
What Are the EU’s New EAR Information Security Rules for Aviation?

Recent revisions to EU-wide cybersecurity regulations for the aviation industry could drive uptake of IT industry standards like ISO 27001.

The first Easy Access Rules (EAR) for Information Security (Part IS) from the European Union Aviation Safety Agency (EASA) set out “requirements for the management of information security risks with a potential impact on aviation safety”. Previous cybersecurity rules were limited to OEMs – unlike the EAR (Part IS), which apply across the whole aviation sector. Compliance deadlines of October 2025 and February 2026 will apply to different types of organisation, as defined in supporting EU laws.

These include: maintenance organisations, airworthiness management providers, air operators, aero-medical centres, air-traffic controller training organisations, and flight simulation device operators. Also on the list are airports, communication infrastructure providers, navigation infrastructure organisations, air towers and surveillance outfits.

The rules are designed to ensure that information security risks are effectively managed within the aviation industry, an important factor in safety overall. Alignment with US aviation standards has already been agreed, and regular updates to Easy Access Rules (Part IS) are planned, making them a set of regulations that will evolve over time.

Detect, Protect, Respond and Recover

Running an information security management system (ISMS) is key for aviation organisations that need to become compliant with the rules. Other important components cover security monitoring, audits and measures pointing organisations towards greater cyber-security maturity. The requirements are:

⦁ Establish and operate an ISMS
⦁ Implement and maintain an information security policy
⦁ Identify, review and remediate information security risks
⦁ Detect threats and events related to aviation security
⦁ Take remedial actions to address findings notified by a competent authority
⦁ Report security incidents and events
⦁ Monitor compliance
⦁ Introduce a continuous improvement process

Ken Munro is CEO at Pen Test Partners, a firm of UK-based penetration testers with clients in the aviation sector. He tells ISMS.online that adopting ISO 27001 will help aviation sector organisations to comply with the new EU-wide regulations.

“The EAR (Part IS) do indeed follow existing standards such as ISO 27001 pretty closely, so organisations with existing compliance frameworks should find mapping fairly straightforward,” he explains.

However, differing levels of cybersecurity best practice adoption across the sector could prove a challenge for some.

“Our experience in the aviation sector as a whole indicates very variable levels of security maturity. Some of this is understandable: would we expect a tiny regional airport to have the same level of maturity as a large hub airport? The challenge here is that the traveller and their baggage are screened at the point of check-in, not transfer, which may expose connecting flights,” Munro explains.

“Similarly, would we expect a large airline to have the same level of maturity as a small regional operator? They will have similar flight safety regimes, but the same degree of cybersecurity regime is less likely.”

Finding a way to fortify these weak links in the chain across the aviation sector is therefore a challenge.

Turbulence Ahead?

The new rules give some examples of applicability in terms of their scope, while being a “little short of detail” compared to other schemes such as CAA ASSURE, according to Munro.
The CAA ASSURE (Cyber Audit) scheme is a third-party audit model developed by the UK’s Civil Aviation Authority (CAA) in partnership with CREST.

“This [lack of detail in EAR] seems a little at odds with the CAA ASSURE scheme, which makes significant effort to identify critical systems at airlines and airports,” Munro explains. “This has helped operators focus their efforts on the systems that could affect flight safety or prevent flights dispatching. Either could have significant safety impacts.”

Munro concludes: “There is an attempt to give some examples of potential attacks in Appendix 1, but this seems quite a random selection and misses numerous important areas. The risk here is that organisations focus on the examples given at the expense of other areas.”

Hugo Teso, a commercial pilot and an expert in aviation cybersecurity, served as an external expert in the process that led to the development of the regulation. In a post on LinkedIn, he says that the regulations go beyond “just requiring an ISMS” for in-scope organisations.

The supporting 278-page document outlining EAR Part-IS and their scope positions an ISMS as a key component, but by no means the only step in becoming compliant.

Preparing for Take Off

However, ISO 27001 is a good place to start, according to other experts.

“As aerospace companies prepare for the upcoming EU aviation cybersecurity regulations EASA EAR Part-IS, one of the first steps they can take is to establish an ISMS compliant with the ISO 27001 standard,” argues Sam Peters, ISMS.online Chief Product Officer.

“By proactively working towards ISO 27001 compliance now, aerospace organisations can get a head start on meeting EASA requirements and demonstrate to regulators that they are taking cybersecurity seriously.”

Peters goes on to map out a plan of action for compliance managers and those responsible for cybersecurity in the aviation sector.

“The first phase would be to define the scope of the ISMS based on the company’s aviation services and assets that will fall under EASA oversight,” he says.

“A comprehensive risk assessment can then identify cyber-vulnerabilities and map appropriate controls from ISO 27001 to strengthen defences in critical areas. Things like access control policies, supplier management, incident response plans, and staff security training should be prioritised.”

Regardless of EAR Part-IS requirements, becoming ISO 27001 certified will confer business benefits on aviation sector providers.

“An added benefit to embracing ISO 27001 is that it takes a holistic, process-based approach to information security. This makes the ISMS a sound business driver, allowing aerospace companies to identify inefficiencies, reduce risk, and make data-driven investment decisions across the entire organisation,” he concludes.

“As the deadline for EASA EAR Part-IS compliance approaches, following established ISO 27001 frameworks will help aerospace organisations demonstrate to EASA auditors that they have implemented a mature ISMS tailored to the unique cyber-risks of the aviation industry. Taking these proactive steps today will make the compliance journey smoother tomorrow.”
