Part-IS: 2 years to go

Hi Gregoire, thank you for your feedback on this, it is really important to receive the experiences of professionals and organisations during this implementation journey. The safety impact is "all that matters" for Part-IS so it is good to hear that organisations who have to apply Part-IS fully understand this.

This is indeed a nice tool although there is still room for improvement on this, sometimes depending on the context it takes more time than expected to produce something meaningful but the final outcome seems to be (hopefully) nice :)

Hello Dominique,

Regarding your question about EASA's position on the preservation of personal data and how it aligns with ISO 27001 or its stance on the divergence between the Cloud Act and GDPR, these topics are more aligned with data protection, privacy regulations, and cybersecurity governance than with the specific airworthiness and environmental certification guidelines provided by EASA in this document.

EASA's involvement with data protection and cybersecurity would be to ensure that aviation systems are secure from cybersecurity threats, including those that may impact personal data. However, the specific duration for the preservation of personal data, compliance with GDPR, and the handling of data under jurisdictions like the Cloud Act would typically be addressed within the broader context of EU data protection regulations and cross-border data transfer agreements, rather than solely within aviation-specific regulations.

Concerning the intersection of aviation data and the Cloud Act, this involves complex legal considerations around international data transfers, jurisdiction, and compliance with local laws. Organizations operating in this space need to navigate both sets of laws carefully. EASA, as an aviation safety body, focuses on the safety and airworthiness aspects of aviation. Still, it collaborates with other regulatory bodies and stakeholders on broader issues, including data protection and cybersecurity, to ensure a comprehensive approach to aviation safety and security.

It is important to keep in mind what is the mandate of EASA and what is the main objective of Part-IS. The considerations that you are mentioning are very important but EASA cannot enforce any measures on topics that are not under its mandate. From the Part-IS side, we did our best to ensure that the regulatory package is compatible with those considerations.

In order to tackle the challenges that you are mentioning, the organisations should remain vigilant and respect any EU and national rules in the field of data protection & privacy. After all, merely compliance should not be the only goal of an organisation but instead a holistic protection against threats that can compromise their assets should be the ultimate goal. Security is largely a matter of mentality and culture and it is thus important for organisations to cultivate such a culture in order to be effectively protected.

Good morning Miguel,

Thank you for the information - this is interesting indeed.
For what concerns our activities we are in communication with representatives from the EU member countries and authorities (including AESA) and during the preparation of the AMC and GM we had the opportunity to exchange frequently on the different (or similar) requirements that exist as part of the internal legislations of the EU MS, so such considerations have been taken into account.

Moreover, these discussions continue during the activities of the Part-IS Implementation Task Force, a group consisted mainly by representatives from the safety authorities of the EU MS. Among other activities, we are also trying to map and compare Part-IS requirements with requirements stemming from other rules that have similar objectives or scope. For the time being we are emphasising on EU rules (e.g., NIS2 Directive, AVSEC) but we do exchange as well on national legislations of EU MS as it important to understand what is the case in each MS. Each MS have different internal legislation and thus potentially a different approach but we do try to make our deliverables and guidance compatible with these, based on the feedback that we are receiving. Last but not least, the interplay between Part-IS and 27k is also addressed as part of a dedicated subgroup under this Task Force.