
If you work in aviation—whether you’re part of an airline, an airport, or a company that designs or maintains aircraft—you’ve probably heard of EASA Part-IS. But what is it, and why does it matter? In simple terms, EASA Part-IS is a set of rules from the European Union Aviation Safety Agency (EASA) to keep aviation safe from cyber threats. This guide explains what Part-IS is, who needs to follow it, and how to get ready, all in plain language for anyone to understand.
What Is EASA Part-IS?
EASA Part-IS is a regulation focused on cybersecurity in aviation. It’s designed to protect the systems and data that keep planes, airports, and air traffic control running safely. Think of it as a rulebook for making sure hackers or technical glitches can’t cause problems that might lead to accidents or delays.
The “Part-IS” stands for “Information Security.” It covers things like:
- Protecting computers and networks used in aviation.
- Spotting and stopping cyber attacks.
- Recovering quickly if something goes wrong.
These rules were created because aviation relies heavily on technology—like flight control systems, booking platforms, and communication networks—and a cyber attack could put safety at risk.
Why Is Part-IS Important?
Aviation is one of the safest ways to travel, but cyber threats are growing. Hackers could try to mess with flight schedules, steal sensitive data, or even interfere with navigation systems. Part-IS helps prevent these risks by making sure every organization in aviation has a plan to stay secure.
Following Part-IS also:
- Keeps passengers and crew safe.
- Helps companies avoid fines or legal trouble.
- Builds trust with customers by showing you take security seriously.
Who Needs to Follow Part-IS?
Not every aviation organization has to follow Part-IS, but many do. If your company works in any of these areas, you’re likely included:
- Airlines (air carriers that fly passengers or cargo).
- Airports (including those managing runways or passenger areas).
- Aircraft designers and manufacturers (companies that build planes or parts).
- Maintenance organizations (those that fix or service aircraft).
- Air traffic control (groups managing airspace and navigation).
If your organization uses computers or data that could affect flight safety, Part-IS probably applies to you. Smaller companies or those working on non-critical parts (like airplane seats) might be able to get an exemption, but they’d need to prove their work doesn’t impact safety.
Key Dates for Compliance
Part-IS has two important deadlines you need to know:
- October 16, 2025: This is when most aviation organizations (like airlines, airports, and manufacturers) must fully comply with Delegated Regulation (EU) 2022/1645. This covers the main rules for protecting systems and data.
- February 22, 2026: This deadline applies to other organizations and authorities (like national aviation agencies) under Implementing Regulation (EU) 2023/203. It includes extra rules for oversight and monitoring.
Start preparing now because setting up a cybersecurity plan takes time!
What Do You Need to Do?
To follow Part-IS, your organization needs to build an Information Security Management System (ISMS). This is a set of plans, policies, and tools to keep your systems safe. Here’s a simple breakdown of what’s required:
- Understand Your Risks:
  - Look at your systems (like computers, networks, or software) and figure out where a cyber attack could cause problems.
  - For example, could a hack stop planes from taking off or mess with navigation?
- Create a Security Plan:
  - Write down how you’ll protect your systems. This might include using strong passwords, updating software, or locking down sensitive data.
  - Decide who in your company is responsible for cybersecurity.
- Watch for Problems:
  - Set up ways to spot cyber attacks, like alerts for unusual activity on your network.
  - Train your team to recognize suspicious emails or links.
- Respond to Incidents:
  - Have a plan for what to do if something goes wrong, like a hacker getting into your system.
  - This might mean shutting down affected systems or calling in experts to help.
- Work with Authorities:
  - Share your security plan with EASA or your national aviation authority (like the CAA in the UK).
  - Be ready for audits or inspections to prove you’re following the rules.
- Keep Training:
  - Make sure your employees know how to handle cyber threats.
  - Regular training helps everyone stay sharp.
How Does Part-IS Relate to Other Rules?
If your organization already follows other cybersecurity rules—like the EU’s NIS Directive or ISO/IEC 27001—you might be halfway there! Part-IS is similar to these standards but focuses specifically on aviation safety. For example:
- ISO/IEC 27001: This is a global standard for cybersecurity. Part-IS aligns with it, so if you’re certified, you can use that work to help meet Part-IS requirements. Just make sure your risks include aviation safety.
- NIS Directive: This EU rule covers cybersecurity for critical industries. Part-IS is more specific to aviation, but EASA is working to ensure that compliance with one can help with the other.
Check with EASA or a cybersecurity expert to see how your existing efforts match up with Part-IS.
Tips for Getting Started
Getting ready for Part-IS might sound overwhelming, but you can break it down into manageable steps:
- Do a Gap Analysis: Compare what you’re doing now with what Part-IS requires. This helps you see how much work there is to do.
- Hire Experts like ACS: If cybersecurity isn’t your strength, bring in a consultant who knows aviation and Part-IS.
- Use EASA’s Guidance: EASA provides Acceptable Means of Compliance (AMC) and Guidance Material (GM) on their website. These are like cheat sheets to help you follow the rules.
- Start Small: Begin with simple steps, like updating software or training staff, and build from there.
- Talk to Your Authority: Reach out to EASA or your national aviation authority for advice on what applies to you.
What Happens If You Don’t Comply?
If you miss the deadlines or ignore Part-IS, you could face:
- Fines: EASA or national authorities can issue penalties for non-compliance.
- Restrictions: You might lose your ability to operate or get certifications.
- Reputation Damage: A cyber attack due to poor security could harm your business and trust with customers.
Plus, not following Part-IS could put safety at risk, which is the last thing anyone in aviation wants.
Benefits of Following Part-IS
Complying with Part-IS isn’t just about avoiding trouble—it’s good for your business too! Benefits include:
- Safer Operations: Protecting your systems keeps flights and passengers safe.
- Stronger Reputation: Customers and partners trust companies that take security seriously.
- Better Resilience: A good ISMS helps you bounce back quickly from problems.
- Future-Proofing: Cybersecurity is only getting more important, so you’ll be ready for what’s next.
Where to Learn More
Want to dive deeper? Here are some great resources:
- EASA Website: Check out the Part-IS section at www.easa.europa.eu for official rules and guidance.
- Web Manuals: They offer templates and tools to help with Part-IS compliance (webmanuals.aero).
- Cybersecurity Consultants: Companies like CyFort (cyfort.ch) specialize in Part-IS for aviation.
- EASA Events: Attend conferences, like the EASA-FAA International Aviation Safety Conference (June 10–12, 2025, in Cologne), to learn from experts.
EASA Part-IS is all about keeping aviation safe from cyber threats. By building a strong cybersecurity plan, you’re not only following the rules but also protecting your business and passengers. Start preparing now for the 2025–2026 deadlines, and don’t be afraid to ask for help from EASA, consultants, or industry resources. With the right steps, you can make compliance straightforward and keep safety first.
Contact Aero Compliance Solutions to discuss your business requirements.