Introduction
The European aviation landscape is undergoing a pivotal transformation in response to the rapidly evolving threat environment posed by cyber and information security risks.
Effective Feb 2026, EASA Part CAMO Organisations are required to assess, monitor, and respond to risks to information and communication systems that may impact the continuing airworthiness of aircraft and the effectiveness of safety-critical decisions.
As aviation systems become increasingly reliant on interconnected digital technologies—ranging from maintenance tracking software to remote access tools and data exchange with third-party providers—the potential for information security events to impact aviation safety is no longer theoretical but a critical operational concern.
The European Commission, through EASA, introduced Implementing Regulation (EU) 2023/203, which mandates the integration of Information Security Management Systems (ISMS) into all relevant aviation domains, including Continuing Airworthiness Management Organisations (CAMOs) under Annex Vc (Part-CAMO) to Regulation (EU) No 1321/2014.
Part-CAMO organisations are uniquely exposed to a diverse set of information security risks, given their constant interaction with digital records, maintenance data, reliability systems, remote audits, and interfaces with both Approved Maintenance Organisations (AMOs) and Operators. These risks include:
· Weak user access controls and poor credential management can enable unauthorized access to critical databases, including aircraft maintenance records, AD/SB compliance status, and reliability tracking systems.
· The widespread reliance on third-party software and external maintenance providers introduces supply chain vulnerabilities, where a single compromised vendor can expose the entire system.
· Threats to data integrity—such as manipulation or corruption of technical logs, component tracking, or reliability data—can severely undermine operational trust and safety.
· Compounding these risks, many CAMOs operate without effective real-time monitoring or alerting systems and often lack a robust internal reporting culture to flag anomalies.
· Finally, human error—whether through negligence, poor practices, or malicious intent—remains a dominant threat, including mishandling sensitive data, using unauthorized devices, or engaging in insider sabotage.
Part CAMO Organisations must conduct Information Security Risk Assessments to:
· Identify threats, assess vulnerabilities, and evaluate risks to aviation safety stemming from information systems.
· Apply the principles outlined in IS.I.OR.205, including AMC and GM content, to real-world CAMO environments.
· Develop Risk Treatment Strategies
· Ensure Incident Response and Reporting
· Support a Culture of Cybersecurity Awareness and Competence, including the development of training and competence programs for staff
Who is the course for?
The training is designed for professionals involved in EASA Part-CAMO activities, including compliance managers, IT/security staff, maintenance leaders, and aviation authorities responsible for managing or assessing cybersecurity and information security practices.
What is the Benefit of this Training – What will I learn?
- Understand and apply the principles of information security risk management in the context of Part CAMO airworthiness.
- Integrate cybersecurity safeguards into existing Part CAMO Safety Management Systems (SMS), quality systems, and compliance monitoring functions.
- Establish internal and external reporting mechanisms for information security events and incidents as required under Part-IS & (EU) 2023/203.
- Contribute to an organisational culture of digital security awareness and resilience.
Detailed Content / Topics – The following Subjects will be addressed
Day 1
General Introduction
Why Are We Seeing EASA-Mandated Regulations Related to Information Security and Cyber Security – What Will This Mean for European Aviation?
Part CAMO Information Security
Regulatory Drivers for Information Security – EASA Part CAMO
Summary of Directive (EU) 2022/2555 (NIS2 Directive)
Reference Listing of Relevant Documentation EASA Aviation Cyber Security
EASA Part CAMO Information Security Duties, Accountabilities, Responsibilities Compliant with IS.I.OR.240
Part CAMO – Gap Analysis Information Security – Cybersecurity
The Potential for Information Security / Cyber Exposure in Aircraft Maintenance Management (Part CAMO)
Identifying and Assessing Cyber Risks within EASA Part CAMO Organizations
Day 2
Information Security Reporting Criteria – External & Internal
Implementing an ISMS in an EASA-Compliant Part CAMO Organization
Information & Cyber Security – Structured Risk Assessment Considerations
EASA Part CAMO Organisation – General Overview of Cyber Security Responsibilities (Maintaining Existing Headcount)
Stakeholder Risk Information Sharing Requirements in Cybersecurity and Information Security within an EASA Part CAMO Organization
Considering Cultural Resistance & Staff Awareness in EASA Part CAMO Cybersecurity Implementation
Cyber Security & Information Security Training for EASA Part CAMO Organizations
Pre-requisites
Participants should have a basic understanding of EASA Part-CAMO regulations and general aviation safety management principles.
Target Groups
This course is intended for CAMO staff, nominated post holders, information security personnel, maintenance managers, and regulatory auditors involved in implementing or overseeing EASA Part-CAMO cyber and information security requirements.
Learning Objectives
Upon completion of this training, participants will be able to:
Understand the Information Security Regulatory Basis:
o Recognise the definitions and framework of key concepts such as “information security risk,” “incident,” “threat,” and “vulnerability”
Implement an Information Security Management System (ISMS):
a) Interpret and apply the requirements of IS.I.OR.200 & (EU) 2023/203 to design and operate an ISMS within a CAMO structure.
b) Integrate information security policies, objectives, and resources into existing safety and compliance frameworks.
What do People Say about Sofema Aviation Services Training?
“The instructor clearly had an in-depth understanding of the subject matter.”
“The duration of the course was well-suited to my expectations and needs.”
“The content was highly informative — I came away with valuable new knowledge.”
“The practical examples were clearly presented and easy to relate to.”
Duration
2 days – To commence at 09.00 and finish at 17.00, with appropriate refreshment breaks.
To register for this training, please email [email protected] or call +359 28210806