Please don’t forget that the deadline for the implementation of an Information Security Management System (ISMS) for ATO’s, FSTD Operators, Air Operators, AeMC’s, CAMO’s, Maintenance Organizations, etc. is 22 February 2026.
Organizations that fall under the scope of the European Commission's Implementing Regulation No 2023/203 (also known as Part-IS) shall establish, implement and maintain an information security management system in accordance with the requirements of the above regulation in order to ensure the proper management of information security risks which may have an impact on aviation safety.
If you are not sure whether your organization is subject to this regulation or not, you can check Article 2 of Regulation (EU) 2023/203 that determines which organizations this regulation applies to. For example, air operators solely involved in the operation of ELA2 aircraft, or ATO’s solely involved in training activities of ELA2 aircraft (whatever this may mean) are exempted from having to comply.
Please note: Part-IS requirements are quite heavy. Organizations that fall under the scope of Part-IS must establish a whole new management system similar in complexity to their existing compliance and safety management systems, define its structure and processes, create an ISMS Manual together with the required appendices (e.g. forms), and find, train and nominate an Information Security Manager.
Complying with Part-IS requires a significant amount of time and effort, so if you haven’t started the implementation process yet, you must act right now!
Authorities will definitely verify compliance with the new regulation, and failing to comply may even lead to the suspension of the organization’s certificate.