Information security in civil aviation: Part-IS
From 16 October 2025 or 22 February 2026, civil aviation organisations in the Netherlands must comply with new rules for managing information security risks that could affect aviation safety. These rules are set out in EASA Part-IS (Information Security). CAA NL monitors compliance with Part-IS in the Netherlands.
If your organisation must already comply with the Wet beveiliging netwerk- en informatiesystemen, Wbni (Security of Network and Information Systems Act), you will already be partially familiar with the requirements of Part-IS.
Types of organisations that must comply with the new rules
From 16 October 2025, the new EASA rules on information security in civil aviation will apply to:
- Manufacturers and designers (in Dutch) holding a Part-21 certificate (DOA and POA holders).
- EASA-certified airports (ADR) and organisations operating services at EASA-certified airports (AMS).
The rules will apply from 27 March 2031 for ground handling organisations at EASA-certified airports.
With effect from 22 February 2026, the rules on information security in civil aviation will apply to:
- Airlines (Air Operator Certificate (AOC) holders, in Dutch).
- Continuing Airworthiness Management Organisations (CAMOs, in Dutch).
- Maintenance organisations (MOA holders, in Dutch).
- ATM/ANS providers.
- Air traffic controller training organisations (ATCOs, in Dutch).
- Approved training organisations (ATOs, in Dutch).
- National aviation oversight bodies.
Learn more about the organisations covered by Part-IS on the EASA website.
Requirements under Part-IS
By the applicable date, your civil aviation organisation must:
- Have an Information Security Management System (ISMS) in place.
  This ISMS forms the foundation of your information security approach. It reduces the risks and consequences of a cyberattack.
- Have an Information Security Management Manual (ISMM).
  This manual describes your ISMS and your change and risk management policies.
- Submit your ISMM for approval to the CAA NL.
How to prepare for the new rules
Read more about the ISMS and ISMM requirements under Part-IS on the EASA website:
- Part-IS – topics include applicability, risk assessment and integration with existing systems and processes.
- EASA Acceptable Means of Compliance and Guidance Material.
- Cybersecurity – EASA’s role and available Part-IS training.
- EASA’s oversight approach (PDF).
- Discussion forum for aviation organisations.
- ISO/IEC 27001
- Wet beveiliging netwerk- en informatiesystemen, Wbni (Security of Network and Information Systems Act) in Dutch
Queries
For further queries send an email to: luchtvaart-cybersecurity@ilent.nl