Go to content

Requesting permission for exemption from Part-IS obligations

If your civil aviation organisation falls under EASA Part-IS (Information Security), you must apply for approval of initial compliance. In certain cases, you can apply for permission to be exempted from part of your Part-IS obligations.

Bekijk deze pagina in het Nederlands

Eligibility requirements

Your organisation is eligible for the exemption when it falls under Part-IS, and also:

  • It falls under an exemption rule in Article 2 of Implementing Regulation EU 2023/203. Or:
  • A risk analysis can demonstrate that there are no information security risks, including for chain partners. For example, because you do not have any digital systems.

Apply for the exemption before the Part-IS obligations for your type of organisation come into effect.

Applying for an exemption

Apply for the exemption from the Civil Aviation Authority the Netherlands (CAA NL), part of the Human Environment and Transport Inspectorate (ILT). The application process consists of 2 phases.

  1. In phase 1, use the online form Aanvraag derogation EASA Part-IS (in Dutch). Upload the following documents together with your application:
    • An overview of the services your organisation provides and receives.
    • Description of the architecture of the information systems used.
    • Detailed justification for the exemption from specific obligations.
    • Summary of the risk analysis carried out in line with the architecture.
  2. In phase 2, when CAA NL has approved these documents, use the online form Aanvraag derogation EASA Part-IS (in Dutch) again. Upload the following documents together with your application:
    • Detailed risk analysis.

Prepare this documentation in English or Dutch. You can use your own methods to prepare these documents or there are templates for the justification (in phase 1) and the detailed risk analysis (in phase 2) available online.

After your application

The processing of your application is free of charge.

CAA NL will let you know within 8 weeks whether you will be granted the exemption.

  • If you are granted the exemption, you must continue to comply with the Part-IS obligations to:
    • Treat information from other organisations as confidential (IS.I.OR.200 (a) (13)).
    • Perform a risk analysis on your information security (IS.I.OR.205).
    • Set additional requirements for your personnel (IS.I.OR.240).
    • Properly documenting knowledge about the exemption conditions.
    • Notify CAA NL of any changes in your organisation that may affect your exemption.
  • If you do not receive an exemption, you must apply for approval of your initial compliance.

Queries

If you have any queries regarding applying for exemption from Part-IS obligations, please refer to the Implementation Guidelines for Part-IS IS.I/D.OR.200 (e).

Otherwise you can send an email to luchtvaart-cybersecurity@ilent.nl