The Role of Part-IS in Part-145

Securing Maintenance and Continuing Airworthiness

In an era where cyber threats are increasingly sophisticated, organizations in the aviation maintenance and continuing airworthiness domain must prioritize information security to ensure safety and operational continuity. Recognizing this need, the European Union introduced Part-IS, a regulatory framework mandating the implementation of an Information Security Management System (ISMS).

This article explores how maintenance organizations can adopt Part-IS to safeguard their operations while maintaining compliance with industry standards.

What is Part-IS?

Part-IS, formalized under Commission Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation 2022/1645, extends the principles of traditional Safety Management Systems (SMS) to encompass cybersecurity risks.

By implementing an ISMS, organizations can:

• Prevent unauthorized access, data breaches, and cyber-attacks.
• Protect critical aviation systems, networks, and data.
• Ensure safe and secure operations even amid evolving cyber threats.
• Prepare for effective responses to cybersecurity incidents.
• Continuously improve security measures to adapt to emerging challenges.

Who Needs to Comply with Part-IS?

The regulation applies to several organizations, including:

• Part-145 Maintenance Organizations (excluding certain smaller entities).
• Continuing Airworthiness Management Organizations (CAMOs).
• Approved Training Organizations (ATOs) and Air Navigation Service Providers (ANSPs), among others.

Organizations that consider Part-IS is not applocable/outside its scope can request derogations under specific provisions. If you consider Part-IS is deemed inapplicable, HACE can assist organizations in obtaining a derogation from the competent authority.

Why Part-IS Matters for Maintenance and Airworthiness

Cyber threats in the maintenance domain can severely impact safety and operations. Examples include ransomware attacks on maintenance records, phishing schemes targeting staff, and exploitation of IT vulnerabilities in aircraft systems. Addressing these risks through a structured ISMS not only ensures compliance but also fortifies operational resilience.

How to Implement ISMS in Maintenance Organizations

To comply with Part-IS, organizations can adopt a phased approach:

1. Assessment and Planning:
   • Review regulatory requirements, particularly IS.I.OR.200 and IS.I.OR.205.
   • Conduct a gap analysis against current practices and define roles and responsibilities.
2. Design and Development:
   • Establish robust risk management frameworks.
   • Develop policies for incident detection, response, and recovery.
   • Train staff on cybersecurity best practices tailored to their roles.
3. Execution:
   • Implement ISMS governance structures.
   • Operationalize risk assessments and response procedures.
   • Integrate ISMS into daily operations and align with SMS.

The Way Forward towards compliance with Part-IS and implementing ISMS

The deadline for compliance with Part-IS and implemening ISMS is set to be 22nd of February 2026. By embracing Part-IS, organizations in the maintenance and continuing airworthiness domain can elevate their cybersecurity posture while aligning with regulatory expectations. For those unsure about its applicability, expert guidance from our experts at HACE provide a pathway to secure derogations or tailored compliance solutions.

Cybersecurity is not just a technical necessity—it’s an operational imperative. Implementing ISMS under Part-IS ensures that your maintenance and airworthiness operations remain secure, compliant, and resilient against evolving threats. Please contact us (info@hace.aero) if you are interested in our support in succesfully introducing Part-IS in your companies Part-145A.200 Management System.