🛡️ EASA Part‑IS Regulations: Safeguarding Aviation Through ISMS

  1. What is EASA Part‑IS?

EASA Part‑IS is a European regulatory framework mandating an Information Security Management System (ISMS) within aviation entities. Its primary goal is to protect information and communication systems whose compromise could pose a safety risk. Rooted in Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203, Part‑IS sets mandatory standards for risk assessment, incident reporting, governance, and continuous improvement—aligned but specifically tailored for aviation safety.

  2. Who Must Comply and When?

Part‑IS applies in two phases:

  • From 16 October 2025: Organizations under Delegated Regulation (EU) 2022/1645—such as airports, design & production organizations, and apron management services—must fully implement a functioning ISMS.
  • From 22 February 2026: This extends to other aviation players, including air carriers, maintenance & training organizations, air traffic management providers, and aviation authorities, per Implementing Regulation (EU) 2023/203.

  3. Core Mandates of the Regulation

Part‑IS requires implementation of a comprehensive ISMS encompassing:

  • Risk management: Identify, assess, and treat information security risks using a structured framework (often based on ISO/IEC 27001). (riskinsight-wavestone.com)
  • Governance & accountability: Define clear policies, leadership roles, and integration within broader safety management systems. (aviathrust.com)
  • Incident response: Set up processes for detection, reporting (internally and to authorities), response, and recovery. (seguridadaerea.gob.es)
  • Training & audits: Ensure staff competence and continuous ISMS effectiveness through awareness programs and regular internal audits. (riskinsight-wavestone.com)

  4. Integration & Guidance

EASA encourages ISMS integration within existing safety, quality, and compliance systems (e.g., SMS), following a Plan–Do–Check–Act lifecycle. Detailed support—such as Acceptable Means of Compliance (AMC) and Guidance Material (GM)—helps organizations align practices specifically with aviation contexts. (centraleyes.com)

  5. Official Enforcement and Oversight

Compliance will be verified by EASA and designated national competent authorities through oversight audits, documentation reviews, and site inspections under the new regulatory provisions. (linkedin.com)

📍 Official Publication Source

The official announcement is featured in EASA's Newsroom under the title "Part‑IS regulation published, completing regulatory framework for cyber‑resilient aviation", released on 2 February 2023. It clearly defines both applicability dates: 16 October 2025 and 22 February 2026.

You can find it on the EASA website in its Newsroom section.

✍️ Why it Matters

  • Safety-first: Digital threats are now fundamental aviation safety concerns.
  • Legal duty: Non-compliance risks regulatory sanctions and potential grounding.
  • Resilience: A robust ISMS enhances operational stability and protects public confidence.

Contact Aero Compliance Solutions to discuss your business requirements.