
EASA Part IS
What is EASA?
EASA stands for the European Union Aviation Safety Agency. It is a regulatory body established by the European Union to ensure a high and uniform level of safety in civil aviation across Europe. The EASA framework provides a comprehensive set of rules and guidelines governing the design, production, operation, and maintenance of aircraft, as well as the certification of aviation personnel, organizations, and equipment.
EASA has established a comprehensive Information Security (IS) regulatory framework, known as Part-IS, to address information security risks that could impact aviation safety. This framework mandates that aviation organizations implement robust Information Security Management Systems (ISMS) to safeguard sensitive information and ensure the integrity of aviation operations.
Background of EASA’s Information Security Framework
EASA’s Part-IS framework was developed to enhance the resilience of the aviation sector against evolving information security threats. It aligns with international standards such as ISO/IEC 27001 but includes specific provisions tailored to the aviation context. Organizations already certified under ISO/IEC 27001 may need to adapt their ISMS to address these aviation-specific requirements.
The framework is relevant to various entities within the aviation industry, including:
- Air Operators: Entities holding an Air Operator Certificate (AOC).
- Approved Training Organizations (ATOs): Those approved under Part-ORA.
- Continuing Airworthiness Management Organizations (CAMOs): Approved under Part-CAMO.
- Maintenance Organizations: Approved under Part-145.
- Design and Production Organizations: Approved under Part-21.
- Air Navigation Service Providers (ANSPs): Certified under the applicable regulations.
- Aerodrome Operators: Managing certified aerodromes.
Understanding Applicability and Key Regulations of Part-IS
The applicability of Part-IS may differ for organizations operating under specific Bilateral Agreements. These agreements might modify the requirements or obligations for certain entities. Organizations should carefully review the terms of their agreements to understand how Part-IS applies to them.
The Part-IS framework is primarily governed by two key regulations:
Commission Delegated Regulation (EU) 2022/1645: Sets the requirements for managing information security risks that could affect aviation safety, applicable to designated organizations.
Commission Implementing Regulation (EU) 2023/203: Explains how these information security risk management requirements should be applied by organizations and overseen by competent authorities.
To support compliance, EASA provides Acceptable Means of Compliance (AMC) and Guidance Material (GM), offering practical advice and examples for meeting these regulatory standards.
For organizations already subject to other information security rules—such as the NIS Directive or national civil aviation security programs—it’s essential to evaluate how those existing obligations align with Part-IS. EASA provides guidance to help organizations determine if compliance with these other frameworks can also satisfy Part-IS requirements.
Implementation Timeline
The applicability dates for Part-IS regulations are as follows:
- Commission Delegated Regulation (EU) 2022/1645: Applicable from October 16, 2025.
- Commission Implementing Regulation (EU) 2023/203: Applicable from February 22, 2026.
Organizations should plan their compliance efforts accordingly to meet these deadlines. Consult with us to help plan your compliance journey.
Acceptable Means of Compliance (AMC) and Guidance Material (GM)
The European Union Aviation Safety Agency (EASA) provides two key types of non-binding materials to assist organizations in complying with aviation regulations:
Acceptable Means of Compliance (AMC): These are non-mandatory guidelines that illustrate methods to achieve compliance with the requirements set out in the Basic Regulation and its Implementing Rules. While following an AMC is not compulsory, doing so offers a presumption of compliance with the associated regulatory requirements. Organizations may choose alternative methods to meet the regulations but must then demonstrate to the competent authorities that these methods are equally effective.
Guidance Material (GM): This non-binding material provides explanations and interpretations to support the understanding and application of the Basic Regulation, Implementing Rules, AMCs, and Certification Specifications. GMs aim to clarify regulatory expectations and offer insights into best practices, aiding organizations in effectively implementing and adhering to the regulations.
What are the requirements for EASA?
Key Requirements for EASA Part-IS Compliance
- Scope Identification
Organizations must determine whether they are subject to Part-IS based on their role in aviation operations. Entities typically covered include:
  - Air operators (holders of Air Operator Certificates).
  - Maintenance organizations (Part-145).
  - Continuing Airworthiness Management Organizations (CAMOs).
  - Approved Training Organizations (ATOs).
  - Air navigation service providers (ANSPs).
  - Aerodrome operators.
  - Design and production organizations (Part-21).
- Implement an Information Security Management System (ISMS)
Develop an ISMS aligned with the specific requirements of Part-IS. The ISMS should include:
  - Policies and Procedures: Clearly defined rules and practices for information security.
  - Controls: Technical and organizational measures to mitigate risks.
  - Incident Management Process: A structured approach to detect, report, and respond to security incidents.
- Risk Assessment and Management
Conduct regular risk assessments to identify vulnerabilities and threats to information systems that could impact aviation safety. The assessment should result in actionable plans to mitigate identified risks.
- Personnel Training and Awareness
Provide targeted training to employees to ensure they understand their responsibilities under the ISMS and are equipped to address information security risks effectively.
- Continuous Monitoring and Improvement
Monitor the ISMS to ensure it remains effective and up-to-date with evolving threats. This includes updating policies and controls as necessary and conducting regular reviews.
- Compliance with Reporting Obligations
Organizations must establish mechanisms to report information security incidents to the competent authority within the specified timelines. Incident reporting is a critical component of compliance.
- Integration with Safety and Security Frameworks
Align the ISMS with existing Safety Management Systems (SMS) to ensure a holistic approach to risk management. This integration reduces redundancies and strengthens organizational resilience.
- Engagement with Competent Authorities
Organizations must interact with EASA or their National Aviation Authority (NAA) to:
  - Submit the ISMS for review and approval.
  - Demonstrate compliance through audits and inspections.
  - Report incidents and significant changes in their ISMS.
Actionable Steps for Compliance
- Gap Analysis: Assess current information security practices against EASA Part-IS requirements to identify deficiencies.
- Develop ISMS Documentation: Prepare and maintain the necessary documentation, including policies, risk assessments, and incident response plans.
- Adopt a Risk-Based Approach: Prioritize security measures based on the potential impact of risks on aviation safety.
- Conduct Regular Training: Ensure personnel are trained on ISMS policies and incident reporting protocols.
- Prepare for Audits: Maintain updated records and documentation to demonstrate compliance during audits or inspections.
Complementary Guidance Materials
EASA provides Acceptable Means of Compliance (AMC) and Guidance Material (GM) to help organizations implement Part-IS. While AMCs offer methods to meet the requirements, GMs provide clarifications and detailed insights to guide compliance efforts. Organizations can also refer to related standards, such as ISO/IEC 27001, to structure their ISMS.
Why should you be EASA compliant?
Benefits of EASA Information Security Compliance
Achieving compliance with EASA’s information security regulations offers several advantages:
- Enhanced Safety: Protects aviation operations from information security threats, thereby ensuring passenger and operational safety.
- Regulatory Adherence: Ensures legal compliance, avoiding potential fines or operational restrictions.
- Reputational Integrity: Demonstrates a commitment to security, fostering trust among stakeholders and customers.
- Operational Resilience: Improves the organization’s ability to respond to and recover from security incidents, minimizing disruptions.
Non-compliance can lead to significant risks, including financial penalties, operational limitations, reputational damage, and increased vulnerability to security incidents.
How to achieve compliance?
By leveraging Centraleyes, organizations can efficiently align with EASA’s Part-IS requirements, enhancing their information security posture and ensuring compliance with regulatory standards. Contact the Centraleyes team to request the implementation of EASA Part-IS on our next-gen automated Risk and Compliance platform.
The Centraleyes platform simplifies achieving compliance with EASA by offering a robust suite of features that integrate seamlessly with organizational workflows. With its user-friendly built-in questionnaires, Centraleyes simplifies the identification, assessment, and mitigation of cybersecurity risks.
The platform’s integrated risk register allows organizations to track their compliance efforts and manage security tasks effectively. By providing tools for determining appropriate controls, assigning responsibilities, and monitoring task completion, Centraleyes equips organizations with everything they need for robust cybersecurity risk management. In doing so, organizations can efficiently navigate the complexities of compliance and strengthen their overall cybersecurity posture.
Read more: https://www.easa.europa.eu/en
This is a Security Bloggers Network syndicated blog from Centraleyes authored by Avivit. Read the original post at: https://www.centraleyes.com/easa-part-is/