Introduction
By 22 February 2026, every organisation in scope of Commission Implementing Regulation (EU) 2023/203 must be running an Information Security Management System that meets EASA Part-IS. Most of the conversation around Part-IS has concentrated on the technical pillars — risk assessments, incident response, supply-chain assurance, the 72-hour external reporting clock. Far less attention has been paid to a single sentence in IS.I.OR.240(i) that asks the most awkward question of all:
“The organisation shall ensure that the identity and trustworthiness of the personnel who have access to information systems and data subject to the requirements of this Regulation are appropriately established.”
Twenty-five words. No criminal-record check is mandated. No periodicity is set. No definition of “trustworthiness” is provided. And yet, when an EASA inspector or a competent authority auditor opens this section of your Information Security Management Manual, they will expect a coherent, defensible procedure that holds up against three realities at once:
- The regulation expects “appropriate” assurance of trustworthiness.
- EU and Member State law sharply restricts what an employer can lawfully do to obtain that assurance.
- Aviation safety demands that the residual insider risk — malicious, negligent, or compromised — must still be controlled.
For organisations operating in jurisdictions where comprehensive background checks are simply not lawful, this triangle can feel impossible. It is not. But solving it requires a shift in mindset: from vetting harder to mitigating smarter.
This article sets out a practical implementation framework, with specific attention to compensating controls when local law restricts deep background checks.
Why “More Vetting” Is Rarely the Right Answer in Europe
A common reflex when implementing Part-IS is to import a US-style insider-threat programme — comprehensive criminal-record checks, credit checks, social-media surveillance, continuous user behaviour analytics. This approach fails in Europe for three reasons.
First, GDPR Article 10 prohibits private processing of conviction data unless there is a Union or Member State legal base providing safeguards. Importantly, this restriction extends to processing the absence of a conviction — meaning even a routine “no criminal record” letter in a personnel file requires legal justification.
Second, Member State law varies enormously. A criminal-record check that is routine in the UK (DBS Basic) is restricted in Germany, narrowly available in France with no employer copy-keeping, prohibited as a generic measure in Spain by the AEPD, and only candidate-applied in the Netherlands (the VOG). Designing one screening procedure for a multi-state operation without legal-basis analysis per state is a fast route to data protection sanctions.
Third, ECtHR jurisprudence — particularly Bărbulescu v. Romania (2017) and López Ribalda v. Spain (2019) — has established a six-factor proportionality test that any employee monitoring must satisfy: prior notification, scope, legitimate reason, less-intrusive alternatives, consequences for the employee, and adequate safeguards.
The conclusion is uncomfortable but unavoidable: in most EU jurisdictions, the lawful “vetting envelope” is significantly narrower than the operational risk would justify. Part-IS does not pretend otherwise. AMC1 IS.I.OR.240(i) deliberately uses the phrase “due diligence” rather than “vetting”, and adds the qualifier “where permitted by national law” to its mention of background checks. EASA expects organisations to do what is lawful — and to compensate, robustly, for what is not.
A Five-Step Implementation Framework
Step 1: Tier Your Roles by Safety Impact and Access
Trustworthiness is not a binary attribute. The IS.I.OR.205 risk-assessment principle — proportionality — requires that screening depth scale with role criticality and access rights. Build a three-tier matrix:
Tier 1 — Critical privileged access. System administrators, IT/OT engineers with production rights, certifying staff with EFB or data-loader authorities, ATCO/ATSEP with operational system access, developers releasing safety-impacting software, members of the Insider Risk Working Group itself.
Tier 2 — Trusted operational access. Pilots, dispatchers, MRO engineers with read/write access to airworthiness data, planners with access to flight-following and crew systems, training-department staff handling Part-FCL records.
Tier 3 — Limited or no safety-relevant system access. Administrative, finance, marketing personnel whose access is bounded to non-safety-critical systems.
The point of tiering is twofold. It tells you where to concentrate your due-diligence budget — and it tells you where the heaviest compensating controls must sit when due diligence is constrained.
Step 2: Map Your Lawful Vetting Envelope, Member State by Member State
For each country in which you employ personnel, document — and have your DPO or external counsel sign off — what is lawful for each Tier:
- Identity verification (eIDAS-aligned)
- Right-to-work check
- Employment-history verification (the Regulation (EU) 2015/1998 standard of five years, with an explanation of any gap exceeding 28 days, is a defensible benchmark)
- Educational and qualification verification
- Professional reference checks
- Criminal-record disclosure (national instrument, retention rules, employer copy-keeping)
- Financial/credit checks
- Social-media checks (post-WP29 Opinion 2/2017)
- Psychometric assessment (DPIA-triggering in France)
Maintain this as a living register. National regimes change; CNIL, AEPD and Garante decisions move the line every year. Annual review is the minimum.
The output of Step 2 is honesty: you now know, before designing the procedure, exactly what tools you have available in each jurisdiction. From this point on, design proceeds on facts rather than assumptions.
Step 3: Document Due Diligence Proportionate to Role and Tier
For each Tier, define a minimum due-diligence package that is both lawful and proportionate. A defensible default:
| Element | Tier 3 | Tier 2 | Tier 1 |
|---|---|---|---|
| Identity verification | ✓ | ✓ | ✓ |
| Right-to-work | ✓ | ✓ | ✓ |
| 5-year employment history | — | ✓ | ✓ |
| Qualification verification | — | ✓ | ✓ |
| Two professional references | — | ✓ | ✓ |
| Criminal-record check (where lawful) | — | Risk-based | ✓ |
| Financial check (where lawful) | — | — | Risk-based |
| Documented role-specific competence assessment | — | ✓ | ✓ |
Two procedural points cannot be skipped. First, every check must be completed and documented before access is granted — provisional access pending checks is one of the most common audit findings. Second, the legal basis for each item must be specified in your privacy notice (typically Article 6(1)(b) GDPR for contractual necessity, Article 6(1)(f) for legitimate interest, with Article 10 safeguards for any criminal-data processing). Consent should not be relied on as the lawful basis in the employment relationship — the Article 29 Working Party’s 2017 opinion on data processing at work is unambiguous on this point.
Step 4: Build the Compensating Controls Layer That Does the Heavy Lifting
This is where most procedures fail — or shine. If your lawful due diligence cannot fully assure trustworthiness, the residual risk must be carried by technical and organisational compensating controls. For organisations in privacy-strict jurisdictions, this layer is not optional. It is the procedure.
Role-Based Access Control with least privilege is the foundational control. Every access right granted to every individual must be justified by current role; reviews are quarterly for privileged accounts and at least annual for general accounts. This is ISO/IEC 27002:2022 control A.5.18 and NIST SP 800-53 AC-6, and it directly limits the blast radius of any insider — malicious or compromised.
Segregation of duties ensures that no single individual can both initiate and authorise a change to a safety-impacting system. The developer is not the deployer. The mechanic who makes the entry is not the certifying staff who signs the CRS. The flight-software engineer is not the release manager. Document conflicts in an SoD matrix and enforce them in your IAM rule set.
Four-eyes (dual authorisation) sits on top of SoD for the highest-impact actions: production push to AOC software, ATM configuration changes, EFB content release, airworthiness data import. Build the requirement into the change-management workflow itself, not into procedural manuals where it can be quietly bypassed.
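A minimal gate that enforces the SoD matrix and four-eyes rule above, of the kind a change-management workflow could call before a change proceeds (an added example, not the article's own or any product's code; the role names, action names and conflict pairs are assumptions that mirror the article's illustrations):

```python
"""Separation-of-duties and four-eyes check on a change request: added example, not
the article's or any project's code. Role names, action names and the conflict
matrix are assumptions that mirror the article's illustrations."""
from dataclasses import dataclass, field

# SoD matrix: role pairs one person must never hold on the same change.
CONFLICTING_ROLES = {
    ("developer", "deployer"),
    ("mechanic", "certifying_staff"),
    ("flight_software_engineer", "release_manager"),
}
# Highest-impact actions that additionally require dual authorisation.
FOUR_EYES_ACTIONS = {
    "aoc_software_production_push", "atm_configuration_change",
    "efb_content_release", "airworthiness_data_import",
}

@dataclass
class ChangeRequest:
    action: str
    initiator: str
    roles: dict[str, set[str]]              # person -> roles played on this change
    approvers: list[str] = field(default_factory=list)

def sod_violations(req: ChangeRequest) -> list[str]:
    """Return the reasons the request fails SoD/four-eyes; empty means it may proceed."""
    problems = []
    # Nobody authorises a change they initiated.
    if req.initiator in req.approvers:
        problems.append(f"{req.initiator} both initiated and approved the change")
    # No single individual holds both halves of a conflicting pair.
    for person, held in req.roles.items():
        for a, b in CONFLICTING_ROLES:
            if a in held and b in held:
                problems.append(f"{person} holds conflicting roles {a}/{b}")
    # Highest-impact actions need two distinct approvers other than the initiator.
    if req.action in FOUR_EYES_ACTIONS:
        distinct = set(req.approvers) - {req.initiator}
        if len(distinct) < 2:
            problems.append(f"{req.action} needs two distinct approvers, has {len(distinct)}")
    return problems
```

Wiring the gate into the workflow engine, rather than describing it in a manual, is what makes the control auditable.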
Privileged Access Management with Just-in-Time elevation turns standing administrative rights into time-bounded, recorded, vaulted privilege. The “always-on domain admin” is a Part-IS finding waiting to happen. Modern PAM tooling — combined with passwordless authentication for privileged sessions — closes one of the largest compromised-insider attack surfaces.
Centralised, tamper-evident logging with SIEM use cases tuned for insider scenarios — anomalous data exfiltration volumes, after-hours access, repeated authentication failures, sudden access to systems outside normal role pattern, USB write events on engineering workstations — provides the detection layer without crossing into intrusive content monitoring.
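The insider use cases listed above, implemented as rules over metadata-only audit events so that the detection stays on the flow-data side of the proportionality line discussed in Step 5 (an added example, not the article's own or any SIEM vendor's code; the log format, role-to-system map, duty window and thresholds are constructed assumptions):

```python
"""Insider-use-case detection over flow-style audit events: added example, not the
article's or any vendor's code. Log format, role map and thresholds are assumed."""
from collections import Counter, defaultdict
from datetime import datetime
ROLE_SYSTEMS = {  # assumed normal role pattern: which systems each role touches
    "dispatcher": {"flight-following", "crew-system"},
    "mro_engineer": {"airworthiness-db"},
    "sysadmin": {"flight-following", "crew-system", "airworthiness-db"}}
WORK_HOURS = range(6, 21)         # 06:00-20:59 assumed duty window
AUTH_FAIL_LIMIT = 5               # failures per user before alerting
EXFIL_BYTES_LIMIT = 500_000_000   # bytes out per user per day
def parse(line: str) -> dict:
    ts, *kv = line.split()        # 'ts k=v k=v ...' -> dict, 'ts' becomes a datetime
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev

def detect(lines: list[str], roles: dict[str, str]) -> list[str]:
    """Return one alert string per insider use case hit, in event order."""
    alerts, fails, bytes_out = [], Counter(), defaultdict(Counter)
    for ev in map(parse, lines):
        user, kind = ev["user"], ev["event"]
        if kind == "auth_fail":
            fails[user] += 1
            if fails[user] == AUTH_FAIL_LIMIT:   # alert once, at the threshold
                alerts.append(f"repeated auth failures: {user}")
        elif kind == "access":
            system = ev["system"]
            if system not in ROLE_SYSTEMS.get(roles.get(user, ""), set()):
                alerts.append(f"access outside role pattern: {user} -> {system}")
            if ev["ts"].hour not in WORK_HOURS:
                alerts.append(f"after-hours access: {user} -> {system}")
        elif kind == "usb_write" and ev["host"].startswith("eng-"):
            alerts.append(f"USB write on engineering workstation: {user}@{ev['host']}")
        elif kind == "transfer":
            day = ev["ts"].date()
            bytes_out[user][day] += int(ev["bytes_out"])
            if bytes_out[user][day] > EXFIL_BYTES_LIMIT:   # daily volume, not content
                alerts.append(f"exfiltration volume: {user} on {day}")
    return alerts

SAMPLE = [  # constructed sample events, not real log data
    "2026-03-02T09:12:00Z user=jdoe event=access system=flight-following",
    "2026-03-02T02:40:00Z user=jdoe event=access system=airworthiness-db",
    "2026-03-02T10:00:00Z user=mlee event=usb_write host=eng-ws-07",
    "2026-03-02T11:00:00Z user=mlee event=transfer bytes_out=400000000",
    "2026-03-02T13:00:00Z user=mlee event=transfer bytes_out=200000000",
] + ["2026-03-02T08:00:00Z user=pkim event=auth_fail"] * 5
ROLES = {"jdoe": "dispatcher", "mlee": "mro_engineer", "pkim": "sysadmin"}
```

Every rule here keys on who, what, when and how much; none inspects message or file content, which is the property a DPIA for this use case needs to be able to state.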
Joiner-mover-leaver hygiene is the operational glue. On joiner: checks → training → access, in that order. On mover: access rebuilt from zero, not added incrementally — the single biggest source of privilege creep. On leaver: privileged access revoked at T-0, all other access at T+24h maximum (T-0 for involuntary departures), federation tokens invalidated, physical credentials returned, mobile-device wipe executed, and the leaver ticket closed only when every system has confirmed.
Contractor and third-party equivalence must mirror these standards in contract — Part-IS does not allow you to outsource the obligation. Right-to-audit, sub-contracting controls, JML synchronisation, and incident-notification timelines aligned to IS.I.OR.220 and IS.I.OR.230 belong in every contract with anyone whose personnel touch your systems.
When deep vetting is lawful, these controls are belt-and-braces. When it is not, they are the procedure. Either way, they are auditable and they are effective.
Step 5: Use Detection — Within the Bărbulescu Envelope
Detection of anomalous behaviour is permitted under EU law, but only within strict bounds. User and Entity Behaviour Analytics (UEBA) on safety-relevant systems is generally defensible if you can demonstrate:
- Prior transparent notification of the nature and extent of monitoring (in privacy notice and policy)
- Proportionate scope — flow data preferred over content
- A legitimate documented reason tied to aviation-safety risk
- That less-intrusive alternatives have been considered and rejected
- Adequate safeguards including DPIA, role-segregated review, and access logging
- Works council co-determination where applicable (Germany §87(1)6 BetrVG, France L2312-38 Code du Travail, Italy Article 4 Statuto dei Lavoratori, Netherlands WOR Article 27)
Content inspection (DLP), keystroke logging, screen capture and continuous productivity scoring are lawful only on documented suspicion of serious misconduct, time-limited and targeted. Continuous covert surveillance is not lawful in any EU jurisdiction. Sentiment analysis is an Article 9 GDPR risk and should be avoided.
The principle: detection is permitted where it is necessary, proportionate, transparent and safeguarded. Borrow the governance of US insider-threat programmes — multidisciplinary working groups, clear decision authority, escalation thresholds — but not their intrusive techniques.
Wrap Everything in Just Culture
Aviation’s most powerful asset in addressing insider risk is the just-culture model under Regulation (EU) 376/2014. Article 16 of that regulation protects reporters from sanction for honest error, while excluding gross negligence, wilful violations and destructive acts.
Part-IS connects to this framework deliberately: AMC1 IS.I.OR.200(a)(1)(i) requires the IS policy to encourage just culture and the reporting of vulnerabilities and anomalous events; IS.I.OR.215 establishes the internal reporting scheme; IS.I.OR.230 chains external IS reporting into 376/2014 and inherits its Article 16 protections.
The operational consequence: the compromised insider (the colleague who clicked the phishing link and reported it) and the negligent-but-not-grossly-negligent insider sit inside just-culture protection. The malicious insider and conduct meeting the “serious disregard of an obvious risk” test sit outside. Your investigation procedure must distinguish these archetypes before any sanction, ideally through a collegiate determination involving Security, HR, Legal, Compliance Monitoring and the DPO.
A confidential, no-blame internal IS reporting channel — pseudonymised, with strict separation of investigation from line management, and a clear bridge to law-enforcement reporting where the threshold is crossed — is the practical mechanism that turns staff from passive participants in insider risk into active mitigators of it. Phishing simulations, when run under legitimate-interest with DPIA, transparent notice and aggregated (never per-individual punitive) reporting, are the most cost-effective training reinforcement available.
A 90-Day Implementation Plan
For organisations starting from scratch, a realistic sequence:
Days 1–30. Convene an Insider Risk Working Group (Security, HR, Legal, IT, Compliance Monitoring, DPO). Complete the role-tiering exercise. Produce the Member-State legal-basis register with DPO sign-off. Draft the Personnel Trustworthiness Procedure.
Days 31–60. Reissue privacy notices and contractual clauses. Update the ISMM to name the IS.I.OR.240(b)(c)(d) post-holders and document the Compliance Monitoring independence from the IS function. Build the role-permissions matrix and SoD matrix. Stand up or upgrade PAM for Tier 1 roles.
Days 61–90. Roll out initial Part-IS training (general awareness for all, role-specific for Tier 1 and Tier 2). Launch the confidential reporting channel. Conduct the first quarterly privileged-access review. Run the first phishing simulation under documented legitimate interest. Add a Part-IS thread to the annual Compliance Monitoring Programme.
A first internal audit of the trustworthiness procedure should follow within six months — this is the moment to discover the gaps before the competent authority does.
Common Pitfalls
A short catalogue of the procedure-killers I have seen most often in early Part-IS work:
- The CMM also being the IS Manager. This violates the AMC independence requirement. Where the organisation is too small to staff both, the IS function audit must be conducted by a different qualified person.
- Provisional access pending checks. A frequent shortcut, an unfailing audit finding.
- One screening procedure for all Member States. The legal envelope varies; the procedure must too.
- Reliance on consent as the GDPR lawful basis in the employment context. Almost never valid.
- Per-individual phishing-test punishment. Erodes just culture and legitimate-interest defensibility in one move.
- No re-vetting trigger on role change. The mover process is where privilege creep happens.
- No DPIA on UEBA, monitoring or psychometrics. Article 35 GDPR is not optional.
- No bridge defined between IS reporting and law-enforcement reporting. Mid-investigation ambiguity is unmanageable; define the threshold up-front.
- Forgetting the leaver. Especially the involuntary leaver. Especially in OT and shared-service environments.
A Closing Thought
Part-IS deliberately leaves the trustworthiness mechanism unprescribed. The temptation is to read this as a gap. It is the opposite: it is the regulator’s recognition that the EU legal envelope for personnel screening is narrower than US frameworks assume, and that compliance is therefore won not by adopting more aggressive vetting but by documenting the proportionality reasoning — why these checks for these roles in this Member State, why these compensating controls cover the residual, why these monitoring measures pass the Bărbulescu test, and how just culture protects the colleague who flags an anomaly.
The Compliance Monitoring Manager who builds the procedure on those four documented foundations will satisfy both the EASA competent authority and the Member State Data Protection Authority — and will have a procedure that withstands the harder test, which is the day a real insider event lands on the desk.
Trustworthiness, in the Part-IS sense, is not something you read off a background-check certificate. It is something you engineer.
Disclaimer:
This article reflects the regulatory position as of May 2026, based on Regulation (EU) 2022/1645, Regulation (EU) 2023/203, and the Easy Access Rules for Information Security (December 2025 revision, ED Decisions 2025/013/R, 2025/014/R and 2025/015/R). It is provided for professional information only and does not constitute legal advice.