Which competencies need to be developed in order to comply with Part-IS?
In order to develop the list of competencies, an organisation may use, as initial guidance, an existing cybersecurity competency framework such as the National Initiative for Cybersecurity Education (NICE) based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
In Appendix II to the published Acceptable Means of Compliance and Guidance Material (AMC & GM) to Part-IS, the main tasks of Part-IS are listed and mapped to the competencies derived from the NIST CSF. More information may be found in the AMC & GM to Part-IS. Moreover, entities may utilise the material of the European Cybersecurity Skills Framework (ECSF) that is published by ENISA. EASA has therefore produced a document with the objective of providing a high-level case study of the application of the ECSF in aviation for the implementation of Part-IS.
How can competence be assessed when using the provisions of point IS.I.OR.235 of Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 or point IS.D.OR.235 of the Annex (Part-IS.D.OR) to Commission Delegated Regulation (EU) 2022/1645 to subcontract information security activities when the organisation does not have the necessary knowledge?
Documentation of qualifications can be used in this regard, as well as the experience (track record, customers) of the organisation providing the services. For more information, see FAQ n.139300.