Introduction
If you manage a Continuing Airworthiness Management Organization (CAMO), you have less than a month to ensure full compliance with EASA Part-IS—a groundbreaking cybersecurity regulation that treats information security breaches with the same severity as physical safety hazards.
As of 22 February 2026, EASA Part-IS is not a future concern; it is active law. CAMOs that have not yet implemented a formal Information Security Management System (ISMS) face regulatory action, potential certificate suspension, and operational disruption.
This article explains what Part-IS requires, why it matters for aviation safety, and how to achieve compliance before the deadline.
What Is EASA Part-IS?
EASA Part-IS is the European Union's comprehensive regulation on information security for aviation organizations. It is codified in:
- Commission Implementing Regulation (EU) 2023/203 (primary regulation)
- Commission Implementing Regulation (EU) 2022/1645 (amendments)
Part-IS is a direct response to the growing sophistication of cyber threats targeting aviation, including ransomware attacks on maintenance management systems, data breaches affecting flight safety records, and social engineering targeting maintenance personnel.
The Core Principle
Unlike previous cybersecurity guidelines that treated IT security as a non-safety matter, Part-IS explicitly recognizes that information and communication systems are essential to aviation safety.
A ransomware attack that renders a CAMO's maintenance database inaccessible is not merely an IT incident—it is a safety event. If a CAMO cannot access its aircraft maintenance records, cannot generate required maintenance plans, or cannot track airworthiness directives, that organization cannot safely operate.
What Part-IS Requires: The Five Core Pillars
EASA Part-IS mandates an Information Security Management System (ISMS) built on five core pillars:
1. Governance and Organization
Establish clear information security governance, including:
- Information Security Officer (ISO) or equivalent role responsible for the ISMS
- Information Security Committee (for larger organizations) to oversee policy, budgeting, and incident response
- Executive accountability: Leadership (CEO, COO) must publicly commit to information security and ensure adequate resources
2. Risk Management
Conduct a formal Information Security Risk Assessment (ISRA) covering:
- Asset inventory: All IT systems, databases, networks, and data related to aircraft maintenance and airworthiness
- Threat identification: Ransomware, phishing, insider threats, supply chain attacks, and emerging vectors
- Vulnerability analysis: Known CVEs in systems, unpatched software, weak access controls
- Impact analysis: If a particular system is compromised, what is the safety impact?
- Risk scoring: Prioritize risks based on likelihood and impact
3. Control Implementation
Implement technical, organizational, and operational controls aligned with ISO/IEC 27001 standards, including:
Technical Controls:
- Multi-factor authentication (MFA) for all users accessing safety-critical systems
- Encryption of data at rest and in transit (TLS/HTTPS)
- Network security (firewalls, segmentation)
- Patch management (critical patches within 72 hours)
- Backup and recovery systems
- Continuous monitoring and logging
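The risk scoring described under Risk Management (likelihood and impact over an asset inventory classified by safety criticality) and the 72-hour critical-patch SLA listed above, as one added worked example that is not part of the article: the asset names, the 1-5 scales, the doubling of scores for safety-critical systems and the patch timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CRITICAL_PATCH_SLA = timedelta(hours=72)  # the article's "critical patches within 72 hours"
SAFETY_WEIGHT = 2  # assumed weighting: compromise of a safety-critical system is a safety event


@dataclass
class Asset:
    name: str
    safety_critical: bool                  # Safety-Critical Information System?
    threats: dict[str, tuple[int, int]]    # threat -> (likelihood 1-5, impact 1-5)
    critical_patches: dict[str, datetime]  # open critical patch id -> vendor release time


def risk_score(likelihood: int, impact: int, safety_critical: bool) -> int:
    """Likelihood x impact, doubled for safety-critical systems (assumed scheme)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1-5 scale")
    return likelihood * impact * (SAFETY_WEIGHT if safety_critical else 1)


def prioritized_risks(assets: list[Asset]) -> list[tuple[str, str, int]]:
    """Return (asset, threat, score) triples, highest risk first."""
    rows = [(a.name, t, risk_score(lik, imp, a.safety_critical))
            for a in assets for t, (lik, imp) in a.threats.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def overdue_critical_patches(assets: list[Asset], now: datetime) -> list[tuple[str, str, float]]:
    """Return (asset, patch id, hours past the 72h SLA) for every breached critical patch."""
    breaches = []
    for a in assets:
        for patch_id, released in a.critical_patches.items():
            overdue = now - released - CRITICAL_PATCH_SLA
            if overdue > timedelta(0):
                breaches.append((a.name, patch_id, overdue.total_seconds() / 3600))
    return breaches


# Constructed sample inventory: hypothetical CAMO systems, not taken from the article.
NOW = datetime(2026, 2, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("maintenance-db", True, {"ransomware": (3, 5), "insider misuse": (2, 4)},
          {"PATCH-A": NOW - timedelta(hours=100), "PATCH-B": NOW - timedelta(hours=10)}),
    Asset("ad-tracking-app", True, {"phishing of maintenance staff": (4, 4)}, {}),
    Asset("office-wiki", False, {"phishing of maintenance staff": (4, 2)},
          {"PATCH-C": NOW - timedelta(hours=80)}),
]

if __name__ == "__main__":
    for row in prioritized_risks(SAMPLE_ASSETS):
        print("risk       %-16s %-30s score=%d" % row)
    for row in overdue_critical_patches(SAMPLE_ASSETS, NOW):
        print("SLA breach %-16s %s %.1fh past the 72h window" % row)
```

The output ranks the phishing risk on the safety-critical AD-tracking system above the ransomware risk on the maintenance database, and flags two critical patches as outside the SLA while PATCH-B (released 10 hours ago) is still within it.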
4. Event Management and Response
Establish a formal process for managing cybersecurity incidents:
- Detection: 24/7 monitoring and alerting
- Reporting: Internal escalation to Information Security Officer and senior management
- Investigation: Root cause analysis
- Containment: Immediate action to limit damage
- Notification: To regulators if the incident affects safety
- Documentation: Detailed incident records for audit
5. Continuous Improvement
Treat information security as an ongoing discipline:
- Annual review of ISMS effectiveness
- Tracking of cybersecurity metrics and KPIs
- Internal audits of ISMS effectiveness
- Trend analysis and adaptation
Common Gaps and Implementation Challenges
Gap 1: Weak Access Controls
Solution: Implement role-based access control (RBAC). Define job roles and assign system permissions accordingly. Audit access regularly.
Gap 2: Missing Multi-Factor Authentication (MFA)
Solution: Implement MFA for all staff accessing safety-critical systems. Use authenticator apps rather than SMS.
Gap 3: Insufficient Patch Management
Solution: Establish a formal patch management process with SLAs. Test patches before deploying to production.
Gap 4: No Incident Response Plan
Solution: Develop a documented incident response plan. Conduct annual tabletop exercises to test procedures.
Practical Roadmap to Compliance
Week 1: Governance and Awareness
- Designate an Information Security Officer
- Secure executive commitment and budget allocation
- Notify all staff that Part-IS compliance is a priority
- Initiate security awareness training
Weeks 2-3: Risk Assessment
- Conduct an Information Security Risk Assessment
- Classify systems by safety criticality
- Prioritize high-risk items for immediate remediation
Weeks 3-4: Control Implementation
- Implement MFA for critical systems
- Review and tighten access controls
- Deploy encryption for data at rest and in transit
- Establish a patch management process
Key Takeaways
- Part-IS is active law. As of 22 February 2026, CAMOs must comply. There is no transition period remaining.
- Information security is now a safety obligation. Treat cybersecurity with the same rigor as mechanical maintenance.
- An ISMS is required. Implement a formal Information Security Management System aligned with ISO/IEC 27001.
- Five pillars matter: Governance, risk management, control implementation, event management, and continuous improvement.
- CAMOs face specific requirements. Protect Safety-Critical Information Systems and manage supply chain risk.
- Common gaps are fixable. MFA, access control, and patch management are standard practices.