Applicability

Expand all questions

To which organisations does Part-IS apply?

Part-IS is applicable to the competent authority responsible for the oversight of Part-66 license holders. I am a Part-66 licenced maintainer, do I also have to comply with Part-IS?

My organisation holds an EASA Part-145 approval under a Bilateral Agreement with the European Community. Does Part-IS apply in such case?

My organisation is an operator or entity referred to in the national civil aviation security programmes of Member States laid down in accordance with Article 10 of Regulation (EC) No 300/2008 and complies with the cybersecurity requirements of point 1.7 of the Annex to Implementing Regulation (EU) 2015/1998. As a consequence, is the organisation considered to be fully compliant with Part-IS?

My organisation is ISO/IEC 27001 certified. Do I still need to comply with Part-IS?

My organisation has to comply with Directive (EU) 2022/2555 (the ‘NIS 2 Directive’). Does it also have to comply with Part-IS or is it considered covered?

Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to the equivalence of requirements between Directive (EU) 2016/1148 (NIS Directive) and Part-IS. Does this mean that if one complies with the NIS Directive or the NIS 2 Directive, they are automatically compliant with Part-IS?

Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to Directive (EU) 2016/1148 (the ‘NIS Directive’) and its relation to Part-IS. As Directive (EU) 2022/2555 (the ‘NIS 2 Directive’) will be applicable from October 2024, does this means that automatically any references to the ’old’ NIS Directive in Part-IS refer now to the NIS 2 Directive?

As the ‘Authority Requirements’ are part of Implementing Regulation (EU) 2023/203, which is applicable from 22 February 2026, does this mean that the applicability date (16 October 2025) of Delegated Regulation (EU) 2022/1645 can be then disregarded?

Does information have to be protected only from digital threats or also from non-digital ones?

Why are there two sets of rules (Implementing Regulation and Delegated Regulation), and what is the difference between them?

Is Part-IS applicable to Declared Organisations, and if so, to which Declared Organisations?

How is Part-IS applied and its application overseen in organisations under a declaratory regime (i.e. Declared Organisations, where no approval in advance is required)?

If the Member State decides to designate another entity to fulfil the assigned role and responsibilities of the competent authority according to Article 6(2) of Implementing Regulation (EU) 2023/203, which authority will Annex I (Part-IS.AR) to that Regulation apply to? To the designated entity or to the competent authority identified in Article 6(1)?

If the competent authority identified in Article 6(1) of Implementing Regulation (EU) 2023/203 decides to allocate certain tasks related to oversight under Part-IS to a qualified entity, which entity has to comply with Part-IS?

Does the ELA2 exemption cover also ELA1 aircraft?

A production organisation under Annex I (Part-21), Subpart G to Commission Regulation (EU) No 748/2012 approval designs and manufactures parts for ELA1/ELA2 aircraft. Is the ELA2 exemption applicable to that organisation if it can clearly demonstrate that it is exclusively involved in the development and/or production of ELA1 or ELA2 aircraft, or is the exemption limited to the aircraft manufacturer?

Do TCO operators have to comply with Part-IS?