The second wave of a new mandatory European aviation regulatory framework for information security management systems (ISMS) comes into effect on Sunday. An extension of existing safety regulations, EASA Part-IS (information security) will establish additional requirements for managing information security risks, focusing on safeguarding operations and strengthening resilience in civil aviation.
Although similar to existing protocols, Part-IS requirements also include a risk-based approach to protect digital assets and operations that—if compromised—could negatively impact aviation safety.
Recognizing that increased reliance on data requires heightened cybersecurity safeguarding, EASA is implementing Part-IS in two phases. The first compliance deadline of Oct. 16, 2025, applied to EASA-approved organizations such as airlines, airport operators, air navigation service providers, maintenance organizations, and other industry stakeholders.
The February 22 deadline will also see other bodies such as aviation authorities required to take extra steps toward safeguarding and monitoring data. In practical terms, this will include conducting risk analysis of potential cyber attacks, creating a security plan, training to identify potential problems, and establishing a robust incident response procedure.
According to EASA, an organization may use an existing cybersecurity competency framework to develop its necessary Part-IS competencies. Although no specific risk-assessment framework is mandated, the regulator recommends a combination of methodologies, including assessing potential threats to assets alongside analysis of safety consequences.