How to Achieve EASA Part-IS Compliance in 2026 (Without Turning Your Business Into a Paper Factory)
February 2026 isn’t just another deadline for aviation organisations—it’s the moment information security becomes a regulatory safety requirement under the EASA information security regulation (Part-IS). If you hold (or support) an EASA approval—Part-145, CAMO, AOC, ATO, ATM/ANS, and more—Part-IS is now the rulebook you’ll be audited against, not a “nice-to-have” cyber programme.
This article breaks down what changed, who’s affected, the real-world consequences of non-compliance, and a practical implementation roadmap you can run like a pre-flight checklist (only with fewer acronyms… okay, maybe slightly fewer).
What changed in 2026?
Part-IS didn’t appear overnight. The rules were adopted in 2022 and 2023, and the first wave (Delegated Regulation (EU) 2022/1645) has applied since 16 October 2025. The second wave, Implementing Regulation (EU) 2023/203, is the one that brings in a large portion of the aviation ecosystem, and its applicability date of 22 February 2026 is the milestone many organisations have been preparing for.
A few important 2026 realities to keep in mind:
- Information Security Management System (ISMS) is mandatory for safety-relevant information assets and processes (think “aviation safety impact,” not just “IT risk”).
- External reporting is time-bound: where Part-IS requires reporting, the formal report must be submitted as soon as possible and within 72 hours of the organisation becoming aware of the occurrence, unless exceptional circumstances prevent it.
- Oversight gets real: competent authorities review your documentation (including an ISMM) and can raise findings if you’re not ready.
If you already run ISO 27001, you’re not starting from zero—but you do need to adapt your system to aviation’s safety context. EASA explicitly notes strong alignment with ISO/IEC 27001 while adding aviation safety specifics.
Who is affected (and why IT & travel businesses should care)
Directly in scope
Many organisations are directly covered by the 22 February 2026 applicability date, including:
- Air operators (AOC holders), NCC, SPO
- CAMOs
- Maintenance organisations (Part-145)
- ATM/ANS providers
- ATCO training organisations
- Approved Training Organisations (ATOs)
- Aero-medical centres
- (Plus other aviation stakeholders, depending on approvals and domain)
That means CAMO information security is no longer a side project owned by “the IT person who also resets passwords.” It’s a management system requirement tied to continued approval.
Indirectly affected: suppliers and partners
Even if you’re not an EASA approval holder, you can still end up “pulled into” Part-IS through contracts.
Part-IS explicitly requires organisations to ensure that contracted activities comply, and it gives competent authorities the ability to access contracted organisations when needed.
So yes—this matters to:
- IT companies and SaaS providers (MRO systems, crew tools, airport service platforms, document control, SOC services)
- Tour operators and travel platforms integrated with airline/airport workflows
- Managed service providers and cloud vendors supporting safety-relevant systems
Before we go deeper, here’s a quick “am I exposed?” check. If you answer “yes” to any of these, treat Part-IS seriously:
- You hold an EASA approval (Part-145, CAMO, AOC, ATO, etc.)
- You provide services that touch safety-relevant operations (maintenance, dispatch, airworthiness records, training systems)
- You’re a supplier to an EASA organisation and your service could introduce risk
- Your customers are already asking for Part-IS clauses in contracts
If you ticked even one box, the next sections are for you.
Real risks of penalties and non-compliance (beyond “failing an audit”)
Let’s talk about consequences in business language.
1) Findings, operational limitations, and approval pressure
EASA’s oversight approach anticipates findings where organisations can’t demonstrate compliance—especially if required documentation isn’t available by the applicability date. In some cases, authorities may allow continued operation; in others, they may impose limitations while findings are closed.
2) The 72-hour clock is unforgiving
If you don’t have a working incident detection and reporting process, you’re not merely “less mature”; you may be non-compliant, because Part-IS can require a formal report within 72 hours of becoming aware of the occurrence. A 72-hour clock is only achievable if you can detect the event, decide on its safety impact, and reach the authority’s reporting channel well inside that window.
3) Supply chain incidents are not theoretical
A practical reason Part-IS leans hard into supplier risk: aviation disruptions increasingly come through third parties. For example, Reuters reported major airport disruptions after a ransomware-related incident affecting check-in systems provided by a third party—delays, cancellations, and manual workarounds across multiple airports.
4) Threat volume keeps rising (you’re not imagining it)
ENISA’s Threat Landscape 2025 describes a cyber environment shaped by rapid vulnerability exploitation and a high volume of curated incidents (nearly 4,900 in the reporting period), with ransomware still central. Even if that’s not aviation-specific, it’s the background weather you’re flying through.
The core idea: an aviation ISMS is “safety-first” security
Part-IS expects an aviation ISMS that protects information assets so the organisation’s operational and safety objectives can be achieved. The scope is not “everything IT owns,” but everything that could cause or contribute to aviation safety consequences.
A helpful way to explain this to leadership:
- ISO 27001 often asks, “What could hurt our business?”
- Part-IS asks, “What could hurt safe operations?”
That safety impact lens is what changes your risk method, your priorities, and what the authority will want to see.
EASA risk management requirements (what auditors look for)
Part-IS is fundamentally risk-based, but with aviation safety impact at the centre. In practice, auditors expect you to demonstrate that you:
- Know your safety-relevant information assets and interfaces
- Run a repeatable risk assessment method that includes safety impact
- Choose controls based on risk treatment (not vendor trends or fear)
- Maintain evidence (risk register, decisions, approvals, reviews)
And because Part-IS does not replace other laws, you may be managing overlapping obligations with NIS2 and other schemes. EASA notes that Part-IS is not treated as “lex specialis” under NIS2, so the two regimes can apply to the same organisation in parallel, which matters for compliance planning in the EU.
Step-by-step roadmap to Part-IS compliance (a practical implementation plan)
Here’s a roadmap that works for aviation organisations and for suppliers supporting them. You can compress or expand timelines, but don’t skip steps—Part-IS is a system, not a checklist.
1) Confirm scope and applicability (Week 1–2)
Start by identifying which approval(s) and activities fall under Part-IS, and which systems/processes could affect aviation safety. Your scope statement is a foundational audit artefact.
2) Set governance: accountable ownership + competent roles (Week 1–3)
Part-IS expects leadership involvement and clear responsibilities. Create a simple governance model: accountable manager awareness, ISMS owner, risk owners, and a compliance monitoring mechanism.
3) Map “what matters” (Week 2–6)
This is where programmes either become usable—or become shelfware. Identify:
- Critical processes (maintenance release, airworthiness records, training progression, flight ops interfaces)
- Information assets and supporting systems (apps, networks, data stores, suppliers)
- External interfaces (partners, airports, OEMs, vendors)
Document it in a way that your ops people recognise, not only your IT team.
4) Build the risk method with a safety impact dimension (Week 4–8)
Your risk model needs to show how you evaluate aviation safety consequences, not just confidentiality/integrity/availability in abstract terms. The AMC/GM explicitly ties IS risk management to aviation safety risk acceptance levels.
5) Create a risk register and treatment plan (Week 6–10)
You’ll need a risk register with treatments, owners, deadlines, and evidence. Controls should cover governance, people, physical, and technical layers, not just “buy another tool.”
6) Engineer incident detection, response, and reporting (Week 8–12)
This is a common failure point. Build your internal and external reporting flows and make them usable under stress.
You should be able to demonstrate:
- How events become incidents
- Who decides safety impact
- How you report externally within the required timeline (including the 72-hour reporting limit where applicable)
7) Lock down supplier and contracting controls (Week 8–14)
If you outsource anything (SOC, cloud hosting, MRO platforms, penetration testing, even policy drafting), Part-IS requires oversight of contracted activities and appropriate risk management—plus potential authority access to contracted parties.
This is where IT providers and tour operators often get surprised: your aviation customer may require evidence of your controls because they are responsible for supplier risk.
8) Write the ISMM (Information Security Management Manual) (Week 10–16)
Your ISMM should connect the dots: scope, roles, risk process, controls approach, reporting scheme, monitoring, and improvement. Authorities expect to review ISMM elements as part of oversight.
9) Train, test, and measure (Week 12–20)
Before any audit, run at least one tabletop exercise for an aviation-relevant scenario (e.g., maintenance system outage, compromised training records, supplier breach). Gather KPIs that show the ISMS is alive.
10) Perform a readiness assessment (Week 18–24)
Do a mock audit against Part-IS requirements and your own ISMM. Close gaps, collect evidence, and prepare a clean narrative for the competent authority.
A key tip: don’t “overbuild” controls. Part-IS supports proportionality, but it does not support wishful thinking.
EASA Part-IS vs ISO 27001 (how they align—and where they differ)
If you’re already ISO 27001 certified, you have a head start. EASA states Part-IS is largely consistent with ISO/IEC 27001, but adds aviation safety-specific provisions and expects aviation safety to be included in organisational risk management.
Here’s a practical comparison:
| Topic | ISO 27001 | Part-IS |
|---|---|---|
| Core structure | ISMS lifecycle (plan-do-check-act) | ISMS lifecycle, aligned but aviation-specific |
| Primary objective | Protect information & business objectives | Protect information to protect aviation safety |
| Risk assessment | Often business impact-driven | Must include aviation safety consequences |
| External reporting | Not inherently time-bound by the standard | Formal reporting expectation (e.g., ≤72 hours in specific cases) |
| Authority oversight | Certification body audits | Competent authority oversight and findings |
| Supplier controls | Required | Required, with explicit contracting/oversight expectations |
The headline isn’t “choose one.” It’s: use ISO 27001 as the foundation, then adapt to Part-IS expectations and evidence needs.
Why it’s usually better to prepare with a consultant
Could you do this alone? Possibly—if you have aviation safety expertise, information security expertise, regulatory interpretation skills, and time.
Most organisations don’t have all four available at once, which is why consulting support often pays for itself by preventing:
- Over-scoping (“we’re securing the entire universe because we’re scared”)
- Under-scoping (“IT is secure, therefore we’re compliant”)
- Evidence gaps (“we do it, but can’t prove it”)
- Authority friction (“our documents don’t match what auditors expect to see”)
In practice, a good consultant accelerates the hard parts: scope definition, risk method design, ISMM structuring, and audit-ready evidence.
Book EASA Part-IS readiness assessment
If you want the fastest way to de-risk 2026 compliance, start with a structured gap analysis and a clear, evidence-based action plan.
Book EASA Part-IS readiness assessment — and get:
- Scope confirmation and applicability mapping
- A Part-IS-aligned risk assessment review
- ISMM and reporting process gap check (including 72-hour readiness)
- Supplier/contracting compliance review
- A prioritised remediation roadmap your leadership can fund and follow
If you’re an aviation organisation (Part-145, CAMO, MRO, AOC) or a supplier (SaaS, IT, travel operations) supporting them, this is the most practical first step you can take.