EASA Part-IS Is Not an IT Problem: What Aviation Organisations Get Wrong About Information Security Compliance

George Spiteri

If your organisation has assigned EASA Part-IS to your IT department and considers the matter handled, you are heading for an oversight finding. I have been part of enough audit conversations over the last 18 years to recognise the pattern: a regulation lands, the title contains the words “information security,” and the operational side of the business hands the file to whoever runs the servers. With Part-IS, that reflex is wrong, and the regulation itself says so.

This article is for aviation Accountable Managers, Compliance Monitoring Managers, Safety Managers, post-holders and operational leadership in CAMOs, Part-145 maintenance organisations, AOC holders, Approved Training Organisations, ATM/ANS providers, ground handling service providers, design and production organisations, and any other entity now in scope of Part-IS. It sets out — using direct references to the published regulations, the Easy Access Rules and the EASA FAQs — what Part-IS actually is, the most common misconceptions held about it, and what your organisation needs to do to demonstrate that it understands the difference.

 

What EASA Part-IS Actually Is

 

Part-IS is the EASA regulatory framework for the management of information security risks with a potential impact on aviation safety. That eight-word qualifier is the entire point of the regulation, and it is the line that most non-aviation interpretations of the rules walk straight past.

 

Part-IS consists of two legally binding instruments:

 

  • Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022, applicable since 16 October 2025 to design organisations, production organisations, aerodrome operators and apron management service providers within the scope of Regulation (EU) No 139/2014. The scope was subsequently extended to ground handling service providers by Commission Delegated Regulation (EU) 2025/22, with the substantive obligations on those organisations applying from 27 March 2031.

     

  • Commission Implementing Regulation (EU) 2023/203 of 27 October 2022, applicable since 22 February 2026 to Part-145 maintenance organisations, Continuing Airworthiness Management Organisations (CAMOs), Air Operators (Part-ORO), Approved Training Organisations (ATOs), aircrew aero-medical centres, FSTD operators, ATCO training organisations, ATM/ANS organisations, and U-space service providers.

     

The consolidated reference document — the Easy Access Rules for Information Security (Regulations (EU) 2023/203 and 2022/1645), with its most recent revision published by EASA in December 2025 — combines both regulations with their Acceptable Means of Compliance (AMC) and Guidance Material (GM), as amended by ED Decision 2023/010/R and the more recent ED Decisions 2025/013/R, 2025/014/R and 2025/015/R.

 

In plain terms: every covered organisation must establish, implement, maintain and continuously improve an Information Security Management System (ISMS) to identify, assess, treat, monitor and report information security risks that could affect aviation safety. The full scope of the organisational requirements runs from IS.I.OR.100 (Scope) through IS.I.OR.260 (Continuous Improvement), with parallel provisions in Part-IS.D.OR for Delegated Regulation entities.

 

That is what Part-IS is. Now to what it is not.

 

Misconception 1: “Part-IS Is a Cybersecurity Regulation”

It is not. Part-IS is an aviation safety regulation that addresses information security as a safety risk vector. The distinction matters legally, organisationally and operationally.

A pure cybersecurity regulation — for example, the NIS2 Directive (Directive (EU) 2022/2555) — is concerned with the resilience of digital infrastructure for its own sake. Part-IS is concerned only with information security risks insofar as their realisation could compromise the safety of an aircraft, an air operation, a maintenance action, a continuing-airworthiness decision, or an ATM/ANS service.

This is why the Easy Access Rules require every Part-IS scope assessment to begin not with an inventory of IT assets, but with the question: which of our information assets, systems and interfaces, if compromised in their confidentiality, integrity, authenticity or availability, could result in an aviation safety consequence? It is worth being precise about that property set. Part-IS does not adopt the classical CIA triad of generic information security work; it requires CIAA — confidentiality, integrity, authenticity and availability — with authenticity made explicit by EASA at IS.I.OR.245(d) of Part-IS.I.OR (and IS.D.OR.245(d) of Part-IS.D.OR). The four properties matter for distinct reasons. Confidentiality matters when leaked information could enable an attack. Integrity matters when corrupted data could mislead a maintenance, flight or airworthiness decision. Authenticity matters when forged or impersonated information — a falsified part certificate, a maintenance entry that purports to come from a certifying engineer who never made it, an EAD that appears to come from the competent authority but does not — could be acted on as if genuine. Availability matters when systems being unavailable would force unsafe workarounds.

A pure-IT scoping that catalogues servers, workstations and network segments will miss exactly the assets that matter most under Part-IS: the Continuing Airworthiness records, the airworthiness review documentation, the type-certificate-data interfaces, the load and trim software, the Electronic Flight Bag, the maintenance task cards, the deferred-defect database, the supplier-supplied parts certification trail, the Operations Manuals on tablets in the cockpit. Some of these sit in IT systems. Several do not. All of them are Part-IS in scope.
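To make the scoping distinction above concrete, here is an added worked example (mine, not from the article, from EASA or from any AMC/GM text): a small Python register that applies the Part-IS question, "could the loss of confidentiality, integrity, authenticity or availability of this asset have an aviation safety consequence?", to a constructed asset list and compares the result with the IT-inventory reflex the article warns about. The asset names, the hosting assumptions (for instance that the cockpit tablets and paper task cards sit outside the managed server estate) and the stated safety consequences are constructed for illustration; the function names `it_inventory_scope`, `safety_relevance_scope`, `scoping_gap` and `property_profile` are mine and correspond to nothing in the regulation.

```python
"""Part-IS scoping by aviation-safety relevance versus IT inventory.

Added illustration only. The asset list, hosting flags and safety-consequence
judgements below are constructed for demonstration; in a real organisation
they are made by the appointed information security person with Safety and
Compliance Monitoring input, not by a script.
"""
from dataclasses import dataclass
from enum import Enum


class Prop(Enum):
    """The four Part-IS protection properties (CIAA, IS.I.OR.245(d))."""
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AUTHENTICITY = "authenticity"
    AVAILABILITY = "availability"


@dataclass
class Asset:
    name: str
    hosted_on_it: bool           # True if it lives in a managed IT system
    # Per property: the aviation safety consequence of losing it; absent = none.
    safety_consequence: dict     # Prop -> str


def it_inventory_scope(assets):
    """The reflex the article warns about: scope = whatever IT happens to host."""
    return {a.name for a in assets if a.hosted_on_it}


def safety_relevance_scope(assets):
    """The Part-IS question: could loss of ANY CIAA property cause a safety consequence?"""
    return {a.name for a in assets if any(a.safety_consequence.get(p) for p in Prop)}


def scoping_gap(assets):
    """What an IT-only scoping misses and what it drags in without safety relevance."""
    it_scope = it_inventory_scope(assets)
    safety_scope = safety_relevance_scope(assets)
    return {
        "missed": sorted(safety_scope - it_scope),
        "wrongly_included": sorted(it_scope - safety_scope),
    }


def property_profile(asset):
    """Which CIAA properties drive this asset's inclusion (input to the risk register)."""
    return [p.value for p in Prop if asset.safety_consequence.get(p)]


# Constructed sample register (illustrative, not any real organisation's data).
SAMPLE_ASSETS = [
    Asset("Continuing Airworthiness records", True, {
        Prop.INTEGRITY: "corrupted records could mislead an airworthiness review",
        Prop.AUTHENTICITY: "a maintenance entry not made by the certifying engineer",
        Prop.AVAILABILITY: "release decisions taken on incomplete records",
    }),
    Asset("Load and trim software", True, {
        Prop.INTEGRITY: "a wrong load sheet could produce an out-of-limit take-off",
    }),
    # Assumed here to be operator-issued tablets outside the server inventory.
    Asset("Electronic Flight Bag (cockpit tablets)", False, {
        Prop.INTEGRITY: "altered charts or performance data",
        Prop.AUTHENTICITY: "an Operations Manual revision not issued by the operator",
        Prop.AVAILABILITY: "loss of the EFB forces workarounds on the flight deck",
    }),
    Asset("Paper maintenance task cards", False, {
        Prop.INTEGRITY: "altered task steps or limits",
        Prop.AUTHENTICITY: "a falsified sign-off on a completed task",
    }),
    Asset("Supplier parts certification trail", False, {
        Prop.AUTHENTICITY: "a forged part certificate accepted as genuine",
    }),
    Asset("HR database", True, {}),        # IT-hosted, no aviation safety consequence
    Asset("Marketing website", True, {}),  # IT-hosted, no aviation safety consequence
]


if __name__ == "__main__":
    gap = scoping_gap(SAMPLE_ASSETS)
    print("Missed by an IT-only scoping:      ", gap["missed"])
    print("In IT inventory, not Part-IS scope:", gap["wrongly_included"])
    print("Part-IS scope with driving properties:")
    for asset in SAMPLE_ASSETS:
        profile = property_profile(asset)
        if profile:
            print(f"  - {asset.name}: {', '.join(profile)}")
```

Run as a script, the output lists the cockpit tablets, the paper task cards and the parts certification trail as assets an IT inventory would never surface, and the HR database and website as assets it would surface without any safety relevance. The `property_profile` output is the part a risk register actually needs: for each in-scope asset, which of the four properties the threat scenarios must be written against, so that authenticity scenarios (forged certificates, impersonated entries) are not silently dropped by a CIA-only template.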

 

Misconception 2: “Our IT Team Owns Part-IS”

Part-IS does not assign responsibility to the IT function, and it cannot. The regulation places accountability where it has always sat in EASA management-system regulation: on the Accountable Manager.

Under IS.I.OR.240, the organisation must have an Accountable Manager who has the authority and responsibility to ensure that all information security activities are carried out in accordance with the applicable requirements. The Accountable Manager appoints the person responsible for information security, who is accountable for the day-to-day management of the ISMS. That person, depending on the organisation's structure, can be the Compliance Monitoring Manager, the Safety Manager, a dedicated information security manager, or another suitably competent appointee. What that person cannot be, by the structure of EASA management-system regulation, is “whoever runs IT” without that role being formally appointed and assessed for competence in the aviation regulatory and risk-management context.

The reason is operational, not bureaucratic. An IT manager — even a highly competent one — typically does not have visibility of the aviation safety risk picture. They will not, by training, recognise that a corrupted Mass and Balance file is a different category of risk from a corrupted HR database; that a delayed deferred-defect-list update on a flight-deck tablet is not just a “system availability issue” but a potential aviation safety event; that a supplier breach affecting type-certificate data is reportable under Regulation (EU) No 376/2014 as well as IS.I.OR.230. This judgement requires aviation regulatory competence, not IT competence. Part-IS recognises this by placing the appointment under the Accountable Manager, alongside the Safety Manager and the Compliance Monitoring Manager — not under whoever holds an IT director title.

This is also why IS.I.OR.240 contains explicit personnel competency requirements. Whoever is appointed must have demonstrable competence in both information security and aviation safety management — an intersection that very few people hold by default and which most organisations underestimate when staffing the role.

 

Misconception 3: “We Have ISO/IEC 27001, So We Are Covered”

You are not. ISO/IEC 27001 is a generic information security management standard. Part-IS is an aviation-safety-specific regulation that builds on the structural ideas of an ISMS but adds aviation-specific scope, aviation-specific risk criteria, aviation-specific reporting obligations, and aviation-specific authority oversight.

The EASA FAQs on Part-IS make the relationship explicit. An existing ISO/IEC 27001 ISMS can be adapted and extended to the scope and context of Part-IS, based on a gap analysis between the two scopes. It cannot be substituted for compliance. The differences that an ISO 27001-based ISMS will not, by itself, satisfy include:

  • The aviation-safety scope criterion. ISO 27001 lets the organisation define its own scope. Part-IS does not — the scope must include all information assets and processes whose compromise could impact aviation safety.
  • The protection-property set. ISO/IEC 27001 is built on the classical confidentiality, integrity and availability (CIA) triad. Part-IS extends this to CIAA — adding authenticity as an explicit fourth property in IS.I.OR.245(d) — reflecting aviation’s particular need to verify that information genuinely originates from the source it claims to come from.
  • The five-step risk assessment methodology of IS.I.OR.205, with explicit identification of elements, interfaces, threat scenarios, likelihood/severity assessment, and risk treatment criteria framed in aviation safety terms.
  • The 72-hour external reporting obligation under IS.I.OR.230, which is far more prescriptive than the generic incident-handling clauses of ISO 27001.
  • The integration requirements with the existing Safety Management System and Compliance Monitoring System. Part-IS is not a parallel management system — it is required to interface with the SMS and the compliance monitoring function.
  • The competent authority oversight regime under Part-IS.AR, which has no equivalent in ISO 27001 because ISO is a voluntary certification, not a regulated oversight obligation.

If your organisation already operates a 27001-aligned ISMS, that is genuinely useful starting material. It is not a substitute deliverable.

 

Misconception 4: “Part-IS Is the Same as NIS2”

Part-IS and the NIS2 Directive are complementary, not overlapping. NIS2 (Directive (EU) 2022/2555) targets the cybersecurity resilience of essential and important entities across the EU economy, including the transport sector. Part-IS targets information security risks with potential impact on aviation safety, regulated by aviation authorities under the EASA framework.

An aviation organisation can be in scope of both. Where that occurs, the EASA FAQs and the Easy Access Rules confirm that a single, well-structured ISMS can be designed to satisfy both regulatory regimes — but the scopes, the reporting authorities and the timelines are not identical. NIS2 reporting goes to the national CSIRT or competent NIS authority. Part-IS reporting under IS.I.OR.230 goes to the EASA competent authority and, where the incident is also a safety event, may engage Regulation (EU) 376/2014 occurrence reporting in parallel.

Treating Part-IS as “the aviation version of NIS2” tends to result in either over-scoping (applying NIS2-grade controls to non-safety-relevant systems) or under-scoping (assuming NIS2 compliance discharges the Part-IS obligation). Both fail audits, and in different ways.

 

Misconception 5: “Our SMS Already Handles It”

Your SMS does not handle it, but it is the most natural integration partner for the ISMS. This distinction is worth labouring because it is where I see the most thoughtful organisations get this wrong.

Part-IS is structurally modelled on the safety management system framework that EASA-regulated organisations already operate under. The processes look familiar: hazard identification, risk assessment, risk treatment, incident reporting, internal investigation, corrective action, continuous improvement. The temptation, in a well-run organisation, is to map information security risks into the existing SMS risk register and consider the obligation discharged. Part-IS does not allow this.

The Easy Access Rules permit — and in fact encourage — the integration of the ISMS into an overarching management system that also contains the SMS, the compliance monitoring function and quality management. What they do not permit is the absorption of information security risks into the SMS without the distinct ISMS structure being identifiable, documented and auditable. Practically, this means a Part-IS-compliant organisation must be able to show:

  • An ISMS scope statement distinct from the SMS scope statement.
  • An information security risk register that is either separate from the safety risk register or clearly differentiated within an integrated register.
  • Information security policies, procedures and controls that address the IS.I.OR requirements.
  • Information security training and awareness records that are distinct from generic safety training records.
  • An Information Security Management Manual (ISMM) under IS.I.OR.250, which is a distinct compliance document — even if it is bound and published alongside the Safety Management Manual.

Integration is the right architectural choice for almost every organisation. Conflation is not.

 

Misconception 6: “Once We Hit the Deadline, We Are Done”

The deadline is the start, not the end. IS.I.OR.260 explicitly requires a continuous improvement process for the ISMS. The Acceptable Means of Compliance refer to a maturity progression — typically described in EASA oversight context as the Present, Suitable, Operational, Effective (PSOE) implementation framework — under which the competent authority assesses whether the ISMS is not just documented but actively functioning, generating risk assessments that are reviewed, producing incident reports that are investigated, driving training that is delivered and refreshed, and feeding management reviews that result in change.

I have seen organisations sail through a first oversight visit on the strength of well-drafted documentation, only to fail a follow-up visit eighteen months later because the ISMS had not produced a single management review minute, a single risk-register update, or a single staff awareness refresher in the intervening period. Part-IS compliance is a living obligation, not a project deliverable.

 

Misconception 7: “Penetration Testing Equals Compliance”

Penetration testing is one possible technical control among many. It is not, on its own, a Part-IS compliance demonstration.

The IS.I.OR organisational requirements address governance, scope, risk assessment, risk treatment, internal reporting, incident response, corrective actions, external reporting, contracted-activities oversight, personnel competence, recordkeeping, the ISMM, change management and continuous improvement. Penetration testing addresses, at most, a slice of risk assessment and a slice of the verification of selected technical controls. An organisation whose Part-IS evidence pack consists primarily of penetration test reports has built a security testing function, not an Information Security Management System.

This misconception is particularly common in organisations that contract their IT to an external provider and rely on the provider's annual penetration testing as their primary security assurance. Under IS.I.OR.235 (Contracting), oversight of contracted activities is the organisation's obligation, not the contractor's. Receiving a penetration test report from a supplier does not discharge that obligation. The organisation must demonstrate its own oversight process — supplier pre-assessment, contractual cyber clauses, structured monitoring, and the right of access for the competent authority. That is a management activity, not a technical artefact.

 

Misconception 8: “Small Organisations Are Exempt”

There is no general small-organisation exemption in Part-IS. Article 4(2) of Delegated Regulation (EU) 2022/1645 and Article 5(2) of Implementing Regulation (EU) 2023/203 establish the applicability across the listed organisation types, and the scope is defined by the type of approval held, not by the size of the organisation. A small Part-145 maintenance organisation with three certifying staff is in scope to the same extent — though not necessarily to the same depth of implementation — as a large MRO with three thousand.

What the regulation does provide for is proportionality, not exemption. The AMC and GM, particularly as updated by the December 2025 ED Decisions, allow the depth of ISMS implementation to be commensurate with the size, nature and complexity of the organisation and the safety relevance of its information assets. A small CAMO will not be expected to operate a full Security Operations Centre. It will, however, be expected to have an ISMM, a documented risk assessment, a defined Accountable Manager and information security appointee, an incident response and reporting procedure, contracted-activities oversight, and a continuous improvement loop.

This proportionality is widely misunderstood as licence to do less. It is not. It is licence to do appropriately, which in many small organisations turns out to require more thought, not less, because the lack of dedicated specialists places more demand on integration, role clarity and procedural discipline.

 

The Accountable Manager Test

If you are an Accountable Manager and you would like a thirty-second test for whether your organisation has correctly understood Part-IS, ask yourself the following:

If the competent authority arrives tomorrow and asks me, in person, three questions — who is your appointed information security person, what aviation safety scenarios drove your last risk assessment, and what corrective action has resulted from your ISMS in the last six months — can I answer all three without referring the inspector to my IT manager?

If the answer is no, your organisation has misclassified Part-IS as an IT problem. The corrective action is structural, not technical: the appointment, the competence, the accountability and the integration with your existing aviation management system all need to be re-anchored where the regulation places them.

Where IT Genuinely Contributes

None of the above means that IT is irrelevant to Part-IS. IT is essential. The point is that IT is a contributor to Part-IS, not the owner of it.

In a properly architected Part-IS implementation, the IT function is responsible for the technical controls — access management, network segmentation, endpoint protection, logging, backup integrity, vulnerability management, patching cycles, secure development practices for in-house systems. The IT function is also a primary input source for the risk assessment, providing technical context to scenarios that the aviation side may not be able to articulate alone. And IT is typically the first detector of incidents, feeding the IS.I.OR.220 incident response process.

What IT cannot do is decide aviation safety relevance, decide regulatory scope, decide reporting categorisation, or sign the ISMM. Those decisions sit with the Accountable Manager and the appointed information security person, with input from Safety, Compliance Monitoring, the post-holders, and the IT function in support.

What a Part-IS-Mature Organisation Looks Like

A Part-IS-mature organisation has the following observable characteristics:

  • An Accountable Manager who can articulate, in their own words, the aviation safety rationale for the organisation's information security programme.
  • An appointed person responsible for information security whose competence file references both information security and aviation safety management, and who reports directly to the Accountable Manager.
  • An ISMS scope statement that lists information assets and processes by their aviation safety relevance, not by IT system inventory.
  • A risk register populated with scenarios written in operational aviation language and addressing all four CIAA properties (confidentiality, integrity, authenticity, availability) — not generic CIA-triad descriptions copy-pasted from a 27001 template.
  • An ISMM that interfaces explicitly with the Safety Management Manual, the Compliance Monitoring procedures and the Maintenance Organisation Exposition or Operations Manual as appropriate.
  • Records of internal reporting, external reporting, supplier oversight, training delivery, management review and corrective action, demonstrating that the system is alive.
  • A contracted-activities matrix under IS.I.OR.235 that names every relevant supplier, the cyber clauses in their contract, the oversight cadence, and the date of the last assessment.
  • A continuous improvement loop that has produced at least one tangible change in the last twelve months.

If your organisation has all of these, the regulation has been understood. If it has none of them and the documentation pack consists of an ISO-template policy document and a third-party penetration test report, the regulation has not.

 

Where to Take This Next

If you have read this far, you already have a clearer view of Part-IS than most aviation organisations currently demonstrate at first oversight. The next questions are practical ones: how do you scope the ISMS, how do you write a risk assessment that an inspector will accept, how do you structure the ISMM, how do you train your staff to a level that satisfies IS.I.OR.240, and how do you integrate Part-IS with the SMS and Compliance Monitoring functions you already have.

These are the questions our EASA Part-IS Aviation Information Security Management training course is built to answer. The course covers all 14 IS.I.OR organisational requirements clause-by-clause, the IS.I.OR.205 risk assessment methodology in worked-example form, the IS.I.OR.220 incident response and the 72-hour external reporting obligation, contracted-activities oversight under IS.I.OR.235, the structure of the ISMM, and competent authority oversight including PSOE-level expectations and common findings. It is delivered live online in 16 hours across four sessions, in a format designed for Safety Managers, Compliance Monitoring Managers, Accountable Managers, and the appointed person responsible for information security in your organisation.

 

About the Author

Ing. George Spiteri is the founder of Aviathrust and the lead instructor on the Aviathrust EASA Part-IS Aviation Information Security Management training course. An engineer by profession with 18 years of experience across Aircraft Maintenance, Airworthiness Management, Training, Safety and Compliance, George has built Aviathrust to support EASA-regulated organisations — particularly small and mid-sized CAMOs, Part-145 maintenance organisations, AOC holders and ATOs — in achieving and maintaining regulatory compliance in a way that is operationally realistic and proportionate to organisational resource. He delivers training and consultancy on Part-CAMO, Part-145, Part-66/147, Part-21, Part-26, Part-IS and Safety Management System implementation across the EASA regulatory framework, from Aviathrust’s base in Malta and online to organisations across Europe and beyond.

For training enquiries, in-house Part-IS delivery, gap analysis support or competent authority oversight preparation, contact us and let's discuss.

 

References:

 

1. Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022 supplementing Regulation (EU) 2018/1139, as regards requirements for the management of information security risks with a potential impact on aviation safety. 

2. Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139, as regards requirements for the management of information security risks with a potential impact on aviation safety. 

3. Commission Delegated Regulation (EU) 2025/22 amending Commission Delegated Regulation (EU) 2022/1645 as regards requirements on information security for organisations providing ground handling services. Available via EUR-Lex.

4. Commission Implementing Regulation (EU) 2025/2293 on requirements applicable to organisations subject to a declaration, and correcting accordingly the existing regulatory framework. Available via EUR-Lex.

5. EASA Easy Access Rules for Information Security (Regulations (EU) 2023/203 and 2022/1645) — Revision from December 2025. European Union Aviation Safety Agency. 

6. ED Decision 2023/010/R of the EASA Executive Director providing for AMC & GM to support the Part-IS regulatory package implementation — Part-IS.AR. European Union Aviation Safety Agency.

7. ED Decision 2025/013/R, 2025/014/R and 2025/015/R of the EASA Executive Director on the management of information security risks, amending the AMC & GM to the Articles of Regulations (EU) 2022/1645 and 2023/203, to Part-IS.I.OR and Part-IS.D.OR, and to Part-IS.AR respectively. European Union Aviation Safety Agency, December 2025.

8. EASA Frequently Asked Questions — Information Security (Part-IS). European Union Aviation Safety Agency. 

9. EASA Information Security regulatory page — overview of Regulations (EU) 2023/203 and 2022/1645, AMC & GM, and related publications. 

10. EASA Opinion No 03/2021 — Management of information security risks. European Union Aviation Safety Agency.

11. Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation. 

12. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). 

13. Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security. Available via EUR-Lex.

14. Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security. Available via EUR-Lex.

15. ISO/IEC 27001 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements. International Organization for Standardization. 

16. Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency (EASA Basic Regulation). 
