Getting Ready for EASA Part-IS


The European Union Aviation Safety Agency (EASA) has released its new rules (EASA Part-IS) related to the control of information security risks that may have an impact on aviation safety. This guide is designed to help make sure that your organisation is on the right path to meeting its EASA Part-IS compliance requirements.

Key Takeaways

  1. EASA Part-IS requires businesses in the aviation sector to establish robust information security management systems in order to protect public safety.
  2. The first businesses in scope for the new regulations will need to comply by 16 October 2025.
  3. Challenges include proving that your organisation takes a risk-based approach to the management of information security risks and complying with incident reporting requirements.

What is EASA Part-IS?

Given the threat of cyber attacks and the potential for significant disruption or actual bodily harm in the aviation sector, EASA – the body responsible for aviation safety within the EU – has published its Part-IS information security management system requirements.

Recognising the vulnerable nature of the aviation sector to security risks ranging from cyber attack to human error, the main objective of EASA Part-IS is to establish a structured regulatory framework for the implementation of robust information security management systems (ISMS) “for detecting, responding to, and recovering from information security incidents”. It is intended that the rules will help build resilience within the aviation sector and, in turn, protect public safety. Non-compliance could lead to financial penalties and/or operational restrictions related to issues such as licensing suspension, as well as the organisation’s own reputational damage.

The regulations apply to all aviation organisations operating in the EU, from air operators to maintenance, training, design and production organisations and airport operators, and to the authorities responsible for their certification and oversight.

When Will EASA Part-IS be Applicable?

EASA Part-IS is made up of two major regulations with different introduction dates. The Delegated Regulation (EU) 2022/1645, which applies to organisations such as airports and design and production organisations, comes into effect on 16 October 2025. The Implementing Regulation (EU) 2023/203 comes into effect on 22 February 2026 for aviation organisations such as national authorities, aircraft operators and training organisations.

What are the Main Requirements of EASA Part-IS?

EASA Part-IS mandates the establishment of an ISMS, with a focus on the following elements:

Policies and Procedures

Develop comprehensive policies and procedures in relation to EASA Part-IS that show a structured approach to the management and mitigation of information security risks. The policies should cover all relevant scenarios, such as the handling of sensitive data, mobile device use and remote working.

Mapped Dependencies

Identify and document the dependencies between each area of the business as well as external suppliers.

Risk Assessment and Treatment

Conduct a thorough risk assessment to identify those information risks that could have an impact on aviation safety.

Incident Detection, Response and Recovery

There must be mechanisms in place for the detection of, response to and recovery from incidents related to an organisation’s information assets.

Personnel Training

A comprehensive training plan for employees must be in place to ensure they are all able to follow the organisation’s information security management system (ISMS) procedures.

Reporting and Continuous Improvement

EASA Part-IS requires businesses to keep comprehensive records relating to security incidents and any actions taken.

What are the Key Challenges in Meeting Compliance?

Aside from the differences inherent in a country-by-country approach to the interpretation and implementation of new EU rules, it is likely that key compliance challenges will include:

  • Proving that you take a risk-based approach to the management of your information security risks and demonstrating the strength and efficacy of that approach.
  • Implementing the personnel training and awareness component of the new rules and the ongoing maintenance of that training and awareness.
  • The obligations arising from the reporting of information security incidents and the provision of incident details from a technical standpoint. That can be onerous given that regulators will be asking for a full debrief of the technical nuances of a cyber attack within 72 hours, when the organisation might still be dealing with the operational crisis.

How Aon Can Help

Our global team of risk professionals helps organisations make decisions with clarity and confidence in a complex digital environment. With decades of experience, Aon helps clients be better advised throughout their cyber lifecycle. We can offer help, support and advice in relation to effective compliance with EASA Part-IS – this is typically provided in three phases:

  1. Gap Analysis: review current status and adherence. Includes reviewing an organisation’s business context and operations, and insight into the appropriateness of current cyber controls and how aligned they are to the controls within scope.
  2. Roadmap Development: develop an actionable plan. Includes a review of the initial gap analysis to determine the actions and prioritisation required within a roadmap for meeting the controls outlined in EASA Part-IS.
  3. Implementation: implement the plan. Specific activities include facilitated workshops to support the understanding of the mandatory controls; development of a risk management framework; and creation/update of mandatory documentation.

Questions Every Aviation Business Needs to Answer in Relation to EASA Part-IS


  1. Is your organisation in scope for EASA Part-IS?
  2. Do you have a process in place to regularly and accurately identify and evaluate your existing risk exposure in relation to information security?
  3. How does that risk identification process inform your governance procedures and controls?
  4. Do you have an effective roadmap in place to address risk issues identified under EASA Part-IS?
  5. Can you identify and report on information security events not just on a first-party basis, but also on a third-party basis, covering what is happening in your broader environment?
  6. Do your contractual reviews with suppliers recognise the need for information sharing related to an information security incident?
  7. Does your information security approach effectively dovetail into your wider approach for safety, quality and business resilience?

Contact Us

If you would like to find out more about how Aon can help your organisation prepare for EASA Part-IS, please complete the form below. A member of our team will be in touch shortly.

General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

Aon UK is authorised and regulated by the Financial Conduct Authority (FCA). Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.

FP.AGRC.2025.345.SD.