Definition
Part-IS is the common name for the European Union's aviation information-security framework, built on two acts adopted under the EASA Basic Regulation (Regulation (EU) 2018/1139): Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203. Its scope is deliberately narrow but important — it does not regulate information security in general, but specifically the information-security risks that could have an impact on aviation safety. The premise is that a cyber incident affecting the systems an organization relies on to operate, maintain, or train can create a safety hazard just as a mechanical or human failure can, and so it must be identified and managed within the same safety-oriented discipline the rest of the EASA framework already uses.
The central obligation of Part-IS is that each affected organization must establish, implement, and maintain an Information Security Management System, or ISMS. An ISMS is a structured, documented set of policies, roles, and processes for managing information-security risk on an ongoing basis rather than treating security as a one-off IT project. In practice the ISMS a Part-IS organization must run mirrors the logic of its Safety Management System: it requires the organization to identify its information-security risks, assess them for their potential safety impact, apply and record mitigations, detect and respond to information-security incidents, and report the incidents that meet the reporting threshold to the competent authority. Roles and responsibilities for information security have to be assigned, and the system has to be monitored and continuously improved.
Part-IS is closely related to ISO/IEC 27001, the international standard for information-security management systems, and organizations that already hold or align with ISO/IEC 27001 will find much of the structure familiar. The two are not identical, however: ISO/IEC 27001 protects the confidentiality, integrity, and availability of information broadly, while Part-IS narrows the lens to information security with a potential effect on aviation safety and ties incident reporting into the EASA occurrence-reporting system rather than a purely commercial framework. EASA has indicated that an existing ISO/IEC 27001 implementation can support Part-IS compliance but does not by itself satisfy it.
Applicability is phased. The provisions covering organizations in the scope of the delegated act — including aerodrome operators and design and production organizations — became applicable on 16 October 2025. The provisions of the implementing act, Regulation (EU) 2023/203, become applicable on 22 February 2026 and reach a much wider set of organizations, including air carriers, Part-145 maintenance organizations, continuing-airworthiness management organizations (CAMO), Approved Training Organisations (ATO), operators of flight simulation training devices, air traffic controller training organizations, air navigation service providers, and the competent authorities themselves. This phasing is what brings ATOs and other approved organizations firmly within the information-security regime by the February 2026 date, extending an obligation that began with design, production, and aerodrome operators out across the training and operational community.
Why It Matters for Flight Schools
For an Approved Training Organisation, Part-IS reframes information security as a safety matter rather than a purely commercial IT concern, and it arrives on a firm date: the implementing regulation applies from 22 February 2026. A modern flight school runs on digital systems — training records, scheduling and dispatch, electronic technical logs, maintenance data, and student and instructor personal data — and Part-IS asks the organization to consider how the loss, corruption, or compromise of those systems could affect the safety of its operations, and to manage that risk on the same continuous basis it already manages safety hazards.
Because the ISMS Part-IS requires runs on the familiar identify–assess–mitigate–report cycle, an organization that already operates a mature Safety Management System has a strong foundation to build on rather than a wholly separate system to invent. The practical work is to extend hazard identification and risk assessment to information-security risks, define who is accountable for them, establish how information-security incidents are detected and reported to the competent authority, and keep the records that demonstrate the ISMS is live and effective when the authority reviews it.
How Aviatize Handles This
Aviatize's Safety Management module gives an organization the identify–assess–mitigate–report backbone that a Part-IS Information Security Management System needs, so information-security risks can be logged, assessed for their safety impact, assigned an owner, and tracked to closure alongside the operational hazards the school already manages. Incident records and their reporting status are retained as a dated audit trail.
Aviatize's Compliance & Auditing and Digital Data & Records modules support the documentation and evidence side — holding the policies, role assignments, and records that show the ISMS is established and maintained — so that when a competent authority examines the organization's information-security management, the required trail is in one place rather than scattered across systems.
Frequently Asked Questions
- What is EASA Part-IS?
- Part-IS is the EU's aviation information-security framework, introduced by Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203 under the EASA Basic Regulation. It requires affected organizations to manage information-security risks that could have an impact on aviation safety by running an Information Security Management System (ISMS) covering risk assessment, incident detection, response, and reporting.
- When does Part-IS apply to flight schools and ATOs?
- The delegated act applied from 16 October 2025 to organizations such as aerodrome operators and design and production organizations. The implementing act, Regulation (EU) 2023/203, applies from 22 February 2026 and covers a wider group including Approved Training Organisations (ATO), air carriers, maintenance organizations, and CAMOs — so most flight schools fall under Part-IS by that February 2026 date.
- How is Part-IS related to ISO/IEC 27001?
- Both require a structured information-security management system, and an existing ISO/IEC 27001 implementation gives an organization a strong head start. They differ in scope: ISO/IEC 27001 protects information broadly, while Part-IS focuses on information security with a potential effect on aviation safety and ties incident reporting into the EASA framework. EASA has indicated ISO/IEC 27001 can support but does not by itself satisfy Part-IS.