Skip to main content

EASA Part-IS

Information security in civil aviation, the regulatory framework that links cybersecurity to aviation safety.

What is EASA Part-IS?

Part-IS (Information Security) is the EASA framework that requires civil aviation organizations to identify, manage and report information security risks with a potential impact on aviation safety. In short: cybersecurity becomes an integral part of aviation safety management.

Mandatory

It is not an optional recommendation but a European regulatory requirement for organizations under EASA oversight.

Safety-linked

It targets precisely those information security risks that can affect the safety of aviation operations.

Systemic

It requires an information security management system (ISMS), not isolated, one-off measures.

Reportable

Safety-impacting security incidents must be detected, handled and reported to the authority.

Aviation-specific

It is a requirement specific to civil aviation that cannot be automatically covered by ISO certifications or other general security standards.

Why it matters, and for whom

Civil aviation is ever more connected, and Part-IS directly targets the organizations across this ecosystem.

Air operators

Airlines and operators must manage the information security risks that can affect the safety of operations.

Airports and aerodromes

Check-in, baggage, access control, ground operations and airport systems are increasingly dependent on digital infrastructure.

ATM/ANS providers

Air traffic management and air navigation services rely on critical, interconnected systems that are essential for safety.

Maintenance, design and production

Technical data and systems must be protected so they do not affect airworthiness and safety.

Critical suppliers

IT, OT, software and outsourced-service suppliers can introduce risks into the aviation ecosystem.

Ground handling

Digitized ground operations become a relevant part of Part-IS risk management. Added through the recent 2025 revisions, with later applicability.

The legal framework

Part-IS is introduced through two regulations of the European Commission, complementary to the NIS2 directive.

Regulation (EU) 2022/1645

Applicable to Part-21, Part-M, Part-145 and similar organizations (design, production, maintenance). Applicable from 16 October 2025.

Regulation (EU) 2023/203

Applicable to air operators, airports, ATM/ANS service providers and competent authorities. Applicable from 22 February 2026.

16 Oct 2025

Regulation (EU) 2022/1645 becomes applicable (design, production, maintenance).

22 Feb 2026

Regulation (EU) 2023/203 becomes applicable (operators, airports, ATM/ANS, authorities).

The 2025 revisions

In 2025, EASA published a new revision of the Easy Access Rules for Information Security, clarifying and extending the framework (including for ground handling):

  • Commission Implementing Regulation (EU) 2025/2293, on requirements applicable to organisations subject to a declaration, correcting the existing framework.
  • Commission Delegated Regulation (EU) 2025/22, amending Regulation 2022/1645 on information security for ground-handling service providers.
  • ED Decision 2025/013/R, amending the AMC & GM to the Articles of Regulations (EU) 2022/1645 and 2023/203.
  • ED Decision 2025/014/R, amending the AMC & GM to Part-IS.I.OR and Part-IS.D.OR.
  • ED Decision 2025/015/R, amending the AMC & GM to Part-IS.AR.
See the EASA announcement

What Part-IS requires in practice

The main obligations an organization must meet.

Clear governance and accountability

The organization must set policies, roles, responsibilities and resources for managing information security.

Identifying critical assets and risks

Part-IS requires identifying the systems, data, processes and interfaces that can affect operational safety.

Risk assessment and treatment

Information security risks must be assessed, prioritized and treated with appropriate measures.

Integrating security with safety

Information security must be linked to aviation safety, not treated as a separate IT requirement.

Incident detection and reporting

Organizations must be able to identify, manage, escalate and report incidents with a potential safety impact.

Controlling external interfaces

Suppliers, partners and outsourced services must be included in Part-IS risk management.

Monitoring and continuous improvement

The system must be verified, updated and continuously improved, including through staff training.

What our course offers

A practical introduction to EASA Part-IS, focused on requirements, risks, responsibilities and the link between cybersecurity and safety.

Clarifying Part-IS requirements

We explain, in terms the organization understands, what the EASA requirements involve and how they apply in practice.

Understanding relevant assets and risks

Participants learn to recognize the systems, data and processes that can generate safety risks.

A practical approach to risk management

The course shows how information security risks are identified, assessed and prioritized.

The link between cybersecurity and safety

We explain why Part-IS is not just about IT, but about protecting operational safety.

Incident readiness and reporting

Participants understand the basic steps for detection, escalation, reporting and coordination during an incident.

Understanding ecosystem risks

The course covers the impact of suppliers, partners and external interfaces on Part-IS compliance.

A common language for teams and management

We help participants communicate cyber risk in a clear, practical way that is relevant for decisions.

Part-IS introduces requirements specific to aviation organizations, but the real challenge is understanding how to apply them in practice. Our course is built precisely to turn these requirements into clear, operational, easy-to-apply language.

Ready for Part-IS?

Our EASA-approved course, Part-IS Familiarisation Training for Cybersecurity, prepares your organization for compliance and audit. An 8-hour eLearning program, in English.

See the EASA-approved course