EASA Part-IS: the deadlines have passed
For organisations within the Part-IS scope, compliance now enters the operational evidence phase.
The EASA Part-IS framework set two application dates:
- 16 October 2025 for organisations covered by Delegated Regulation (EU) 2022/1645;
- 22 February 2026 for organisations and competent authorities covered by Implementing Regulation (EU) 2023/203.
By the applicable date, organisations were required to have an information security risk management system capable of protecting civil aviation safety. Now the more demanding phase begins: proving that the system is actually operational.
Under EASA's oversight approach, the ISMS must be shown to be in place, adequate, and increasingly able to produce evidence of how it functions.

For competent authorities, in Italy ENAC for the entities under its remit, verification can therefore focus on a number of core elements.
Governance and accountability
- The accountable manager must be able to demonstrate how information security decisions are made, approved, and reviewed.
- Roles, delegations, resources, and escalation flows must be clearly defined and consistent with the organisation.
Dynamic risk assessment
- The risk assessment must reflect the current state of systems and activities.
- Operational changes, new suppliers, evolving threats, and technological updates must trigger risk re-evaluation and updates to the risk register.
Incident management and testing
- Procedures and plans must be exercised periodically.
- Test evidence must document response times, decisions made, issues identified, and corrective actions taken.
ISMS and SMS integration
- Information security risks capable of affecting safety require a structured link between the ISMS and the Safety Management System.
- Responsibilities, information flows, indicators, and incident management processes must be consistent at the points where cybersecurity and operational safety intersect.
Training and awareness
- Personnel must know their responsibilities and how to act in the event of an incident.
- Training pathways, participation, learning verification, and periodic updates must produce verifiable evidence.
EASA assesses systems that are in place, adequate, and operational, sustained through oversight, testing, and continuous improvement.
Many organisations have focused their efforts on building the documentation framework. The current phase requires verifying that it holds up over time and can withstand an oversight review.
This is the moment to identify any gaps, consolidate evidence, and strengthen the integration between safety governance and cyber risk management.
Magis & Partners supports airlines, airports, and aeronautical organisations in preparing for EASA Part-IS audits and in strengthening integrated governance between SMS and ISMS.
👉 Contact us to discover our Part-IS readiness assessment methodology.
#EASA #PartIS #AviationSecurity #CyberSecurity #Safety #ISMS #SMS #RiskManagement #Governance #ENAC










