From 16 October 2025, 22 February 2026 or 27 March 2031, civil aviation organisations in the Netherlands must comply with new rules for managing information security risks that could affect aviation safety. These rules are set out in the European Union (EU) Regulation for Information Security, Regulations (EU) 2023/203, 2022/1645 and 2025/22. The Civil Aviation Authority the Netherlands (CAA NL), part of the Human Environment and Transport Inspectorate (ILT), monitors compliance with Part-IS in the Netherlands.
Please note: If your organisation complies with the Wet beveiliging netwerk- en informatiesystemen, WBNI (Security of Network and Information Systems Act, in Dutch), you will already be partially familiar with the requirements of Part-IS.
Types of organisations that must comply with the new rules
From 16 October 2025, the new EASA rules on information security in civil aviation apply to:
- Manufacturers (in Dutch) holding a Part-21 certificate (POA holders).
- Designers (in Dutch) holding a Part-21 Subpart J certification (DOA holders; these certificate holders are under the direct supervision of EASA).
- EASA-certified airports (ADR) and organisations operating services at EASA-certified airports (AMS).
With effect from 22 February 2026, the rules on information security in civil aviation will apply to:
- Air operators with complex motor-powered aircraft as referred to under Annex III (Part-ORO):
  - Airlines – Air Operator Certificate, AOC holders (in Dutch).
  - Non-commercial (in Dutch) operations with complex motor-powered aircraft (NCC).
  - Commercial (in Dutch) and non-commercial (in Dutch) specialised flight operations (SPO).
- Aircrew aero-medical centres (Annex VII: Part-ORA)
- Continuing Airworthiness Management Organisations, CAMOs (in Dutch).
- Maintenance organisations (Part-145).
- ATM/ANS-providers.
- Air traffic controller training organisations, ATCOs (in Dutch).
- Approved training organisations, ATOs (in Dutch).
- U-space service providers and single common information service providers.
With effect from 27 March 2031, the rules on information security in civil aviation shall apply to:
- Ground handling organisations at EASA-certified airports.
Read more about the organisations covered by Part-IS on the EASA website.
Requirements under Part-IS
By the applicable date, your civil aviation organisation must have:
- An Information Security Management System (ISMS) in place.
  This ISMS forms the foundation of your information security approach. It reduces the risks and consequences of a cyberattack.
- An Information Security Management Manual (ISMM).
  This manual describes your ISMS and your change and risk management policies.
- An application for approval of your ISMM already submitted to CAA NL.
How to prepare for the new rules
Read more about the ISMS and ISMM requirements under Part-IS on the EASA website:
- Part-IS – topics include applicability, risk assessment and integration with existing systems and processes.
- EASA Acceptable Means of Compliance and Guidance Material.
- Cybersecurity – EASA’s role and available Part-IS training.
- EASA’s oversight approach.
- Easy Access Rules for Information Security.
- Discussion forum for aviation organisations.
- ISO/IEC 27001.
Queries
For further queries send an email to: luchtvaart-cybersecurity@ilent.nl