INFORMATION SECURITY MANAGEMENT SYSTEM GUIDELINES
PART-IS
Information Security is a new challenge for aviation safety. In response, new European regulations have been established: Part-IS.
Part-IS (Regulations (EU) 2023/203 and (EU) 2022/1645) is the latest EASA regulation to identify and manage Information Security (IS) risks with a potential impact on aviation safety, providing a regulatory framework for governance, risk and incident management, continuous improvement and event reporting. It enables the aviation ecosystem to mitigate and respond to cyber threats.
Part-IS defines information security as ‘the preservation of the confidentiality, integrity, authenticity and availability of networks and information systems’.
Who must comply with Part-IS?
Part-IS will be mandatory from October 2025 for organisations approved by EASA, under Delegated Regulation (EU) 2022/1645, and by February 2026 for other organisations.
What needs to be complied with?
Part-IS compliance requires the following framework to be in place to identify, manage and mitigate cyber and information security risks impacting aviation security:
• An information security policy, governance, roles and responsibilities that are documented, empowered and integrated into your organisation
• An Information Security Management System (ISMS)
• An incident management mechanism and process (detection, management, response and mitigation of cybersecurity and information security risks)
• A continuous improvement process (technical and organisational)
• A system for sharing information relating to risks and vulnerabilities, and a system for reporting to the Authorities.
R&R Consulting is an expert in EASA / EMAR certification and facilitates the SMS User Group. We support our clients in certifying their organisations and their products, and we can support you in securing your ISMS implementation and ensuring compliance.
For more information on how we can support you in this area, please contact us at: [email protected]