Expansion of the management systems in the implementing regulations of the EASA Basic Regulation to include information security (Part-IS)

 
Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203 on information security in civil aviation, known as Part IS (Information Security), establish mandatory security standards aimed at strengthening information security in aviation and protecting aviation operators against the growing threat of cyberattacks. These regulations are aimed at organisations in the aviation industry as well as aviation authorities.
 

What does Part-IS include?

The regulation requires the affected organizations in the aviation industry to have elements of an information security management system (ISMS) to identify and minimize information security risks that have an impact on aviation security. This ISMS is designed to help organizations systematically and proactively address security threats, i.e., detect, prevent, and respond to security incidents, and restore integrity and availability after an incident. This includes defining responsibilities and accountabilities, identifying and assessing information security risks, developing appropriate measures, training staff, and monitoring compliance.
 
The ISMS is to be implemented in a proportionate manner (EASA Guidance Material (GM) provides detailed information on this) and integrated with existing management systems.
 

Who is affected by Part-IS and when do the provisions come into force?

On 16 October 2025, the EU provisions on information security (Part-IS) will come into force for airport operators, apron control services, production organisations and design organisations. In a second step, they apply from 22 February 2026 to air carriers, maintenance organisations, continuing airworthiness management organisations (CAMO), approved training organisations (ATO), aeromedical centres for aircrew and air traffic controllers, operators of flight simulation training equipment, training organisations for air traffic controllers (ATCO TO), air navigation service providers, providers of U-space services, as well as the competent authorities, including EASA.
Note: The organisations underlined do not fall within the area of responsibility of Austro Control GmbH.

 


Affected organizations that can prove by means of a risk assessment that any information security risks of their processes and products do not create additional risks for the organization itself or for others can apply to the competent authority for a derogation in accordance with IS.D/I.OR.200(e).
 

What effects does Part-IS have on the "aviation system" as a whole?

The EU's Information Security Regulation (Part IS) is expected to have a positive impact on the cybersecurity situation of the aviation industry, but it also requires significant investment in technology and skilled personnel. The regulation requires aviation companies and organizations as well as regulators to prioritize security measures and continuously adapt their IT infrastructures and processes to the increasing requirements of digital security. Compliance with the new information security requirements is monitored by national authorities and EASA, and regular internal audits of the Compliance Monitoring Function ensure that organisations are compliant. In summary, Part-IS increases civil aviation's resilience to cyberattacks and strengthens public confidence in aviation security.
 

Coordination and cooperation at European and national level

At the European level, EASA has set up a "Part-IS Task Force". In this task force, the authorities coordinate with each other and develop harmonised guidelines on specific topics related to Part-IS. The documents that have already been published are linked on this page.
Austro Control has set up a monthly "Part-IS-Café" for organisations under its oversight, where up-to-date information is passed on in a targeted and structured manner and industry issues are addressed. Participation in these events is free of charge. The content of the cafés is available for download on this page.
 
In addition, our subsidiary "Austro Control International" offers one-day (fee-based) introductory training courses on Part-IS, which cover the competence requirements according to IS.I/D.OR.240(a)(3).
 
Applications and requests regarding Part-IS can be sent by
 
 

Information and links to Part-IS:

 
Quick Access Rule Part-IS: 
Information Security (IS) | EASA
 
 
 
Information on Part-IS at the Swiss Aviation Authority:
EU Regulations on Information Security (Part-IS)

 

Contact

Part-IS

Title / Subject | No. | Version | valid from
Derogation Request acc. IS.I/D.OR.200(e) of Regulation (EU) 2023/203 or 2022/1645 | 1.0 | 2025-08-26 | 26.08.2025