EASA Part-IS – ORO Amendment 29 & SPA Amendment 17 – Mandatory Changes for 2026

Category: EASA Regulation – Information Security & Operational Requirements
Title: EASA Part-IS – ORO Amendment 29 & SPA Amendment 17 – Mandatory Changes for 2026
Date of Issue: December 2025
Applicability: NCC & CAT Fixed-Wing Operators, Operators with PBN/RNP, RVSM and ETOPS Approvals

---

Summary of Change

EASA has released three regulatory packages that materially change how operators must manage digital systems and operational data:

1. Part-IS (Information Security) – introduces a mandatory Information Security Management System (ISMS), including risk assessment, incident reporting, supplier oversight and a new Information Security Management Manual (ISMM).
2. AMC/GM to Part-ORO — Issue 2 / Amendment 29 – aligns SMS and ISMS requirements and strengthens expectations for digital-process oversight within OM-A, OM-B and OM-D.
3. AMC/GM to Part-SPA — Issue 1 / Amendment 17 – updates data-integrity requirements for PBN/RNP/RNP AR, RVSM and ETOPS operations, with emphasis on digital navigation and performance data workflows.

All changes originate directly from the newly published AMC/GM documents, including the Information Security – December 2025 package (ED Decisions 2025/013/R, 014/R, 015/R).

---

Impact on Operators

The new requirements shift operational oversight from “systems used” to “data relied upon”. Any digital process influencing operational decisions must now be assessed, validated and documented.

Key operator impacts include:

• ISMS becomes a mandatory core system, not an add-on to SMS.
• Digital systems must undergo structured risk assessment.
• NAV-data chains, performance data, EFB workflows and OCC tools must be demonstrably controlled.
• Supplier oversight becomes a regulatory obligation; cloud-based systems included.
• SPA approvals (PBN/RNP/RNP AR, RVSM, ETOPS) now depend on documented data-integrity controls.
• Manuals must reflect updated responsibilities, data flows and competence requirements.

Authorities will review ISMS integration and digital-data governance during 2026 audits.

---

Affected Manuals

OM-A: Management system, ISMS responsibilities, data-flow descriptions, integration with SMS.
OM-B: Navigation-data processes, performance and W&B workflows, configuration control, SPA-related digital dependencies.
OM-D: Training & competence requirements linked to information security.
ISMM (new mandatory manual): Required under IS.I.OR.250; defines all ISMS processes, controls and responsibilities.

---

TRS Recommendation

1. Start ISMS implementation immediately – policy, scope, digital-system mapping.
2. Conduct an ISAP-based risk assessment – required by the AMC/GM.
3. Update OM-A/B/D + ISMM as a single, consistent package.
4. Validate NAV-data and performance workflows – required for SPA compliance.
5. Establish supplier-oversight mechanisms – contracts, service documentation, verification steps.
6. Prepare audit evidence early – authorities will expect complete documentation in 2026.

TRS provides a structured ISMM Template, aligned with the AMC/GM requirements, to accelerate implementation.

---

Official Source

• EASA Easy Access Rules – Information Security (December 2025), including ED Decisions 2025/013/R, 2025/014/R, 2025/015/R.

• AMC/GM to Part-ORO – Issue 2 / Amendment 29.

• AMC/GM to Part-SPA – Issue 1 / Amendment 17.

Further Information

For operators requiring support with ISMS implementation, manual revisions, or compliance, TRS Aviation Consulting provides dedicated assistance.