Civil aviation consists of a complex network of numerous interrelated systems that are increasingly becoming the target of cyber attacks. Part-IS is intended to oblige the organizations involved to take effective measures to protect themselves against information security risks that could affect flight safety.
Our experts Andrea Rupprich and Wienke Schumacher answer the 7 most important questions about Part-IS and, with the help of their insights from implementation and consulting projects, provide tips for your optimal preparation.
- What is Part-IS?
- What are the objectives of Part-IS?
- Who is affected by Part-IS?
- What are the main requirements of Part-IS?
- What impact does Part-IS have on the processes in the company?
- How does an ISMS according to Part-IS differ from an ISMS according to ISO 27001?
- How do you best start implementing Part-IS?
1. What is Part-IS?
Part-IS (Part Information Security) refers to two EU regulations with very similar content.
One is the European Commission's “Implementing Regulation 2023/203” and the other is the European Commission's “Delegated Regulation 2022/1645”. The “Delegated Regulation 2022/1645” applies to manufacturing and design organizations, as well as aerodrome operators and providers of apron control services.
Both have the objective of managing information security risks that could potentially impact aviation safety. In short, Part-IS requires that companies falling within the scope of the regulation must establish an ISMS. Transposition into national law is not necessary.
2. What are the objectives of Part-IS?
Safety risks in the airline industry have always been rigorously managed. Every incident in the aviation industry results in extensive investigations with the aim of improving processes to avoid similar incidents. Despite such efforts, the attacks of September 11 were able to happen. In the final report on the terrorist attacks, the most serious mistake was noted as “a lack of imagination” – people simply did not have enough imagination to come up with such a drastic scenario (exact quote: “The most important failure was one of imagination.”
See 9/11 Report here: National Commission on Terrorist Attacks Upon the United States (911commission.gov).
With the increasing digitalization, the scenario of a “cyber 9/11” is conceivable, in which an attacker no longer even has to board the aircraft, but can cause catastrophic damage by digitally manipulating and remotely controlling it. Part-IS is a measure to counter and guard against precisely this worst-case scenario.
3. Who is affected by Part-IS?
A number of organizations that are already regulated by other aviation regulations are affected. The “Implementing Regulation 2023/203” applies, for one, to:
a) maintenance organizations ("Part-145 organization", technical maintenance of aircraft)
b) continuing airworthiness management organizations ("CAMO organization", monitoring aircraft maintenance activities)
c) air operators subject to Annex III (Part-ORO) to Regulation (EU) No 965/2012 (“AOCs”, i.e. companies that hold an Air Operators Certificate and are able to carry out flight operations on the basis of this)
d) approved training organisations (ATOs)
e) aircrew aero-medical centers
f) flight simulation training device (FSTD) operators (exception for exclusively theoretical training)
g) air traffic controller training organisations (ATCO TOs) and ATCO aero-medical centres
h) organizations subject to Annex III (Part-ATM/ANS.OR) to Implementing Regulation (EU) 2017/373 (these are providers of “Air Traffic Management” and “Air Navigation Systems”, with restrictions, for example, on air traffic in connection with drones)
In addition to these organizations, the relevant authorities, such as the EASA or the LBA in Germany, must also implement Part-IS.
The “Commission Delegated Regulation (EU) 2022/1645” applies to manufacturing and design organizations, as well as aerodrome operators and providers of apron control services.
The audit activities that the relevant authorities already carry out with regard to applicable aviation requirements are extended to include Part-IS.
4. What are the main requirements of Part-IS?
Requirement IS.I.OR.240 Requirements for personnel
Part-IS requires the establishment of a new role, the so-called “Appointed Person Information Security”, which is responsible for compliance with the requirements in the organization. There is also the option of designating a group as APIS. This person is responsible for everything required in Part-IS with regard to InfoSec and represents Part-IS compliance to the authorities. Alternatively, for more complex organizational structures, there is the option of designating a “Common Responsible Person” who can take on this role across organizations.
In addition to the “APIS”, Part-IS requires other already known roles such as those of the Accountable Manager or the Compliance Monitoring Manager.
Requirements IS.I.OR.205 Assessment of the information security risk and IS.I.OR.210 Dealing with the information security risk
The most elaborate requirement is probably the one for risk management. As is usual in an ISMS, information security risks should be identified, evaluated and treated. A specialty of Part-IS is that this must be based on a comprehensive asset inventory. Specifically, the organizations should “identify all elements […] that could be exposed to information security risks.” This includes:
1. the organization's activities, facilities and resources, as well as the services the organization operates, provides, maintains or upholds;
2. the equipment, systems, data and information needed for the elements listed in item 1 to function.
3. the interfaces between organizations that could lead to them being exposed to each other's information security risks.
Finally, for Part-IS, this requires a special consideration of information security risks that could have a negative impact on the safety of flight operations.
Requirement IS.I.OR.250 Information Security Management Manual (ISMM)
Another requirement that is indispensable for Part-IS compliance is the “Information Security Management Manual” (ISMM). This is where all roles, responsibilities and core processes of the implemented Part-IS ISMS are documented. Part-IS strictly defines which aspects must be included in the ISMM. The ISMM ultimately serves as proof of compliance, which must be presented to the relevant authorities as proof that Part-IS has been implemented.
It is possible to incorporate the contents of the ISMM into existing manuals required under aviation law, such as an approved safety management manual for an approved aviation company.
5. What impact does Part-IS have on the processes in the company?
In principle, the existing processes of organizations regulated under aviation law must be expanded to include the management of information security risks. The legal text fits into the existing requirements and ties in with many familiar aspects, for example in the requirements for internal and external reporting or in the specifications for compliance monitoring management (internal audit system).
The difficulty is that Part-IS forces organizations to consider not only safety in the sense of operational safety, but also information security issues. In this context, Part-IS is primarily concerned with intentional or illegal acts that deliberately endanger the life and limb of people. The exclusive assumption of intentional and malicious acts represents a certain change in mindset when considering risks in aviation safety.
6. How does an ISMS according to Part-IS differ from an ISMS according to ISO 27001?
- The requirements for an ISMS according to ISO 27001 are very general in order to be applicable to a wide range of companies. The ISMS according to Part-IS, on the other hand, is very specific – it is designed for a specific application and is aimed at specific companies that are already subject to strict aviation requirements. The use case is formulated somewhat indirectly: “information security risks with a potential impact on aviation safety”.
- The ISMS according to ISO 27001 focuses on a company's information security. Part-IS also deals with information security, but its specific aim is to ensure aviation safety.
- An established ISMS according to ISO 27001 offers companies a head start in terms of expertise, especially when it comes to managing information security risks. However, Part-IS ultimately remains an aviation regulation with very specific requirements that an ISO 27001 ISMS cannot fulfill without additional work, if only because of the specific organization of safety management in the aviation industry, which is characterized by the strict requirements of the authorities. This means that a Part-IS ISMS must be integrated into the existing aviation management systems.
- If a company already has an ISMS, there is an opportunity to implement Part-IS at least in part by harmonizing the two management systems. In this case, it makes sense to look at which measures exist on both sides and how bridges can be built. The ISMS according to ISO 27001 could be designed to optimally support the requirements of Part-IS.
- In particular, the ISMS organization can provide valuable impetus in the areas of asset management, risk management and incident management.
7. How do you best start implementing Part-IS?
In any case, not too late – February 2026 is not that far away and, depending on the size and complexity of your company, a lot of internal coordination may be necessary. Besides, the ISMM content is quite extensive.
There are two key factors to your approach::
- Size/complexity of the company (number of regulated organizations within the company, number of supervisory authorities involved, complexity of the internal organization)
- Is there already an ISMS, and if so, what is the level of maturity and how well is the existing ISMS anchored in the Part-IS regulated organization?
We recommend the following next steps:
- Conduct a gap analysis as the first important step
- Clarify the (target) organization for establishing and maintaining Part-IS compliance
- To get clarity about the scope, collect the relevant assets under Part-IS in a timely manner, for example, to be able to make estimates of the effort required for risk assessments
- It can also be beneficial to start sounding out the relevant authorities at an early stage and to contact the known auditors from the authorities if you have any uncertainties or ideas for implementation
Stay up to date: We will be publishing more articles with detailed information about Part-IS in our news blog. (For example: Part-IS in the context of other standards and regulations, such as ISO 27001 and NIS-2).
Do you have any questions about Part-IS in the meantime or need support? Contact us, we are happy to help.