The European Commission published the Implementing Regulation (EU) 2023/203 of October 27, 2022. With this publication, the regulatory framework paving the way for a cyber-resilient aviation system has been completed.
Implementing Regulation (EU) 2023/203 lays down rules for the identification and management of information security risks in aviation organisations and aviation competent authorities, including EASA. This regulation follows the Delegated Regulation (EU) 2022/1645 published on September 23, 2022, applicable to approved design and production organisations, as well as aerodrome operators and apron management service providers.
Part-IS introduces requirements for the identification and management of information security risks which could affect information and communication technology systems and data used for civil aviation purposes. It sets requirements for detection of information security events, identifying those which are considered information security incidents, and responding to, and recovering from, those information security incidents to a level commensurate with their impact on aviation safety.
Part-IS provisions will be applicable from October 16, 2025 for organisations in the scope of the delegated act and from February 22, 2026 for all other organisations and competent authorities covered by the implementing act.
