February 27, 2025

Steven Bentley

Sofema Aviation Services (SAS) www.sassofia.com considers the changes introduced by Regulation (EU) 2023/203 that affect EASA Part 145 organizations, specifically the information security management requirements.

Introduction – Key changes include:

  • Mandatory Information Security Management System (ISMS):
    Part 145 organizations must establish, implement, and maintain an ISMS to manage information security risks that could impact aviation safety. This includes identifying and mitigating risks related to processes, systems, and interfaces with other organizations.
  • Risk Assessment and Treatment:
    Organizations are required to conduct structured risk assessments to identify vulnerabilities and threats, classify risks based on severity, and implement appropriate mitigation measures to reduce or eliminate unacceptable risks.
  • Incident Detection, Response, and Recovery:
    Measures must be implemented to detect deviations in system performance, respond effectively to incidents, and restore affected systems to a safe state within defined recovery times.
  • Internal and External Reporting Schemes:
    Organizations must establish reporting systems for information security incidents. Critical incidents must be reported to the competent authority and, if applicable, to the relevant design approval holders within strict timeframes.
  • Continuous Improvement:
    Organizations must assess and enhance their ISMS regularly, ensuring compliance with applicable requirements and improving security measures based on past incidents and new threats.
  • Personnel Requirements and Training:
    Adequate personnel with appropriate skills must be assigned to manage ISMS activities, and their roles and responsibilities should be clearly defined.
  • Record-Keeping and Documentation:
    Records related to information security management activities, including risk assessments, incident reports, and corrective actions, must be retained for specified periods and made accessible to relevant authorities.

These changes are designed to integrate information security management into the broader safety management framework of Part 145 organizations, aligning with evolving aviation safety and cybersecurity threats. The regulation applies from February 22, 2026, allowing organizations time to adapt.

Implementation

Implementing the information security requirements within an EASA Part 145 organization’s Safety Management System (SMS) requires integrating Part IS (Information Security) standards into the existing framework. Below is a structured plan and timeline to achieve compliance.

Timeline for Integration – Immediate Actions (0–3 Months)

Initial Preparation – Regulatory Understanding:

>> Review EASA Regulation (EU) 2023/203 and Part-IS requirements, focusing on:

  • ISMS (Information Security Management System).
  • Integration into existing SMS.
  • Assess overlaps with ISO 27001 or equivalent standards if already implemented.

Notes – Key components of ISMS under EASA include:

  • Risk assessment processes (aligned with Part IS.I.OR.205).
  • Incident reporting schemes (internal and external as per Part IS.I.OR.215 and IS.I.OR.230).
  • Record-keeping for information security incidents and risk management activities.

Integration into an Existing SMS

  • Integration ensures a seamless approach to managing both safety and information security risks.
  • Align ISMS with the SMS framework by embedding:

>> Risk management practices to cover both operational and information security risks.

>> A unified incident response mechanism that addresses information security breaches within the context of overall organizational safety.

>> Training and communication protocols to bridge knowledge gaps and foster a culture of security awareness.

>> Synchronize documentation, such as updating the Maintenance Organization Exposition (MOE) to include ISMS policies and processes.

Gap Analysis – Compare current SMS practices against the information security requirements.

  • Identify vulnerabilities in current processes, particularly in IT systems, data handling, and reporting.

Notes – Assess Existing SMS Practices

Review the current state of your SMS, including:

  • Policies and Procedures: How are safety risks currently managed? Are there provisions for managing information security risks?
  • Risk Management Framework: What is the process for identifying, assessing, and mitigating risks?
  • Incident Reporting: How are incidents reported, tracked, and resolved? Is there an existing system for handling security breaches?

Map Part-IS Requirements

  • Examine the specific requirements of EASA Regulation (EU) 2023/203 and Part-IS, including:

>> Risk Management (Part IS.I.OR.205).

>> Incident Detection, Response, and Recovery (Part IS.I.OR.215).

>> Reporting Mechanisms (Part IS.I.OR.230).

>> Continuous Improvement (Part IS.AR.235).

Compare Current Practices

  • Identify areas where your existing SMS addresses information security requirements.
  • Highlight gaps where additional controls or processes are required.

Team Formation

  • Establish an Information Security Taskforce involving SMS managers, IT security specialists, and compliance officers.

Short-Term Actions (4–6 Months)

Planning – Define Objectives: Set clear goals for integrating information security into the SMS, including risk management and incident response.

Key Goals:

  • Align Information Security with SMS Priorities:

>> Ensure that information security is treated as a core component of overall safety management.

>> Develop objectives that prioritize aviation-specific threats, such as:

  • Cyberattacks targeting operational IT systems.
  • Unauthorized access to safety-critical data.
  • Compromise of communication systems.

  • Establish a Culture of Security Awareness:

>> Build organizational awareness of information security risks through training and communication.

>> Promote a shared responsibility for information security across all departments and personnel.

  • Meet Regulatory and Industry Standards:

>> Ensure compliance with EASA Regulation (EU) 2023/203 and Part-IS requirements.

>> Integrate best practices from ISO 27001 and other relevant information security frameworks.

Next Steps

Please see the following course, available online: EASA Compliant Organization Cyber Security Responsibilities.

For questions or group enrolments, please email team@sassofia.com.
