Information security for the aviation sector

EASA Part-IS explained simply: what air carriers need to know

Mario Melmer and Paolo Magrini · Updated on: 09.07.2025

Starting from October 2025 or February 2026 respectively, aviation organizations must comply with the requirements of EASA Part-IS. In this article, our experts Mario Melmer and Paolo Magrini provide their insight into the new regulations, answer the most important questions and present specific measures that will help your company in meeting the requirements of Part-IS.

What is EASA Part-IS exactly?

The Easy Access Rules for Information Security (Part-IS) are a set of regulations issued by the European Aviation Safety Agency (EASA) that deal with the effects of information security on aviation safety.

It's based on the Delegated Regulation (EU) 2022/1645 and the Implementing Regulation (EU) 2023/203. These rules oblige affected organizations - including airlines, maintenance companies and operators of critical infrastructure - to identify and minimize information security risks if they could endanger aviation safety.

  The Easy Access Rules themselves are not an independent legal source, but a user-friendly version of the EU regulations published by EASA.

Who is affected - when are the deadlines?

The requirements of Part-IS must be implemented by the affected authorities and organizations by a specified deadline, which depends on the regulation they fall under.

  By October 16, 2025:

Organizations that are subject to Delegated Regulation (EU) 2022/1645 must implement Part-IS by this date. These include:

  • Manufacturing organizations
  • Development organizations
  • Airport and aerodrome operators
  • Providers of apron management services

  By February 22, 2026:

Organizations that are subject to Implementing Regulation (EU) 2023/203 must implement the requirements of Part-IS by this date at the latest. These include, among others:

  • Aviation authorities
  • Authorities that issue airworthiness certificates or approvals
  • Maintenance organizations
  • Continuing Airworthiness Management Organizations (CAMO): responsible for planning, monitoring and documenting the airworthiness of an aircraft
  • Aviation companies
  • Aeromedical centers for flight crews
  • Operators of flight simulation training devices (FSTD): technical systems for the training of pilots
  • Training organizations for air traffic controllers (ATCO TO): responsible for the theoretical and practical training of air traffic controllers in accordance with international and European standards (e.g. EASA)
  • U-Space service providers: digital services for safe drone operations in lower airspace
  • Manufacturers of ATM/ANS systems and the organizations involved (Air Traffic Management / Air Navigation Services: technologies and services for air navigation and airspace monitoring, e.g. air traffic control, communication and navigation, which ensure safe and efficient air traffic)

What do the regulations require?

Part-IS requires affected organizations to set up and operate a risk-based, structured information security management system (ISMS). The central requirements can be divided into ten subject areas:

  1. Information security management system: An ISMS systematically controls information security in a company. It includes all the necessary processes, roles and guidelines.
  2. Risk management: Information security risks must be identified, evaluated and controlled by means of appropriate measures - through mitigation, avoidance or justified acceptance.
  3. Internal reporting system: Employees should be able to report security-relevant observations or breaches in a confidential and structured manner. This requires an internal, low-barrier reporting system.
  4. Incident management: Security incidents must be systematically identified, analyzed, treated and documented. The aim is a rapid response and sustainable elimination of vulnerabilities.
  5. Corrective measures: Organizations must rectify identified non-conformities with Part-IS as well as weaknesses in the ISMS through appropriate measures - especially if these could affect flight safety.
  6. External reporting system: Reportable incidents and relevant changes to the ISMS must be submitted to the responsible supervisory authority or external partners in a formally correct and timely manner.
  7. Assigned activities: When assigning security-relevant tasks to external service providers, information security requirements must be contractually regulated, monitored and integrated into the company's own ISMS.
  8. Personnel requirements: Security-critical activities require clearly defined requirements for the qualification, training and security awareness of the personnel deployed.
  9. Information Security Management Manual (ISMM): The ISMM documents the principles, procedures and responsibilities of the ISMS. It is used both for internal control and as evidence for the supervisory authority.
  10. Continuous improvement: The ISMS must be regularly reviewed and adapted to new threats, technological developments and regulatory requirements.

Do the requirements apply equally to all companies? 

  As a general rule: 

Organizations must fully implement all requirements defined in Part-IS. The specific obligations are set out in the respective annexes to the regulation:

  • Annexes II and III contain the requirements for organizations such as air carriers, maintenance organizations, training organizations or manufacturers.
  • Annex I is aimed exclusively at aviation authorities.

Reduced requirements apply to authorities, which are not obliged to implement the following elements:

  • Internal reporting system
  • Corrective actions
  • External reporting system
  • Information security management manual (ISMM)
  • Continuous improvement of the ISMS

This simplification takes account of the fact that authorities do not generally perform operational flight safety tasks, but rather monitor them.

What distinguishes Part-IS from ISO 27001? 

Part-IS is largely based on the international standard ISO/IEC 27001 for information security management systems (ISMS). Nevertheless, there are significant differences in the target group, focus and regulatory implementation:

  • Industry focus
    ISO 27001 is an industry-independent standard for information security. Part-IS, on the other hand, is specifically tailored to the aviation industry and focuses on risks that have a potential impact on aviation safety.

  • Scope of the ISMS
    While ISO 27001 leaves the scope largely open to definition, Part-IS requires that all processes and systems that have a direct or indirect impact on aviation safety are included.
  • Management training
    Managers must be able to understand and reproduce the requirements of Part-IS. They share responsibility for implementation within the company.
  • Risk management & incident management
    Both systems require risk management, but Part-IS explicitly requires that all risks and incidents relating to aviation safety are identified, assessed and dealt with.
  • External reporting system
    In contrast to ISO 27001, Part-IS requires relevant risks, incidents and ISMS changes to be reported to the responsible supervisory authority.
  • Corrective actions
    Part-IS requires that corrective actions are planned and implemented in close cooperation with the supervisory authority - this is not prescribed by ISO 27001.
  • Change management
    Changes to the ISMS must either be approved by the authority or processed as part of an officially approved change procedure. ISO 27001 has no comparable external control.
  • ISMM - Information Security Management Manual
    Part-IS requires organizations to document or reference the principles, processes and responsibilities of the ISMS in a manual. ISO 27001 requires documentation, but not a dedicated ISMM.
  • Technical measures
    Part-IS does not specify any concrete requirements for technical protective measures. These result from the respective risk management. ISO 27001, on the other hand, refers to specific measures in Annex A (e.g. access control, cryptography).

While ISO 27001 is aimed at flexibility and international comparability, Part-IS is a binding, aviation-specific set of rules that is monitored by regulators and focuses on the link between information security and aviation safety.

What needs to be done now?

To implement the requirements of Part-IS in a timely and practical manner, two steps are crucial:

1. Establish an ISMS or adapt your existing system

  • If you have already introduced an information security management system (ISMS), we will analyze existing structures and identify specific gaps and the potential for improvement in regard to Part-IS.
  • If you do not yet have an ISMS in place, we will support you in the design, development and introduction of an aviation-specific ISMS tailored to your organization.

2. Document your ISMS in an Information Security Management Manual (ISMM)

  • Together with you, we will adapt our well-proven ISMM template individually to your organization - from structure to content.
  • This way, you will create the necessary transparency and accountability towards any supervisory authority.

Why is HvS-Consulting the right partner for implementing Part-IS?

Practical expertise from the aviation industry

Our experts have many years of experience in setting up and auditing information security management systems (ISMS) - especially in the aviation sector.

Driven by the passion of our Managing Director Michael Hochenrieder - himself a pilot and flight instructor - our team has intensively analyzed the requirements of Part-IS. Together with aviation organizations, we have worked out what really matters when it comes to practical implementation.

Tried and tested ISMM template

In close cooperation with aviation customers, we have developed an ISMM template that:

  • fully meets all Part-IS requirements,
  • is suitable for companies of all sizes (SMEs and large companies),
  • can be seamlessly integrated into existing ISMS processes,
  • and at the same time provides ready-made processes for organizations without an ISMS.

The result: an adaptable, audit-proof and ready-to-use tool for your information security documentation.

Prepare now - Part-IS is coming sooner than expected.

Get in touch with us – we will accompany you through to the successful implementation of Part-IS.

About the authors

Mario Melmer

Head of Information Security at HvS-Consulting

Our specialist for ISMS. He knows what makes an ISMS successful, how to develop it securely and in line with requirements and, above all, how to make it resilient. He's an expert on processes and guidelines that need to be established in your company.

Paolo Magrini

Information Security Consultant at HvS-Consulting

Specialist for ISMS projects in highly regulated industries. In close cooperation with aviation companies from various sectors, he has developed a practical ISMM template concept that specifically addresses the requirements of the EASA Easy Access Rules - Part-IS. He will show you how HvS-Consulting can provide your company with targeted support - even beyond the ISMM.
