Frequently asked questions

ISO 2700X certification will be considered to comply with the EASA PART-IS Regulation to a large extent. However, the EASA PART-IS Regulation introduces requirements specific to the aviation security context that are not covered by the ISO 2700X certification framework. Guidance material on ISO 2700X certification has been developed within the EASA PART-IS Working Group for Authorities and may be useful to you.

The supervision of the EASA PART-IS Regulation will be carried out by the Competent Authority that issued the approvals for the different activities of the organization. For those approvals issued by EASA, the inspection of each organization, once the Regulation is in force, will be carried out by the Unit assigned by that organization.

Regulation (EU) 2023/203 (PART-IS) establishes cybersecurity requirements to be met by civil aviation entities from the SAFETY point of view, while Regulation (EU) 2019/1583, transposed into the National Security Programme and Security Instruction SA-16, also establishes cybersecurity requirements, but from the AVSEC (SECURITY) point of view.

They are therefore both regulations containing Information Security (cybersecurity) measures, but with different objectives and different measures. In some cases synergies between them may be, or will need to be, found, since some entities are affected by both regulations, as often happens with SAFETY and SECURITY legislation. It is clear that neither replaces the other, and therefore both must coexist.

The figure of the Civil Aviation Information Security Officer (RSIAC) is defined in section 2 of Security Instruction SA-16 as the person within an entity in charge of ensuring the security of the organization's information against threats and cyberattacks that could affect AVSEC. The following functions and responsibilities are established for this role (after the last update of SA-16 of 18/12/2023):

a. Identification of the critical functions that apply to the entity.
b. Determination of the criticality of communication systems and/or critical data, based on the critical functions identified.
c. Performance of risk analysis to identify vulnerabilities and to select and implement the entity's security measures.
d. Development, maintenance and updating of the entity's information security documentation.
e. Assignment of profiles and responsibilities for information security.
f. Verification that personnel comply with the provisions of section 11.1.2 (c) and Instruction SA-20.
g. Ensuring staff awareness and training on information security.
h. Acting as point of contact with the national competent authorities and other information security entities.
i. Information security supply chain management.
j. Establishment of the procedure for reporting information security incidents and monitoring of compliance with it.
k. Management and sharing of relevant information with the competent authorities and other entities, on the entity's own initiative or at the request of the authorities.
l. Information security incident management and coordination with the reference CSIRT.
m. Responsibility before the competent authority for the information security audits carried out, including managing deficiencies and implementing corrective measures as necessary.

Likewise, Regulation (EU) 2023/203, in IS.I.OR.240(b) Personnel Requirements, states that the accountable manager shall appoint a person or group of persons to ensure that the organisation complies with the requirements of this Regulation, and shall define the scope of their authority. That person or group of persons shall report directly to the accountable manager and shall have the appropriate knowledge, training and experience to carry out their responsibilities. Procedures shall determine who replaces a particular person in the event of his or her prolonged absence.

In addition, IS.I.OR.240(d) states that, if the organisation shares organisational structures, policies, processes and procedures for information security with other organisations, or with parts of its own organisation that are not covered by the approval or declaration, the accountable manager may delegate these activities to a Common Responsible Person (CRP).

The Acceptable Means of Compliance and Guidance Material to Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 clarifies that:

“The possibility of delegating a CRP applies to an organisation that shares organisational structures, policies, processes and procedures for information security with other organisations or with parts of its own organisation that are not part of the authorisation or declaration, therefore this CRP is expected to have responsibilities and competences for information security. In particular, the CRP should be able to manage the organisation’s information security strategy and its implementation to ensure the achievement of the objectives described in Article 1. According to the European Cybersecurity Skills Framework (ECSF) published by ENISA in September 2022, this person can be described, for example, as (chief) responsible for information security, director of the cybersecurity programme or responsible for information security.”

Therefore, both the AVSEC regulations, through the RSIAC, and the SAFETY regulations (PART-IS), through the CRP, require one or more persons to be appointed to guarantee compliance with the Information Security requirements established by those regulations.

It is up to each entity to decide whether the person responsible for compliance with the information security requirements from the AVSEC point of view (RSIAC) and the person responsible for compliance with the information security requirements from the SAFETY point of view (CRP) are one and the same, or different persons who coordinate with each other, and to define the organisational structure that ensures compliance with both sets of legislation.

The Competent Authority is also required to implement an information security management system. Among the aspects covered by this management system is the protection of the confidentiality of any information that the competent authority may hold in relation to the organisations under its supervision, including information received through the organisations' external reporting systems. See requirement IS.AR.200(a)(9).

As provided in point CAMO.A.125(d)(3), a CAMO may arrange for limited continuing airworthiness tasks to be performed by any subcontracted undertaking working under its Management System; such undertakings shall be included in its certificate of approval (AC-CAMO-P01-F14).
Tasks that can be subcontracted include reliability monitoring and engine health monitoring.
However, when these tasks are entrusted to the manufacturers or design owners of the aircraft or engine, and their feedback is limited to reporting to the CAMO the readings of the data provided, this is not considered subcontracting and will therefore not be included in the CAMO approval certificate.

“Details of maintenance work performed” according to GM M.A.305(g) are the records that must be kept by the person or organisation responsible for the continuing airworthiness of the aircraft in accordance with M.A.201 in order to fulfil its obligations under Part M. They are only a subset of the records referred to in points CAO.A.090(a) or 145.A.55(a).
Maintenance organisations must keep all detailed records needed to demonstrate that they have worked in accordance with their respective requirements and procedures.
It is not necessary to transfer all records from the maintenance organisation to the person or organisation responsible for the continuing airworthiness of the aircraft in accordance with M.A.201, unless those records specifically contain information relevant to the configuration of the aircraft and its future maintenance. Therefore, the person or organisation responsible in accordance with M.A.201 need not keep the certificates of conformity, the references to the batch numbers of the material used, or the individual work cards verified and/or generated by the maintenance organisation. However, the owner/CAMO may request such information from the maintenance organisation in order to verify and demonstrate the effectiveness of the aircraft maintenance programme.
Information relevant to future maintenance may be contained in specific documents relating to:

  • amendments;
  • airworthiness directives;
  • repaired and unrepaired damage;
  • components mentioned in M.A.305(d); and
  • measures relating to defects.

Yes, regardless of the owner's/operator's approvals and scope, you have the option of signing a contract with a CAMO. The important thing is that continuing airworthiness is managed by an appropriately approved CAMO.

The Electrical Load Analysis (ELA) is provided by the aircraft manufacturer to the operator.
These data are part of the ICAs (see AMC to Appendix H, H25.5 Instructions for continued airworthiness, applicable to point 5 on the EWIS). Changes to the ICAs are changes to the type certificate and must be approved in accordance with Part 21.
Where relevant, a change or modification should include a difference sheet for the ELA, so that the operator can update the current ELA.
The CAMO is responsible for the state of the ELA, which must be consistent with the design of the aircraft, including its approved changes.
The aircraft owner should have access to all relevant information in order to fulfil its continuing airworthiness obligations under Regulation (EU) 1321/2014, for example to provide that information to the competent authority on request, or to transfer the aircraft's continuing airworthiness records to a new owner when the aircraft changes ownership or in similar circumstances.
The new CAMO receiving the aircraft will verify these data when developing the aircraft maintenance programme (see M.A.302).