The Top 5 Part-IS Challenges for Aviation Organizations

The implementation phase for EASA’s new information security regulations has reached a critical juncture. With the October 16, 2025 deadline for design and production organizations now in the rear-view mirror, the industry is witnessing the reality of compliance firsthand. Meanwhile, the final countdown is on for air operators and maintenance organizations, who are racing against the clock to meet their February 22, 2026 compliance date.
While the regulatory objective remains clear—protecting aviation safety from cyber threats—the practical application has proven difficult. Whether you are a Design Organization (DOA) currently refining your established system, or an operator scrambling to finalize your manual before February, the friction points are identical.
In this article, we break down the 5 main PART-IS challenges that organizations are battling right now and offer insights on how to navigate this complex regulatory landscape.

1. Integrating ISMS with Existing Safety Management Systems (SMS)
One of the most significant PART-IS challenges is the requirement to integrate the new Information Security Management System (ISMS) with existing Safety Management Systems (SMS).
For decades, aviation safety has focused on physical risks—mechanical failures, weather, and human error. Cybersecurity, conversely, has largely been the domain of IT departments focused on data confidentiality. Merging these two worlds is difficult because they speak different languages.
- The Conflict: SMS looks at “safety hazards” (accidental), while ISMS looks at “security threats” (malicious).
- The Pain Point: Safety managers often lack cybersecurity expertise, and IT security teams may not understand aviation safety risk management.
- The Risk: Siloed departments failing to communicate, leading to a “paper compliance” system that doesn’t actually reduce safety risks.
2. Managing Supply Chain and Third-Party Risks
Modern aviation is a highly interconnected ecosystem. An airline or maintenance organization relies on hundreds of vendors, from software providers to parts manufacturers. Under Part-IS, you are not just responsible for your own security; you must manage the risks posed by your suppliers.
This is one of the most logistically demanding PART-IS challenges:
- Visibility: How do you audit the cybersecurity posture of a supplier halfway across the world?
- Contractual leverage: Small operators may struggle to force large vendors to comply with new security stipulations.
- Interconnectivity: A breach in third-party maintenance software can easily cascade into your own safety-critical systems.
3. The “Legacy Tech” Problem
Aviation is an industry built on longevity. Aircraft designed in the 1980s are still flying, and the Operational Technology (OT) supporting them often runs on legacy infrastructure.
Many of these systems were designed in an era before hyper-connectivity, meaning they were never built with cybersecurity in mind. Retrofitting these legacy systems to meet Part-IS requirements is technically difficult and expensive.
- Patching: You cannot simply “patch” a safety-critical avionics system like you would a laptop.
- Obsolescence: Some critical maintenance tools run on outdated operating systems that are no longer supported, creating vulnerabilities that are hard to mitigate without replacing entire systems.
4. The Talent and Competence Gap
EASA requires that personnel involved in information security management be “competent.” However, there is a global shortage of cybersecurity professionals—and an even scarcer supply of professionals who understand aviation.
Finding a “Unicorn” employee who understands both ISO 27001 (information security) and EASA Part-145 or Part-CAMO (aviation regulation) is one of the most frustrating PART-IS challenges for HR departments. Recruitment is expensive, and competition for talent is fierce.
Consequently, most organizations cannot rely solely on hiring new experts; they must focus on bringing their existing workforce up to speed.
Bridging the Gap: To support organizations in this process, we have introduced our EASA Part-IS Awareness Training.
This course is designed to help your current employees—from safety managers to operational staff—quickly grasp the fundamentals of the new regulation. While it doesn’t replace the need for specialized security roles, it ensures your wider team understands their responsibilities, closing the knowledge gap and ensuring the entire organization is moving in the same direction.
5. Resource Constraints for Smaller Organizations
While major airlines may have dedicated cybersecurity teams, Small to Medium-sized Enterprises (SMEs)—such as smaller MROs, CAMOs, or aerodrome operators—are feeling the pressure.
For these entities, PART-IS challenges are often financial and resource-based. Implementing a robust ISMS requires:
- New software and monitoring tools.
- External consultants or auditors.
- Staff hours diverted from operations to compliance.
The regulation applies proportionality, but even a “scaled-down” ISMS is a heavy lift for a company with no prior cybersecurity framework.
How to Overcome These PART-IS Challenges
Understanding the pain points is half the battle. To move forward, organizations should focus on:
- Cross-Departmental Collaboration: Create a task force that sits between Safety, Quality, and IT.
- Gap Analysis: Conduct a brutally honest assessment of where you stand today versus the regulation.
- Start with Critical Assets: Don’t try to boil the ocean. Identify the systems that directly impact flight safety and secure those first.
- Leverage External Expertise: If you can’t hire full-time staff, look for managed security service providers (MSSPs) who specialize in aviation.
Conclusion
The implementation of Part-IS is a necessary evolution in aviation safety, but it is not without its hurdles. The PART-IS challenges—from legacy systems to the skills gap—are real and pressing. However, by treating this not as a “tick-box” exercise but as a strategic upgrade to your safety culture, you can ensure resilience against the next generation of aviation threats.
The deadline is approaching. Is your organization ready?

