FAQs on Part-IS are published!
The Frequently Asked Questions (FAQs) published include a set of 22 questions and answers that aim to address common queries and concerns by aviation stakeholders on a number of topics related to Part-IS and its implementation.
Those topics include, among others, the applicability of the Rules, the provisions related to the derogation, the delegation of tasks, competencies and other common areas of interest under this regulatory framework.

The questions included in the FAQs have been collected by our cybersecurity team following exchanges with numerous stakeholders and by taking on board the feedback received during the previous months and especially following the publication of the AMC/GM of Part-IS.
The FAQs, together with the published AMC/GM on Part-IS, aim to provide support and guidance to both organisations and authorities towards the implementation of Part-IS. Depending on the questions that will be received in the future, the FAQs may be further updated.
Do you think that FAQs are a useful tool? Let us know in the comments below!
The image has been generated by utilising OpenAI’s tools following relevant prompts
It is likely that the IS part will lead us towards ISO 27001 because it is the auditable standard that comes closest. For a company of the dimensions you mention, there must be a DPO in HQ management for GDPR compliance; he will be best able to translate the differences between states in terms of information security. Because each authority will interpret the text in the light of its existing texts. You will therefore have as many audits as there are states and in each state: depending on the interpretation.
If you check the GDPR problems, you'll find something relevant: "Currently, in the case of cross-border data transfers, companies trying to use different technology providers encounter a number of difficulties. They are increasingly confused by the ambiguity, overlap and fragmentation of various laws and regulations. requirements in this area. Only an international political solution could help put an end to this imbroglio."
Dear Michal, please consider that Part-IS adds ISMS requirements to the provisions that already exist in the implementing regulation for the domain.
Therefore, a (legal) entity holding multiple approvals obtained in different Member States (for instance an airline group with multiple air operator certificates) will be subject to the same audit scheme as today. During the audit cycle, compliance with the provisions of Part-IS will be assessed.
In complex settings, the Common Responsible Person option can help a group streamline some processes and share them across multiple approvals, but it won't affect the audit scheme.