Information security in civil aviation, the regulatory framework that links cybersecurity to aviation safety.
Part-IS (Information Security) is the EASA framework that requires civil aviation organizations to identify, manage and report information security risks with a potential impact on aviation safety. In short: cybersecurity becomes an integral part of aviation safety management.
It is not an optional recommendation but a European regulatory requirement for organizations under EASA oversight.
It targets precisely those information security risks that can affect the safety of aviation operations.
It requires an information security management system (ISMS), not isolated, one-off measures.
Safety-impacting security incidents must be detected, handled and reported to the authority.
It is a requirement specific to civil aviation that cannot be automatically covered by ISO certifications or other general security standards.
Civil aviation is ever more connected, and Part-IS directly targets the organizations across this ecosystem.
Airlines and operators must manage the information security risks that can affect the safety of operations.
Check-in, baggage, access control, ground operations and airport systems are increasingly dependent on digital infrastructure.
Air traffic management and air navigation services rely on critical, interconnected systems that are essential for safety.
Technical data and systems must be protected so they do not affect airworthiness and safety.
IT, OT, software and outsourced-service suppliers can introduce risks into the aviation ecosystem.
Digitized ground operations become a relevant part of Part-IS risk management. Added through the recent 2025 revisions, with later applicability.
Part-IS is introduced through two regulations of the European Commission, complementary to the NIS2 directive.
Applicable to Part-21, Part-M, Part-145 and similar organizations (design, production, maintenance). Applicable from 16 October 2025.
Applicable to air operators, airports, ATM/ANS service providers and competent authorities. Applicable from 22 February 2026.
Regulation (EU) 2022/1645 becomes applicable (design, production, maintenance).
Regulation (EU) 2023/203 becomes applicable (operators, airports, ATM/ANS, authorities).
In 2025, EASA published a new revision of the Easy Access Rules for Information Security, clarifying and extending the framework (including for ground handling):
The main obligations an organization must meet.
The organization must set policies, roles, responsibilities and resources for managing information security.
Part-IS requires identifying the systems, data, processes and interfaces that can affect operational safety.
Information security risks must be assessed, prioritized and treated with appropriate measures.
Information security must be linked to aviation safety, not treated as a separate IT requirement.
Organizations must be able to identify, manage, escalate and report incidents with a potential safety impact.
Suppliers, partners and outsourced services must be included in Part-IS risk management.
The system must be verified, updated and continuously improved, including through staff training.
A practical introduction to EASA Part-IS, focused on requirements, risks, responsibilities and the link between cybersecurity and safety.
We explain, in terms the organization understands, what the EASA requirements involve and how they apply in practice.
Participants learn to recognize the systems, data and processes that can generate safety risks.
The course shows how information security risks are identified, assessed and prioritized.
We explain why Part-IS is not just about IT, but about protecting operational safety.
Participants understand the basic steps for detection, escalation, reporting and coordination during an incident.
The course covers the impact of suppliers, partners and external interfaces on Part-IS compliance.
We help participants communicate cyber risk in a clear, practical way that is relevant for decisions.
Part-IS introduces requirements specific to aviation organizations, but the real challenge is understanding how to apply them in practice. Our course is built precisely to turn these requirements into clear, operational, easy-to-apply language.
Our EASA-approved course, Part-IS Familiarisation Training for Cybersecurity, prepares your organization for compliance and audit. An 8-hour eLearning program, in English.
Manage your consent per category. Essential cookies are always on; the rest run only with your consent. Privacy Policy
Strictly necessary
Required for the site to work (login, security, your choices). Cannot be turned off.
Preferences
Remember settings like language or layout for a better experience.
Analytics
Anonymous statistics that help us understand how the site is used.
Marketing
Used to make communication and any ads more relevant.