EASA Boosts Aviation Cybersecurity
The European Union Aviation Safety Agency (EASA) is strengthening data security requirements with new Part-IS regulations. The move reflects the growing convergence of cybersecurity and functional safety, creating new compliance demands for European-certified aircraft and their embedded systems.
- The regulations are being implemented in two phases with distinct deadlines: October 16, 2025, for design and production organizations, and February 22, 2026, for air operators and maintenance organizations.
- Part-IS mandates the implementation of a formal Information Security Management System (ISMS) that integrates with existing Safety Management Systems (SMS). This requires companies to identify and mitigate information security risks that could directly impact aviation safety, moving beyond traditional IT security.
- The rules were established under two key regulations: Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203. These regulations shift cybersecurity from a technical issue to a core, managed safety process.
- This initiative is a direct response to escalating cyber threats targeting the aviation sector, including ransomware attacks on airports and data breaches at major manufacturers like Boeing. EASA's cyber threat intelligence identified airports as the most frequent target of cyberattacks in late 2024, primarily through denial-of-service and ransomware attacks.
- Unlike voluntary standards such as ISO 27001, compliance with Part-IS is a mandatory, legally binding requirement for any organization holding an EASA approval. Non-compliance can lead to the restriction or suspension of an organization's activities.
- The regulation explicitly requires managing risks across the supply chain, meaning that the security posture of third-party software and hardware suppliers will come under increased scrutiny.
- While distinct from software development standards like DO-178C, Part-IS adds a layer of security requirements for the entire operational environment of the aircraft. It focuses on protecting the integrity of data used by safety-critical systems, such as field-loadable software and navigation databases.
- The regulation mandates specific capabilities for incident detection, response, recovery, and reporting of security events and vulnerabilities to the competent national authorities.