October 3, 2025

How to Prepare Your Organization for EASA’s Part-IS

The aviation industry’s reliance on digital systems has transformed cybersecurity from a pure IT concern into a critical operational safety issue. To address these evolving risks, the European Aviation Safety Agency (EASA) has introduced Part-IS (Information Security), a regulatory framework that will reshape how the industry and authorities safeguard aviation information.

At Web Manuals, we recently co-hosted a webinar with Maite Arteta Fernández, Director of International Coordination at aviation consultancy Time to Fly, to unpack the regulation, highlight its implementation challenges, and share best practices for compliance.

What is EASA Part-IS?

Part-IS is designed to protect the confidentiality, integrity, availability, and authenticity of information that could impact aviation safety. It applies cybersecurity principles within the context of aviation operations, ensuring that threats that could affect the safety of operations, such as phishing, ransomware, and data breaches, are managed with the same rigor as other safety risks.

The regulation stems from ICAO’s 2016 recommendations on cybersecurity, and EASA has split its implementation into two main phases:

Phase 1 – Published 2022, enforced from October 2025. Applies to:

  • Part-21 design & production organizations
  • Aerodrome operators
  • Apron management service providers

Phase 2 – Published 2023, enforced from February 2026. Applies to:

  • CAMOs
  • Part-145 maintenance organizations
  • ATOs
  • ATCs
  • Aviation authorities

Key takeaway: Don’t wait for the final enforcement date. Part-IS requires documented, approved procedures, which must be submitted to your national authority in advance. Some authorities have set earlier deadlines so that organizations can be compliant by the final deadline.

Who Needs to Comply and Who’s Exempt?

Some organizations are automatically exempt (for example, small Part-145 entities servicing only Part-ML aircraft). Others may request a derogation by demonstrating a low cybersecurity risk through a risk assessment.

Even if granted a derogation, remember that organizations must still:

  1. Protect the confidentiality of information received from other organizations.
  2. Conduct security assessments.
  3. Train personnel on cybersecurity awareness.

Because national authorities interpret and enforce the rules differently, it’s vital to consult your own regulator early and review any published guidance.

Prepare before implementing

Part-IS follows a familiar three-tier structure: Implementing Rules, Acceptable Means of Compliance (AMC), and Guidance Material (GM). Its requirements integrate with your existing Management System processes, meaning you can often build on what’s already in place rather than starting from scratch.

Before diving into the practical steps, Maite points out that it’s essential to lay the groundwork for a smooth Part-IS rollout. Start by asking yourself two key questions:

  1. What is my perimeter?
  2. Who does what?

Part-IS sits at the crossroads of your management system and IT operations, so you need clarity on boundaries and responsibilities from the outset.

To define your perimeter, take a blank sheet of paper and map your processes to reveal your risk landscape:

  • Are they digital or paper-based?
  • Managed in-house or outsourced?
  • Do they require specialized equipment?

Then perform an audit. Make a gap analysis to identify what you already have in place, what’s missing, and how you’ll bridge the gap. This action plan will form the foundation of your implementation strategy.

Importantly, Part-IS only addresses information security risks that could impact aviation safety. If you’re already ISO 27001 certified, you’re ahead, but ISO covers all risks, while Part-IS narrows its scope to aviation-related threats.

Remember: Part-IS isn’t a standalone system; it’s an add-on to your existing framework. Everyone in the organization has a role to play.

Step-by-Step Guide to Implement Part-IS

Maite recommends a 7-step approach to get a clear and structured plan for implementing the regulations:

  1. Appoint key roles: Assign your Accountable Manager the new tasks and responsibilities related to overseeing resources and holding final responsibility for Part-IS. Do the same for the Compliance Monitoring Manager regarding the oversight and surveillance of Part-IS. Finally, appoint a new key role: the Part-IS Responsible Person, in charge of day-to-day implementation and risk management.
  2. Integrate Part-IS into your Safety Policy: Adapt your existing safety policy to include Part-IS commitments. This ensures consistency and avoids creating another standalone document.
  3. Identify, assess, and treat risks: Map your operational perimeter, list potential threats, and assess their probability, severity, and current controls. Focus on the most critical risks to optimize resources.
  4. Document your procedures: Include policies, governance, compliance monitoring, safety processes, reporting schemes, and subcontractor management in your manuals. You can update existing documentation or create a dedicated Part-IS manual.
  5. Manage contracted activities: Instead of trying to focus on all subcontractors at the same time, Maite recommends classifying suppliers by risk level and frequency of use. Adjust contracts, train key partners, and prioritize high-risk, high-use subcontractors to achieve early progress.
  6. Train your entire team: Tailor cybersecurity training to different roles. Use scenario-based examples, not generic IT slides, to make it practical and relevant.
  7. Implement the change and follow it: After authority approval, integrate Part-IS into daily operations. Track performance, audit regularly, and refine processes as threats evolve.

Stay Ahead of These Common Challenges

The IT vs. Management System Language Gap

In many organizations, IT teams focus on networks, firewalls, and technical defenses, while safety and compliance teams concentrate on procedures, audits, and reporting. Without intentional alignment, these groups may talk past each other.

Solution: Create a joint working group including IT, safety, compliance, and documentation leads. Map responsibilities clearly: who tracks incidents, who updates manuals, who manages audits. Use plain language to bridge technical and procedural perspectives.


Low Cyber Awareness Among Operational Staff

Pilots, mechanics, and front-line staff are often the first line of defense against cyber threats, yet they may not see themselves as part of the cybersecurity chain.

Solution: Use aviation-specific, role-relevant examples. Show fake maintenance orders, simulated phishing emails, or operational data tampering scenarios. Integrate this training into onboarding and recurrent programs.


Unaligned Subcontractors

Your cybersecurity is as strong as your weakest supplier. A non-compliant subcontractor can become the entry point for a cyber incident.

Solution: Segment suppliers by criticality and usage frequency. For critical, frequently used partners, define minimum cybersecurity expectations in contracts and provide direct training. For others, use self-assessment questionnaires or lighter oversight measures.


Unclear Responsibilities

When no one owns Part-IS tasks, they fall between IT, compliance, and operations, leading to delays or incomplete implementation.

Solution: Map every Part-IS requirement to a responsible person or team. In larger organizations, consider appointing department-specific Part-IS liaisons to ensure actions are completed at the local level.

Why Start Now?

Implementing Part-IS isn’t just a compliance exercise. It’s a cultural shift that strengthens resilience and aligns cybersecurity with aviation safety. Organizations that act early will avoid last-minute authority bottlenecks, secure supplier alignment, and reduce exposure to growing cyber threats.

By leveraging digital tools like Web Manuals and consulting experts like Time to Fly, you can accelerate compliance, reduce manual workload, and keep your documentation aligned with evolving regulations.

The October 2025 and February 2026 deadlines are closer than they seem. The time to start is now.

To help you on this path, we have created a Guide to EASA Part-IS implementation, featuring a 7-step approach from the experts at Time to Fly, which is available for free download.

Tools & Support for a Smoother Rollout

  • Web Manuals Part-IS Library: Link regulations directly to your manuals; receive alerts when rules change.
  • Web Manuals’ Part IS Manual Template: Available in Web Manuals Store. This template follows an ISO 27000 approach, providing operators with a structured framework for managing information security risks in line with international standards. It includes the core elements needed to demonstrate compliance while aligning with industry best practices.
  • Time to Fly’s Part-IS Manual Template: Available in Web Manuals Store. This version is built on a Management System approach, making it directly compatible with the existing Safety and Compliance frameworks already used by most operators. It ensures smooth integration into the organization’s overall Management System, with a focus on practicality, regulatory compliance, and continuous improvement.
  • Open Audit Program: Audit Web Manuals for Part-IS compliance as part of your supplier oversight.
  • Time to Fly Consulting: Gap analysis, action plan development, and manual updates.
  • Time to Learn Training: Role-specific Part-IS training from awareness to advanced.
