Title: EASA Part-IS Compliance Requirements
Date of Issue: July 2025
Applicability: CAT & NCC Operators
Overview
EASA has introduced a new regulatory framework, Part-IS, to ensure aviation organisations manage information security risks that could impact flight safety. Part-IS is therefore considered a safety regulation.
This framework will become legally binding for most air operators, including Commercial Air Transport (CAT) and Non-Commercial Complex (NCC) operators, under the Implementing Regulation (EU) 2023/203.
Compliance Deadline: 22 February 2026
Who Is Affected?
The regulation applies to the following organisations:
- Air Operators holding an AOC (CAT operations)
- NCC Operators
- Approved Training Organisations (ATO)
- Part-CAMO organisations
- Part-145 maintenance organisations (with some exclusions)
- Operators of FSTD, medical examiners, ATCO training organisations, etc.
What Must Be Done – Step by Step
Step 1: Conduct a Gap Analysis
Compare your current management system with the Part-IS baseline
Focus areas:
- Roles and responsibilities
- Existing cyber protection measures
- Interfaces with IT, third parties, CAMO, Maintenance
Step 2: Create your Information Security Documentation
This is your core document and must include:
- Scope and boundaries of your Information Security Management System (ISMS)
- Information security policy
- Identified threats and initial risk assessments
- Mitigation and response procedures
- Reporting structures (internal + external)
- Change management, recordkeeping, external interfaces
- Compliance monitoring procedure
The required documentation does not have to be a standalone manual. As is part of the Safety Management System (SMS) it can also be included as a dedicated section within OM A Chapter 3, or any other company SMS documentation.
Step 3: Staff Preparation and Training
Inform and train:
- Accountable Manager
- Nominated Persons
- Cybersecurity-responsible staff
Prepare reporting procedures.
Step 4: Compliance Monitoring and Readiness Review
- Conduct an internal audit and risk re-assessment
- Document findings and actions
TRS Recommendations
TRS recommends to:
- Assess your organisation’s current level of information security preparedness
- Develop and submit Part-IS documentation well before the compliance deadline
- Plan a structured implementation in line with the Part-IS “Present, Suitable, Operating, Effective” model
We assist our clients in:
- Developing and aligning documentation with Part-IS requirements
- Conducting implementation audits