Good morning Vasileios,
here in Germany, we have to state that small and medium-sized companies in particular have not yet really realized that they need to do something.
Many companies believe that their activities do not pose any information risks to aviation. To make matters worse, the national authorities have also shown little to no activity so far.
From my experience as a former accountable manager for a small operator (AOC, 145, ATO), I know that many of the requirements of PART-IS have already been implemented, but rather out of common sense and therefore not documented in a proper way.
We are trying to persuade these smaller companies to at least have a risk analysis carried out using a checklist. Even if there are hardly any or no risks for aviation, companies can identify and mitigate general information security risks, as these can, in the worst case, ruin the company, for example through scams.
We are also convinced that potential clients will in future increasingly insist on the introduction of an information security management system, since they usually provide internal information for the execution of the order and must therefore ensure that it is handled carefully.