Why IS.I.OR.220 Compliance Is Critical for Aviation Organisations

Published on: 24 February 2026 | Categories: Part-IS, Part-IS Compliance News

Why IS.I.OR.220 Compliance Matters for Aviation Organisations

Aviation has always demanded precision. Every system, every process, every decision carries weight when lives are in the air. That same standard of precision now extends to how organisations manage information security, and IS.I.OR.220 sits at the centre of that requirement.

Under EASA’s Part-IS framework, specifically Commission Implementing Regulation (EU) 2023/203, IS.I.OR.220 defines the obligations every regulated aviation organisation must meet for detecting, responding to, and recovering from information security incidents. It is not a recommendation. It is a regulatory requirement, and the February 2026 compliance deadline for AOC holders, CAMOs, ANSPs, ATOs, and maintenance organisations makes the urgency clear. If you are still assessing your position, our EASA Part-IS compliance deadline guide explains exactly what is expected and when.

This article explains what IS.I.OR.220 demands, why it matters beyond the paperwork, and what genuine compliance looks like in practice.

What IS.I.OR.220 Actually Requires

IS.I.OR.220 has three core pillars, each addressing a distinct phase of the incident lifecycle.

Detection

Under IS.I.OR.220(a), organisations must establish reliable mechanisms to identify information security events before they escalate. This goes beyond basic antivirus software or firewall monitoring. EASA’s Acceptable Means of Compliance (AMC) and Guidance Material make clear that organisations need to collect event data from both internal and external sources, including personnel reports, supplier notifications, open-source intelligence, and security researchers.

Critically, vulnerabilities and incidents are treated as parallel concerns. Both must feed into a detection process capable of correlating events across the organisation’s functional chain and assessing whether aviation safety could be affected. For organisations that do not operate a Security Operations Centre (SOC) or Security Information and Event Management (SIEM) system, the requirement remains: a documented, repeatable process for event collection and evaluation must exist. The ACS AeroScan tool was built specifically to address this detection obligation, scanning your IT infrastructure and delivering structured findings reports that satisfy IS.I.OR.220(a) requirements.

Response

IS.I.OR.220(b) requires that once an incident or exploitable vulnerability is identified, the organisation acts with structure and speed. An incident response plan must be in place before the incident happens, not drafted during the crisis. That plan should define roles, escalation paths, containment measures, and communication protocols.

EASA also requires external reporting of incidents with a potential impact on aviation safety within 72 hours to the competent authority. This obligation, linked directly to IS.I.OR.230, is often where organisations struggle most. Providing a technically detailed debrief to regulators while simultaneously managing an active security event demands preparation that cannot be improvised. Our Part-IS compliance packages include incident response plan development as a core deliverable, ensuring your team has a tested, regulator-ready framework before it is needed.

Recovery

The third pillar under IS.I.OR.220(c) addresses how an organisation restores normal operations after an incident. Recovery is not simply a technical process. It encompasses business continuity planning, documentation of lessons learned, and the introduction of corrective measures to prevent recurrence. EASA expects organisations to investigate root causes where possible, particularly when affected assets have been developed for aviation-specific use. Those findings should feed back into the ISMS to drive genuine improvement.

Why Non-Compliance Carries Real Consequences

The risks attached to failing to comply with IS.I.OR.220 span several dimensions.

Regulatory penalties and operational restrictions. Competent authorities across EU member states will verify compliance through audits and inspections. Non-compliance can result in financial penalties, licensing restrictions, or suspension of operational approvals. For an organisation that depends on its certifications to operate, that is an existential risk.

Cascading operational impact. Aviation is a highly interconnected environment. A security incident affecting one organisation’s systems can propagate through a shared functional chain to affect partners, suppliers, and service providers. Without a functioning detection and response capability, a containable event can become an uncontrollable one.

Reputational damage. Trust is foundational in aviation. Partners, regulators, and passengers expect that organisations handling safety-critical systems are managing information security seriously. A publicised breach or a failed audit signals that an organisation is not meeting the standards the industry demands.

Liability exposure. If an incident occurs and post-event investigation reveals that an organisation lacked the required detection or response mechanisms, the question of culpability becomes harder to defend.

The Link Between IS.I.OR.220 and Your ISMS

IS.I.OR.220 does not operate in isolation. It sits within a broader ISMS structure required under Part-IS, and its effectiveness depends on the quality of the surrounding framework.

The ISMS must be integrated with existing management systems, including the Safety Management System (SMS). EASA specifically encourages this integration because many of the underlying processes overlap: risk assessments, incident reporting, internal audits, and training. When these systems are aligned, the organisation gains a more complete picture of its risk environment and reduces the duplication of effort that comes from managing safety and security in parallel silos. Our Part-IS cheat sheet provides a practical overview of which requirements apply to your organisation type and where the integration points sit.

Risk assessments conducted under IS.I.OR.205 feed directly into the detection and response planning required by IS.I.OR.220. The internal reporting scheme under IS.I.OR.215 provides the mechanism through which incidents flow to the right people at the right time. And the continuous improvement requirements of IS.I.OR.260 close the loop, ensuring that lessons from incidents are embedded back into the ISMS rather than filed and forgotten.

Understanding where IS.I.OR.220 sits within this chain matters because compliance is not a single deliverable. It is an ongoing operational state.

What Genuine IS.I.OR.220 Compliance Looks Like

Meeting IS.I.OR.220 on paper and meeting it in practice are two different things. Genuine compliance means:

Documented detection capabilities that are tested, not just described. Event collection mechanisms that pull from all relevant sources, including third-party suppliers in the functional chain.

A written incident response plan that has been exercised through tabletop scenarios or simulation. Response roles that are assigned to specific individuals with clear authority and communication lines.

A recovery process that includes a tested business continuity and disaster recovery plan, documented root cause analysis after incidents, and a structured feedback loop into the ISMS.

Personnel who are trained and assessed on their specific security responsibilities, not just given generic cybersecurity awareness content. A pilot’s threat landscape differs from a maintenance engineer’s. Training should reflect that.

Complete and accessible records of all information security activities, findings, corrective actions, and management reviews. These records are the evidence an organisation presents during a competent authority audit. If you are unsure how your current documentation holds up, an ACS gap analysis will identify exactly where the gaps are and what needs to be addressed.

Why Compliance Is Also a Strategic Advantage

Organisations that embed IS.I.OR.220 compliance into their daily operations are building something more durable than regulatory adherence. They are building operational resilience.

A mature ISMS with effective incident management capabilities reduces the time to detect threats, limits the damage when incidents occur, and accelerates the return to normal operations. That translates into measurable protection for operational continuity, contract relationships, and organisational reputation.

It also signals to regulators, partners, and customers that information security is taken seriously at every level of the organisation, not just by the IT department. In an industry where trust is earned through demonstrated performance, that signal has tangible value.

The compliance deadline has now passed for organisations in the first wave. For those still working toward full implementation, the time to act is not when the next audit is scheduled. It is now.

Conclusion

IS.I.OR.220 is not a box-ticking exercise. It is a functional requirement that demands organisations know how to spot a threat, act when it materialises, and recover without lasting damage to safety, operations, or trust. Aviation organisations that treat this regulation as a genuine operational standard, rather than a compliance formality, will find themselves better prepared for the threats that are already targeting the sector.

If your organisation is working toward Part-IS compliance and needs structured, practical support, Aero Compliance Solutions provides end-to-end guidance from initial gap analysis through to full ISMS implementation and ongoing compliance monitoring.

Contact the Aero Compliance Solutions team today to discuss where your organisation stands and what it needs to get there.

What is an ISMS?

An Information Security Management System (ISMS) is a structured framework that helps aviation organisations protect their information, systems, digital assets, and operational data from security threats. It ensures confidentiality, integrity, and availability of critical information through policies, risk management, processes, monitoring, and continuous improvement.

How does an SMS differ from usual safety procedures or checklist culture?

Traditional safety procedures or checklists are often reactive and task-based (e.g., “did we complete the checklist?”). An SMS is proactive and systemic: it embeds hazard identification, risk management, safety assurance and continuous improvement in organisational culture and processes. It moves beyond procedural compliance to performance-based monitoring and improvement. In other words, it provides “control & oversight”, “stability & security” and constant attention to emerging threats.

Why is an SMS important for aviation organisations?

Aviation operations are inherently complex and high-risk. An SMS ensures that safety is integral, not an add-on. By having formal processes to capture hazards, perform risk assessments, trigger corrective and preventive actions, and monitor performance, organisations can reduce incidents, improve operational resilience, and maintain regulatory compliance. ACS emphasises that newer regulations such as EASA Part-IS require integration of information security frameworks with SMS frameworks, showing that safety and security are now tightly interconnected.

What is a Safety Management System (SMS)?

A Safety Management System (SMS) is a structured, organisation-wide approach to managing safety risks. In aviation organisations it provides the framework to identify hazards, assess and mitigate risks, monitor performance, and continually improve safety outcomes. An SMS brings together policies, procedures, roles & responsibilities, reporting systems, risk management and assurance activities.

How can Aero Compliance Solutions help with ISMS implementation?

Aero Compliance Solutions specialises in helping aviation organisations meet EASA Part-IS requirements.

Their services typically include:

  • Gap analysis
  • Information-security risk assessments
  • Policy and procedure development
  • Integration of ISMS with existing SMS
  • Supplier chain and interface control mapping
  • Incident-response planning
  • Compliance monitoring

Their structured aviation-specific approach ensures organisations achieve compliance and real-world resilience.

Is an ISMS required by aviation regulators?

Yes, for many organisations.

Under EASA Part-IS, the following entities must implement an ISMS aligned to aviation requirements:

  • Air operators (AOC holders)
  • CAMOs
  • Ground handling service providers
  • Aerodromes
  • ANSPs
  • Continuing airworthiness entities

Even outside EASA states, many regulators follow ICAO guidance to strengthen cyber resilience.

Why is an ISMS important in the aviation industry?

Aviation is highly dependent on digital systems – flight operations, maintenance, navigation, crew management, dispatch, and communication platforms. A cyberattack or data breach can disrupt flight safety, ground operations, or regulatory compliance.

EASA Part-IS now mandates that operators, airlines, CAMOs, ground handlers, and ANSPs have a formal ISMS in place to manage information-security risks in an integrated, systematic way.

What is EASA?

EASA stands for the European Union Aviation Safety Agency. It is the regulatory authority responsible for civil aviation safety across Europe, setting rules, standards, and guidelines for airlines, maintenance organizations, and aviation service providers. EASA oversees compliance with regulations such as Part-IS, ensures Safety Management Systems (SMS) are in place, and provides certification for aviation organizations to maintain safe and secure operations.

Learn more about EASA and its role

What is Part-IS?

Part-IS refers to the EASA (European Union Aviation Safety Agency) regulation for Information Systems and Safety Management in aviation organizations. It is part of EASA’s compliance framework, ensuring aviation companies have proper Information Security Management Systems (ISMS) and Safety Management Systems (SMS) in place to protect operations, data, and safety-critical processes.

Read the complete guide on Part-IS for aviation organizations

What is aviation cybersecurity?

Aviation cybersecurity is the practice of protecting aviation systems, data, and communications from cyber threats. It ensures compliance with EASA Part-IS and secures safety management systems (SMS).

Aviation Cybersecurity – EASA

What is a cyber attack?

A cyber attack is any attempt to gain unauthorized access, steal data, or disrupt digital systems. In aviation, these can compromise ISMS, SMS, and operational safety.

Cyber Attacks Explained – CSO Online

What is a supply chain attack?

A supply chain attack targets vulnerabilities in third-party vendors or partners to access an organization’s systems. Aviation operators must secure their suppliers to maintain safety and compliance.

Supply Chain Attacks – CISA

What is ransomware?

Ransomware is malware that encrypts files or systems and demands a ransom for access. In aviation, ransomware can disrupt operations and compromise safety-critical data.

Ransomware explained – Kaspersky

Who is / what is the European Union Aviation Safety Agency (EASA)?

The European Union Aviation Safety Agency (EASA) is the regulatory authority responsible for civil aviation safety in Europe. EASA develops regulations, monitors compliance, and issues certifications, including standards for cybersecurity and Part-IS.

EASA Official Website

What is MFA?

MFA stands for Multi-Factor Authentication. It requires users to provide two or more verification factors to access a system, such as a password and a code sent to a mobile device. MFA is crucial for aviation cybersecurity.

Read more about MFA from Microsoft

Contact Aero Compliance Solutions to discuss your business requirements.