The latest EU regulation on information security in civil aviation, EASA Part-IS, sets out mandatory information security standards to protect aviation operations from cyberthreats. Part-IS is an extension of the existing European Aviation Safety Agency (EASA) safety regulations, and is intended for airlines, airport operators, air navigation service providers, other aviation industry stakeholders, and aviation authorities. The requirements are set out in Commission Delegated Regulation (EU) 2022/1645 and Commission Implementing Regulation (EU) 2023/203.
What is included in Part-IS?
Part-IS requires all players in the aviation industry to implement strong information security measures to ensure the protection of IT systems and networks. Organisations and regulators must implement technical and organisational measures to minimise the risk of a cyberattack and improve resilience. This includes the use of encryption, access controls and regular IT system updates and maintenance.
Part-IS also requires aviation organisations to set up an Information Security Management System (ISMS) that can, for example, be based on the ISO/IEC 27001 standard. An ISMS is designed to help organisations to address security threats in a systematic and proactive way, i.e. to identify, protect against and respond to security incidents, and to restore integrity and availability after such an incident. This includes defining responsibilities, identifying and assessing information security risks, developing appropriate measures, training staff and monitoring compliance.
Who needs to comply with Part-IS and when does it come into force?
On 16 October 2025, Part-IS will come into force for airport operators, apron control services, and aircraft manufacturing and development organisations. From 22 February 2026, Part-IS will also apply to the following: air carriers, maintenance organisations, continuing airworthiness management organisations (CAMO), approved training organisations (ATO), aeromedical centres for flying personnel, operators of flight simulation training devices, air traffic controller training organisations (ATCO TO), aeromedical centres for air traffic controllers, air navigation service providers, providers of U-space services and the relevant oversight authorities, including EASA.
What impact will Part-IS have on airlines, aviation authorities, and the civil aviation industry as a whole?
Part-IS will have a positive impact on cybersecurity in aviation, but it also requires significant investment in technology and specialist personnel. It requires aviation organisations and regulators to prioritise security measures and continually adapt their IT infrastructures and processes to meet the increasing demands of digital security. Compliance with the new information security requirements will be monitored by national authorities and EASA, with regular audits carried out. Part-IS will make civil aviation more resilient to cyberattacks and increase public confidence in aviation security.
Coordination and cooperation throughout Europe and the FOCA's Information Security Unit
The new EU regulation will promote closer cooperation between EASA, national supervisory authorities and aviation organisations. This will make it easier to share information and coordinate in the event of cross-border security incidents, thereby making the European aviation industry more resilient to cyberthreats and able to respond more quickly to emerging threats.
A new unit was set up at the FOCA to deal with implementation of EASA Part-IS. Since 1 August 2024, the Information Security Unit has been part of the Security Section within Safety Division: Infrastructure. The staff in this unit work across departments and support inspectors in matters relating to information security requirements.
Last modification 30.07.2025
Contact
Federal Office of Civil Aviation (FOCA)
Security Measures
Information Security Unit