FAQ
What are the main requirements of Part-IS?
EASA Part-IS establishes requirements for managing information security risks within aviation organizations and authorities, focusing on safeguarding operations and aviation safety.
The main requirement is the establishment of a management system for Information Security, called an Information Security Management System, or ISMS. This is a mix of policies and procedures aimed at identifying threats, assessing their risk and planning mitigations.
Key requirements in Part-IS include:
- Risk Management: Organizations must identify, assess, and manage information security risks that could impact aviation safety. This includes a structured approach to mitigating risks and complying with aviation-specific regulatory standards.
- Establishing an Information Security Management System (ISMS): Organizations are required to implement and maintain an effective system for managing information security, ensuring alignment with organizational objectives and external requirements.
- Incident Management: Provisions must be in place for the timely detection, response, and recovery from information security incidents, with a focus on minimizing disruption and ensuring operational continuity.
- Personnel and Resources: Adequate personnel training, clear assignment of roles, and the provision of necessary resources to support information security efforts are essential.
- Ongoing Improvement: Organizations are expected to regularly review and improve their information security practices to adapt to evolving risks and maintain compliance.
Or if you prefer a quicker and more personalised approach, you can ask us directly. We have specialists available to support the implementation of Part-IS for all sectors of the aviation industry.
When is Part-IS applicable from?
EASA Part-IS is made up of 2 major EU Regulations, and because of this there are different applicability dates for different types of organisations.
The Delegated Regulation (officially Regulation (EU) 2022/1645) applies to Airports, Design Organisations and Production Organisations. This becomes applicable on 16 October 2025.
The Implementing Regulation (officially Regulation (EU) 2023/203) applies to National Authorities, Aircraft Operators, Continuous Airworthiness Maintenance Organisations (CAMO), Approved Training Organisations (ATO), Aero Medical Examiners (AME), Maintenance organisations under Part-145, and Air Navigation Service Providers (ANSP). This becomes applicable on 22 February 2026.
Who needs to comply with Part-IS?
EASA Part-IS applies to a large number of companies that receive approval from National Aviation Authorities, as well as to the National Aviation Authorities themselves.
In particular, these are the main companies that are touched by EASA Part-IS requirements:
Airports, Design Organisations (DO), National Aviation Authorities, Aircraft Operators, Continuous Airworthiness Maintenance Organisations (CAMO), Approved Training Organisations (ATO), Aero Medical Examiners (AME), Maintenance organisations under Part-145, Air Navigation Service Providers (ANSP).
As part of their compliance and risk management, these companies are also required to evaluate vulnerabilities introduced by dealing with supply chain providers. This means that companies subject to Part-IS may require companies not subject to Part-IS to demonstrate their Information Security practices.
Effectively, the Part-IS requirements will be felt through the entire ecosystem as companies will try to mitigate their risk when dealing with suppliers.
How can I get certified for Part-IS?
There is no official certification for EASA Part-IS, and National Aviation Authorities will audit organisations subject to the regulation as part of their regular certificate audit programme.
However, if Part-IS is not directly applicable to you, but you are required by your customers to prove you are compliant with Part-IS, you can obtain a Part-IS compliance certificate for your existing Information Security Management System (ISMS) or set up a compliant ISMS.
Through Part-IS.eu you can demonstrate compliance to your clients and gain trust with a recognised certificate.
Do I need an additional Nominated Person for Part-IS?
No, EASA Part-IS does not require you to have an additional Nominated Person in your organisation.
However, as part of implementing the Information Security Management System (ISMS) you will be required to appoint some roles within your organisation.
How you distribute these roles and who covers them is highly variable depending on your organisation size.
Part-IS.eu is able to provide appointed personnel in compliance with sections 235 and 240 of Part-IS.I and Part-IS.D. This is particularly valuable for companies that don’t have internal Information Security figures such as a Chief Information Security Officer (CISO).
Do I need any software to become Part-IS compliant?
Part-IS doesn’t require you to implement any specific software. However, when creating your Information Security Management System (ISMS), you may find it easier to do so using dedicated software.
You may find that you already have suitable software if your organisation is already running a Safety Management System, for example to manage aviation risks. Such software may be sufficient to include your ISMS, or you may decide to use specialised ISMS software.
Ultimately how you decide to build and run your ISMS is up to your organisation’s management, as long as it remains compliant with the principles of the Part-IS regulations.
Get our Free Part-IS Guide

- Regulation concepts broken down
- Highly practical implementation guidelines
- No IT Jargon, only what you need to know.
- Easy step-by-step process to compliance
- Learn about where you can find support
PDF | 0.9MB | 11 pages
Upcoming Part-IS Workshops
Our Part-IS workshops are designed to make the complexities of aviation information security accessible to everyone, especially non-IT personnel. These interactive sessions break down the essentials of EASA Part-IS regulation, empowering participants to understand their role in compliance and kickstart their compliance journey.

Full Implementation Workshop
- Barcelona, Spain
- 29-30 April 2025
We are taking our full implementation workshop to Barcelona during the beautiful Spanish spring. This is the workshop dedicated to non-IT professionals who want to understand Part-IS and start the compliance journey for their organisation.