PART-IS: strengthening cybersecurity and the resilience of aeronautical information systems
Discover how PART-IS contributes to the protection of critical information systems in aviation and why it has become essential for aviation security.
What is PART-IS?
PART-IS (Information Security) is a mandatory European regulation, introduced by EASA (European Aviation Safety Agency), whose objective is to protect critical aviation information systems and to strengthen their resilience in the face of cyber threats.
It is a part of the regulatory corpus of civil aviation, in the same way as Part-145 (maintenance) or Part-21 (certification), and aims specifically to protect critical information systems used in aviation.
Its objective is to ensure that essential aeronautical technologies — avionic communications, navigation, air traffic management systems, ground infrastructures — are resilient in the face of cyber threats.
PART-IS therefore requires players in the sector (airlines, airports, manufacturers, air navigation service providers) to:
- identify and assess their vulnerabilities,
- implement corrective and preventive measures,
- ensure business continuity even in the event of a cyber incident.
This regulation is binding and is subject to controls by national authorities (such as the DGAC in France). In case of non-compliance, authorities may impose corrective measures or restrict certain activities until compliance is achieved. Beyond operational constraints, a non-compliant organization is also exposed to a loss of trust, which directly affects aviation safety.
Why is the PART-IS regulation essential for aviation security?
A growing threat in the aviation sector
Air transport has become a prime target for cyberattacks. The threat vectors are multiple:
- hacking communication systems between planes and control towers,
- sabotaging navigation software or flight plan applications,
- denial-of-service attacks against critical airport infrastructures,
- compromise of sensitive data related to passengers or operations.
Each vulnerability represents a direct risk to passenger safety, but also to the economic continuity of the aviation sector, which is based on absolute confidence in the reliability of its systems. Aviation, more than any other sector, cannot tolerate approximation when it comes to cybersecurity.
An obligation of trust and continuity
Civil aviation is based on a simple equation: zero compromise on safety.
- A computer attack that disrupts air traffic management can cause massive delays or even operational shutdowns, with considerable financial and organizational consequences.
- An in-flight avionics system compromise can have dramatic repercussions, putting the lives of passengers and the reputation of airlines at risk.
In this context, PART-IS is much more than a good practice: it is a regulatory obligation enshrined in the EASA corpus. It establishes resilience and cybersecurity standards applicable to the entire aeronautical chain: companies, manufacturers, technical service providers, airports and regulatory authorities.
An adapted response to current challenges
PART-IS meets a double need:
- protect critical systems from emerging threats, whether state, criminal, or opportunistic;
- maintain the trust of users and regulators, an essential condition for the continuity of air transport.
By imposing risk analysis procedures, the correction of vulnerabilities and the implementation of resilience plans, PART-IS is transforming cybersecurity into a structural component of aeronautical security.
The key principles of PART-IS
PART-IS is based on a series of principles intended to strengthen the protection of aeronautical information systems and to guarantee their resilience in the face of cyber threats.
Identifying critical assets
Identify all the systems, applications and infrastructures essential to the safe and continuous functioning of the aviation sector (avionics systems, air traffic, ground infrastructures, communication networks).
Vulnerability Assessment
Analyze the weak points likely to be exploited by attackers, whether they are technical, organizational or human flaws. This analysis should be documented and updated regularly.
Cyber risk management
Apply a risk management methodology (ISO 27005, EBIOS Risk Manager) to rank threats and prioritize security actions. The PART-IS requirements are aligned with ISO 27001 and NIST standards, which facilitates their adoption by organizations that are already certified or in compliance with these standards.
Corrective and preventive action plans
Define and implement concrete measures to secure systems: patching, access hardening, infrastructure redundancy, network segmentation, but also audit procedures and continuous monitoring.
Operational resilience
Ensure business continuity even in the event of an incident: reliable backups, recovery procedures, regularly tested crisis scenarios. Incident management (detection, response, recovery) is one of the central obligations of PART-IS.
Compliance and continuous improvement
PART-IS is not limited to the initial implementation of measures: it imposes a continuous improvement cycle, including record keeping (IS.D.OR.245), responding to authority audits (IS.D.OR.225) and regularly updating the Information Security Management System (ISMS).
A framework harmonized with Europe
To avoid a multiplication of obligations, PART-IS integrates and recognizes European standards such as those of EUROCAE, and a reconciliation is under way with the NIS 2 Directive so that PART-IS compliance can be recognized as equivalent in terms of cybersecurity.
PART-IS and its relationship with other regulations
PART-IS does not exist in a vacuum. It complements and interlocks with several cybersecurity standards and regulations:
- NIS 2: the NIS 2 directive is a cross-sectoral regulation imposing cybersecurity obligations on numerous critical sectors, including aviation. PART-IS, for its part, is a sectoral regulation specific to aeronautics, included in the EASA corpus. To date, compliance with PART-IS does not exempt an organization from applying NIS 2, but work is under way between EASA and the European Commission to avoid duplication.
- DORA: European regulation on digital operational resilience, applicable to the financial sector. Although it is not directly related to aviation, it is based on a similar logic of risk management, continuity, and cybersecurity governance. The comparison therefore illustrates a general trend at the European level, but DORA remains outside the aeronautical perimeter.
- ISO standards (27001, 27005, 27019, etc.): methodological frameworks for setting up an information security management system (ISMS) and managing cyber risks. PART-IS requirements are directly aligned with these standards, making it easy for organizations that are already certified to implement them.
- EBIOS Risk Manager: French risk analysis method widely used in aeronautics and defense, which can be used as part of PART-IS compliance.
- EUROCAE standards: technical guides and specifications specific to the aeronautical industry, which are explicitly referenced in PART-IS.
In practice, PART-IS allows aviation actors to strengthen their cyber posture while aligning with European and international compliance frameworks. EASA is also working with the European Commission to ensure that PART-IS compliance can be recognized in the context of NIS 2, in order to avoid any regulatory duplication.
How do I prepare for PART-IS?
To successfully comply, organizations in the aviation sector must adopt a gradual and structured approach. PART-IS defines 14 main obligations (IS.D.OR), broken down into acceptable means of compliance (AMC) and guidance material (GM) published by EASA. This calls for a rigorous approach that combines technical, organizational and governance work.
1. Mapping critical systems
Identify avionics systems, ground infrastructures, management software, communication networks and sensitive data. This step should lead to a comprehensive view of critical assets, a prerequisite for any risk management (IS.D.OR.100).
2. Analyzing risks and vulnerabilities
Evaluate the probability and impact of cyber threats: targeted attacks, intrusions, failures, human errors. PART-IS requires the establishment of an information security management system (ISMS, IS.D.OR.200) aligned with ISO 27001 and NIST, so that each organization has a solid methodological framework.
3. Define crisis scenarios
The regulation requires structured management of security incidents (IS.D.OR.220-230), with detection, response and recovery procedures. Example scenarios:
- ransomware attack blocking a control center,
- compromise of a flight plan system,
- coordinated cyber attack during a critical weather situation.
4. Deploy resilience plans
Implement prevention, protection and continuity measures: reinforced authentication, real-time supervision, PRA (Business Recovery Plan), network segmentation. PART-IS also requires organizations to formalize an information security manual (IS.D.OR.250) that describes all the measures deployed.
5. Ensuring ongoing governance
PART-IS compliance is not a one-off exercise: it requires continuous improvement (IS.D.OR.260). Organizations must set up indicators, conduct regular audits, maintain a register (IS.D.OR.245), respond to supervisory authorities (IS.D.OR.225) and update their procedures in line with changes in the context.
How to remain in compliance with PART-IS?
Initial compliance with PART-IS is only one step. To sustainably meet regulatory requirements and maintain a high level of cybersecurity, organizations in the aeronautical sector must set up a framework for monitoring and continuous improvement.
1. Update the risk analysis regularly
The cyber threat is evolving rapidly. Airlines and airports must regularly reassess their exposure and adapt their risk mapping accordingly.
2. Keep documentation and evidence up to date
PART-IS requires the documentation of processes (IS.D.OR.250 — Security Manual, IS.D.OR.245 — Records). This documentation must be kept up to date to be presented in the event of an audit by the competent authority.
3. Carry out regular audits and controls
Civil aviation authorities, such as the DGAC in France, can check compliance. Frequent internal audits make it possible to detect discrepancies early on and to remedy them quickly.
4. Testing and improving resilience
Compliance is not static. Organizations must organize crisis exercises, test their recovery plans and integrate feedback to continuously improve their systems (IS.D.OR.260).
5. Follow regulatory and normative changes
EASA and the European Commission are working on the alignment between PART-IS and the NIS 2 Directive. Organizations must remain vigilant in the face of regulatory changes to anticipate new obligations.
Anticipate with Egerie: your ally for compliance
The Egerie platform helps you secure your critical information systems by facilitating each stage of compliance:
- Dynamic cyber risk mapping, with a clear vision of critical dependencies.
- Incident scenario modeling, to anticipate the impacts on flight operations.
- Integrated action plans, allowing collaborative monitoring of the implementation of security measures.
- Real-time dashboards, to manage governance and communicate effectively with regulatory authorities.
- Centralized documentation, in order to streamline audits and continuously demonstrate compliance.
Thanks to this integrated approach, you gain efficiency, visibility and confidence in the face of PART-IS regulatory requirements.
Request a free demo and find out how Egerie can simplify your compliance.
In a sector where security does not tolerate any compromise, PART-IS stands out as a strategic lever to strengthen cybersecurity and the resilience of aeronautical information systems.
By allowing organizations to anticipate threats, integrate cyber risk management into their operations and demonstrate compliance, it is a concrete response to the current challenges of digital aviation.
With a solution like Egerie, industry players can turn this requirement into a strategic advantage, by strengthening passenger safety, regulatory confidence and operational continuity at the same time.
Frequently asked questions about PART-IS
What is PART-IS?
PART-IS is a framework designed to protect and improve the resilience of critical information systems in aviation, in order to ensure the safety and continuity of aviation operations in the face of cyber threats.
Who is affected by PART-IS?
All stakeholders in the aeronautical sector: airlines, manufacturers, airports, technical service providers, air navigation service providers, as well as regulatory authorities.
What is the difference between PART-IS and NIS 2?
The NIS 2 directive is a binding European regulation covering several critical sectors, including aviation. PART-IS, on the other hand, is a framework specifically designed for aviation security, focused on critical information systems.
How to set up PART-IS?
The approach is based on the analysis of vulnerabilities, the implementation of corrective action plans, and the construction of ongoing cybersecurity governance. Using a platform like Egerie makes it possible to speed up this implementation and make it more reliable.