EASA PART-IS: What Operators Need to Know and How to Implement It
Aviation safety has always been a key regulatory priority in Europe. But in today's digital age, it’s no longer enough to focus solely on physical security. Cyberattacks on critical IT systems, unauthorized access to sensitive data, and potential network vulnerabilities can compromise not only information security but also the safety of an entire aviation operation. To address these threats, the European Union Aviation Safety Agency (EASA) introduced Part-IS (Information Security), a regulatory framework that requires operators in the aviation sector to implement measures to secure their information systems.
This article provides an overview of what Part-IS is, why it is needed, what is required from operators, and how they can implement it in practice, particularly when using cloud-based tools and external service providers.
Note: Skylift Aviation GmbH’s e-learning systems are fully compliant with EASA Part-IS, providing a secure and reliable platform for training in line with regulatory requirements.
What is EASA Part-IS and Why Is It Needed?
EASA Part-IS is a regulatory framework designed for operators in the aviation sector to ensure cybersecurity. The core objective is to protect the confidentiality, integrity, and availability of critical information, which includes operational data, safety-critical information, customer data, and other sensitive information essential for the safe and efficient operation of an aviation company.
The need for Part-IS arises from the increasing threat of cyberattacks and data breaches. A successful attack could not only disrupt business operations but also compromise safety. Therefore, Part-IS requires aviation companies to identify risks, implement preventive measures, and maintain emergency response plans to react swiftly in the event of a cyber incident.
Compliance with EASA Part-IS: Cybersecurity for Aviation
To comply with EASA Part-IS, operators must establish a systematic approach to information security that involves several steps:
Appointing an Information Security Manager (ISM): The operator must appoint an ISM responsible for cybersecurity within the organization. This person should have a solid understanding of both cybersecurity and the company’s operations and act as the central point of contact for all security-related issues.
Conducting a Risk Assessment: Operators are required to identify and assess risks to their information systems. This assessment includes:
Identifying critical IT systems and sensitive data
Evaluating threats and vulnerabilities
Assessing the potential impact of a security incident
Based on this assessment, operators should develop prioritized measures to mitigate identified risks.
Developing an Information Security Management System (ISMS): An ISMS serves as an organizational and technical framework for managing information security. It includes policies, standards, and procedures for:
Access controls
Data protection and encryption
Network security
Employee training and awareness
The ISMS should be regularly reviewed and updated to respond to new threats.
Implementing an Incident Management and Response Plan: Operators must develop procedures to respond appropriately to cyber incidents. This includes:
Incident detection and reporting
Clear roles and responsibilities for incident response
Data recovery and business continuity capabilities
Operators should also ensure that significant incidents affecting safety or operations are reported to the relevant authorities.
Continuous Monitoring and Audits: Continuous monitoring of IT systems is essential to detect potential threats early. Regular audits and reviews help identify security gaps and ensure all systems meet compliance standards.
A Practical Approach to Implementing Part-IS
A practical approach to implementing EASA Part-IS combines organizational and technical measures, ensuring that compliance is manageable and effective for the operation. The following steps offer guidance for structured implementation:
Integrate Cybersecurity into the Safety Management System (SMS): Cybersecurity should be treated as part of the overall safety strategy. Integrating it into the SMS ensures that all safety risks, including cyber risks, are systematically monitored and assessed.
Establish a Culture of Security Awareness: Raise awareness among all employees and stakeholders about the importance of cybersecurity. Regular training programs ensure that everyone in the organization understands how they can contribute to information security.
External Providers and Cloud Services: What Operators Need to Know
Using cloud services and external providers presents specific challenges. Operators cannot fully transfer the responsibility for data security to the service provider.
Security Requirements for Cloud Services
Select certified providers: Choose providers that meet recognized security standards, such as ISO/IEC 27001.
Service Level Agreements (SLAs): Ensure that SLAs specify security measures aligned with Part-IS requirements and that the provider performs regular audits and security checks.
Encryption and Access Controls: Sensitive data should be encrypted, and access controls should be implemented to prevent unauthorized access.
Guidelines for Specific Tools
Microsoft SharePoint: Implement multi-factor authentication and role-based access controls. Encrypt data and monitor activities regularly.
Webmanuals and IQSMS: These tools offer document management and safety management functions. Ensure that user permissions are managed and all changes and accesses are logged.
VPN Solutions: Use VPNs to secure access to cloud systems and protect data traffic between locations and devices.
Regular Monitoring and Adaptation: The cybersecurity landscape is constantly evolving. Operators should therefore regularly review and adapt their security measures. This includes:
Security checks and audits: Conduct internal and external security reviews to identify potential vulnerabilities.
Continuous improvement of the ISMS: Use audit results to continuously optimize the ISMS and keep it up to date.
Note: Skylift Aviation GmbH ensures that its e-learning systems are fully compliant with EASA Part-IS, providing secure, robust, and regulation-aligned training solutions for aviation operators.
Summary: Achieving Effective Part-IS Compliance for Aviation Companies
EASA Part-IS challenges aviation companies to elevate their information security to a new level. Implementation requires a combination of technical measures, organizational adjustments, and a clear understanding of responsibilities when using cloud-based tools. A systematic approach to information security, which considers cybersecurity as an integral part of the overall safety strategy, is essential.
Checklist for EASA Part-IS Compliance
Appoint an Information Security Manager: Ensure accountability for cybersecurity.
Conduct Risk Assessments: Identify risks and prioritize actions.
Implement an ISMS: Establish comprehensive security management.
Develop Incident Management: Create clear response processes for security incidents.
Conduct Regular Audits and Monitoring: Continuously identify and close security gaps.
Ensure Security Requirements for Cloud Services: Use SLAs, certifications, and encryption.
With this structured approach and a strong security culture, aviation companies can meet EASA Part-IS requirements, strengthen their IT security, and create a solid foundation for safe and compliant operations.
ABOUT
Skylift Aviation GmbH was founded in 2016 in Vienna, Austria, and has extensive experience in all business challenges of the aviation sector. The Skylift Aviation team comprises highly motivated and experienced experts in all relevant disciplines. Our large network of partners ensures outstanding service quality in almost all areas of aviation. With our extensive experience in the aviation industry, we help our clients maximise the value of their operating model, realise growth ambitions, and gain insights that lead to sustainable competitive advantage.