Frequently asked questions

The EASA PART-IS Regulation applies to the activities of the aviation sector in the civil field.

To carry out an initial evaluation of your organization, the following document attached as a work plan proposal may be useful.

It is possible to include ISMS requirements in a comprehensive management system comprising information security, aviation security, quality management, etc. In addition, existing ISMS (e.g. ISO/IEC 27001) can be adapted to the needs of Part-IS. From an organizational perspective, different types of risks interact with each other, and the implementation of certain controls (measures) can address more than one type of risk.

Whether to have a single manual is something each organization must evaluate according to its own characteristics; the Regulation explicitly does not require it.

ISO 2700X certification will be considered to satisfy the EASA PART-IS Regulation to a large extent. However, the EASA PART-IS Regulation introduces requirements specific to the aviation security context that the ISO 2700X certification framework does not cover. Guidance material on ISO 2700X certification has been developed within the EASA PART-IS Working Group for Authorities and may be useful to you.

The supervision of the EASA PART-IS Regulation will be carried out by the Competent Authority that issued the approvals for the different activities of the organization. For those approvals issued by EASA, the inspection of each organization, once the Regulation is in force, will be carried out by the Unit assigned by that organization.

Regulation 203/2023 (PART-IS) establishes cybersecurity requirements to be met by civil aviation entities from the SAFETY point of view, while Regulation 2019/1583 and its transposition into the National Security Programme and Instruction SA-16 also establish cybersecurity requirements, but from the AVSEC (SECURITY) point of view.

They are therefore regulations with measures related to Information Security (Cybersecurity) but with different objectives and different measures. In some cases synergies may or will be needed, since some entities are affected by both regulations, as often happens with SAFETY and SECURITY legislation. It is clear that one does not replace the other, and therefore both must coexist.

The figure of the Civil Aviation Information Security Officer (RSIAC) is defined in section 2 of Security Instruction SA-16 as the person in an entity in charge of ensuring the security of the organization's information against threats and cyberattacks that could affect AVSEC. The following functions and responsibilities have been established for this role (after the last update of SA-16 of 18/12/2023):

a. Identification of the critical functions that apply to the entity.
b. Determination of the criticality of communications systems and/or critical data, based on the critical functions identified.
c. Performing risk analysis to identify vulnerabilities and to select and implement the entity's security measures.
d. Developing, maintaining and updating the entity's information security documentation.
e. Assignment of profiles and responsibilities for information security.
f. Checking that personnel comply with the provisions of section 11.1.2 (c) and Instruction SA-20.
g. Ensuring staff awareness and training on information security.
h. Point of contact with national competent authorities and other information security entities.
i. Information security supply chain management.
j. Establishing the procedure for reporting information security incidents and monitoring compliance with it.
k. Managing and sharing relevant information with competent authorities and other entities, on the entity's own initiative or at the request of the authorities.
l. Information security incident management and coordination with the reference CSIRT.
m. Accountability to the competent authority for the information security audits carried out, managing deficiencies and implementing corrective measures as necessary.

Likewise, Regulation (EU) 2023/203, in IS.I.OR.240(b) Personnel Requirements, states that the responsible manager shall appoint a person or group of persons to ensure that the organisation complies with the requirements of the Regulation, and shall define the scope of their authority. That person or group of persons shall report directly to the responsible manager and shall have the appropriate knowledge, training and experience to carry out their responsibilities. Procedures shall determine who replaces a particular person in the event of his or her prolonged absence.

In addition, IS.I.OR.240(d) states that, if the organization shares organizational structures, policies, processes and procedures for information security with other organizations or with areas of its own organization that are not part of the approval or declaration, the responsible manager may delegate its activities to a Common Responsible Person (CRP).

The Acceptable Means of Compliance and Guidance Material to Annex II (Part-IS.I.OR) to Commission Implementing Regulation (EU) 2023/203 clarifies that:

“The possibility of delegating a CRP applies to an organisation that shares organisational structures, policies, processes and procedures for information security with other organisations or with parts of its own organisation that are not part of the authorisation or declaration, therefore this CRP is expected to have responsibilities and competences for information security. In particular, the CRP should be able to manage the organisation’s information security strategy and its implementation to ensure the achievement of the objectives described in Article 1. According to the European Cybersecurity Skills Framework (ECSF) published by ENISA in September 2022, this person can be described, for example, as (chief) responsible for information security, director of the cybersecurity programme or responsible for information security.”

Therefore, both the AVSEC regulations, through the RSIAC, and the SAFETY regulations (PART-IS), through the CRP, establish the need to appoint one or more persons to guarantee compliance with the Information Security requirements laid down by those regulations.

It is up to each entity to decide whether the role responsible for compliance with the information security requirements from the AVSEC point of view (RSIAC) and the role responsible for compliance with the information security requirements from the SAFETY point of view (CRP) are held by the same person or by different, coordinated persons, and to define the organizational structure that ensures compliance with both sets of legislation.

The Competent Authority is also required to implement an information security management system. Among the aspects covered by this management system is the protection of the confidentiality of any information that the competent authority may hold in relation to the organisations under its supervision, including information received through those organisations' external reporting systems. See requirement IS.AR.200(a)(9).