
The implementation of Information Security (IS) systems within EASA Part 145 organizations presents a series of complex challenges.
Historically, the aviation maintenance sector has been shaped by an intense focus on physical safety and operational compliance — with cybersecurity often considered outside the traditional scope. However, the introduction of EASA Part-IS, under Regulation (EU) 2023/203, mandates the integration of Information Security Management Systems (ISMS) within existing Safety Management Systems (SMS). This regulatory evolution demands a significant shift in both mindset and methodology.
Competency Gaps & Need for Specialized Skills
The core competencies within most Part 145 organizations are centered on aircraft maintenance, engineering, and operational safety — not cybersecurity. Cybersecurity is a domain requiring highly specialized knowledge, including threat intelligence, penetration testing, encryption, and network defense, competencies that typically do not exist in maintenance or CAMO teams. Organizations are often compelled to hire new personnel with IT/cybersecurity backgrounds or engage external consultants, which introduces concerns such as insider threats and data leakage from third-party access, as well as continuity risks when critical knowledge resides outside the organization.
Observation: The heavy reliance on external IT support is perceived as a vulnerability. Granting third parties access to critical aviation data and systems significantly raises the risk of internal compromise, a concern echoed across the sector.
Complexity of Integration with Existing SMS
EASA Part 145 organizations are already governed by rigorous SMS frameworks. The addition of ISMS requirements introduces significant integration complexity. ISMS and SMS manage fundamentally different threat landscapes: SMS focuses on human error and operational risks, while ISMS focuses on technological vulnerabilities such as hacking, data breaches, and ransomware. Aligning these requires a cross-functional approach that bridges maintenance, quality assurance, IT, and security teams — groups that traditionally operate in silos.
Key Questions Raised: How can ISMS risk assessments be harmonized with existing SMS methodologies? Should responsibility lie with the Quality Department, the IT Department, or a dedicated Cybersecurity Office? How can existing tools (e.g. BowTie risk models) be adapted to encompass cybersecurity threats?
Lack of Internal Expertise & Regulatory Clarity
There remains a significant knowledge gap within the aviation maintenance sector when it comes to cybersecurity and ISMS implementation. Detailed EASA guidance on ISMS risk assessment frameworks is still pending. While ISO/IEC 27001 is widely regarded as best practice, it is not explicitly mandated under current EASA regulations, resulting in ambiguity around the required compliance approach.
Open Questions: Are organizations free to adopt any recognized ISMS methodology (e.g. NIST, ISO 27001)? What level of documentation detail is expected, and how should it integrate with the Maintenance Organisation Exposition (MOE)?
Organizational Structure & Accountability
The implementation of Part-IS introduces uncertainty around governance and organizational accountability. Should cybersecurity oversight fall under the existing Quality or Compliance Department? Should a new Nominated Post Holder (NP) for Information Security be appointed? Who should lead ISMS audits — Quality, IT, or a dedicated internal audit function?
Key Questions Raised: Does the Accountable Manager bear ultimate responsibility for ISMS, as with SMS? How should audits be structured to evaluate ISMS effectiveness alongside SMS performance?
Disproportionate Impact on Smaller Organizations
For smaller Part 145 organizations — particularly those with fewer than 50 employees — the challenges are magnified. Resource constraints limit their ability to build in-house cybersecurity capabilities. High initial setup costs for ISMS frameworks, coupled with greater dependence on external IT providers, increase exposure to supply chain threats.
Key Questions Raised: Will EASA offer proportional or tiered compliance models for smaller organizations? Can subcontracted IT services be used to meet ISMS obligations?
Third-Party and Supply Chain Risks
Part 145 organizations rely heavily on third-party suppliers for maintenance data, IT systems, and component support — all of which introduce external cybersecurity risk. A breach within the supplier network can compromise internal systems. Suppliers may operate under different jurisdictions, complicating oversight and contractual accountability.
Key Questions Raised: Will EASA Part-IS extend cybersecurity requirements to cover subcontractors and supply chain partners? How should cybersecurity risk be shared or transferred contractually?
Long-Term Operational and Cultural Shift
The implementation of ISMS represents more than a compliance exercise — it requires a fundamental shift in organizational culture. Maintenance and operations personnel must become proficient in information security practices. Unlike physical incidents, cyber incidents may lack immediate visibility, making it harder to instill urgency. Increased focus on data protection may introduce operational constraints, impacting flexibility and turnaround times.
Conclusion
The integration of ISMS into the EASA Part 145 environment is a necessary step toward aligning aviation maintenance with today’s digital threat landscape. However, it also presents a multi-dimensional challenge involving regulatory ambiguity, skill shortages, structural uncertainty, and cultural resistance. Proactive engagement, cross-department collaboration, and investment in specialized training will be essential to achieving successful and sustainable compliance with EASA Part-IS.