
Part-IS Internal and External Reporting
Aviation organisations operating under EASA regulations are facing one of the most significant compliance shifts in recent years. EASA Part-IS, introduced through Implementing Regulation (EU) 2023/203, requires organisations to implement a formal Information Security Management System and to meet specific reporting obligations under IS.I.OR.215, IS.I.OR.230, IS.D.OR.215, and IS.D.OR.230.
For many organisations, the technical side of Part-IS gets the most attention. Reporting, however, is where gaps most commonly appear during audits. Whether you are an AOC holder, a CAMO, a Part-145 maintenance organisation, or an ANSP, understanding exactly what your reporting obligations are and how to meet them is no longer optional.
This guide breaks down the internal and external reporting requirements under Part-IS, explains what compliance looks like in practice, and outlines a structured approach to building a reporting process that holds up under regulatory scrutiny.
What Are Part-IS Reporting Requirements?
Part-IS establishes two layers of reporting that organisations must manage. The first is internal reporting, which governs how information security events, risks, and incidents are captured, assessed, and escalated within the organisation. The second is external reporting, which covers how and when organisations must notify their competent authority about information security incidents that could impact aviation safety.
IS.I.OR.215 and IS.D.OR.215 define the requirements for organisations to establish processes for identifying, recording, and acting on information security events that have a potential safety impact. IS.I.OR.230 and IS.D.OR.230 expand on this by establishing the obligations around reporting those events externally to the relevant national authority.
The distinction matters. Internal reporting is about operational awareness and risk management. External reporting is about transparency with your regulator and demonstrating that your ISMS is functioning as intended.

Why Reporting Failures Happen
Most reporting failures are not caused by a lack of intent. They happen because organisations do not have clearly defined processes in place before an incident occurs. When an information security event happens, teams are often unclear on what qualifies as a reportable event, who is responsible for documenting it, what the escalation path looks like, and how quickly an external report must be submitted.
Part-IS does not allow for ambiguity here. If your organisation cannot demonstrate a functioning reporting process during an audit, that gap becomes a finding. Repeated findings or a failure to report a safety-impacting event can lead to regulatory action and, in serious cases, restrictions on operational activities.
The good news is that building a compliant reporting process is achievable with the right structure in place.

How to Build a Compliant Part-IS Reporting Framework
Start with a Gap Analysis
Before you can build a reporting framework, you need to understand what your current processes look like and where they fall short. A structured gap analysis maps your existing workflows against Part-IS requirements, identifies roles and responsibilities that are undefined, and highlights any weaknesses in how information security events are currently captured.
If you have not yet completed a formal gap analysis against Part-IS, this is the foundation everything else depends on. The ACS compliance services include gap analysis as a core component of both the Core and Pro packages, giving organisations a clear starting point.
Define What Constitutes a Reportable Event
One of the most common sources of confusion is the question of what actually triggers a reporting obligation. Not every IT issue is a reportable information security event under Part-IS. The regulation requires organisations to report events that have, or could have, an impact on aviation safety.
Your ISMS documentation must include clear criteria that help staff at every level make this determination quickly and consistently. This includes defining thresholds for internal escalation and the conditions under which an external report to the competent authority is required.
Standardise Your Reporting Templates and Processes
Consistency is critical. Once you have defined what constitutes a reportable event, your organisation needs standardised templates for capturing and documenting incidents. These templates should record the nature of the event, the systems or functional chains affected, the potential safety impact, the immediate actions taken, and the timeline of the response.
External reports submitted to your competent authority must also follow a defined format and timeline. Building this into your ISMS documentation removes the risk of ad hoc reporting that is difficult to audit or defend.
Assign Clear Accountability
Reporting processes fail when no single person owns them. Part-IS requires organisations to assign accountability for information security within the organisation, and this should extend directly to the reporting function. Whoever holds responsibility for ISMS oversight should have clear authority to initiate both internal escalation and external reporting.
This does not mean one person handles everything. It means your process defines who does what, in what order, and within what timeframe.
Leverage Technology to Support Reporting
Manual reporting processes are prone to delays and errors, particularly in organisations where information security sits alongside other operational responsibilities. Aviation-specific tools that automate event detection, generate structured reports, and maintain an auditable record of all reporting activity significantly reduce the burden on your team.
The ACS AeroScan tool was built specifically to support this. It scans your IT infrastructure, identifies vulnerabilities, generates actionable reports, and provides the kind of continuous monitoring that makes Part-IS reporting processes sustainable beyond the initial compliance deadline.
Train Your People
Reporting is only as effective as the people responsible for it. Regular training ensures that staff across your organisation understand what Part-IS requires, how to identify a potential information security event, and what steps to take when one occurs. Training should not be a one-time exercise. It should be part of your ongoing ISMS operation and reflected in your competence records.
Build in Continuous Improvement
Part-IS compliance is not a point-in-time achievement. Your reporting processes should be subject to regular review, internal audit, and improvement based on real-world experience. If a report was submitted late, that is a process failure worth examining. If an event was initially categorised incorrectly, your criteria need to be reviewed.
Continuous improvement is what separates organisations that maintain compliance from those that pass an audit once and drift back into non-compliance.
The Consequences of Getting It Wrong
Organisations that do not have functioning reporting processes are exposed on two fronts. The first is regulatory: auditors will identify gaps, issue findings, and potentially escalate if the same issues appear repeatedly. The second is operational: without effective internal reporting, information security risks go unmanaged, and the potential for a safety-impacting incident increases.
The February 2026 compliance deadline for operators has now passed. Organisations that are still working toward full compliance should be treating reporting process development as an urgent priority, not a background task.

A Strategic Advantage, Not Just a Regulatory Burden
Aviation organisations that build robust Part-IS reporting frameworks do more than satisfy a regulatory requirement. They create an internal culture of information security awareness, improve their ability to detect and respond to threats before they escalate, and demonstrate to their competent authority that their ISMS is operating as designed.
When reporting is embedded into daily operations rather than treated as a box-ticking exercise, organisations are better positioned to make informed decisions, maintain stakeholder trust, and operate with confidence in an increasingly complex threat environment.
If your organisation needs support building or reviewing its Part-IS reporting processes, the team at Aero Compliance Solutions is ready to help. Contact us today to discuss where you are in your compliance journey and what a practical path forward looks like.
What Is ISMS?
An Information Security Management System (ISMS) is a structured framework that helps aviation organisations protect their information, systems, digital assets, and operational data from security threats. It ensures confidentiality, integrity, and availability of critical information through policies, risk management, processes, monitoring, and continuous improvement.
How does SMS differ from usual safety procedures or checklist culture?
Traditional safety procedures or checklists are often reactive and task-based (e.g., “did we complete the checklist?”). An SMS is proactive and systemic: it embeds hazard identification, risk management, safety assurance and continuous improvement in organisational culture and processes. It moves beyond procedural compliance to performance-based monitoring and improvement. In other words, it provides “control & oversight”, “stability & security” and constant attention to emerging threats.
Why is an SMS important for aviation organisations?
Aviation operations are inherently complex and high-risk. An SMS ensures that safety is integral, not an add-on. By having formal processes to capture hazards, perform risk assessments, trigger corrective and preventive actions, and monitor performance, organisations can reduce incidents, improve operational resilience, and maintain regulatory compliance. ACS emphasises that newer regulations such as EASA Part-IS require integration of information security frameworks with SMS frameworks, showing that safety and security are now tightly interconnected.
What is a Safety Management System (SMS)?
A Safety Management System (SMS) is a structured, organisation-wide approach to managing safety risks. In aviation organisations it provides the framework to identify hazards, assess and mitigate risks, monitor performance, and continually improve safety outcomes. An SMS brings together policies, procedures, roles & responsibilities, reporting systems, risk management and assurance activities.
How can Aero Compliance Solutions help with ISMS implementation?
Aero Compliance Solutions specialises in helping aviation organisations meet EASA Part-IS requirements.
Their services typically include:
- Gap analysis
- Information-security risk assessments
- Policy and procedure development
- Integration of ISMS with existing SMS
- Supplier chain and interface control mapping
- Incident-response planning
- Compliance monitoring
Their structured aviation-specific approach ensures organisations achieve compliance and real-world resilience.
Is an ISMS required by aviation regulators?
Yes, for many organisations.
Under EASA Part-IS, the following entities must implement an ISMS aligned to aviation requirements:
- Air operators (AOC holders)
- CAMOs
- Ground handling service providers
- Aerodromes
- ANSPs
- Continuing airworthiness entities
Even outside EASA states, many regulators follow ICAO guidance to strengthen cyber resilience.
Why is an ISMS important in the aviation industry?
Aviation is highly dependent on digital systems – flight operations, maintenance, navigation, crew management, dispatch, and communication platforms. A cyberattack or data breach can disrupt flight safety, ground operations, or regulatory compliance.
EASA Part-IS now mandates that operators, airlines, CAMOs, ground handlers, and ANSPs have a formal ISMS in place to manage information-security risks in an integrated, systematic way.
What is EASA?
EASA stands for the European Union Aviation Safety Agency. It is the regulatory authority responsible for civil aviation safety across Europe, setting rules, standards, and guidelines for airlines, maintenance organizations, and aviation service providers. EASA oversees compliance with regulations such as Part-IS, ensures Safety Management Systems (SMS) are in place, and provides certification for aviation organizations to maintain safe and secure operations.
What is Part-IS?
Part-IS refers to the EASA (European Union Aviation Safety Agency) regulation for Information Systems and Safety Management in aviation organizations. It is part of EASA’s compliance framework, ensuring aviation companies have proper Information Security Management Systems (ISMS) and Safety Management Systems (SMS) in place to protect operations, data, and safety-critical processes.
What is aviation cybersecurity?
Aviation cybersecurity is the practice of protecting aviation systems, data, and communications from cyber threats. It ensures compliance with EASA Part-IS and secures safety management systems (SMS).
What is a cyber attack?
A cyber attack is any attempt to gain unauthorized access, steal data, or disrupt digital systems. In aviation, these can compromise ISMS, SMS, and operational safety.
What is a supply chain attack?
A supply chain attack targets vulnerabilities in third-party vendors or partners to access an organization’s systems. Aviation operators must secure their suppliers to maintain safety and compliance.
What is ransomware?
Ransomware is malware that encrypts files or systems and demands a ransom for access. In aviation, ransomware can disrupt operations and compromise safety-critical data.
Who is / what is the European Union Aviation Safety Agency (EASA)?
The European Union Aviation Safety Agency (EASA) is the regulatory authority responsible for civil aviation safety in Europe. EASA develops regulations, monitors compliance, and issues certifications, including standards for cybersecurity and Part-IS.
What is MFA?
MFA stands for Multi-Factor Authentication. It requires users to provide two or more verification factors to access a system, such as a password and a code sent to a mobile device. MFA is crucial for aviation cybersecurity.



