The new European Union Aviation Safety Agency’s Part-IS rules have come into place, expanding cybersecurity obligations across the civil aviation sector. What do these new requirements mean in practice?
By Kate O’Flaherty
Aviation cyberattacks are surging. Between 2024 and 2025, there was a 600% spike in attacks on the sector, with 27 major incidents taking place during the period, according to Thales data.
Last year saw numerous high-profile incidents, including the ransomware attack on Collins Aerospace that knocked out check-in systems across European airports. Air France and KLM were also breached in 2025, through a third-party platform used by their parent group. Meanwhile, an attack on a supplier to Australian airline Qantas saw six million customers’ records exposed.
As attacks like these increase, the types of threats the aviation sector faces are becoming more complex and sophisticated. As well as compromising flight operations, cyberattacks now also have strategic objectives.
These include industrial cyberespionage, access to sensitive technologies such as avionics and communication systems, disruption of supply chains and “capture of high-value data such as diplomatic travel itineraries and confidential freight shipments”, according to Thales.
It is with this escalating threat in mind that the new European Union Aviation Safety Agency’s Part-IS rules have come into place, expanding cybersecurity obligations across the civil aviation sector.
So, what do the new requirements mean in practice?
Attractive Target
The interconnected systems required for global travel are exactly what make aviation an attractive target for cybercriminals and nation-state actors, says Danny Jenkins, CEO of ThreatLocker. “Breaches of booking, check-in, or boarding systems could cause widespread disruption — and outages in aviation quickly grow into broader economic damage,” he warns.
Part-IS therefore formalises what the threat landscape has been making obvious for a while. “Cybersecurity is no longer a technical back-office function,” Matt Conlon, CEO and co-founder of Cytidel, explains. “It’s a safety discipline, and it needs the same structured governance, risk assessment, and continuous oversight that aviation has always applied to other operational hazards.”
Part-IS requires firms to show they have controls, and to demonstrate that they work. The rules mandate structured risk assessment, defined governance and accountability, implementation and monitoring of proportionate controls, incident reporting, and continuous improvement.
“It must align with the broader aviation regulatory framework and be subject to regulatory oversight, meaning organisations must evidence not just that controls exist, but that they work in practice,” Lawrence Baker, technical security consultant for aerospace at NCC Group, tells IO.
Formal ISMS
Experts say the regulatory shift highlights how sector-specific cyber regulations increasingly favour management-system-based approaches aligned with recognised standards.
Part-IS mandates a formal Information Security Management System (ISMS). “And like all modern management system standards, this depends on documented processes, clear accountability, and continuous improvement,” Baker explains.
These principles are already embedded across the aviation regulatory framework, including regulations such as Part-21, Part-CAMO and Part-145. They are familiar to airworthiness authorities conducting audits and oversight, Baker says.
According to Baker, Part-IS compliance requires organisations to demonstrate:
- Traceability of decisions
- Defined responsibilities
- Performance monitoring
- Ongoing enhancement of controls
Part-IS is also “deliberately designed” so that compliance isn’t something you “achieve once and file away”, according to Cytidel’s Conlon. “Accountability is explicit,” he says. “This means governance structures must clearly define who owns risk decisions, who’s responsible for oversight, and how escalation works.”
Documentation is the evidence base, says Conlon. “Risk assessments, treatment plans, incident handling procedures, and the ISMS manual must collectively demonstrate that the system is coherent and functioning in practice — not just on paper.”
Continuous improvement is where EASA’s oversight model “really shows its teeth”, adds Conlon. This sees regulators assessing whether your system is maturing. “Ongoing compliance monitoring, internal audits, management reviews and training are what separates organisations that simply have policies from organisations that can prove those policies work.”
Wider Regulatory Trends in CNI
Part-IS reflects the broader expansion of cybersecurity regulation across critical national infrastructure (CNI) as cyber threats intensify. Similar to frameworks such as the Network Information Systems 2 (NIS2) regulations for resilience and General Data Protection Regulation (GDPR) for data protection, aviation cybersecurity requirements are being layered into an existing sector-specific regulatory structure, says NCC Group’s Baker.
“As in other CNI sectors, the approach has been tailored to aviation’s established safety oversight model and operating environment, integrating cyber resilience into a mature regulatory ecosystem, rather than creating a standalone regime,” he tells IO.
The pattern is “consistent across every critical infrastructure sector in Europe right now”, Cytidel’s Conlon says. “The Digital Operational Resilience Act (DORA) has been in force for financial services since January 2025. NIS2 is expanding cybersecurity obligations across critical infrastructure with compliance expected by October 2026. Part-IS brings aviation into the same framework of expectations.”
The common thread is that regulators have moved from “do you have a security policy?” to “can you prove it’s working, continuously?”, Conlon explains.
Structured risk management, board-level accountability, supply chain visibility and incident reporting are now key. “The language differs across DORA, NIS2, and Part-IS, but the expectations are converging,” according to Conlon.
But this means there’s a practical upside for organisations operating across multiple frameworks. Part-IS aligns closely with ISO/IEC 27001 and shares structural similarities with DORA and NIS2, says Conlon.
Therefore, organisations that build one coherent security management framework and map it across obligations will be in a “much stronger position” than those treating each regulation as a separate compliance project, he advises.
Priorities for Aviation CISOs and Compliance Leaders
It’s clear that integrating information security, resilience and risk management within a structured framework supports regulatory defensibility and long-term operational trust, regardless of the many evolving regulations across sectors and geographies.
With Part-IS, aviation CISOs and compliance leaders should prioritise ensuring their documented processes operate effectively in practice and “can withstand regulatory scrutiny”, NCC Group’s Baker advises.
They must monitor evolving threats, regulatory expectations, and workforce competencies, adapting their approach accordingly, he says.
As part of this, CISOs should integrate threat intelligence into their risk assessment process, Cytidel’s Conlon says. “Part-IS requires risk assessment proportionate to safety impact, but too many organisations are still assessing risk based on theoretical severity scores. Understanding which vulnerabilities are actually being weaponised against aviation, which threat actors are active, and what patterns their campaigns follow should be shaping how you prioritise.”
Supply chain visibility is key, adds Conlon. “Some of the most impactful aviation cyber incidents in recent years came through suppliers. The Collins Aerospace ransomware attack disrupted check-in across European airports in 2025. Air France and KLM were breached through a third-party customer service platform. If you don’t know how your critical suppliers’ exposure affects your own risk profile, that’s the gap to close first.”
At the same time, build for continuous compliance, Conlon advises. “Regulators will come back, and they’ll want evidence your system is operating and effective, not just that it existed when you set it up. That means ongoing monitoring, real-time awareness of emerging threats relevant to your sector, and the ability to show that your security programme adapts as the landscape shifts.”