Many thanks for this document which brings clarification for both competent authorities and organizations on the deliverables needed to be compliant on the applicability date. Still I have a question of consistency regarding a particular point. The expectation is for organizations to demonstrate we are at the "present & suitable" level. On page 7, expectation #4 is "The organisation has performed an initial risk assessment (e.g. major risks and related threat scenarios both internal and at the interfaces).". To perform the initial risk assessment as described, organisations must have an Information Security Risk Assessment process not only present and suitable but fully operating and effective. Could you please provide your view on this point?
-
Resieri Marcato posted in Cybersecurity
11 months ago
I would like to suggest a link anywhere in this page to the guidelines shown in today's Part-IS workshop.
-
Diego Magrini posted in Cybersecurity
1 year ago
Good afternoon EASA folks!
Could I ask for a clarification about 2025/011/ED? The mapping of competencies at Annex II "A. Part-IS7 training for NAA inspectors" mostly references Part-IS.AR. However, NAA inspectors will audit organisations, therefore the reference should be to Part-IS.I.OR and .D.OR.
Am I missing anything?
-
Ian Yell posted in Cybersecurity
1 year ago
Has anyone created, or found, a compliance assessment tool for the internal auditing of Part-IS / ISMS PSOE scores?
-
diomiro certaldi posted in Cybersecurity
1 year ago
Looks to me that organisations need more time to really implement cybersecurity, at all levels, as adopted by SMS.
-
Thomas Dall Pedersen posted in Cybersecurity
1 year ago
Hi all,
Do you know why EASA has elected to use the word "appoint" and not "nominate" in the selection of the person/group being responsible for the ISMS?
I'm referring to IS.I.OR.240(b) Personnel requirements. I've been through the video from the EASA Part-IS workshop in November '24 and on day 1 at timestamp 5:34:00, Gerrit Neubauer asks if there is any difference from the authority's perspective between a "nominated person" and an "appointed person".
To this question, Angeliki Karakoliou from EASA replies that they consider it as being the same. But why not just use the term "nominated"?
Can I find references for how EASA interprets those terms in places other than the YouTube video? The reason for my questions is the way the regulations set requirements for "nominated persons", but not as much for "appointed persons". Unless of course those two terms are considered the same.
There are many references to "nominated person", like:
In AMC1 ARO.GEN.330 Changes - organisations, the competent authority must make sure the nominated person is suitable before acceptance.
In ORO.AOC.135 Personnel requirements, a list of "nominated persons" is described, but there is no mention of ISMS. How have you interpreted this, and do you know how the authorities will interpret it?
-
Eric Ekstrom posted in Cybersecurity
1 year ago
Dear all, happy to meet!
I am doing a bachelor thesis on "cybersecurity challenges for airlines".
Is anyone able to help me understand:
- The "air operators" are applicable to (EU) DR 2018/1139. But I don't find it clear that the 'airlines' would be subject to (EU) IR 2023/203. Or would the 'airlines' be subject to 2023/203 through their CAMO organization? I have more questions and any answers are super appreciated, so please connect here or on LinkedIn.
Best regards,
Eric Ekström