EASA Part-IS: A Guide to Regulation (EU) 2023/203 & 2022/1645
In the modern aviation landscape, a network firewall is just as critical as an engine firewall.
For decades, aviation safety has focused on physical risks: fatigue, corrosion, and weather. But with the introduction of EASA Part-IS (Information Security), the regulator has officially recognized that a cyber-attack can bring down an aircraft just as effectively as a mechanical failure.
If you are a Nominated Person or Compliance Manager, this guide covers everything you need to know about the complex new regulatory landscape before the February 22, 2026 deadline.
1. What is EASA Part-IS?
Part-IS is not a single rule; it is a suite of requirements designed to protect the aviation system from information security risks. Unlike generic standards like ISO 27001, which focus on data privacy, Part-IS is strictly safety-centric.
Its goal is simple but demanding: You must demonstrate that you can Identify, Protect, Detect, and Respond to cyber threats that could endanger flight safety.
2. The “Two Regulations” Confusion
The most common question we get is: “Is my deadline October 2025 or February 2026?” The answer depends on which specific regulation applies to your approval type. Part-IS is split into two legal acts:
A. The Delegated Regulation (EU) 2022/1645
- Applies to: Design Organisations (DOA), Production Organisations (POA), and Aerodrome Operators.
- The Annex: Known as Part-IS.D.OR.
- Deadline: October 16, 2025 (Already passed for many).
B. The Implementing Regulation (EU) 2023/203
- Applies to: Air Operators (AOC), Maintenance (Part-145), CAMOs, and Flight Schools (ATO).
- The Annex: Known as Part-IS.I.OR.
- Deadline: February 22, 2026.
3. The 3 Pillars of Compliance (Part-IS.I.OR)
For most operators (AOC/145), compliance falls under Part-IS.I.OR. Your Information Security Management System (ISMS) must be built on three pillars:
Pillar 1: Risk Management (IS.I.OR.205 & 210)
You can no longer rely on a generic IT risk register. You must map your “Critical Assets”—systems like the Electronic Flight Bag (EFB), Load Control Software, or Maintenance Laptops.
- The Requirement: You must assess the “Safety Consequence” of a cyber-attack. For example, if a hacker corrupts your NavData, what is the risk of a Catastrophic accident?
- The Output: A risk treatment plan that reduces these risks to an acceptable level.
Pillar 2: Incident Response (IS.I.OR.220)
Prevention is not enough. You must have a system to detect and respond to attacks in real time.
- The Scenario: A pilot notices their GPS position jumping erratically (Spoofing).
- The Response: Do they know how to disconnect the GPS and revert to raw data? Do they know how to report it to the CMM?
- Reporting: You must also have an External Reporting Scheme (IS.I.OR.230) to notify EASA of significant incidents within 72 hours.
Pillar 3: Competence & Training (IS.I.OR.240)
This is often the major stumbling block. IS.I.OR.240 requires that all personnel with access to critical information systems are competent.
- Why it matters: A generic “Don’t click phishing links” video is insufficient. Pilots need to know about GPS Spoofing. Mechanics need to know about Bridging Attacks via USB data loaders.

4. Do I need a separate ISMS Manual?
Not necessarily. EASA allows you to integrate Part-IS into your existing Management System (Part-ORO.GEN.200 or Part-145.A.200). However, the ISMS processes (Risk Assessment, Reporting, Training) must be clearly identifiable and audited by your Compliance Monitoring team.
5. Conclusion: The Clock is Ticking
With the February 22, 2026 deadline fast approaching, the time for “gap analysis” is over. You must now move to implementation.
If you have your manuals written but are struggling to prove Staff Competence (IS.I.OR.240), Raven can help. Our EASA Part-IS Awareness Training is the industry standard for role-specific cybersecurity training, designed specifically for Pilots, Engineers, and Operational Staff.
FAQ
What is the Part-IS deadline for airlines?
For Air Operators (AOC), the deadline is February 22, 2026, under Implementing Regulation (EU) 2023/203.
Does Part-IS apply to Part-145 maintenance?
Yes. Part-145 organizations must comply with Part-IS.I.OR by February 2026. This includes protecting maintenance data and training staff on bridging attacks.
What is the difference between Part-IS.D.OR and Part-IS.I.OR?
Part-IS.D.OR applies to Design/Production organizations (Deadline: Oct 2025).
Part-IS.I.OR applies to Ops/Maintenance organizations (Deadline: Feb 2026).

