Beyond the IT Department: Why EASA Part-IS is Every Manager’s Business

Under the new Part-IS (Information Security) regulations, a digital flaw is now legally treated with the same gravity as a mechanical flaw. If you are a manager in a Part-145, Part-CAMO, or Air Operations environment, here is why this is no longer just an “IT problem.”

1. The End of the “Digital Silo”

Historically, if a server went down or an email was phished, it was a headache for the IT team. Under Part-IS, if that server carries maintenance records or flight planning data, it is now a safety hazard.

• The Change: EASA now requires a formal link between your Information Security Management System (ISMS) and your Safety Management System (SMS).
• The Goal: To ensure that a “Cyber Event” is triaged by people who understand flight safety, not just people who understand firewalls.

2. Accountability Has a New Name

One of the most significant updates in the Part-IS framework is the clarity on Management Accountability.

• The Accountable Manager is now legally responsible for the “Information Security” of the organization.
• You cannot “outsource” this responsibility to a third-party IT provider. While you can hire experts to manage the tech, the liability for a safety-impacting breach stays with the certificate holder.

3. The “Extended Enterprise” (Your Vendors are Your Weak Link)

In a modern aviation environment, we are all connected. Your CAMO uses cloud software; your Part-145 uses digital manuals; your pilots use EFBs.

• The Risk: A hacker doesn’t need to break into your office if they can break into your software provider’s office.
• The Requirement: Part-IS mandates “Supply Chain Oversight.” You must now prove that your digital partners meet the same high security standards that you do.

4. Moving from “Paper” to “Practice”

EASA has introduced the PSOE Model (maturity framework) to measure how well companies are doing:

• Present: Do you have the manuals?
• Suitable: Do the manuals fit your size?
• Operational: Are people actually following the rules?
• Effective: Is the system actually stopping threats?

Since February 22, 2026, most organizations must be at least “Present” and “Suitable.” The “Paper” exercise is over—the “Operational” phase has begun.

Three Questions Every Aviation Manager Should Ask Today:

1. Do we have a list of our “Critical Assets”? (Which software, if deleted today, would ground our fleet?)
2. Is our CISO talking to our Safety Manager? (Do they even have each other’s phone numbers?)
3. How fast can we report? (If we discover a breach on Friday night, can we notify the Authority by Monday morning to meet the 72-hour rule?)

Part-IS Awareness Training

Checking the competence of your team is one of the main requirements of Part-IS. Raven’s “EASA Part-IS Awareness Training” is designed to train personnel working in Part-145, AOC and CAMOs who have never dealt with cybersecurity before.