May 30, 2025

Steven Bentley

Sofema Aviation Services (SAS) considers the key issues faced by an EASA Part-CAMO organisation when implementing the Part-IS requirements of Regulation (EU) 2023/203

Introduction

The European aviation landscape is undergoing a pivotal transformation in response to the rapidly evolving threat environment posed by cyber and information security risks.

Effective Feb 2026, EASA Part-CAMO organisations are required to assess, monitor, and respond to risks to information and communication systems that may impact the continuing airworthiness of aircraft and the effectiveness of safety-critical decisions.

As aviation systems become increasingly reliant on interconnected digital technologies—ranging from maintenance tracking software to remote access tools and data exchange with third-party providers—the potential for information security events to impact aviation safety is no longer theoretical but a critical operational concern.

The European Commission, through EASA, introduced Implementing Regulation (EU) 2023/203, which mandates the integration of Information Security Management Systems (ISMS) into all relevant aviation domains, including Continuing Airworthiness Management Organisations (CAMOs) under Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014.

Part-CAMO organisations are uniquely exposed to a diverse set of information security risks, given their constant interaction with digital records, maintenance data, reliability systems, remote audits, and interfaces with both Approved Maintenance Organisations (AMOs) and Operators. These risks include:

  • Weak user access controls and poor credential management can enable unauthorised access to critical databases, including aircraft maintenance records, AD/SB compliance status, and reliability tracking systems.
  • The widespread reliance on third-party software and external maintenance providers introduces supply chain vulnerabilities, where a single compromised vendor can expose the entire system.
  • Threats to data integrity, such as manipulation or corruption of technical logs, component tracking, or reliability data, can severely undermine operational trust and safety.
  • Compounding these risks, many CAMOs operate without effective real-time monitoring or alerting systems and often lack a robust internal reporting culture to flag anomalies.
  • Finally, human error, whether through negligence, poor practices, or malicious intent, remains a dominant threat, including mishandling sensitive data, using unauthorised devices, or engaging in insider sabotage.

Part-CAMO organisations must conduct Information Security Risk Assessments to:

  • Identify threats, assess vulnerabilities, and evaluate risks to aviation safety stemming from information systems.
  • Apply the principles outlined in IS.I.OR.205, including the AMC and GM content, to real-world CAMO environments.
  • Develop risk treatment strategies.
  • Ensure incident response and reporting.
  • Support a culture of cybersecurity awareness and competence, including the development of training and competence programmes for staff.

Next Steps

Related documents are available for free download from the SAS Library.

Sofema Aviation Services and Sofema Online provide classroom, webinar and online training compliant with the EASA Information Security & Cyber Objectives. Please see the websites or email [email protected].
