EASA Part-IS: Aviation Cybersecurity Rules for Airlines and Approved Organisations
EASA Part-IS — the European Union Aviation Safety Agency's cybersecurity regulation — entered into force in January 2023, creating the first binding, pan-European cybersecurity framework for civil aviation. Airlines holding EASA Air Operator Certificates, approved maintenance organisations, aerodrome operators, and air traffic management providers must now demonstrate documented information security management systems, incident reporting processes, and trained personnel. For UK operators with EU operations or EASA certificates, Part-IS applies directly — and the obligations are more prescriptive than many operators anticipated.
EASA Part-IS entered into force January 2023 — binding cybersecurity requirements now apply to all EU-regulated airlines, MROs, and ATM providers.
What EASA Part-IS Requires
Part-IS (Commission Implementing Regulation (EU) 2023/203) introduces an Information Security Management System (ISMS) requirement for all regulated aviation entities. Key obligations include:
- Establishing, implementing, and maintaining a documented ISMS proportionate to the size and nature of the organisation
- Identifying and assessing information security risks to safety-critical systems and services
- Implementing security controls addressing identified risks — including access management, network security, and supply chain risk
- Defining and testing incident response and recovery procedures
- Reporting information security incidents that may affect aviation safety to the competent authority
- Ensuring personnel with security responsibilities are appropriately trained and qualified
- Maintaining records demonstrating ISMS implementation and operation
The Relationship Between Part-IS and Aviation Safety
Part-IS is distinct from general IT security frameworks because it is explicitly safety-focused. EASA's position is that cybersecurity incidents can have direct consequences for flight safety — a compromised ATC system, a spoofed navigation signal, or a ransomware attack on maintenance systems could all affect airworthiness. The ISMS required by Part-IS must therefore consider safety implications, not just operational or commercial risk. This makes Part-IS more demanding than a standard ISO 27001 implementation for aviation operators.
Implementation Timeline and Compliance Deadlines
Part-IS entered into force on 22 February 2023, with a phased implementation timeline. Organisations were required to have identified their ISMS scope and completed an initial risk assessment within 12 months. Full ISMS implementation, including documented controls and tested incident response, was required by February 2025. National Aviation Authorities across EU member states are conducting oversight inspections to verify compliance. UK operators with EASA certificates face the same timeline, and the UK CAA is monitoring equivalent compliance through CAP 1753.
How Kyanite Blue Supports EASA Part-IS Compliance
Our ISMS implementation support for aviation operators covers the full Part-IS lifecycle: scope definition, risk assessment, control selection and implementation, incident response design, and ongoing managed security monitoring. Coro provides the technical controls — endpoint protection, email security, identity management — that form the operational layer of your ISMS. Panorays handles third-party risk assessments for software and technology vendors. Hadrian maps your external attack surface to identify exposed systems before regulators or attackers do.
Frequently Asked Questions
Does EASA Part-IS apply to UK airlines after Brexit?
UK airlines operating solely under a UK AOC and CAA regulation are not directly bound by EASA Part-IS. However, UK airlines holding EASA certificates (for EU operations), UK MROs with EASA Part-145 approvals, and UK operators working within EU airspace under specific arrangements remain subject to Part-IS requirements. The UK CAA's own cybersecurity framework under CAP 1753 is broadly aligned with EASA Part-IS, so compliance with one significantly supports compliance with the other.
Does Part-IS require ISO 27001 certification?
Part-IS requires an ISMS that meets its specific requirements — it does not mandate ISO 27001 certification. However, ISO 27001 provides a well-documented framework that maps closely to Part-IS requirements and can substantially reduce the effort of demonstrating compliance to National Aviation Authorities. Many larger operators are pursuing ISO 27001 certification as evidence of their Part-IS ISMS.
What are the consequences of failing to comply with EASA Part-IS?
National Aviation Authorities can suspend, restrict, or revoke EASA certificates (AOC, Part-145 approval, etc.) for organisations that fail to demonstrate Part-IS compliance. This makes Part-IS non-compliance an existential commercial risk. Additionally, if a cybersecurity incident with safety implications occurs at a non-compliant organisation, regulatory and legal exposure increases significantly.
Get EASA Part-IS compliance support
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.