EASA Part-IS Requirements: Frequently Asked Questions for Aviation Operators
EASA Part-IS — Commission Implementing Regulation (EU) 2023/203 — entered into force in February 2023 and created the first binding pan-European cybersecurity framework for civil aviation. Airlines, MROs, airports, and ATM providers across the EU (and UK operators with EASA certificates) face ISMS requirements, incident reporting obligations, and the need to demonstrate documented compliance. Despite the significance of these obligations, many aviation operators still have fundamental questions about scope, requirements, and how to build a compliant programme. This FAQ page addresses the most common questions Kyanite Blue receives from aviation operators navigating EASA Part-IS.
EASA Part-IS applies to all EU-regulated aviation entities — airlines, MROs, airports, and ATM providers — with full ISMS implementation required from February 2025.
Scope: Which Organisations Must Comply with EASA Part-IS
EASA Part-IS applies to organisations regulated under specific EASA implementing regulations:
- Air Operators (Part-ORO/EU-OPS): Airlines holding EASA Air Operator Certificates
- Approved Maintenance Organisations (Part-145): MROs with EASA Part-145 approval
- Continuing Airworthiness Management (Part-CAMO): CAMO organisations managing aircraft continuing airworthiness
- Aerodromes (Part-ADR): Airport operators with EASA aerodrome certificates
- Air Traffic Management (Part-ATM/ANS): Air Navigation Service Providers (ANSPs) and ATM service organisations
- Training Organisations (Part-ATO): Approved training organisations in scope of the implementing regulations
- UK operators: UK-based organisations holding EASA certificates for EU operations are subject to Part-IS for their EASA-regulated activities
ISMS Requirements: What Part-IS Requires in Practice
The Part-IS ISMS requirement is the core obligation. In practice, it requires:
- Scope definition: Define the boundaries of your ISMS — what systems, processes, and locations are in scope
- Risk assessment: Formal risk assessment identifying threats to information security and their potential impact on aviation safety
- Control selection and implementation: Select and implement security controls proportionate to identified risks
- Documentation: Document policies, procedures, and controls — the ISMS must be evidenced in writing
- Incident response: Define and test procedures for identifying, responding to, and recovering from information security incidents
- Reporting: Establish processes for reporting incidents to the competent authority (NAA) where they may affect aviation safety
- Management review: Regular management review of the ISMS to ensure it remains effective and proportionate
Compliance Evidence: What Auditors Will Look For
National Aviation Authorities conducting Part-IS oversight inspections will typically examine:
- ISMS scope document: A written statement of what is in scope of the ISMS and why
- Risk assessment records: Documented risk assessment methodology, risk register, and evidence of regular review
- Information security policy: A management-approved policy stating the organisation's approach to information security
- Control documentation: Evidence that identified controls are implemented and operating effectively
- Incident register: A log of information security events and incidents, including how they were handled
- Training records: Evidence that personnel with security responsibilities have received appropriate training
- Management review minutes: Board or senior management review of the ISMS — demonstrating governance engagement
Frequently Asked Questions
Does EASA Part-IS require ISO 27001 certification?
No. Part-IS requires an ISMS that meets its requirements — not ISO 27001 certification specifically. However, ISO 27001 provides a well-structured framework that maps closely to Part-IS requirements and certification provides strong evidence of ISMS implementation to auditors. Many larger operators are pursuing ISO 27001 certification as the most efficient way to demonstrate Part-IS compliance. Smaller operators may implement a proportionate ISMS aligned to Part-IS requirements without pursuing certification.
What are the penalties for failing to comply with EASA Part-IS?
National Aviation Authorities can suspend, restrict, or revoke EASA certificates — Air Operator Certificate, Part-145 approval, aerodrome certificate — for organisations that fail to demonstrate Part-IS compliance. This is an existential commercial risk for aviation organisations whose business depends on their EASA certificate. Additionally, a non-compliant organisation that suffers a cybersecurity incident will face significantly greater regulatory exposure.
How does EASA Part-IS relate to NIS2 for aviation operators?
Part-IS and NIS2 are complementary but distinct frameworks. Part-IS is an aviation safety regulation creating ISMS requirements for EASA-regulated entities. NIS2 is a cybersecurity directive classifying aviation as critical infrastructure and requiring minimum security measures and incident reporting for essential entities (airlines above size thresholds, airports, ATM providers). Operators subject to both must comply with both — but the requirements are broadly aligned. ISMS implementation under Part-IS substantially satisfies the NIS2 security measure requirements, though NIS2 incident reporting timelines (24 hours for early warning) are more demanding than Part-IS.
What is the Part-IS incident reporting requirement?
Part-IS requires operators to report information security incidents that may affect aviation safety to their National Aviation Authority. The regulation specifies reporting when incidents could affect the safety of civil aviation operations — a threshold that is broadly interpreted to capture significant operational disruptions as well as direct safety-affecting events. The specific reporting timelines and formats are established by NAA guidance — operators should check their NAA's published Part-IS incident reporting procedures.
Can a small MRO or training organisation achieve Part-IS compliance proportionately?
Yes — Part-IS explicitly requires proportionality. A small approved training organisation (ATO) or single-aircraft CAMO has a very different risk profile and level of system complexity than a major airline. The ISMS required of smaller organisations should reflect their actual risk — a simpler risk assessment, fewer documented controls, and a less complex incident response procedure are appropriate. The key is that whatever the organisation does is documented and evidenced. EASA guidance materials include examples for different organisation sizes.