What PART-IS changes, who is affected, how to prepare.
PART-IS in a nutshell
PART-IS is the first European regulation to mandate an ISMS (ISMS/ISO 27001-like) across civil aviation, explicitly linking cybersecurity with operational safety. Two deadlines apply: 16 October 2025 for airports, designers and manufacturers; 22 February 2026 for airlines, MROs, CAMOs, ATM/U-Space service providers and national authorities.
Why now?
Transport has become the second most targeted sector in Europe (11% of cyber incidents in 2024). A faulty patch crippled Delta Air Lines in July 2024—7,000+ flights cancelled and an estimated $500M loss—a stark illustration of a risk that is now operational. Beyond “classic” attacks, digital supply-chain exposure and operational disruptions are the biggest concerns; the average cost of a breach is estimated at $4.88M ($5.17M in cloud environments). PART-IS therefore places cybersecurity at the core of aviation continuity, not on the IT periphery.
Who is in scope, and what does PART-IS cover?
The scope includes digital systems whose reliability conditions operational safety: on-board systems (e.g., FMS), traffic infrastructure (ATM/ANS), predictive maintenance, ground-to-air interfaces, airport digital tools, and the aircraft supply chain. Obligations apply to air operators, MRO/CAMO, manufacturers/OEMs, ATM/U-Space providers and authorities, with an end-to-end approach to manage interdependencies.
Key requirements
- Structured ISMS (policy, scope, roles).
- Regular risk assessments integrating safety impact.
- Technical measures: appropriate encryption, access controls, patch management, network segmentation, monitoring/SOC.
- Incident management: detect within < 24 hours, notify the authority, activate business continuity & recovery.
- Security culture: role-based training, regular exercises (table-top, cyber-range).
Business value: why invest now?
- Reduced downtime risk: an effective ISMS limits major disruptions and their operational cost.
- Improved insurability: demonstrable risk governance often leads to better coverage terms.
- Differentiation: stronger cyber ratings correlate with fewer major incidents—an advantage in tenders.
- Growing market: aeronautical cybersecurity is expanding rapidly—getting up to standard means staying ahead.
Ready for a PART-IS dry run?
Start with a PART-IS diagnostic: critical scope and interfaces, key gaps, and a compliance roadmap with evidence in the right format. Within a few weeks, you’ll have a clear direction and first, presentable results.
