Applicability

Expand all questions

To which organisations does Part-IS apply?

Part-IS is applicable to the competent authority responsible for the oversight of Part-66 license holders. I am a Part-66 licenced maintainer, do I also have to comply with Part-IS?

My organisation is not in the list of the organisations that have to comply with Part-IS but it does provide services to such organisations. Does my organisation have to comply with Part-IS?

My organisation holds an EASA Part-145 approval under a Bilateral Agreement with the European Community. Does Part-IS apply in such case?

My organisation is an operator or an entity referred to in the national civil aviation security programmes of Member States laid down in accordance with Article 10 of Regulation (EC) No 300/2008 and complies with the cybersecurity requirements of point 1.7 of the Annex to Implementing Regulation (EU) 2015/1998. As a consequence, is the organisation considered to be fully compliant with Part-IS?

Our organisation is ISO/IEC 27001 certified. Do I still need to comply with Part-IS?

My organisation has to comply with Directive (EU) 2022/2555 (the ‘NIS 2 Directive’). Does it also have to comply with Part-IS or is it considered covered?

Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to the equivalence of requirements between Directive (EU) 2016/1148 (NIS Directive) and Part-IS. Does this mean that if one complies with the NIS Directive or the NIS 2 Directive, they are automatically compliant with Part-IS?

Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to Directive (EU) 2016/1148 (the ‘NIS Directive’) and its relation to Part-IS. As Directive (EU) 2022/2555 (the ‘NIS 2 Directive’) will be applicable from October 2024, does this means that automatically any references to the ’old’ NIS Directive in Part-IS refer now to the NIS 2 Directive?

As the ‘Authority Requirements’ are part of Implementing Regulation (EU) 2023/203, which is applicable from 22 February 2026, does this mean that the applicability date (16 October 2025) of Delegated Regulation (EU) 2022/1645 can be then entirely disregarded?

Does information have to be protected only from digital threats or also from non-digital ones?