Civil Aviation Cybersecurity: EASA Part-IS Sets New Information Security Obligations

In Short

The Situation: The aviation industry is increasingly reliant on digital systems, from air traffic management to ground operations and predictive maintenance. This digital transformation has significantly broadened the sector's attack surface.

The Development: The European Union Aviation Safety Agency ("EASA") has adopted Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203, collectively known as Part-IS, introducing binding information security requirements across the EU civil aviation sector and mandating a structured Information Security Management System ("ISMS") aligned with aviation safety objectives. Depending on the entity, the rules apply from October 16, 2025, or February 22, 2026. Part-IS covers a wide range of stakeholders, including maintenance organizations, air operators, and air navigation service providers.

Looking Ahead: Part-IS is a significant regulatory milestone for EU aviation, embedding information security into core safety oversight. Affected organizations should assess the maturity of their information security capabilities, align governance policies, review contracts with critical suppliers, and monitor forthcoming EASA guidance.

Against the backdrop of intensifying cyber threats affecting aviation systems, EASA has adopted two texts, Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203, establishing the regulatory framework known as Part-IS ("Information Security").

Scope and Applicability
Part-IS applies broadly across the aviation ecosystem, with applicability determined by the relevant regulation.

Entities covered by Commission Delegated Regulation (EU) 2022/1645 include, in particular, aerodrome operators, design and production organizations, and apron management service providers. For these entities, Part-IS applies from October 16, 2025.

Entities covered by Commission Implementing Regulation (EU) 2023/203 extend to the wider aviation population and include maintenance organizations and continuing airworthiness management organizations, both commercial and non-commercial air operators, approved training organizations and flight simulation training device operators, air navigation service providers, air traffic controller training centers, and the relevant competent authorities, including EASA itself. For these entities, Part-IS applies from February 22, 2026.

In practice, most regulated aviation stakeholders operating within the EU will be required to comply.

Core Requirements
Part-IS requires organizations to establish, implement, and maintain an ISMS proportionate to their size, complexity, and risk exposure.

Key obligations notably include:

  • Identification, assessment, and mitigation of information security risks with potential safety impact;
  • Clear governance arrangements, including management accountability and defined roles and responsibilities;
  • Capabilities for incident detection, response, and recovery;
  • Reporting obligations to the competent authority of certain incidents and vulnerabilities;
  • Integration of information security processes with existing Safety Management Systems; and
  • Consideration of supply-chain and third-party risks where relevant.

EASA and competent national authorities oversee compliance. Non-compliance may trigger a range of sanctions, including mandatory corrective action plans, revocation of certificates or approvals, administrative fines of up to 4% of the annual income or turnover, or periodic penalty payments of up to 2.5% of the average daily income or turnover of the organization concerned.

Articulation with the NIS 2 Directive
Pursuant to EASA's guidance, compliance with Part-IS does not exempt organizations classified as "essential" or "important" entities under the NIS 2 Directive from having to comply with the NIS 2 Directive's requirements. (Read the Jones Day Alert on the NIS 2 Directive.)

Next Steps
EASA and national authorities recognize that ISMS implementation is a progressive journey and expect organizations to follow the PSOE ("Present, Suitable, Operational, Effective") model, achieving at least the "Present" and "Suitable" levels by the applicability date (February 22, 2026).

More specifically, the EASA guidance explains that, by the applicability date, organizations need to:

  • Establish the fundamental elements of the ISMS;
  • Define personnel roles and responsibilities and conduct an initial risk assessment identifying their activities, facilities and resources, the services they maintain, as well as the applicable systems and interfaces;
  • Define a security policy, a risk management process, and change management policies; and
  • Put in place procedures for incident management and internal reporting of events.

Pursuant to EASA's guidance, organizations will have an additional 18-month period from the applicability date (February 22, 2026) to reach the "Operational" and "Effective" levels of the PSOE model, i.e., to reach full compliance with Part-IS.

Four Key Takeaways

  1. EASA Part-IS marks a pivotal shift by requiring that information security be treated as an essential component of aviation safety. Regulated entities should move beyond viewing cybersecurity as a standalone IT issue and integrate a structured ISMS into existing operational safety protocols.
  2. The framework applies to nearly the entire aviation ecosystem and mandates clear governance structures with defined roles and direct management accountability for information security.
  3. Compliance with Part-IS does not exempt in-scope entities classified as "essential" or "important" under the NIS 2 Directive from having to comply with the NIS 2 Directive's requirements.
  4. Affected organizations must have met, or must meet, the requirements by October 16, 2025, or February 22, 2026, depending on their classification under the Delegated or Implementing Regulation. An additional 18-month period is provided to reach full compliance.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.