With Regulations (EU) 2022/1645 and (EU) 2023/203, the European Aviation Safety Agency (EASA) has undergone a fundamental change in perspective. Information security is no longer understood exclusively as an IT or compliance issue, but as an integral part of flight safety. The regulation thus takes into account the increasing digitalization and networking of safety-critical processes in civil aviation.
With EASA Part-IS (Information Security), the systematic assessment of information security risks in terms of their potential impact on flight safety has become a regulatory focus for the first time. EASA Part-IS requires aviation organizations to record, assess, and control information security risks not only from a technical or organizational perspective, but also explicitly in terms of safety. The regulation thus goes beyond established standards such as ISO/IEC 27001, which primarily address the classic protection goals of confidentiality, integrity, and availability.
Digital dependencies as a safety risk
The expansion of risk assessment is logical. Today, flight operations processes are largely based on digital information flows, for example in flight planning, navigation, maintenance, or at interfaces between airports, airlines, and air traffic control. If such information is falsified, provided late, or blocked, this can have immediate safety-critical implications for flight operations—regardless of the technical cause.
EASA Part-IS takes these dependencies into account by explicitly placing information security in the context of safety management. This affects a large number of organizations relevant to flight operations, including airport operators, air traffic control organizations, airlines, maintenance companies, development and manufacturing companies, and competent authorities. For them, an effective, documented information security management system becomes a regulatory requirement.
ISMS, safety management, and practical implementation
A key element of Part-IS is the close integration of the information security management system with existing safety and management systems. In the future, risk analyses must take into account how information security incidents can affect safety-related processes. Scenarios such as manipulated maintenance data or incomplete ATC information illustrate how closely information security and aviation safety are linked. In practice, this requires more intensive cooperation between IT, operational areas, and safety management.
EASA also emphasizes preventive principles such as "security by design" and "security in safety." Information security is understood as an ongoing management task that requires clear responsibilities, robust processes, and continuous improvement mechanisms. Existing ISMSs in accordance with ISO/IEC 27001 or BSI IT-Grundschutz can form a solid foundation for this, but must be expanded to include the dimension relevant to flight operations. In practice, it is clear that the integration of existing management systems in particular poses a key challenge – an issue that is also a regular focus at AviaCert.
With Part-IS, the European Union has made it unmistakably clear that information security is a central component of aviation safety. The new requirements pose additional challenges for aviation organizations, but they are necessary to ensure the long-term resilience and safety of an increasingly digitized air transport system.
Support in the implementation of Part-IS
Aviation organizations are now faced with the question of how to integrate the requirements of Part-IS into existing structures in an efficient and compliant manner. Early classification of regulatory requirements, evaluation of existing management systems, and structured implementation can help reduce implementation costs and audit risks.
Author: Florian Glaser, Aviation Technology and Logistics Engineer, AviaCert GmbH
