EASA Part-IS (Information Security) is a regulatory framework introduced by the European Union Aviation Safety Agency to manage cybersecurity risks impacting aviation safety. It compels aviation organisations (airlines, maintenance, airports, etc.) to detect, manage, and respond to security threats to ensure operational safety, integrating security with safety management systems. It requires a structured Information Security Management System (ISMS) capable of detecting, responding to, and reporting cyber incidents that could impact safety or operations.
The first major applicability date is 16 October 2025, which applies primarily to design and production organisations (Part-21 DOA and POA), airport operators, apron management service providers, and certain ATM/ANSP entities under Delegated Regulation (EU) 2022/1645. By this date, affected organisations must have a fully implemented and operational Information Security Management System (ISMS) that meets Part-IS requirements.
The second and most widely referenced deadline is 22 February 2026, which applies to the majority of aviation service providers under Implementing Regulation (EU) 2023/203, including air operators (AOC holders), Part-145 maintenance organisations, CAMOs, Approved Training Organisations, aeromedical centres, and flight simulation training organisations. By this February 2026 deadline, organisations must not only have documented policies in place but must be able to demonstrate effective implementation, risk management, incident response capability, staff training, and readiness for oversight by their competent authority.
This article outlines what Part-IS requires, where organisations typically face challenges, and how Smarttech247 supports aviation clients in aligning detection, response, and governance to regulatory expectations.
Part-IS applies to most organisations operating under the EASA regulatory system. If you operate under Part-21, Part-145, Part-CAMO, Part-ORO, manage an aerodrome, provide ATM/ANS services, or deliver approved training, you are very likely in scope.
For the majority of organisations involved in European civil aviation, cybersecurity is now a regulated obligation. It sits alongside safety, airworthiness, and operational oversight — no longer just an IT issue, but a core compliance requirement.
Part-IS requires a functioning Information Security Management System aligned to aviation safety risk.
In practical terms, organisations must:
• Define scope and accountability
• Assess information security risks, including safety impact
• Document the framework within an Information Security Management Manual
• Implement detection, escalation, and reporting processes
• Review and audit the effectiveness of those controls
From the applicability date onward, this must be operational and defensible under oversight.
Part-IS requires timely detection, structured escalation, and documented response.
That means your detection and response capability directly influences whether you meet regulatory expectations.
MDR performance affects:
• How quickly incidents are identified
• How they are classified
• Whether escalation reaches compliance and accountable management
• Whether reporting timelines are met
• Whether investigation records withstand audit
You can outsource monitoring.
Responsibility still sits with the approval holder.
Under Part-IS, MDR becomes part of your compliance infrastructure.
Many MDR services are positioned as helping organisations meet regulatory expectations. In practice, most are designed primarily for technical threat containment.
Part-IS goes further.
It requires organisations to assess whether incidents have safety implications, escalate them through defined governance channels, meet formal reporting obligations, and retain documentation that can withstand regulatory scrutiny.
If detection and response outputs are not deliberately integrated into your ISMS and escalation model, you can have a technically effective response and still create regulatory exposure.
Strong security operations matter. Regulatory alignment matters just as much.
Part-IS requires risk assessment and ongoing risk monitoring.
MDR contributes by:
MDR transforms cyber risk from a theoretical exercise into measurable, operational data — strengthening your ISMS and supporting continuous improvement.
As an MDR provider working with aviation organisations, we consistently see several recurring gaps between documented compliance and operational reality. One of the most common is overconfidence in policy maturity. Many organisations have high-level information security policies in place, but they are generic, not aviation-specific, and not clearly mapped to operational systems that support airworthiness or flight operations. On paper, the ISMS looks complete — in practice, it is not embedded.
We also frequently encounter “tick-the-box” 24/7 monitoring claims. In some cases, organisations believe they have round-the-clock MDR, but what they actually have is automated alert forwarding without human triage, investigation, or response capability. Automation alone is not continuous monitoring. Similarly, some organisations claim to operate a full Security Operations Centre, yet lack a properly configured SIEM or are not ingesting critical telemetry from endpoints, cloud platforms, identity systems, or operational technology. Monitoring only part of the environment creates blind spots regulators will question.
Two additional high-risk areas are supply chain exposure and asset management. Third-party access is often insufficiently monitored, and compromised credentials or vendor connections go undetected. At the same time, many organisations do not maintain an accurate, real-time asset inventory — making it impossible to confidently assess risk or confirm that all critical systems are being monitored. Without visibility, compliance becomes theoretical rather than demonstrable.
If you are ISO/IEC 27001 certified, you already have structure in place.
But ISO is sector-agnostic. Part-IS anchors information security to aviation safety and regulatory oversight. Risk assessments must consider safety impact. Governance must align to approval obligations.
ISO provides the framework. Part-IS determines how that framework is judged within aviation.
Part-IS was introduced because aviation is vulnerable to security risks, from cyber attack to human error. Its objective is to ensure organisations can detect, respond to, and recover from information security incidents in a way that protects operational continuity and public safety.
After the applicability date, this is enforceable regulation.
Failure to implement Part-IS can result in:
• Regulatory findings during audit
• Mandatory corrective action plans
• Increased oversight
• Financial penalties, depending on jurisdiction
• Operational restrictions, including suspension or limitation of approvals
• Reputational damage, particularly if an incident occurs alongside governance deficiencies
In aviation, approvals depend on ongoing compliance. If systemic weaknesses are identified, authorities can restrict or suspend activities until they are resolved.
The risk is not just a breach. It is a breach combined with clear governance failure.
By their applicable compliance date — 16 October 2025 for some organisations and 22 February 2026 for others — in-scope organisations must be able to demonstrate that their Information Security Management System is not merely documented, but effectively implemented and operational. In oversight terms, this generally means reaching a level of maturity where controls are clearly defined, appropriately resourced, risk-based, and capable of withstanding competent authority review. While expectations are applied proportionately based on size, complexity, and operational risk, all organisations must show that cybersecurity is functioning in practice.
Detection tools alone do not satisfy Part-IS. The regulation requires organisations to embed detection, response, governance, and reporting into their existing regulatory and safety framework. Cybersecurity must operate as a managed, accountable system — integrated into oversight and decision-making — rather than as a standalone IT function.
Smarttech247 provides capabilities that directly support those obligations:
24/7 Managed Detection and Response
Our core MDR service keeps watch around the clock, proactively hunting threats and coordinating response actions. This supports Part-IS obligations around incident detection, escalation, and documented response workflows.
VisionX – Centralised MDR Platform
VisionX brings detection, alerts, investigations, and reporting into a unified dashboard with context and executive-ready insights. It’s designed to give you visibility and structured evidence.
Information Security Consulting
Our expert security consulting team help organisations translate Part-IS requirements into a practical security governance model: map escalation paths to regulatory reporting triggers, align detection outputs to risk frameworks, and embed security into safety management processes.
Threat Intelligence & Reporting
Smarttech247’s contextual threat intel helps our security analysts prioritise risks that matter to aviation operations, improving risk assessment and informing structured reporting outputs that regulators and auditors expect.
Offensive Security
When needed, offensive security exercises validate whether your controls work as designed. This supports risk assessments and continuous improvement activities within your ISMS.
Smarttech247's capabilities are not just technical outputs. They are integrated into a framework that supports Part-IS compliance maturity, from detection and escalation to audit-ready reporting.
Organisations that unify these capabilities early will move more confidently through the maturity curve from baseline documentation to operational and effective compliance.
