To which organisations does Part-IS apply?
This Regulation applies to the following organisations (Article 2 of Regulation (EU) 2023/203):
- maintenance organisations subject to Section A of Annex II (Part-145) to Regulation (EU) No 1321/2014, except those solely involved in the maintenance of aircraft in accordance with Annex Vb (Part-ML) to Regulation (EU) No 1321/2014;
- continuing airworthiness management organisations (CAMOs) subject to Section A of Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014, except those solely involved in the continuing airworthiness management of aircraft in accordance with Annex Vb (Part-ML) to Regulation (EU) No 1321/2014;
- air operators subject to Annex III (Part-ORO) to Regulation (EU) No 965/2012, except those solely involved in the operation of any of the following:
  - ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012;
  - single-engine propeller-driven aeroplanes with a maximum operational passenger seating configuration (MOPSC) of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under visual flight rules (VFR) by day;
  - single-engine helicopters with an MOPSC of 5 or less that are not classified as complex motor-powered aircraft, when taking off and landing at the same aerodrome or operating site and operating under VFR by day.
- approved training organisations (ATOs) subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011, except those solely involved in training activities of ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012, or solely involved in theoretical training; organisations satisfying both exceptions are also exempted.
- aircrew aero-medical centres subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011;
- flight simulation training device (FSTD) operators subject to Annex VII (Part-ORA) to Regulation (EU) No 1178/2011, except those solely involved in the operation of FSTDs for ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012;
- air traffic controller training organisations (ATCO TOs) and ATCO aero-medical centres subject to Annex III (Part ATCO.OR) to Regulation (EU) 2015/340;
- organisations subject to Annex III (Part-ATM/ANS.OR) to Implementing Regulation (EU) 2017/373, except the following service providers:
  - air navigation service providers holding a limited certificate in accordance with point ATM/ANS.OR.A.010 of that Annex;
  - flight information service providers declaring their activities in accordance with point ATM/ANS.OR.A.015 of that Annex;
  - U-space service providers and single common information service providers subject to Implementing Regulation (EU) 2021/664; and
- approved organisations involved in the design or production of air traffic management/air navigation services (ATM/ANS) systems and ATM/ANS constituents subject to Implementing Regulation (EU) 2023/1769.
Moreover, this Regulation applies to the following organisations (Article 2 of Delegated Regulation (EU) 2022/1645):
- production organisations and design organisations subject to Subparts G and J of Section A of Annex I (Part 21) to Regulation (EU) No 748/2012, except design and production organisations that are solely involved in the design and/or production of ELA2 aircraft as defined in Article 1(2), point (j) of Regulation (EU) No 748/2012; and
- aerodrome operators and apron management service providers subject to Annex III ‘Part Organisation Requirements (Part-ADR.OR)’ to Regulation (EU) No 139/2014.
Part-IS is applicable to the competent authority responsible for the oversight of Part-66 licence holders. I am a Part-66 licensed maintainer; do I also have to comply with Part-IS?
No. The Part-IS obligation lies with the competent authority, not with the individual licence holder. The rationale for requiring Part-66 competent authorities to comply with Part-IS is that information relating to Part-66 licences held by those authorities could be compromised, with a potential impact on the availability and/or integrity of the information held; that is a risk the authority needs to consider.
My organisation holds an EASA Part-145 approval under a Bilateral Agreement with the European Community. Does Part-IS apply in such a case?
Under a Bilateral Agreement, the applicability of EASA regulations, including Part-IS, might be subject to the terms of that agreement. Bilateral Agreements often include provisions for mutual recognition of certain certification standards, but they may not automatically include all aspects of EASA regulations like Part-IS.
To determine whether Part-IS applies to your organisation under the Bilateral Agreement, you should review the specific terms of that agreement to understand which EASA regulations are recognised and applicable.
My organisation is an operator or entity referred to in the national civil aviation security programmes of Member States laid down in accordance with Article 10 of Regulation (EC) No 300/2008 and complies with the cybersecurity requirements of point 1.7 of the Annex to Implementing Regulation (EU) 2015/1998. As a consequence, is the organisation considered to be fully compliant with Part-IS?
No. Under Article 4(2) of Delegated Regulation (EU) 2022/1645 and Article 5(2) of Implementing Regulation (EU) 2023/203, compliance with point 1.7 of the Annex to Implementing Regulation (EU) 2015/1998 is credited, but point IS.OR.230 must be complied with in addition in order to achieve legal compliance with the requirements stemming from Part-IS. Compliance with Part-IS will be verified by the competent authority identified in Article 6 of the Implementing Regulation and Article 5 of the Delegated Regulation.
My organisation is ISO/IEC 27001 certified. Do I still need to comply with Part-IS?
The requirements for an information security management system (ISMS) that are specified by Part-IS are for the most part consistent and aligned with ISO/IEC 27001; however, Part-IS introduces provisions that are specific to the context of aviation safety. If an ISO/IEC 27001-based ISMS is already operated by an entity for a different scope and context, it can be adapted and extended to the scope and context of Part-IS based on an analysis of the scope and of the gaps. In order to take credit for an ISO/IEC 27001 certification towards compliance with Part-IS, aviation safety needs to be included in the organisational risk management, with the relevant risk acceptance level determined by the applicable requirement(s) (see figure below). For a mapping between the main tasks required under Part-IS and the clauses and associated controls of ISO/IEC 27001, refer to Appendix II of the published Acceptable Means of Compliance and Guidance Material (AMC & GM) to Part-IS.
My organisation has to comply with Directive (EU) 2022/2555 (the ‘NIS 2 Directive’). Does it also have to comply with Part-IS or is it considered covered?
According to the Guidelines provided by the European Commission on ‘sector-specific Union legal acts’, Part-IS does not fall under the category of ‘Lex Specialis’ (refer to Article 4 of the NIS 2 Directive). This is mainly due to the specific scope of the information security management system (ISMS) legislation as compared to the broader approach of the NIS 2 Directive. However, EASA is working with the European Commission to have Part-IS compliance ‘credited’ in the context of NIS 2 compliance. This can be achieved either during the incorporation of the Directive into national legislation or during the implementation phase. Further guidance on this topic will be provided in 2025.
Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to the equivalence of requirements between Directive (EU) 2016/1148 (NIS Directive) and Part-IS. Does this mean that an organisation complying with the NIS Directive or the NIS 2 Directive is automatically compliant with Part-IS?
No. Compliance with NIS requirements does not in itself imply compliance with all Part-IS requirements. Credit can only be taken where the measures implemented under Article 14 of Directive 2016/1148 (the ‘NIS Directive’) or Article 21 of Directive (EU) 2022/2555 (the ‘NIS 2 Directive’) are equivalent in effect to the corresponding requirements of Part-IS.OR. This equivalence in effect will be verified by the competent authority identified in Article 6 of Implementing Regulation (EU) 2023/203 and Article 5 of Delegated Regulation (EU) 2022/1645. Supporting material for performing this assessment is currently under development by the European Commission, the European Union Aviation Safety Agency (EASA) and the Member States' authorities, and is expected to be provided to the authorities concerned by Q4 2025.
Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to Directive (EU) 2016/1148 (the ‘NIS Directive’) and its relation to Part-IS. As Directive (EU) 2022/2555 (the ‘NIS 2 Directive’) will be applicable from October 2024, does this mean that any references to the ‘old’ NIS Directive in Part-IS now automatically refer to the NIS 2 Directive?
Yes, according to Article 44 of Directive (EU) 2022/2555 (the ‘NIS 2 Directive’):
‘Directive (EU) 2016/1148 is repealed with effect from 18 October 2024.
References to the repealed Directive shall be construed as references to this Directive and shall be read in accordance with the correlation table set out in Annex III.’
As the ‘Authority Requirements’ are part of Implementing Regulation (EU) 2023/203, which is applicable from 22 February 2026, does this mean that the applicability date (16 October 2025) of Delegated Regulation (EU) 2022/1645 can then be disregarded?
Regulatory deadlines cannot be disregarded. Organisations within the scope of Delegated Regulation (EU) 2022/1645 therefore have to comply with it by 16 October 2025. However, as the Authority Requirements will only be applicable as of 22 February 2026, it is possible that before that date competent authorities might not yet be fully in compliance with them. The national aviation authorities nevertheless have to enforce the Delegated Regulation during the roughly four months between the two applicability dates, as an oversight obligation stemming from Article 62 of the Basic Regulation; a lenient approach is advised until the Implementing Regulation becomes applicable. More information is available in the guidelines on the oversight approach by the authorities.
At the same time, we would recommend that all affected parties, authorities, and organisations integrate Part-IS into their processes as early as possible, as the objective is to ensure adequate protection of the aviation ecosystem and not merely compliance.
Does information have to be protected only from digital threats or also from non-digital ones?
The use of the term ‘information security’ in Part-IS, as opposed to ‘cybersecurity’, is deliberate and significant. It was chosen to encompass a broader range of risks to information systems. Whereas ‘cybersecurity’ primarily focuses on protecting data from digital threats in cyberspace, ‘information security’ extends beyond the digital realm to include non-digital threats, for example physical access to paper records or to equipment. This comprehensive approach acknowledges that vulnerabilities and threats to information systems can arise in both digital and physical form, and therefore requires a wider scope of protective measures and considerations.
Why are there two sets of rules (Implementing Regulation and Delegated Regulation), and what is the difference between them?
Further to the changes introduced in the EU legislative process by the Lisbon Treaty, the European Commission has been given the power to adopt delegated acts in certain areas following a simpler and faster process. In all other cases, the adoption of implementing acts requires the comitology procedure to be followed, which includes a vote by the Member States.
According to Article 128 of the Basic Regulation, the European Commission has been given the power to adopt delegated acts in the areas of Initial Airworthiness and Aerodromes.
For this reason, two acts have been issued to introduce Part-IS requirements: Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203. Their applicability scope reflects the delegations conferred in Article 128 of the Basic Regulation.
The two acts were scheduled to be issued simultaneously, but issues during the publication process led to a delay of the publication of the Implementing Regulation and, consequently, to the staggered applicability dates.
Is Part-IS applicable to Declared Organisations, and if so, to which Declared Organisations?
The following Declared Organisations have to comply with Part-IS requirements:
- Non-Commercial Operations with Complex Aeroplanes (NCC) Organisations — Air Operations (Air OPS),
- Specialised Operations (SPO) Organisations — Air OPS,
- Apron Management Service Providers — Aerodromes (ADR), and
- Ground Handling Service Providers.
The following Declared Organisations are out of scope and do not have to comply with Part-IS requirements:
- Declared Training Organisations (DTOs) — Aircrew,
- Part-ML (Light) Organisations, and
- Declared Design Organisation Approval (DOA) Holders.
How is Part-IS applied and its application overseen in organisations under a declaratory regime (i.e. Declared Organisations, where no approval in advance is required)?
Given their status, Declared Organisations (DOs) do not need to seek prior approval of their information security management manual (ISMM) or of their procedure for the management of changes. Delegated Regulation (EU) 2022/1645 has been amended to reflect this by Delegated Regulation (EU) 2025/22, while the corresponding amendment of Implementing Regulation (EU) 2023/203 is currently pending. For more details on DOs and their oversight regime, please refer to Subpart DEC of Annex III (Part-ORO) to Regulation (EU) No 965/2012 (Air OPS Regulation).
If the Member State decides to designate another entity to fulfil the assigned role and responsibilities of the competent authority according to Article 6(2) of Implementing Regulation (EU) 2023/203, which authority will Annex I (Part-IS.AR) to that Regulation apply to? To the designated entity or to the competent authority identified in Article 6(1)?
The applicability of Part-IS.AR (authority requirements) is specified in the implementing rules for each specific domain under the relevant authority requirements (e.g. for authorities designated in accordance with Annex II (Part-145) to Commission Regulation (EU) No 1321/2014, see point 145.B.200). This applicability has been introduced by means of an amendment to the already existing authority requirements for the establishment of a management system. Therefore, these requirements apply to the competent authority regardless of how roles and responsibilities are allocated to an independent and autonomous entity designated by the Member State under Article 6(2) of Implementing Regulation (EU) 2023/203.
At the same time, there are no provisions derived from Part-IS for the implementation of an ISMS that apply to the independent and autonomous entity designated by the Member State in accordance with Article 6(2) of that Regulation.
If the competent authority identified in Article 6(1) of Implementing Regulation (EU) 2023/203 decides to allocate certain tasks related to oversight under Part-IS to a qualified entity, which entity has to comply with Part-IS?
Delegation to a qualified entity refers to specific oversight tasks resulting from the authority requirements (e.g. for authorities designated in accordance with Annex II (Part-145) to Commission Regulation (EU) No 1321/2014, see point 145.B.205). The authority requirements of Part-IS shall be met by the competent authority designated in the implementing rule for the domain (which is identical to the one referred to in Article 6(1), if the delegation under Article 6(2) is not exercised by the Member State).
Where the competent authority delegates certification or oversight tasks, its information security management manual (ISMM) shall also cover the activity delegated to the qualified entity (e.g. for Part-145, see point 145.B.205(c)(3)).
Does the ELA2 exemption cover also ELA1 aircraft?
ELA1 aircraft fall within the ELA2 definition (their limits are below the ELA2 thresholds); therefore, organisations dealing only with ELA1 and/or ELA2 aircraft are also exempted from complying with the Part-IS requirements.
A production organisation under Annex I (Part-21), Subpart G to Commission Regulation (EU) No 748/2012 approval designs and manufactures parts for ELA1/ELA2 aircraft. Is the ELA2 exemption applicable to that organisation if it can clearly demonstrate that it is exclusively involved in the development and/or production of ELA1 or ELA2 aircraft, or is the exemption limited to the aircraft manufacturer?
The exemption contained in Article 2(1) of Delegated Regulation (EU) 2022/1645 only refers to Design or Production Organisations (DPOs) that are solely involved in the design and/or production of ELA2 aircraft. DPOs designing and/or producing parts to be installed in this category of aircraft are not included in the exemption.
Further to a risk assessment, it is possible for such organisations to ask for a derogation in accordance with point IS.D.OR.200(e) of Annex I (Part-IS.D.OR) to Delegated Regulation (EU) 2022/1645.
Do TCO operators have to comply with Part-IS?
The third-country operator as such (the holder of the TCO authorisation) does not have to comply with Part-IS, as Part-TCO is not among the rules listed in the applicability articles. However, if that airline holds other EASA certificates for its maintenance (Part-145) or training (ATO or FSTD) branch, then Part-IS is applicable to the part of the organisation covered by those certificates.