Part-IS: 2 years to go

Vasileios PAPAGEORGIOU • 22 February 2024
in community Cybersecurity


As a member of this community, you surely know (or at least we hope you do) that on 22 February 2026 the Implementing Regulation (EU) 2023/203 will become applicable.

So don't forget that you "only" have two years starting from today to get ready for the implementation of Part-IS.

Countdown

Well, actually, don't forget that there is also the Delegated Regulation (EU) 2022/1645, which becomes applicable on 16 October 2025 if your organisation is one of those listed under Article 2 of that rule.

How can you quickly check which regulation your organisation falls under? A quick solution is to have a look at the relevant FAQ here.

Would you be interested in participating in a pilot project? Then don't waste any time and contact your competent authority!

Have you already started the implementation journey? If so, what is your experience so far? Let us know in the comments below.


Comments (10)

Grégoire LEWIS

Thanks Vasileios for reminding us of this important milestone.

The Part-IS journey began months ago for us at Thales (at least, in the Airspace Mobility Solutions domain I am working in).

As an OEM supplier, we are helping our ANSP (Air Navigation Service Provider) customers get ready for EASA Part-IS.

We are currently working with some of them which are considering Part-IS and what we're finding is that "safety impact" is the new specific focus.

So... our journey with ANSPs just began but it is pretty interesting (to me at least) to support them in their experience, showing the path towards EASA Part-IS compliance, giving them the evidence they ask for and to guide them through the process.

Vasileios PAPAGEORGIOU

Hi Grégoire, thank you for your feedback on this; it is really important to receive the experiences of professionals and organisations during this implementation journey. The safety impact is "all that matters" for Part-IS, so it is good to hear that organisations who have to apply Part-IS fully understand this.

Grégoire LEWIS

And by the way, I am also playing with the AI image creator to tune images of aviation + cyber, and results could be fun, like yours :-)

Vasileios PAPAGEORGIOU

This is indeed a nice tool, although there is still room for improvement. Sometimes, depending on the context, it takes more time than expected to produce something meaningful, but the final outcome seems to be (hopefully) nice :)

Dominique SAVEL

Hello, I have a few questions: There are numerous references to ISO 27001 in the Easy Access Rules for Information Security, but I cannot find data on the GDPR, for which, for example, 27001 is a tool. Will EASA position itself in terms of the duration of preservation of personal data? Since, as indicated, it is the human who will be at the heart of the IS.
Furthermore, the existing digital data used in aviation is mainly and contractually under the “umbrella” of the Cloud Act (Clarifying Lawful Overseas Use of Data Act), which diverges in more than one way from the European line of GDPR. How does EASA position itself on this point in terms of risk assessment? Beyond personal data, this is data that is hosted in another jurisdiction.

Vasileios PAPAGEORGIOU

Hello Dominique,

Regarding your question about EASA's position on the preservation of personal data and how it aligns with ISO 27001 or its stance on the divergence between the Cloud Act and GDPR, these topics are more aligned with data protection, privacy regulations, and cybersecurity governance than with the specific airworthiness and environmental certification guidelines provided by EASA in this document.

EASA's involvement with data protection and cybersecurity would be to ensure that aviation systems are secure from cybersecurity threats, including those that may impact personal data. However, the specific duration for the preservation of personal data, compliance with GDPR, and the handling of data under jurisdictions like the Cloud Act would typically be addressed within the broader context of EU data protection regulations and cross-border data transfer agreements, rather than solely within aviation-specific regulations.

Concerning the intersection of aviation data and the Cloud Act, this involves complex legal considerations around international data transfers, jurisdiction, and compliance with local laws. Organizations operating in this space need to navigate both sets of laws carefully. EASA, as an aviation safety body, focuses on the safety and airworthiness aspects of aviation. Still, it collaborates with other regulatory bodies and stakeholders on broader issues, including data protection and cybersecurity, to ensure a comprehensive approach to aviation safety and security.

Dominique SAVEL

Thank you very much for your response Vasileios. I find it very difficult to understand how EASA presents a regulation on information security that does not address data protection, privacy regulations, and cybersecurity governance in all its aspects. One of the digital characteristics of aeronautics is that it is particularly exposed to problems with data stored and exchanged between the European Union and outside it. The approach appears incomplete, with legal considerations being the basis of compliance. In the context that you present the work is therefore much simpler, and so I thank you, but I doubt the effectiveness in terms of security.

Vasileios PAPAGEORGIOU

It is important to keep in mind what the mandate of EASA is and what the main objective of Part-IS is. The considerations that you are mentioning are very important, but EASA cannot enforce any measures on topics that are not under its mandate. From the Part-IS side, we did our best to ensure that the regulatory package is compatible with those considerations.

In order to tackle the challenges that you are mentioning, organisations should remain vigilant and respect any EU and national rules in the field of data protection and privacy. After all, mere compliance should not be the only goal of an organisation; instead, holistic protection against threats that can compromise their assets should be the ultimate goal. Security is largely a matter of mentality and culture, and it is thus important for organisations to cultivate such a culture in order to be effectively protected.

Miguel F. del Pino

Good morning Vasileios

Like Grégoire and Dominique, I appreciate the reminder.
In Spain, apart from the use of 27k, since 2010 we have had the National Security Scheme (ENS) as a working framework with which the ANSPs are obliged to comply: https://ens.ccn.cni.es/es/

To a large extent, the requirements of the ENS and of Part-IS are traceable, as are those of the 27k, although I do not know how EASA has assessed the internal legislation of the EU member countries. Is there any validation plan for these frameworks by AESA to validate compliance with Part-IS?

Vasileios PAPAGEORGIOU

Good morning Miguel,

Thank you for the information; this is interesting indeed.
As far as our activities are concerned, we are in communication with representatives from the EU member countries and authorities (including AESA), and during the preparation of the AMC and GM we had the opportunity to exchange frequently on the different (or similar) requirements that exist as part of the internal legislation of the EU MS, so such considerations have been taken into account.

Moreover, these discussions continue during the activities of the Part-IS Implementation Task Force, a group consisting mainly of representatives from the safety authorities of the EU MS. Among other activities, we are also trying to map and compare Part-IS requirements with requirements stemming from other rules that have similar objectives or scope. For the time being we are focusing on EU rules (e.g., NIS2 Directive, AVSEC), but we do exchange as well on national legislation of the EU MS, as it is important to understand what the case is in each MS. Each MS has different internal legislation and thus potentially a different approach, but we do try to make our deliverables and guidance compatible with these, based on the feedback that we are receiving. Last but not least, the interplay between Part-IS and 27k is also addressed as part of a dedicated subgroup under this Task Force.
