A quick guide based on EASA guidance and local notices
As the aviation industry developed, significant technological advancements made unlawful interference and cyber threats more likely. In some cases, they also worsened the severity of the impact should an attack be successful. As a result, the risk rating of such technological advancements has been negatively affected. Therefore, a shift towards regulated information security and the need for robust protection of critical data has long been required.
Part-IS (Information Security) represents this significant step forward in the regulation of information security within the aviation sector. In force since 22nd February 2026, it sets out comprehensive requirements for organisations involved in civil aviation to safeguard information systems and ensure resilience against cyber incidents.
Who is Part-IS applicable to?
For an organisation looking to set up in an EASA state, the applicability of Part-IS must be considered. Reference must be made to Article 2 of Regulations (EU) 2024/1109, which lists the types of organisations that fall within the scope of Part-IS and must therefore apply Part-IS regulations to their organisational manuals.
Some low-complexity organisations may be exempt from the regulation altogether. Other organisations may be granted approval by the competent authority for a derogation (refer to IS.I.OR.200 (e) and IS.D.OR.200 (e) and their respective Acceptable Means of Compliance, or AMCs). A derogation allows exemption from the majority of the regulation but requires such approved organisations to provide justification and continual monitoring. Derogations are normally granted with specific conditions and may be revoked if those conditions are disregarded.
What does Part-IS provide for my organisation?
The EASA website details the rationale behind the rules, their scope, and the resources available to help stakeholders navigate this evolving landscape. By adhering to Part-IS, aviation organisations not only protect their own operations but also contribute to the safety and reliability of the wider European airspace and aviation infrastructure.
Information security is increasingly vital in aviation, as digitalisation and interconnected systems expose operators to new vulnerabilities. Part-IS addresses these challenges by prescribing a systematic approach to risk management, incident reporting, and continuous improvement.
Where do I begin?
EASA regulations regarding Part-IS should be the primary focus of an organisation looking to comply with Part-IS. EASA simplifies this by issuing Easy Access Rules, which make the reading of such regulations more user-friendly.
Additionally, the Maltese competent authority (Transport Malta) has issued local notices to guide Maltese-registered organisations on how to apply Part-IS regulations to their existing manuals. Refer to OAN-04-25 for AOCs, NCCs and SPO Operations. Refer to PEL Notice 98 for ATOs, AeMCs and FSTD Operations. Such guidance was intended for existing organisations in the lead-up to Part-IS, but some details in these notices may also assist startups; for example, "Submission of Documents" can hint at what documents will be requested by the authorities.
Ultimately, guidance from the competent authority of your organisation must be sought. EASA leaves certain guidance open to interpretation, which means that competent authorities are allowed certain freedom to make their own local regulation. This means different member states might have different levels of complexity, despite the same baseline EASA framework. In summary, organisations must not only comply with EASA’s rules but also pay close attention to any additional regulations or guidance issued by their own competent authority.
For information in an expertly guided format, yet still user-friendly, please do not hesitate to contact us at Phoenix Wise Solutions. As ever, we are delighted to be of assistance wherever necessary.
Capt. Paul Borg Cutajar
External Consultant to PWSL in Aviation Compliance
