EASA Part-IS: the deadlines have passed

17 luglio 2026

For organisations within the Part-IS scope, compliance now enters the operational evidence phase.

The EASA Part-IS framework set two application dates:


  • 16 October 2025 for organisations covered by Delegated Regulation (EU) 2022/1645;
  • 22 February 2026 for organisations and competent authorities covered by Implementing Regulation (EU) 2023/203.


By the applicable date, organisations were required to have an information security risk management system capable of protecting civil aviation safety. Now the more demanding phase begins: proving that the system is actually operational.


Under EASA's oversight approach, the ISMS must be shown to be in place, adequate, and increasingly able to produce evidence of how it functions.

For competent authorities, in Italy ENAC for the entities under its remit, verification can therefore focus on a number of core elements.


Governance and accountability

  • The accountable manager must be able to demonstrate how information security decisions are made, approved, and reviewed.
  • Roles, delegations, resources, and escalation flows must be clearly defined and consistent with the organisation.


Dynamic risk assessment

  • The risk assessment must reflect the current state of systems and activities.
  • Operational changes, new suppliers, evolving threats, and technological updates must trigger risk re-evaluation and updates to the risk register.


Incident management and testing

  • Procedures and plans must be exercised periodically.
  • Test evidence must document response times, decisions made, issues identified, and corrective actions taken.


ISMS and SMS integration

  • Information security risks capable of affecting safety require a structured link between the ISMS and the Safety Management System.
  • Responsibilities, information flows, indicators, and incident management processes must be consistent at the points where cybersecurity and operational safety intersect.


Training and awareness

  • Personnel must know their responsibilities and how to act in the event of an incident.
  • Training pathways, participation, learning verification, and periodic updates must produce verifiable evidence.


EASA assesses systems that are in place, adequate, and operational, sustained through oversight, testing, and continuous improvement.

Many organisations have focused their efforts on building the documentation framework. The current phase requires verifying that it holds up over time and can withstand an oversight review.


This is the moment to identify any gaps, consolidate evidence, and strengthen the integration between safety governance and cyber risk management.


Magis & Partners supports airlines, airports, and aeronautical organisations in preparing for EASA Part-IS audits and in strengthening integrated governance between SMS and ISMS.


👉 Contact us to discover our Part-IS readiness assessment methodology.


#EASA #PartIS #AviationSecurity #CyberSecurity #Safety #ISMS #SMS #RiskManagement #Governance #ENAC

17 luglio 2026
Per le organizzazioni nel perimetro Part-IS, la conformità entra nella fase delle evidenze operative.
7 luglio 2026
NIS2 operativa: obblighi di notifica, tempistiche e impatti sull’Incident Response. Scopri come adeguare processi, governance e framework GRC.
1 luglio 2026
Per CISO e Risk Manager, inventario e classificazione dei sistemi AI diventano priorità di governance.
10 giugno 2026
Le sfide legate a 𝘤𝘺𝘣𝘦𝘳𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺, 𝘤𝘰𝘮𝘱𝘭𝘪𝘢𝘯𝘤𝘦 𝘦 𝘳𝘦𝘴𝘪𝘭𝘪𝘦𝘯𝘻𝘢 𝘰𝘱𝘦𝘳𝘢𝘵𝘪𝘷𝘢 stanno cambiando rapidamente il settore aviation e il mondo delle infrastrutture critiche.
10 giugno 2026
🇪🇺 EU AI Act: cos’è e cosa prevede.
10 giugno 2026
🇪🇺 Direttiva NIS2: UE e la Sicurezza Informatica
10 giugno 2026
Quanto può costarti ignorare il rischio cyber? 
10 giugno 2026
Grazie di cuore al Comandante e al 51° Stormo di Istrana
RUN51, solidarietà e territorio
10 giugno 2026
Magis & Partners è impegnata sul territorio con iniziative di solidarietà. Scopri i nostri progetti sociali e come contribuiamo al benessere collettivo.