Sofema Aviation Services (SAS) Considers Aerodrome Information Security Management System (ISMS) obligations to be observed by Feb 2026
Introduction
In today's increasingly interconnected aviation landscape, the risk to information systems is growing rapidly.
- With the proliferation of digital infrastructure supporting critical airport functions, from airside operations to baggage handling, the need for a robust Information Security Management System (ISMS) has never been more pressing.
- In response to these emerging threats, the European Union has mandated the implementation of ISMS across multiple aviation domains, including aerodromes and airports, under Commission Implementing Regulation (EU) 2023/203. This document introduces the core obligations, challenges, and timeline for achieving ISMS compliance within European airports.
Regulatory Obligations
Commission Implementing Regulation (EU) 2023/203, adopted on 27 October 2022 and published in the Official Journal of the EU on 2 February 2023, establishes the legal framework for managing information security risks with a potential impact on aviation safety.
- It mandates that all aerodrome operators certified under Regulation (EU) No 139/2014 must establish, implement, maintain, and continuously improve an ISMS in accordance with Annex II (Part-IS.I.OR) of the regulation.
- The regulation enters into force on 22 February 2023, with a fixed compliance deadline set for 22 February 2026. After this date, full compliance is legally required.
Key regulatory components include:
- Establishment of an information security policy and manual (ISMM)
- Risk assessment and treatment (IS.I.OR.205, IS.I.OR.210)
- Incident detection, reporting, response, and recovery (IS.I.OR.215 to IS.I.OR.230)
- Internal audits, monitoring, and continuous improvement (IS.I.OR.260)
- Integration with the Safety Management System (SMS) where applicable
Oversight will be carried out by national competent authorities designated under Regulation 139/2014.
Implementation Challenges within the Aerodrome Environment
The implementation of an ISMS in the aerodrome environment presents a unique set of challenges:
- System Complexity: Airports are complex ecosystems with a wide variety of interconnected systems including airside control systems, public terminal networks, baggage handling systems, and airport collaborative decision-making (A-CDM) tools.
- Third-Party Dependencies: Extensive reliance on third-party vendors such as ground handlers, IT service providers, and airlines increases the risk surface and complicates control implementation.
- Legacy Systems: Many airports operate on legacy systems that lack modern cybersecurity features, necessitating costly upgrades or compensatory controls.
- Organizational Silos: Disparate teams responsible for operations, IT, and safety may lack coordinated risk management approaches, hindering ISMS integration.
- Resource Constraints: Smaller regional airports may face difficulty in allocating financial and human resources to build and maintain an ISMS.
Overcoming these challenges requires a coordinated, risk-based implementation plan that incorporates stakeholder engagement, targeted training, and incremental system enhancements.
Implementation Timeline
The following timeline supports structured implementation toward full compliance by 22 February 2026:
Phase 1: Awareness & Planning (June to August 2025)
- Appoint ISMS Lead and secure management commitment
- Conduct internal awareness sessions and regulatory briefings
- Perform ISMS gap analysis and scope definition
Phase 2: Design & Documentation (September to October 2025)
- Develop ISMS framework, policies, and draft the ISMM
- Identify and document critical assets and interfaces
- Establish reporting schemes and stakeholder coordination mechanisms
Phase 3: Risk Management & Controls (November to December 2025)
- Complete risk assessment and define mitigation strategies
- Implement technical, physical, and procedural controls
- Launch internal reporting and external notification systems
Phase 4: Testing, Training & Audit (January 2026)
- Deliver staff training and simulation exercises
- Conduct internal audits and update ISMM
- Resolve identified non-conformities
Phase 5: Finalization & Certification Readiness (February 2026)
- Submit documentation to competent authority
- Demonstrate ISMS effectiveness and readiness
- Receive approval or findings for closure prior to the deadline
Next Steps
Follow this link to our Library to find & download related documents for Free.
Sofema Aviation Services and Sofema Online provide Classroom, Webinar and Online Training compliant with EASA Information Security & Cyber Objectives. Please see the websites or email [email protected].