New Part-IS Regulation is Set to Transform the Aviation Sector’s Approach to Cyber Security Management

27 February 2024

By Lawrence Baker

The aviation industry is rapidly adopting new technologies to improve efficiency and safety, reduce costs, and enhance the passenger experience.  

However, this adoption increases connectivity, and the sector’s cyber security risks increase as a result. The rapid adoption of emerging digital technologies is partly why the EU introduced the Part-IS regulation in 2022: to establish a framework for managing cyber risks in the aviation sector.

What is the Part-IS regulation?

Standing for “Part of the Implementing Regulation (EU) 2023/203 on Information Security in the Aviation System,” Part-IS establishes a unified set of rules and guidelines, aiming to ensure that entities within the aviation sector achieve a fundamental level of cyber security. This harmonization is crucial in maintaining safety and security standards in an industry that is increasingly reliant on digital technologies. 

A key component of Part-IS is the need for robust cyber security management systems. This means having processes in place to identify cyber risks, protect against attacks, detect suspicious activity, respond effectively to incidents, and recover normal operations.  

We're helping aviation companies assess their security posture, identify gaps, and implement controls aligned to industry best practices and Part-IS expectations. 

 

Consequences of Non-Compliance 

Failure to comply with Part-IS can lead to significant repercussions for licensed aviation organizations. The National Aviation Authorities (NAAs) may issue a warning letter, impose fines, or, in severe cases, suspend or revoke the operating certificate.

 

Who is Affected?  

Part-IS applies broadly to NAAs and virtually all licensed aviation organizations globally, including aerodrome operators, air operators, air navigation service providers, designers, manufacturers, maintainers, continuing airworthiness management organizations (CAMOs), and trainers. The regulation's extensive scope ensures comprehensive enhancement of safety and security across the aviation ecosystem. The deadlines for compliance are currently set for Q4 2025 and Q1 2026, depending on what type of organization you are within the aviation sector and supply chain.

Our top 5 tips for achieving Part-IS compliance

1. Perform regular risk assessments. Conduct thorough cyber security risk assessments to identify vulnerabilities in your systems, networks, and processes. Your risks should be evaluated in the context of your critical operations and data. 

2. Develop robust cyber security policies and procedures. Document your cyber security management controls and ensure they align with industry standards like ISO 27001, NIST and NIS2. Policies should cover asset management, access controls, vulnerability management, incident response, and more. 

3. Provide cyber security training. Educate your IT and operational staff, as well as your customers, on cyber risks and their collective role in protecting systems and data. Training helps build a culture of security awareness. 

4. Monitor networks proactively. Implement continuous monitoring solutions to detect cyber intrusions in real-time. Utilize technologies like Security Information and Event Management (SIEM), intrusion detection, and file integrity monitoring. 

5. Test defenses through simulations. Conduct periodic red team or attack path mapping exercises and vulnerability scans to test the effectiveness of your controls against real-world attack techniques. Use results to identify and remediate gaps. 

These tips will help aviation companies implement a systematic approach to managing cyber security and demonstrate Part-IS compliance. Partnering with experienced cyber security firms can also provide expertise and resources to build robust defenses tailored to the aviation sector. 

 

How we’re helping the aviation sector to prepare:

NCC Group's specialist transportation practice understands aviation companies' unique challenges in complying with Part-IS. As a leading cyber security business that's supported the aviation sector for over 30 years, we're well-positioned to help clients meet regulatory requirements and protect their systems and data. 

We also assist with continuous monitoring of networks to detect potential intrusions rapidly. Our international network of manned security operations centers (SOCs) provides 24/7 threat detection and response capabilities specifically tuned to the needs of the aviation sector. We leverage cutting-edge technologies like AI and machine learning to analyze massive amounts of data and identify anomalies that could indicate a cyber-attack.

In addition, NCC Group provides incident response (IR) services, retainers, and playbooks customized for aviation networks. Having an IR plan in place, as per the Part-IS requirements, allows companies to react quickly and effectively in the event of a confirmed breach. Our expert first responders have experience containing advanced threats targeting industrial control systems commonly used in aviation. 

Aviation companies must assess their data flows, provide privacy training to employees, and implement data minimization techniques. Companies often already have measures in place to address data protection, e.g., GDPR compliance, and can build upon existing security programs to include safety risks. While Part-IS is primarily focused on addressing risks to the availability and integrity of information assets, there are some aspects of confidentiality that need to be considered. Our data discovery services identify where regulated data resides within complex IT environments. We can also provide an online exposure monitoring service that can find leaked data from your company on the clear, deep, or dark web, and we'll remedy anything we find.

Staying on top of continuously evolving cyber threats is challenging. That’s why NCC Group offers cyber threat intelligence feeds providing real-time updates on risks relevant to the aviation sector. We also perform regular simulated attacks to test the resilience of security programs against advanced adversaries. 

Lawrence Baker

Aerospace Technical Lead, NCC Group

Since joining NCC Group's Transport Assurance practice in 2018, Lawrence Baker has worked with Government, operators, system providers, and academia on improving the cyber resiliency of the transport sector. He has delivered services in all transport modes for clients across the globe—most notably in the automotive and aerospace sectors.

He has almost two decades of experience working within the transport industry, much of this as a chartered engineer on major engineering programs in civil aerospace and railway. Lawrence has a strong systems security engineering focus, understanding both the technical qualities of products and the organizational processes to develop and operate them.

Want to talk to an expert? 

Meeting Part-IS requires a holistic approach to cyber security - people, processes, and technologies. Learn how we’re helping aviation companies secure their systems, demonstrate compliance, and focus on their mission of moving people and cargo safely and efficiently.