In a world where aviation safety is increasingly based on digital systems, the PART-IS regulation introduced by the European Union Aviation Safety Agency (EASA) marks a decisive turning point.
Part-IS arrives amid a growing body of cybersecurity standards, regulations, and directives, such as NIS2 (the Network and Information Systems Security Directive), the Cyber Resilience Act (CRA), and sector-specific rules. This expanding regulatory framework reflects the need to secure critical infrastructures and technological products in the face of growing threats.
This article explores the PART-IS regulation: its implications, scope, the stakeholders involved, its essential requirements, and the steps involved in complying with it.
What is PART-IS? Why is it essential?
PART-IS was introduced to protect aviation safety by securing the information systems on which aviation depends. Its main objective is to ensure that these systems, which include technologies such as avionics, communications, and air traffic management, are resilient against cyber threats, so that aviation operations can continue safely in a sector where any failure can have serious consequences. With the growing integration of digital technologies into aviation operations, from navigation systems to ground infrastructure, the sector's exposure to cyber-attacks has increased considerably.
By requiring aviation industry players to identify and assess the vulnerabilities of their systems, PART-IS is a proactive response to today’s challenges.
Which systems are concerned?
PART-IS applies to the information and communication technology (ICT) systems and data used in civil aviation whose compromise could have an impact on aviation safety. This includes, for example:
- On-board systems, such as Flight Management Systems (FMS)
- Air Traffic Management (ATM) infrastructures
- Predictive maintenance systems
Because these systems are increasingly interconnected, a vulnerability in one component can trigger a chain reaction across the entire aviation ecosystem, jeopardising the safety of operations.
Who are the stakeholders?
The implementation of the PART-IS is based on collaboration between several stakeholders. The main players involved include:
- Air operators, who are responsible for the security of on-board systems
- Manufacturers, who must incorporate cybersecurity measures into the design of aircraft and equipment
- Air navigation service providers, responsible for protecting traffic management systems
- National authorities, whose role is to supervise and verify regulatory compliance
- Ground service providers
Part-IS becomes mandatory on 16 October 2025 for organisations covered by Delegated Regulation (EU) 2022/1645, i.e. design and production organisations (and aerodrome operators). Organisations covered by Implementing Regulation (EU) 2023/203, which include maintenance organisations, air operators, and air navigation service providers, will have to comply by 22 February 2026.
What are the PART-IS requirements?
The PART-IS regulation imposes fundamental principles for guaranteeing the security of critical systems. The organisations concerned must adopt a rigorous approach to meet these requirements and ensure their compliance.
Risk management (ISMS)
The regulation requires a proactive approach aimed at identifying, analysing, and mitigating the risks that could compromise the confidentiality, integrity, and availability of information with a potential impact on aviation safety. Built on a structured framework such as ISO/IEC 27001, the Information Security Management System (ISMS) becomes the central tool for establishing robust security policies, deploying appropriate technical and organisational measures, and raising stakeholders' awareness of cybersecurity issues.
Risk management, the fundamental pillar of this approach, allows efforts to be prioritised on the basis of the identified risks, while the PDCA (Plan-Do-Check-Act) cycle ensures continuous improvement. The regulation requires civil aviation operators and entities to have information security governance in line with best practice.
Risk assessment
Organisations must establish a structured methodology for identifying, analysing, and mitigating the cyber risks associated with their information systems. This includes identifying vulnerabilities, assessing the impact on aviation safety in the event of a compromise, and implementing appropriate controls, with the assessment kept up to date as systems and threats change.
Continuous monitoring
Continuous monitoring of systems is essential for detecting security incidents and responding to them rapidly. This requires suitable detection tooling and documented incident response procedures. Information security incidents or vulnerabilities that could affect aviation safety must be reported to the competent authority without delay, accompanied by a clear response plan to limit their impact.
Training and awareness
Staff must be trained in cyber security best practice to reduce the risk of human error. Regular awareness programmes are essential to maintain a high level of vigilance.
Audits and documentation
Compliance with PART-IS is verified through regular audits by the competent authority (EASA or the national authority), in addition to the organisation's own internal audits. Organisations must also maintain full documentation covering security policies, the procedures implemented, and the incidents encountered.
What are the key stages in achieving compliance?
Compliance with PART-IS offers a strategic opportunity for companies to strengthen the security of their critical systems and modernise their practices.
With the compliance deadline set for October 2025 for at least part of the perimeter, now is the time to start the compliance process.
To achieve this, we are currently supporting our customers in 3 main areas:
- Firstly, precisely defining the scope concerned, based on the scope of the approvals issued by EASA, in order to frame the efforts effectively.
- Next, building an Information Security Management System (ISMS) to structure the policies and processes required for proactive risk management.
- Finally, carrying out the first risk analyses to identify vulnerabilities and draw up appropriate action plans.
These steps lay the foundations for a solid, long-term information security strategy, which will then have to be nurtured and developed in the spirit of the continuous improvement process advocated by PART-IS.