Information Security (Part-IS)

Expand all questions

Applicability

To which organisations does Part-IS apply?

Part-IS is applicable to the competent authority responsible for the oversight of Part-66 license holders. I am a Part-66 licenced maintainer, do I also have to comply with Part-IS?

My organisation is not in the list of the organisations that have to comply with Part-IS but it does provide services to such organisations. Does my organisation have to comply with Part-IS?

My organisation holds an EASA Part-145 approval under a Bilateral Agreement with the European Community. Does Part-IS apply in such case?

My organisation is an operator or an entity referred to in the national civil aviation security programmes of Member States laid down in accordance with Article 10 of Regulation (EC) No 300/2008 and complies with the cybersecurity requirements of point 1.7 of the Annex to Implementing Regulation (EU) 2015/1998. As a consequence, is the organisation considered to be fully compliant with Part-IS?

Our organisation is ISO/IEC 27001 certified. Do I still need to comply with Part-IS?

My organisation has to comply with Directive (EU) 2022/2555 (the ‘NIS 2 Directive’). Does it also have to comply with Part-IS or is it considered covered?

Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to the equivalence of requirements between Directive (EU) 2016/1148 (NIS Directive) and Part-IS. Does this mean that if one complies with the NIS Directive or the NIS 2 Directive, they are automatically compliant with Part-IS?

Article 5(1) of Implementing Regulation (EU) 2023/203 and Article 4(1) of Delegated Regulation (EU) 2022/1645 refer to Directive (EU) 2016/1148 (the ‘NIS Directive’) and its relation to Part-IS. As Directive (EU) 2022/2555 (the ‘NIS 2 Directive’) will be applicable from October 2024, does this means that automatically any references to the ’old’ NIS Directive in Part-IS refer now to the NIS 2 Directive?

As the ‘Authority Requirements’ are part of Implementing Regulation (EU) 2023/203, which is applicable from 22 February 2026, does this mean that the applicability date (16 October 2025) of Delegated Regulation (EU) 2022/1645 can be then entirely disregarded?

Does information have to be protected only from digital threats or also from non-digital ones?

Derogation

My organisation would like to apply for a derogation. Is it eligible and if so, what procedure should be followed?

If my organisation receives a derogation, does this mean that it is exempted from compliance with Part IS?

Relationship between Part-IS and certified products

What is the relationship between product and organisation information security, for example, how does an aircraft certified under CS 25.1319 fits in Part-IS?

Reporting

What tool should be used to report information security incidents?

Delegation of tasks

An organisation holds multiple approvals or declarations. Can the different accountable managers delegate the activities under Part-IS to a single person?

Does the organisation need to establish a separate representative for the information security management system (ISMS)?

Competencies

What are the necessary competencies that will need to be developed in order to comply with Part-IS?

Risk assessment

Are there examples of aviation services that may be considered when determining the information security management system (ISMS) scope and interfaces?

Are there examples of threat scenarios that need to be considered for Part-IS?

Integration into existing management systems

Can the Part-IS information security management system (ISMS) requirements be integrated into existing management systems?

Supplementary material

Are the standards referenced in the Acceptable Means of Compliance and Guidance Material (AMC & GM) to Part-IS for free or to be purchased?