Sofema Aviation (www.sofemaaviation.com ) considers the changing regulatory Landscape in 2026
Introduction
The regulatory landscape for EASA 1321/2014 has evolved rapidly, moving from a traditional focus on continuing airworthiness to a dual-track approach that includes digital resilience. As of March 2026, the industry is embracing the “Information Security Era.”
The Last 18 Months (Sept 2024 – March 2026)
This period focused on finalizing the transition of Maintenance Organizations (Part-145) into the Safety Management System (SMS) framework and launching the Information Security (Part-IS) requirements.
Part-145: Full SMS Integration
By December 2024, the transition period for Part-145 organizations to implement a fully functional SMS ended. This was a monumental shift.
- Organizations are no longer judged solely on their technical output but on their Safety Culture. This includes mandatory hazard identification, risk assessment, and the appointment of a Safety Manager.
- Note – This has also impacted U.S.-based repair stations (under the Maintenance Annex Guidance (MAG) 9agreement), who had to implement EASA-compliant SMS protocols to maintain their European approvals.
The Arrival of Part-IS (Information Security)
Regulation (EU) 2023/203 introduced the requirement for an Information Security Management System (ISMS). While Part-21 (Design/Production) organizations led the way in 2025, Part-CAMO and Part-145 spent the last 18 months drafting their Information Security Management Manuals (ISMM).
Airworthiness Review Refinements
Recent amendments in early 2026 have streamlined how Airworthiness Review Certificates (ARC) are handled during aircraft transfers. The goal has been to reduce the “bureaucratic lag” when an aircraft moves between different EASA member states by standardizing the digital documentation required for a recommendation.
Forthcoming Changes (Next 12 Months: April 2026 – March 2027)
The next year will be defined by the “Bedding-In” of cybersecurity rules and a push toward a fully digital environment.
Part-IS Enforcement and Audits
The deadline for Part-CAMO and Part-145 to comply with Part-IS has now passed. For the next 12 months, National Aviation Authorities (NAAs) will be conducting their first round of specialized “Cyber-Audits.” Organizations will need to demonstrate that they have identified their “critical information assets”—such as maintenance tracking software (e.g., AMOS, Envision) and Electronic Flight Bags (EFBs).
The “Paperless CAMO” Initiative
EASA is expected to release updated AMC (Acceptable Means of Compliance) regarding Digital Aircraft Records. This will move beyond just “scanned PDFs” toward structured data exchange. The goal is to establish a standard where a CAMO can accept a “Digital Birth Certificate” for a part or aircraft without needing a physical filing cabinet of historical records.
Challenged Best Practice Preparations
Organizations are finding it difficult to keep up with the “layering” of new regulations. Below are the primary challenges to best-practice implementation:
The “Silo” Problem Many organizations are making the mistake of keeping their Quality, Safety (SMS), and Security (ISMS) departments separate.
- Best practice now dictates an Integrated Management System (IMS) A single event may in fact be a Safety issue, a Quality issue, and an Information Security issue simultaneously. Managing these in three different environments is no longer sustainable.
Supply Chain Blind Spots Under Part-IS, a CAMO is responsible for the security of its subcontractors. Many organizations are struggling to audit their IT service providers.
- Best practice preparation now requires updating Technical Agreements to include “Right to Audit” clauses for the servers and data centers where maintenance records are hosted.
Competency Gaps There is a significant shortage of personnel who understand both Part-145 regulations and Cybersecurity. Small-to-medium enterprises (SMEs) are struggling to find an “Accountable Manager” who feels comfortable signing off on an Information Security Manual.
- The best practice is shifting toward training existing Quality Managers in basic cybersecurity frameworks rather than hiring IT staff who don’t understand aviation.
Data Integrity vs. Data Volume As maintenance records become fully digital, the “volume” of data is exploding.
- Organizations are being introduced to the potential for implementation of Automated Data Validation, where for example the software automatically flags if entered Data Does not match expected criteria.
Next Steps
Join Sofema Aviation for a CAMO Compliance Challenges webinar on Tuesday, 24 March, from 10:30 – 13:00 Sofia time. Register for the webinar here – places are limited, so be sure to secure your spot early.
Explore our extensive course library featuring 500+ aviation training courses and take the opportunity to deepen your regulatory knowledge, or email [email protected] for support.
Sofema Aviation Services (SAS) and Sofema Online (SOL) provide classroom, webinar, and online training. Please see the websites or email [email protected].
Tags:
CAMO, EASA Part 145, continuing airworthiness, Regulatory Compliance, EASA Part – CAMO, sasblogs, Sofema Online (SOL), Part-IS, sofema aviations (SAS), SMS (Safety Management System), Digital Aircraft Records
