Introduction: Why EASA Part‑IS Matters Now
The European aviation regulatory landscape has shifted significantly with the introduction of EASA Part‑IS, established under Regulation (EU) 2022/1645 and further detailed in Implementing Regulation (EU) 2023/203.
For airlines, MROs, CAMOs, and other approved aviation organizations, Part‑IS mandates an Information Security Management System (ISMS). Its purpose is clear: to ensure that information and information systems are protected wherever their compromise could impact aviation safety, regulatory compliance, or operational continuity.
This regulation reflects a simple reality: modern aviation depends on digital information. From maintenance data and controlled documentation to training records and operational systems, information integrity and availability are now safety‑critical.
Who Is Accountable Under EASA Part‑IS?
EASA Part‑IS applies to the organization, not just to IT or cybersecurity teams. As with safety and compliance, ultimate accountability rests with the Accountable Manager.
In practice, however, Part‑IS is a shared responsibility across senior leadership. Information security risks cut across operational, maintenance, safety, training, and compliance functions, meaning no single role can manage Part‑IS alone.
Key contributors typically include the ISMS Manager or CISO, supported by Compliance Monitoring, Safety, Flight Operations, Maintenance, Ground Operations, and Training leadership. In MRO and Part‑145 environments, this shared ownership is particularly important, as maintenance records, technical documentation, and competency data are all information assets that directly support airworthiness and regulatory compliance.
Regulators expect to see clear ownership, defined responsibilities, and coordination across these roles, rather than treating Part‑IS as a purely technical issue.
What Does EASA Part‑IS Regulate?
A common misunderstanding is that EASA Part‑IS certifies or approves specific software products. It does not.
Part‑IS regulates how information systems are used within an aviation organization, not what those systems are called. Any system can fall within scope if a loss of confidentiality, integrity, or availability could affect aviation safety or compliance.
This includes systems supporting:
- Flight and ground operations
- Maintenance and continuing airworthiness
- Safety and risk management
- Regulatory compliance and authority oversight
- Training, qualifications, and competency management
The key question is simple: If this system failed or was compromised, could it affect safe operations? If the answer is yes, Part‑IS applies, regardless of whether the organization is an airline or an MRO.
EASA Part‑IS Applicability Across Comply365 Solutions
When deployed within an aviation organization, Comply365 solutions may fall within the organization’s Part‑IS scope, depending entirely on how they are used.
It is important to be clear on accountability:
- The aviation organization remains fully responsible for compliance
- Comply365 acts as a supporting supplier, providing secure platforms, governance controls, and evidence to support oversight
Final determination of Part‑IS compliance always rests with the customer and their competent authority.
SafetyManager365 and EASA Part‑IS
SafetyManager365 supports EASA Part‑IS in two complementary ways.
1. Information‑Security Risk Identification and Management
Part‑IS requires organizations to identify, assess, and manage information‑security risks that may affect aviation safety.
SafetyManager365 can be configured to:
- Identify and document information‑security risks
- Assess severity and potential safety impact
- Define and track mitigations and corrective actions
- Monitor effectiveness and residual risk over time
While SafetyManager365 is not a dedicated cybersecurity or GRC tool, it aligns well with EASA guidance by allowing organizations to use existing SMS‑based risk management approaches to support Part‑IS.
2. Platform Security, Resilience, and Governance
At platform level, Comply365 provides controls that support Part‑IS expectations, including:
- Role‑based access control and least‑privilege principles
- Protection of data integrity and availability
- Incident monitoring and response processes
- Backup, disaster recovery, and business continuity capabilities
- ISO/IEC 27001‑aligned information‑security governance
Together, these support the use of SafetyManager365 as a secure and auditable system within a Part‑IS environment.
ContentManager365 and EASA Part‑IS
ContentManager365 typically falls within Part‑IS scope when used to manage or distribute:
- Operational manuals (OM, FCOM, MEL)
- Maintenance Organization Exposition (MOE)
- Safety‑critical and compliance‑driven documentation
In these use cases, Part‑IS expectations focus on controlled access, content integrity, availability, and traceability.
ContentManager365 supports these requirements through:
- Role‑based permissions and access control
- Structured authoring, review, and approval workflows
- Full version control and audit trails
- Secure hosting aligned with ISO/IEC 27001
For MROs, this is especially important where documentation integrity underpins continued airworthiness.
TrainingManager365 and EASA Part‑IS
TrainingManager365 may fall within Part‑IS scope when used for:
- Safety‑critical training
- Regulatory qualification and recurrency records
- Evidence used during audits or authority oversight
In these scenarios, loss of data integrity or availability could indirectly affect aviation safety.
TrainingManager365 supports Part‑IS through:
- Controlled access to training records
- Protection of record integrity and traceability
- Audit trails for oversight
- Secure hosting, backup, and recovery capabilities
This is particularly relevant for licensed engineers and certifying staff in MRO environments.
Platform‑Wide Information Security and Governance
Across all Comply365 solutions, customers benefit from shared platform controls, including:
- ISO/IEC 27001‑aligned information‑security management
- Encryption of data in transit and at rest
- Secure hosting environments
- Incident response and supplier oversight
- Contractual assurances via DPAs and security addenda
Roles, Responsibilities, and Regulatory Accountability
Under EASA Part‑IS:
- Compliance accountability remains with the aviation organization
- Comply365 provides supporting systems and controls
- Compliance is assessed by the competent authority
- Comply365 does not claim Part‑IS certification
Key Takeaways for Aviation and MRO Leadership
- EASA Part‑IS applies at the organizational level
- Applicability depends on system usage, not product names
- MROs are fully in scope
- Comply365 supports governance, security, and evidence needs
- Final accountability always remains with the customer