1b, 1c, 2, 3a, 3b and 3c — depending on size and corporate complexity.
  • When a small AMO assigns Compliance Monitoring, Safety and Information Security to the same person (Example 3c), the annual internal audit of that combined function must be conducted by an independent auditor.
  • The EASA Form 4 was deleted in Issue 006 (10 November 2022) and replaced by a written résumé issued on FO.CAO.00156. Issue 007 keeps this approach and adds résumé requirements for the new Part-IS roles.
  • The deadline for Part-IS postholder compliance was 22 February 2026. Organisations that missed it are exposed during their next EASA oversight visit.

 

What changed in WI.CAO.00115-007 (Issue 007)

The work instruction's own change log is unambiguous about what Issue 007 brings: it endorses Regulation (EU) 2023/203 and 2022/1645 to introduce Part-IS into the Part-145 management personnel framework. To appreciate the scale of the shift, it is worth recalling that Issue 006 — published in November 2022 — was already a substantial revision. That issue endorsed Regulation (EU) 2021/1963 (the regulation that introduced SMS into Part-145), deleted the EASA Form 4 in favour of a written résumé, replaced the Quality Manager title with Compliance Monitoring Manager, and endorsed the Safety Manager as a nominated person.

Issue 007 builds on top of that foundation. Where Issue 006 added the Safety Manager, Issue 007 adds — depending on how the organisation chooses to structure itself — up to four further roles in the Part-145 management hierarchy:

  • Compliance Monitoring Manager Part-IS (CMM-IS) — nominated person. May be the same individual as the Compliance Monitoring Manager Part-145, or a separate appointee.
  • Information Security Manager (ISM) — nominated person, structurally equivalent to the Safety Manager. Required in every Part-145 + Part-IS organisation regardless of size.
  • Information Technology Manager — optional. Only appears as a nominated person when the ISM reports directly to the Accountable Manager (Option 2 in the EASA diagrams).
  • Common Responsible Person (CRP) — optional, corporate-level. Available under IS.I.OR.240(d) where the organisation holds several EASA approvals or handles information security at group level.

None of these roles dilute the Accountable Manager's accountability. As Issue 007 reiterates, the delegation of activities to a CRP does not imply delegation of accountability — that remains, always, with the Accountable Manager.

The new management personnel inventory — who needs a résumé and who doesn't

EASA distinguishes sharply between roles that require a résumé (and therefore formal acceptance by the competent authority) and roles that do not. The distinction matters for two reasons: it determines what documentation must accompany every initial Part-145 application or change-of-postholder submission, and it dictates which positions become a compliance finding during oversight if the evidence file is incomplete.

| Role | Framework | Résumé required? | Nominated person? |
|---|---|---|---|
| Accountable Manager | Part-145 | Yes | Yes |
| Base / Line / Workshop / Maintenance Manager | Part-145 | Yes | Yes |
| Compliance Monitoring Manager (Part-145) | Part-145 | Yes | Yes |
| Safety Manager | Part-145 | Yes | Yes |
| Responsible NDT Level III | Part-145 | Yes | Yes |
| Other Managers (Engineering, Logistic, etc.) | Part-145 | No* | No |
| Deputy nominated personnel | Part-145 | No* | No |
| Compliance Monitoring Manager (Part-IS) | Part-IS | Yes | Yes |
| Information Security Manager | Part-IS | Yes | Yes |
| Information Technology Manager (optional) | Part-IS | Yes (if appointed as NP) | If appointed |
| Common Responsible Person (optional) | Part-IS | Yes (if appointed) | If appointed |

* EASA does not process applications for these positions. However, the Maintenance Organisation Exposition (MOE) must make clear who deputises for each nominated person during lengthy absence, and the organisation is responsible for ensuring the deputy demonstrates an equivalent level of qualifications and experience.

The seven EASA-accepted organisation structures

Issue 007 presents seven worked examples of how to combine Part-145 and Part-IS roles. They are not optional templates — they are the structures EASA will accept. Any organisation chart submitted to EASA should map clearly onto one of them. Choosing the wrong one, or constructing a hybrid that EASA does not recognise, is one of the most common reasons for a stalled or rejected MOE amendment.

Decision tree — which structure fits your organisation?

 

Examples 1a, 1b, 1c — large organisations

The Example 1 family represents large maintenance organisations with distinct Base, Line and Workshop maintenance functions, separate Engineering, Logistic and NDT functions, and a full Compliance Monitoring and Safety apparatus. The three variants differ only in how the Common Responsible Person is positioned:

  • Example 1a (no CRP) — the Information Security Manager and (optionally) the Information Technology Manager report directly to the Accountable Manager, alongside the Part-145 nominated persons. This is the cleanest structure when the organisation holds a single approval and has no group-level information security function.
  • Example 1b (CRP — Option A) — the CRP is appointed at corporate level under IS.I.OR.240(d) and exchanges information directly with the Accountable Manager. The ISM, however, still reports operationally to the AM rather than to the CRP.
  • Example 1c (CRP — Option B) — the CRP not only coordinates with the AM but also has the ISM (and optionally the Information Technology Manager) reporting directly to it. This is the structure favoured by multi-AOC groups, MRO networks, and design-and-maintenance groups where information security is genuinely managed at corporate level.

 

Example 2 — medium organisation

Example 2 consolidates the Base, Line and Workshop Maintenance functions under a single Maintenance Manager, and groups Compliance Monitoring (covering both Part-145 and Part-IS) with the Safety Manager role into a single nominated person. The Information Security Manager remains a distinct nominated person, with Information Technology Manager as an option. This is the structure most commonly adopted by medium-sized Part-145 organisations whose corporate complexity does not justify a CRP, but whose maintenance volume justifies a single accountable Maintenance Manager rather than three.

Examples 3a, 3b, 3c — small organisations under AMC 145.A.30(b).2

The three small-organisation structures reflect the reality of many Foreign Part-145 AMOs: limited staffing, no group-level information security function, and a need to combine roles in one or two people. EASA accepts three variants:

  • Example 3a — three separate nominated persons: a Maintenance Manager, a combined Compliance Monitoring & Safety Manager covering both Part-145 and Part-IS, and a separate Information Security Manager.
  • Example 3b — the Maintenance Manager holds the additional position of Information Security Manager. Two nominated persons total.
  • Example 3c — the Compliance Monitoring Manager (Part-145 + Part-IS) & Safety Manager additionally holds the Information Security Manager role. Two nominated persons total, but with a critical caveat (see next section).

The Common Responsible Person — what it is, and when to actually use it

The Common Responsible Person is the most genuinely new concept in Issue 007. It is described in IS.I.OR.240(d) and is positioned, in Aviathrust's reading, as an answer to a real industry problem: a group of companies operating multiple EASA approvals — for example a parent organisation holding a Part-145 plus a Part-CAMO plus a Part-21 DOA — should not have to invent independent Part-IS governance per certificate. The CRP allows one corporate-level role to coordinate information security policy and resource mobilisation across the group, while leaving the Accountable Manager of each approved organisation fully accountable.

EASA is specific about the CRP's profile. The person should hold high-level authority at corporate level, with appropriate competence and authority to take corresponding decisions and to control and mobilise the needed financial means and resources across the different organisations. In other words: this is a board-adjacent role, not an IT department lead. A CISO at group level with budgetary authority and direct reporting access to the executive committee will typically fit. A Part-145 Compliance Monitoring Manager who happens to have a security background will typically not.

Two options exist for how the CRP relates to the rest of the Part-145 structure:

  • Option A (Example 1b) — the CRP coordinates with the Accountable Manager, but the Information Security Manager and (if appointed) Information Technology Manager still report operationally to the AM. The CRP's role here is governance, not line management.
  • Option B (Example 1c) — the ISM (and IT Manager) report through the CRP. The CRP becomes both governance node and the operational supervisor of the information security function.

The choice between Option A and Option B is essentially a question of where the budget lives. If information security spending is approved at corporate level and the local Part-145 AM has no veto over it, Option B is the honest picture. If the AM owns the budget and the CRP is a coordinating force only, Option A reflects reality. Submitting an org chart that does not reflect the real reporting line is one of the fastest ways to lose credibility during an EASA oversight visit.

CMM Part-145 vs CMM Part-IS — one person or two?

Issue 007 explicitly permits both options. The organisation may nominate two separate persons for the positions of Compliance Monitoring Manager Part-145 and Compliance Monitoring Manager Part-IS, or may nominate the same person for both. The right answer is rarely obvious without analysis, but four considerations dominate:

  1. Audit workload. The Part-IS audit programme is a complete additional layer on top of the existing Part-145 audit programme. Each ISMS process, supplier-security control, incident-response procedure, and personnel-trustworthiness measure becomes auditable. A single CMM may simply not have the available time.
  2. Competence asymmetry. Auditing a Part-145 workshop is not the same skill as auditing an ISMS. The Part-IS CMM needs working knowledge of information security risk management, NIS 2 equivalence assessments where relevant, and the structure of ISO/IEC 27001 (with which Part-IS is broadly aligned). Many traditional CMMs do not yet have this competence.
  3. Independence of audit. If the CMM also operates the ISMS function (because they wear an ISM hat), then the CMM cannot independently audit the ISMS. This is the independent-auditor trap discussed below.
  4. Visibility to EASA. A single CMM covering both gives EASA one point of contact and one signature on the compliance monitoring programme. Two separate CMMs require clear demarcation in the MOE/ISMM and may invite oversight questions about coordination.

Information Security Manager competencies under ECSF

Where Issue 007 differs most visibly from any previous Part-145 work instruction is in its treatment of the Information Security Manager's competence requirements. Rather than enumerating qualifications and experience inline — as the work instruction does for every other nominated person — it points outward, to the European Cybersecurity Skills Framework (ECSF) published by ENISA.

ECSF identifies tasks and skills applicable to the Chief Information Security Officer (CISO) profile, which Issue 007 maps directly onto the Part-IS Information Security Manager in the Part-145 domain. The Part-145 organisation has to assess and identify the different tasks and skills relevant to its own operation and then demonstrate how the proposed ISM achieves the competence for each of those tasks — by experience, training, or both. The outcome of this assessment is recorded and provided as part of the résumé package submitted to EASA.

Practically, this means the ISM résumé carries more analytical weight than any other Part-145 résumé. It is not a chronological CV with an attached list of training certificates; it is a competence demonstration that maps the candidate's experience against an external framework. Organisations that submit traditional CVs for the ISM role are routinely sent back to perform the ECSF mapping properly.

 

The independent auditor pitfall that small organisations are walking into

Issue 007 contains a paragraph that small organisations routinely miss. When the same person holds the Compliance Monitoring function (covering Part-145 and Part-IS) and the Information Security Manager role — as in Example 3c — the annual internal audit of the compliance monitoring function, including the information security aspect of the ISMS, must be conducted by an independent auditor.

EASA defines "independent auditor" as an appropriately qualified internal or external person not involved in the ISMS-related processes. The examples given in Issue 007 are:

  • A person employed by the maintenance organisation but working in another department — production, for example — who is qualified to audit but not involved in ISMS processes; or
  • A person contracted by the maintenance organisation on a part-time basis or under a short-term contract based on 145.A.30(d), specifically to perform audits on the Compliance Monitoring and Information Security procedures.

EASA is at pains to point out that the second option is not subcontracting of the compliance monitoring function. Subcontracting CMM responsibilities to an external organisation is not permitted; what is permitted is contracting an independent auditor to perform a discrete audit task. The functional accountability for compliance monitoring remains with the nominated CMM.

The new résumé regime replacing EASA Form 4

For years, applicants to EASA for Part-145 nominated person acceptance submitted an EASA Form 4 — a structured one-pager listing qualifications, experience and signatures. Issue 006, published in November 2022, deleted the Form 4 and replaced it with a written résumé issued on form FO.CAO.00156, available for download from the EASA website. Issue 007 keeps this approach and extends the résumé regime to cover the new Part-IS roles.

A résumé is required for the Accountable Manager, every nominated person under Part-145 (including the Responsible NDT Level III), and every nominated person under Part-IS. It is not required for "Other Managers" such as the Engineering Manager or Logistic Manager, and it is not required for deputy nominated personnel — however the MOE must make clear who deputises for whom, either by named individual or by procedure, and the organisation remains responsible for the deputy's qualifications.

The résumé is signed by the proposed postholder and is submitted alongside the EASA Form 2 and a draft Maintenance Organisation Exposition. The evidence of training and experience referenced in the résumé is attached. EASA's assigned inspector reviews the résumé, and may complement the documental review with an interview — mandatory during initial approval, and at the inspector's discretion for changes of nominated persons, except in cases of simultaneous replacement of multiple postholders, where the interview becomes mandatory.

Post-deadline reality — what to do if you missed 22 February 2026

The deadline for Part-IS postholder compliance under WI.CAO.00115-007 was 22 February 2026. That date has passed. The realistic compliance status of the Foreign Part-145 community varies widely:

  1. Organisations that submitted on time, in the correct structure, and received EASA acceptance. These organisations should now be operating their Part-IS function and accumulating audit evidence for the first oversight cycle. The 18-month implementation period that follows the entry-into-force date provides additional buffer for full ISMS maturity, but the postholder structure itself should be in place.
  2. Organisations that submitted on time but in the wrong structure. EASA's response in this situation is generally a finding requiring restructure, not an outright suspension. The remediation is an MOE/ISMM amendment selecting the correct structure (1a through 3c), with new résumés where required, within a corrective action plan timeframe agreed with the inspector.
  3. Organisations that submitted late or have not yet submitted. These organisations are now operating outside the bounds of Issue 007. The risk during the next EASA audit is real: a finding against 145.A.30 in combination with IS.I.OR.240 is normally treated as a Level 1 or significant Level 2 finding, depending on operational impact and on whether the AMO can demonstrate that interim risk controls were in place.
  4. Organisations that proposed Part-IS roles but used unaccepted hybrids. The most common failure mode we have observed in advisory work is an organisation that names an "IT Manager" as the Part-IS focal point without nominating an ISM, or assigns the CMM-IS to a person without ECSF-aligned competence. Neither pattern aligns with any of the seven accepted structures, and neither will survive review.

The remediation pattern is the same in every case: identify which of the seven structures the organisation should adopt, prepare résumés on FO.CAO.00156 for the nominated persons, draft or amend the MOE and ISMM accordingly, and present the package as an MOE amendment to the assigned inspector together with a corrective action plan if there is already an open finding.

Frequently asked questions

What is WI.CAO.00115-007?

WI.CAO.00115-007 is the EASA Work Instruction governing management personnel of Foreign Part-145 Approved Maintenance Organisations — that is, Part-145 AMOs with their principal place of business outside the EU. Issue 007, approved on 7 November 2025 and applicable from 15 November 2025, endorses Regulation (EU) 2023/203 and 2022/1645 to introduce Part-IS postholders into the Part-145 management structure.

What is the deadline for Part-IS postholder compliance under WI.CAO.00115-007?

The deadline was 22 February 2026. Organisations were expected to ensure that their postholders meet the requirements of WI.CAO.00115-007 as part of the Part-IS application package by that date.

What is a Common Responsible Person under Part-IS?

The Common Responsible Person (CRP) is a corporate-level role provided for under IS.I.OR.240(d). It allows an organisation that holds several EASA approvals or that handles information security at group level to delegate the operational activities of information security management to a single high-level position, while the Accountable Manager of each approved organisation retains full accountability. The CRP is optional — not every organisation needs one.

Can one person be both the Compliance Monitoring Manager Part-145 and the Compliance Monitoring Manager Part-IS?

Yes. Issue 007 explicitly permits the organisation to nominate the same person for both roles, or two separate persons. The decision depends on audit workload, competence asymmetry, audit independence, and organisational visibility to EASA.

Does a small Part-145 organisation need a separate Information Security Manager?

Not necessarily. Examples 3b and 3c in WI.CAO.00115-007 permit the ISM role to be held by the Maintenance Manager (Example 3b) or by the combined Compliance Monitoring & Safety Manager (Example 3c). However, in Example 3c the annual internal audit of the compliance monitoring function must be performed by an independent auditor, since the CMM cannot independently audit functions they themselves operate.

What replaced EASA Form 4 for nominated person acceptance?

EASA Form 4 was deleted in Issue 006 of WI.CAO.00115 (10 November 2022) and replaced by a written résumé issued on form FO.CAO.00156 "Management Personnel Résumé," available for download from the EASA website. Issue 007 keeps this approach and extends it to the new Part-IS roles.

What is the European Cybersecurity Skills Framework (ECSF) and why does it apply to the ISM?

The ECSF is a framework published by ENISA (the European Union Agency for Cybersecurity) that identifies the main tasks and skills associated with cybersecurity roles, including the Chief Information Security Officer (CISO) profile. WI.CAO.00115-007 maps the Part-IS Information Security Manager onto the ECSF CISO profile and requires the Part-145 organisation to assess and document how the proposed ISM meets each applicable task and skill — by experience, training, or both. The assessment is provided as part of the ISM résumé package.

Is Part-IS compliance monitoring subcontractable?

The function itself is not subcontractable in the sense that the accountability cannot be transferred away from the organisation. EASA confirms that responsibility for performing tasks pertinent to Part-IS can be transferred to a subcontractor, but accountability stays with the organisation. Contracting an independent auditor under 145.A.30(d) to perform discrete audit tasks — for example, the annual audit of a combined CMM/ISM function — is not subcontracting of compliance monitoring; it is a discrete audit task that satisfies the independence requirement.

How Aviathrust supports Part-145 + Part-IS structures

Aviathrust supports Foreign Part-145 AMOs through three complementary services that map directly onto the WI.CAO.00115-007 lifecycle: Part-145 consultancy for initial structure design and MOE amendment, EASA Part-IS Information Security Management course for postholder competence development against ECSF, and independent compliance auditing that satisfies the independent-auditor requirement for small organisations operating under Example 3c. If your organisation is uncertain which of the seven structures applies, or has already received an EASA finding against Issue 007, the practical next step is a short consultation call to walk through the structure decision and the documentation gap.

 

References

EASA Work Instruction WI.CAO.00115-007, "EASA Foreign Part-145 — Management Personnel," Issue 007, approval date 07/11/2025 · Commission Implementing Regulation (EU) 2023/203 · Commission Delegated Regulation (EU) 2022/1645 · Part-IS.I.OR (Annex II to Implementing Regulation (EU) 2023/203) · AMC1 145.A.30(b).2 · EASA Form FO.CAO.00156 "Management Personnel Résumé" · ENISA European Cybersecurity Skills Framework (ECSF), User Manual.

