Information security in civil aviation: Part-IS
As a civil aviation organisation in the Netherlands, you must comply with new European Aviation Safety Authority (EASA) rules on information security from 16 October 2025 or 22 February 2026, depending on your organisation type. These rules are set out in Part-IS.
Bekijk deze pagina in het Nederlands
Types of organisations that must comply with the new rules
From 16 October 2025, the new EASA rules on information security in civil aviation will apply to:
- Manufacturers and designers (in Dutch) holding a Part-21 certificate (DOA and POA holders).
- Organisations operating services at airports.
- Air navigation service providers (ANSPs, in Dutch).
From 22 February 2026, the EASA rules for information security in civil aviation will also apply to:
- Airlines (Air Operator Certificate (AOC) holders, in Dutch).
- Continuing Airworthiness Management Organisations (CAMOs, in Dutch).
- Maintenance organisations (MOA holders, in Dutch).
- Air traffic controllers (ATCOs) and ATCO training organisations (in Dutch).
- Approved Training Organisations (ATOs, in Dutch).
- National aviation oversight bodies.
Learn more about the organisations covered by Part-IS on the EASA website.
Requirements under Part-IS
By the applicable date, your civil aviation organisation must:
- Have an Information Security Management System (ISMS) in place.
This ISMS forms the foundation of your information security approach. It reduces the risks and consequences of a cyberattack. - Have an Information Security Management Manual (ISMM).
This manual describes your ISMS and your change and risk management policies. - Submit your ISMM for approval to the Civil Aviation Authority the Netherlands (CAA NL).
You will be informed in due time when submission is possible. The procedure will be similar to that used for your Safety Management System (SMS).
Read more about the ISMS and ISMM.
About Part-IS
The new rules are laid down in EASA Part-IS (Information Security). Part-IS:
- Sets mandatory standards for all measures aviation organisations must take to reduce the risks and consequences of cyberattacks.
- Aims to better align European requirements for information security across aviation organisations.
CAA NL oversees compliance with Part-IS and is currently setting up the necessary procedures.
How to prepare for the new rules
To ensure your ISMS and ISMM are ready in time for the deadline, you can use the ISO/IEC 27001 standard as a reference.
If your organisation is already subject to the Wet beveiliging netwerk- en informatiesystemen, Wbni (network and information systems security act, Wbni), you may already be familiar with some of the requirements set out in Part-IS.
Read more about the ISMS and ISMM requirements under Part-IS on the EASA website:
- EASA Acceptable Means of Compliance and Guidance Material.
- Part-IS – topics include applicability, risk assessment and integration with existing systems and processes.
- Cybersecurity – EASA’s role and available Part-IS training.
- EASA’s oversight approach (PDF).
- Discussion forum for aviation organisations.