RiskInsight

The cybersecurity & digital trust blog by Wavestone's consultants

Part-IS in 2026: from regulatory framework to operational reality

Following an initial phase focused on understanding the scope and framework of Part-IS and on drafting Information Security Management Systems (ISMS), the aviation sector has entered a new phase. In 2026, Part-IS is no longer a theoretical or purely documentary topic — it has become a matter of operational deployment, with clear expectations from authorities and regulatory adjustments designed to facilitate its implementation. 

Where does the sector stand? 

The rise of Part-IS has been gradual. After the progressive entry into force of the texts in 2022 and 2023, 2025 was marked by the preparation of compliance files and the structuring of ISMS.

Since 22 February 2026, the implementing regulation has been fully applicable, meaning that new scopes are now covered — in particular, maintenance and repair activities through Part-145. Part-IS now applies across the entire operational chain, from design through to operations and support. 

Today, the organisations concerned by Part-IS have acknowledged the subject and submitted their ISMS. In this context of broad engagement, EASA has on its side adjusted the framework by clarifying and easing certain modalities through the update of the Part-IS AMC and GM. 

EASA provides for an 18-month development phase after the applicability date to reach a fully operational implementation. This progression can be read simply in three steps: a system that is first present and suitable (P+S), then operational (O), before reaching effective long-term functioning (E). 

The EASA updates: what changes in practice? 

In late 2025, EASA updated the AMC and GM relating to Part-IS and consolidated these changes in a new version of the associated Easy Access Rules. 

In concrete terms, these changes introduce several significant easements: 

  • Declared organisations no longer need prior approval of their ISMS.
    • As a reminder, approved organisations are subject to a formal approval process by the authority (EASA or national authority). They must obtain approval, have their ISMS manual approved, and submit certain modifications for prior validation — unlike declared organisations, which are supervised ex post by the authority. The list of declared organisations subject to Part-IS can be found here. 
  • ISMS modifications, when covered by a defined internal procedure, no longer require formal sign-off from the authority: a notification is sufficient. 
  • The role of the authority is refocused on supervision and audit, rather than on a systematic approval logic. 

However, expectations remain the same: the ISMS (SGSI in the regulatory sense) must be robust, consistent, traceable, and genuinely applied. The relief brought by the AMC and GM update is therefore administrative, not operational. 

On the ground, this resonates with the first OSAC feedback on ISMS: governance around the ISMS appears as a central point. Authorities are paying increased attention to the cybersecurity dimension that identified actors must demonstrate. Document quality is also scrutinised — not only in substance, but also in form (structure, consistency…). 

The five key challenges for scaling Part-IS across the sector 

Beyond these initial observations, we have seen during our support engagements that the implementation of Part-IS brings five recurring challenges for most organisations: governance & coordination, inventory validation, completion of risk analyses, training of managers and teams, HR constraints and personnel controls. 

The most time-consuming, however, remains the risk analysis — particularly for large multi-site organisations. This can no longer be purely centralised; it must be broken down locally, integrating the realities of each site, functional chains, and subcontractors. This holistic approach is demanding, but essential to demonstrate consistent application of Part-IS. 

A pragmatic approach to scaling up 

Faced with these challenges, the key lies in anticipating deployment. An effective ISMS relies on a solid common foundation, but also on concrete tools enabling local adaptation: templates, guides, risk analysis methods tailored to operational realities. 

The success of Part-IS depends on coordination between cybersecurity teams, business teams, and quality and compliance functions. Part-IS is not an additional layer: it is a cross-cutting framework that durably structures cyber risk management in the service of aviation safety. 

Conclusion 

In 2026, Part-IS enters its implementation phase. The consolidation of the AMC/GM sets a clear baseline and reduces the administrative burden compared to the first version. 

In addition, the late-2025 updates notably extended the scope of Part-IS.D.OR to ground handling service providers via Delegated Regulation (EU) 2025/22 amending (EU) 2022/1645, applicable from 27 March 2031. No immediate operational impact in 2026, but a useful signal to anticipate interface mapping — with no short-term urgency. 

Prev post StormCell: How our blue team scales up incident response

On the same topic

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top