Aviation Cybersecurity (Part-IS / NIS2)
Aviation information security management under EASA Part-IS and EU NIS2 — ISMS requirements for ANSPs, ATM/ANS organisations, and the broader civil aviation community
Definition
Part-IS is the EASA framework that requires civil aviation organisations to establish, implement, maintain, and continuously improve an Information Security Management System (ISMS) covering information security risks with a potential impact on aviation safety.
The framework is implemented by two EU regulations:
Regulation (EU) 2022/1645 (Delegated Regulation) covers design organisations, production organisations, and aerodrome operators. It became applicable on 16 October 2025.
Regulation (EU) 2023/203 (Implementing Regulation) covers air operations (AIR OPS), aircrew, ATM/ANS organisations, ATCO training organisations, and continuing airworthiness management organisations (CAMOs). It became applicable on 22 February 2026.
Both regulations sit beneath the EASA Basic Regulation (EU) 2018/1139 and are supported by Acceptable Means of Compliance (AMC) and Guidance Material (GM) published by EASA.
The scoping concept is the "potential impact on aviation safety": only those information security risks that could degrade safety-critical operations fall within the Part-IS perimeter. This safety-security interface is what distinguishes Part-IS from generic IT security and from broader NIS2 obligations.
Regulatory Basis
EASA Part-IS
Both Part-IS regulations amend existing EASA implementing rules. Regulation (EU) 2023/203 inserts information security requirements into Annexes to Regulations (EU) 965/2012 (AIR OPS), 1178/2011 (aircrew), 1035/2011 (ATM/ANS), 1321/2014 (continuing airworthiness), and 2015/340 (ATCO licensing). The amendments add a new Part-IS annex defining ISMS requirements, competent authority oversight obligations, and management of change procedures.
EASA has published AMC and GM to Part-IS explaining how to implement the ISMS, including guidance on scope definition, risk assessment methodology, acceptable security controls, incident reporting to competent authorities, and the safety-security interface.
EU NIS2 Directive
Directive (EU) 2022/2555 (NIS2) required EU Member States to transpose it by 17 October 2024. NIS2 imposes cybersecurity risk management measures and multi-stage incident reporting obligations on essential and important entities in critical sectors, including air transport.
Part-IS and NIS2 operate under a lex specialis principle: compliance with Part-IS satisfies the equivalent NIS2 obligations in the aviation domain. Where an entity is subject to both regimes, national supervisory authorities are expected to coordinate oversight to avoid duplication. Non-EU Member States and non-EASA-scope organisations are not bound by Part-IS but may reference it as best practice for their own ISMS design.
ICAO framework
Annex 17 (Aviation Security), §4.9 establishes global SARPs on cyber threats. Standard 4.9.1 requires States to ensure operators and entities identify critical ICT systems and data, and implement protective measures according to a risk assessment. Recommended Practice 4.9.2 addresses confidentiality, integrity, and availability, including security by design, supply chain security, and network separation.
Assembly Resolution A41-19 (2022) urges States to implement the ICAO Aviation Cybersecurity Strategy and Cybersecurity Action Plan. It calls for risk-based, cross-cutting governance across all aviation disciplines and for harmonised national competent authority designation.
AN-Conf/14 Recommendation 4.2/1 (Doc 10209, 2022) calls on States to develop national cybersecurity plans for civil aviation, align them with regional plans, and report implementation experience to ICAO.
PANS-IM (Doc 10199), §6.3 requires all SWIM stakeholders to implement an information security framework ensuring confidentiality, integrity, and availability of information and information services. Guidance is provided in the Manual on Information Security (Doc 10204).
Operational Meaning
For an ANSP or ATM/ANS organisation, Part-IS translates into a structured management system obligation comparable in architecture to the safety management system (SMS) required by Annex 19 and the EASA management system implementing rules.
The ISMS must cover:
- Information assets whose compromise could affect safety-critical operations: ATC automation systems, surveillance data processors, aeronautical data services, data link ground stations, SWIM interfaces, meteorological feed integrations, and associated networks.
- Risks to confidentiality, integrity, and availability of those assets.
- Controls proportionate to the assessed risk.
- Detection, response, and recovery capabilities.
- Reporting of significant incidents to the competent authority.
- Supply-chain and third-party controls, since ANSPs receive data and services from external providers that may themselves introduce risk.
In practice, Part-IS pushes ANSPs to align with established information security standards (such as ISO/IEC 27001) while making aviation-safety impact the primary scoping criterion. Organisations already holding ISO/IEC 27001 certification can leverage their existing ISMS and map it to Part-IS requirements, though the safety nexus must be explicitly addressed in the scope and risk assessment.
Framework Structure
Regulatory layering
The aviation cybersecurity framework operates at four nested levels:
- ICAO global layer — Annex 17 §4.9, Assembly Resolution A41-19, Aviation Cybersecurity Strategy and Action Plan, PANS-IM §6.3, Doc 10204.
- EU regional layer — Basic Regulation 2018/1139; Regulation (EU) 2022/1645 (Delegated, from 16 Oct 2025); Regulation (EU) 2023/203 (Implementing, from 22 Feb 2026); AMC/GM to Part-IS; NIS2 Directive 2022/2555 as the overarching EU cyber framework.
- National layer — EU Member State NIS2 transposition legislation; national aviation authority (NAA) oversight programme for Part-IS; ICAO Annex 17 implementation for non-EU States.
- Organisational layer — the ISMS: policy, risk register, treatment plan, monitoring capabilities, incident log, competence records, management review.
ISMS lifecycle
The ISMS lifecycle under Part-IS follows a Plan-Do-Check-Act (PDCA) cycle anchored to aviation-safety impact:
Plan: Establish scope (safety-relevant information assets); define information security policy; conduct information security risk assessment (ISRA); select treatment options.
Do: Implement controls; deploy monitoring and detection; train personnel; manage supply-chain security; apply changes through the management of change process.
Check: Monitor, measure, and audit ISMS performance; review incidents; assess residual risk; report to management.
Act: Implement improvements; update risk register; update policy; report significant events to the competent authority.
External Sources
- https://www.easa.europa.eu/en/domains/cyber-security/part-is - EASA Part-IS landing page; framework overview and AMC/GM links
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1645 - Regulation (EU) 2022/1645 full OJ text (Delegated; design, production, aerodromes)
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203 - Regulation (EU) 2023/203 full OJ text (Implementing; ATM/ANS, AIR OPS, etc.)
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555 - Directive (EU) 2022/2555 (NIS2) full OJ text
- https://www.icao.int/Security/CyberSecurity/Pages/Cyber-Strategy.aspx - ICAO Aviation Cybersecurity Strategy overview
- https://www.icao.int/Security/CyberSecurity/Pages/Action-Plan.aspx - ICAO Cybersecurity Action Plan
- https://www.easa.europa.eu/en/document-library/acceptable-means-of-compliance-and-guidance-material/amc-and-gm-part-is - EASA AMC and GM to Part-IS
References
Annex 17 (Aviation Security), Chapter 4, §4.9.1 — Standard requiring States to ensure operators identify critical ICT systems and data used for civil aviation and implement protective measures per risk assessment (authoritative source — not in local library for §4.9 cyber-specific provisions; Twelfth Edition, 2022).
Annex 17, Chapter 4, §4.9.2 — Recommended Practice on confidentiality, integrity, availability; security by design; supply chain; network separation; remote access limitation.
Doc 10184 (Assembly Resolutions in Force, 41st Session, 2022), Resolution A41-19 — Urges States to implement ICAO Aviation Cybersecurity Strategy and Action Plan; risk-based cross-cutting approach; national governance.
Doc 10209 (AN-Conf/14 Report, 2022), Recommendation 4.2/1 — States to develop national plans; align with regional air navigation, safety, and security plans; integrated management of cyber risks in ANSPs.
Doc 10199 (PANS-IM), Chapter 6, §6.3 — Information security framework for SWIM stakeholders: confidentiality, integrity, availability; classification by security category; guidance in Doc 10204.
Annex 10, Volume III, §1, Note 5 — Information security provisions referenced to PANS-IM (Doc 10199) in context of SWIM and ATN.
Regulation (EU) 2022/1645 (EASA Delegated Regulation; design, production, aerodrome operators), applicable 16 October 2025 (authoritative source — not in local library; eur-lex.europa.eu).
Regulation (EU) 2023/203 (EASA Implementing Regulation; ATM/ANS, AIR OPS, aircrew, ATCO training, CAMOs), applicable 22 February 2026 (authoritative source — not in local library; eur-lex.europa.eu).
Directive (EU) 2022/2555 (NIS2), transposition deadline 17 October 2024 — EU-wide cyber risk management and incident reporting framework; lex specialis relationship with Part-IS for aviation entities (authoritative source — not in local library; eur-lex.europa.eu).
Doc 10204 (Manual on Information Security) — ICAO guidance on information security categories, risk assessment, and controls for aviation information systems (authoritative source — not in local library).
Related topics
Detailed working notes on the EASA Part-IS information security framework and its ICAO, EU NIS2, and national regulatory context.
This folder expands the summary in topics/part_is.md into per-aspect files so each can be read on its own.
Files in this folder
- overview.md — what Part-IS is, where it sits in the ICAO/EASA/EU framework, and why it matters for ANSPs and ATM/ANS organisations.
- components.md — the twelve building blocks of a Part-IS ISMS.
- blocks.md — the four regulatory layers (ICAO / EU Part-IS / NIS2 / national) and the two Part-IS applicability phases; mermaid diagram.
- threads.md — the six functional axes of aviation cybersecurity governance (governance, risk management, detection/monitoring, incident response, supply-chain, safety interface).
- modules.md — anatomy of a Part-IS ISMS implementation; worked example of an information security risk assessment (ISRA) cycle.
- enablers.md — regulatory prerequisites, CNS/IT infrastructure elements, training, certification, and institutional arrangements.
- performance_objectives.md — KPA contribution matrix; security KPIs and how they map to the ICAO KPA framework.
- timeline.md — historical evolution from ICAO Annex 17 cyber provisions through the Part-IS regulations to NIS2 transposition.
- references.md — consolidated ICAO, EU, and external references.
Reading order
Start with overview.md, then blocks.md for the regulatory layering, then threads.md for the functional axes, then components.md for the ISMS building blocks. modules.md gives a worked example. enablers.md, performance_objectives.md, timeline.md, and references.md are reference material for deeper study.
Source basis
Content is grounded in:
- ICAO Annex 17 (Aviation Security), Twelfth Edition, 2022, §4.9.
- ICAO Assembly Resolution A41-19 (Doc 10184), 2022.
- ICAO AN-Conf/14 Report (Doc 10209), 2022, Recommendation 4.2/1.
- ICAO PANS-IM (Doc 10199), First Edition, 2024, §6.3.
- Regulation (EU) 2022/1645 (EASA Delegated, design/production/aerodromes).
- Regulation (EU) 2023/203 (EASA Implementing, ATM/ANS/AIR OPS/etc.).
- Directive (EU) 2022/2555 (NIS2).
- EASA AMC and GM to Part-IS.
- ICAO Doc 10204 (Manual on Information Security).
What Part-IS is
Part-IS is the EASA implementing rule framework that requires civil aviation organisations to establish, implement, maintain, and continually improve an Information Security Management System (ISMS) covering information security risks that have a potential impact on aviation safety.
The name derives from "Part Information Security." It is implemented through two EU regulations:
- Regulation (EU) 2022/1645 (Delegated): covers design organisations, production organisations, and aerodrome operators. Applicable from 16 October 2025.
- Regulation (EU) 2023/203 (Implementing): covers ATM/ANS organisations, air operations (AIR OPS), aircrew licensing, ATCO training organisations, and continuing airworthiness management organisations (CAMOs). Applicable from 22 February 2026.
The defining criterion is potential impact on aviation safety. Part-IS is not a generic IT security framework; it targets the subset of information security risks whose realisation could degrade safety-critical operations. This keeps the scope proportionate and focuses management effort where it matters most: ATC automation, data link infrastructure, surveillance data chains, aeronautical information services, SWIM interfaces, and their supply chains.
Where Part-IS sits in the ICAO/EASA/EU framework
Part-IS sits at the intersection of three frameworks:
1. EASA airworthiness and operational rules. Both regulations amend existing EASA implementing rules (AIR OPS, ATM/ANS, aircrew, CAMO, ATCO training) by inserting a Part-IS annex. They derive their mandate from the EASA Basic Regulation (EU) 2018/1139, which requires EASA to develop implementing rules for all aspects of civil aviation safety including cybersecurity. Competent authority oversight of Part-IS compliance sits with the national aviation authority (NAA) of each Member State, with EASA setting the standards.
2. EU NIS2 Directive. Directive (EU) 2022/2555, transposed by Member States by 17 October 2024, establishes EU-wide cybersecurity risk management and incident reporting obligations for essential and important entities. Aviation entities (ANSPs, airlines, airports) are in scope as transport-sector critical infrastructure. Part-IS acts as lex specialis: compliance with Part-IS satisfies the NIS2 obligations in the aviation domain, and national supervisory authorities coordinate oversight to avoid duplicating requirements.
3. ICAO global framework. Annex 17 §4.9 sets global Standards and Recommended Practices on cyber threats. ICAO Assembly Resolution A41-19 and the Aviation Cybersecurity Strategy and Action Plan provide the strategic framework. PANS-IM (Doc 10199) §6.3 mandates an information security framework for SWIM stakeholders globally. Part-IS is the EU regional implementing rule that gives concrete, binding content to these global provisions for EASA-scope organisations.
Why it matters for ANSPs and ATM/ANS organisations
ANSPs sit at the intersection of multiple threat vectors:
- Data link and communications: VHF voice networks, ACARS, CPDLC (ATN B2), ADS-C, and SWIM feeds are increasingly IP-connected and reachable from external networks.
- Surveillance: ADS-B receivers process unauthenticated aircraft broadcasts; Mode S secondary radar feeds flow through networked ground chains.
- ATM automation: trajectory processors, conflict detection tools, flow management systems, and ATIS broadcast systems run on commercial operating systems that accumulate vulnerabilities.
- Aeronautical information: NOTAM distribution, digital AIP, SWIM aeronautical data services depend on authenticated, integrity-verified feeds.
- Third-party dependencies: network operators, meteorological service providers, and inter-ANSP data sharing partners all expand the attack surface.
A successful compromise of any of these chains could lead to incorrect traffic information, loss of separation assurance, or disruption of flow management services — all with potential safety consequences. Part-IS forces an ANSP to document these risks explicitly, treat them proportionately, and maintain the controls that keep residual risk within tolerable bounds.
How Part-IS relates to the safety management system
Annex 19 (Safety Management) requires ANSPs and ATM/ANS organisations to maintain a Safety Management System (SMS). Part-IS adds an ISMS that is conceptually parallel: where the SMS manages safety risks from operational, technical, and human factors, the ISMS manages information security risks that could generate safety events.
EASA guidance encourages organisations to integrate their ISMS and SMS risk processes — sharing hazard identification inputs, aligning management review cadence, and ensuring that a security incident triggers a parallel safety risk assessment where the two are linked. This safety-security interface is the conceptually novel element of Part-IS compared with conventional IT governance frameworks.
References
- Regulation (EU) 2022/1645 (EASA Delegated Regulation; design, production, aerodrome operators), applicable 16 October 2025 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1645).
- Regulation (EU) 2023/203 (EASA Implementing Regulation; ATM/ANS, AIR OPS, aircrew, ATCO training, CAMOs), applicable 22 February 2026 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- Directive (EU) 2022/2555 (NIS2), transposition deadline 17 October 2024 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555).
- Annex 17 (Aviation Security), Twelfth Edition, 2022, Chapter 4, §4.9 — Cyber threat provisions (authoritative source — not in local library for §4.9 standalone; present in local library at Annexes/an17_cons.md:909).
- Doc 10184 (Assembly Resolutions in Force, 41st Session), Resolution A41-19 — Addressing Cybersecurity in Civil Aviation; ICAO Cybersecurity Strategy and Action Plan.
- Doc 10209 (AN-Conf/14 Report, 2022), Recommendation 4.2/1 — Aviation cybersecurity; States to develop national plans; ANSP integrated cyber risk management.
- Annex 19 (Safety Management), Second Edition — SMS requirements for ANSPs and ATM/ANS organisations; safety-security interface context.
- Doc 10199 (PANS-IM), Chapter 6, §6.3 — Information security framework for SWIM stakeholders.
The twelve ISMS building blocks under Part-IS
Part-IS requires an Information Security Management System (ISMS) that covers the full lifecycle of information security risk management for aviation-safety-relevant information assets. The ISMS is composed of twelve building blocks, grouped here into four functional clusters.
Cluster A — Foundation
The foundation cluster establishes the organisational context and sets the rules of engagement for the entire ISMS.
- A1. Scope and context definition. The organisation defines which information assets, systems, processes, and interfaces are within the Part-IS scope. The scoping criterion is potential impact on aviation safety. Assets with no plausible safety consequence are excluded, keeping the ISMS focused. Typical in-scope assets for an ANSP: ATC automation systems, surveillance data chains, aeronautical data services, data link ground infrastructure, SWIM interfaces, meteorological feed integrations, network perimeter devices.
- A2. Information security policy. A documented, management-approved policy that states the organisation's commitment to protecting information assets commensurate with their safety importance. The policy sets the principles: risk-based approach, continual improvement, compliance with applicable regulations (Part-IS, NIS2), and the relationship to the safety management system (SMS). The policy is communicated to all personnel and relevant external parties.
- A3. Roles, responsibilities, and competence. Defined accountabilities: a named information security manager or equivalent, management oversight responsibility, operational roles (asset owners, system administrators, incident handlers), and third-party interface owners. Personnel must be competent for their information security responsibilities through qualification, training, or experience. Competence records are maintained.
Cluster B — Risk management
The risk management cluster is the analytical engine of the ISMS and the primary value-delivery element of Part-IS.
- B4. Information security risk assessment (ISRA). A structured identification, analysis, and evaluation of information security risks to in-scope assets. For each risk, the assessment considers the threat (internal or external adversary, accidental failure, supply-chain compromise), the vulnerability (technical or procedural gap), and the potential safety consequence. Risks are scored against agreed acceptance criteria. The ISRA is documented, traceable, and reviewed at defined intervals or following significant change.
- B5. Risk treatment. For each unacceptable risk, the organisation selects a treatment option: modify (implement controls to reduce likelihood or impact), retain (accept residual risk with documented justification), avoid (cease the activity), or share (transfer risk through contract or insurance where applicable). A risk treatment plan documents the selected controls, responsible owners, implementation timelines, and residual risk. The residual risk is formally accepted by management.
- B6. Security controls. The technical and organisational measures that implement the risk treatment decisions. Control families relevant to aviation cybersecurity include: access control and identity management; network architecture and segmentation; patch and vulnerability management; configuration management; cryptographic controls; physical and environmental security; secure software development and supply-chain assurance; audit logging and log management; backup and recovery.
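The ISRA, treatment and control steps above (B4 to B6), together with the Plan step of the ISMS lifecycle, as an added worked example in Python that is not part of these notes or of any EASA material. The impact and likelihood scales, the acceptance threshold, the control names and the sample ANSP assets are all constructed for illustration; an organisation's real criteria come from its own ISMS policy.

```python
"""Part-IS style ISRA cycle: A1 scoping, B4 assessment, B5 treatment, D12 review, D11 change."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class SafetyImpact(Enum):            # worst credible consequence for safety-critical operations
    NONE = 0                         # no plausible safety effect: outside the Part-IS perimeter
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4

class Treatment(Enum):
    MODIFY = "modify"                # controls reduce likelihood or impact
    RETAIN = "retain"                # accept residual risk with documented justification
    AVOID = "avoid"                  # cease the activity
    SHARE = "share"                  # transfer through contract or insurance

@dataclass
class Asset:
    name: str
    safety_impact: SafetyImpact

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                  # 1 (remote) .. 5 (frequent); constructed scale
    treatment: Treatment | None = None
    controls: list = field(default_factory=list)
    residual_likelihood: int | None = None
    accepted_by: str | None = None   # who formally accepted the residual risk

ACCEPTANCE_THRESHOLD = 5             # constructed: likelihood x impact above this is unacceptable

def in_scope(asset: Asset) -> bool:
    """A1 scoping criterion: only assets whose compromise could affect safety."""
    return asset.safety_impact is not SafetyImpact.NONE

def score(risk: Risk, residual: bool = False) -> int:
    lik = risk.likelihood            # residual=True uses the post-treatment likelihood if recorded
    if residual and risk.residual_likelihood is not None:
        lik = risk.residual_likelihood
    return lik * risk.asset.safety_impact.value

def assess(risks: list[Risk]) -> list[Risk]:
    """B4 (ISRA): drop out-of-scope assets, rank the rest by inherent score."""
    return sorted((r for r in risks if in_scope(r.asset)), key=score, reverse=True)

def treat(risk: Risk, option: Treatment, controls=(), residual=None, accepted_by=None) -> Risk:
    """B5: record the treatment decision and the residual risk it leaves behind."""
    if option is Treatment.MODIFY and (not controls or residual is None):
        raise ValueError("modify needs named controls (B6) and a residual likelihood")
    if option is Treatment.RETAIN and not accepted_by:
        raise ValueError("retain needs documented management acceptance")
    risk.treatment, risk.controls, risk.accepted_by = option, list(controls), accepted_by
    risk.residual_likelihood = 0 if option is Treatment.AVOID else residual   # avoid: no exposure
    return risk

def open_items(risks: list[Risk]) -> list[str]:
    """D12 review check: untreated risks above threshold, and treated risks nobody has accepted."""
    findings = []
    for r in assess(risks):
        over = score(r, residual=True) > ACCEPTANCE_THRESHOLD
        if over and r.treatment is None:
            findings.append(f"{r.asset.name}: untreated '{r.threat}' (score {score(r)})")
        elif r.treatment is not None and r.accepted_by is None:
            findings.append(f"{r.asset.name}: residual {score(r, residual=True)} not accepted")
    return findings

def apply_change(risk: Risk, new_likelihood: int) -> Risk:
    """D11 management of change: altered exposure reopens the ISRA; the old treatment no longer stands."""
    risk.likelihood, risk.treatment, risk.controls = new_likelihood, None, []
    risk.residual_likelihood = risk.accepted_by = None
    return risk

def sample_register() -> list[Risk]:
    """Constructed ANSP register for illustration; not real asset or risk data."""
    sdp = Asset("surveillance data processor", SafetyImpact.HAZARDOUS)
    notam = Asset("NOTAM distribution service", SafetyImpact.MAJOR)
    dlink = Asset("data link ground station", SafetyImpact.HAZARDOUS)
    menu = Asset("staff canteen menu page", SafetyImpact.NONE)      # out of Part-IS scope
    return [
        Risk(sdp, "intrusion from corporate LAN", "flat network, no segmentation", 3),
        Risk(notam, "feed tampering by external party", "no integrity check on feed", 2),
        Risk(dlink, "vendor remote session abused", "shared vendor account", 2),
        Risk(menu, "website defacement", "unpatched CMS", 4),
    ]

def run_cycle() -> list[str]:
    risks = sample_register()            # Plan: the canteen page is dropped; scores rank 9, 6, 4
    sdp, dlink, notam = assess(risks)
    treat(sdp, Treatment.MODIFY, ["ops/corporate segmentation", "IDS on ops segment"], 1, "Head of Ops")
    treat(dlink, Treatment.MODIFY, ["named vendor accounts", "session recording"], 1, "Head of Ops")
    # Do/Check: both residuals are now 1 x 3 = 3 and accepted, so open_items(risks) == [] here
    apply_change(notam, new_likelihood=4)   # a new SWIM interface widens exposure: 4 x 2 = 8
    return open_items(risks)
```

Calling run_cycle() returns a single finding for the NOTAM feed, which has been sent back to the Plan step by the change and must be reassessed and treated before the next management review.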
Cluster C — Operational
The operational cluster covers the day-to-day running of the ISMS once controls are implemented.
- C7. Security monitoring and detection. Continuous or periodic monitoring of in-scope systems for anomalous behaviour, known attack signatures, and policy violations. This may include: security information and event management (SIEM) tooling, intrusion detection systems (IDS), log aggregation and correlation, network traffic analysis, and vulnerability scanning. The monitoring capability must be able to generate alerts that feed the incident response process.
- C8. Incident response. Defined procedures for detecting, classifying, containing, eradicating, recovering from, and reviewing information security incidents with potential safety impact. The response procedure must integrate with the organisation's safety management and crisis management processes. Significant incidents must be reported to the competent authority within the timeframes specified in Part-IS and, where applicable, NIS2 national legislation. After each incident, a post-incident review drives ISMS improvement.
- C9. External interfaces and supply-chain security. Controls on information flows with external parties: data service providers, network operators, equipment vendors, inter-ANSP data sharing, meteorological service integrations, SWIM information service providers, and maintenance contractors with system access. Each significant external interface is assessed for risk; contractual security requirements are defined; supplier security performance is monitored. Part-IS explicitly requires supply-chain security to be addressed in the ISMS scope.
- C10. Personnel security and awareness. Pre-employment vetting proportionate to the sensitivity of the role; defined information security responsibilities in job descriptions; regular security awareness training for all personnel; targeted training for those with elevated access rights. Personnel departing the organisation must have their access promptly removed and must return credentials.
Cluster D — Governance and improvement
The governance cluster ensures the ISMS remains effective over time and under change.
- D11. Management of change. Before introducing changes to in-scope systems, processes, or external interfaces, the information security implications are assessed. Significant changes trigger a partial or full ISRA update. The change management process is aligned with the organisation's existing safety management of change procedure to ensure safety and security risks are assessed together.
- D12. Continual improvement and management review. Periodic management review of ISMS performance: audit findings, monitoring results, incident statistics, risk register currency, and regulatory changes. The review drives updates to the ISMS policy, scope, risk assessment, controls, and competence plans. Records of the review are maintained. The ISMS is subject to periodic internal audit and, where required by the competent authority, oversight inspection.
Hierarchy of ISMS components
The twelve building blocks nest under the ISMS in a structured hierarchy:
- ISMS
  - Foundation
    - Scope and context (A1)
    - Policy (A2)
    - Roles and competence (A3)
  - Risk management
    - Risk assessment (ISRA) (B4)
    - Risk treatment (B5)
    - Security controls (B6)
  - Operational
    - Monitoring and detection (C7)
    - Incident response (C8)
    - Supply-chain and external interfaces (C9)
    - Personnel security (C10)
  - Governance
    - Management of change (D11)
    - Continual improvement / management review (D12)
References
- Regulation (EU) 2023/203 (EASA Implementing Regulation; ATM/ANS, AIR OPS, etc.), Part-IS Annex — ISMS requirements including policy, risk assessment, incident response, supply-chain, and competence (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- Regulation (EU) 2022/1645 (EASA Delegated Regulation; design, production, aerodromes), Part-IS Annex — equivalent ISMS requirements for design/production/aerodrome scope (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1645).
- EASA AMC and GM to Part-IS — guidance on scope definition, acceptable risk assessment methods, control families, incident reporting thresholds (authoritative source — not in local library; https://www.easa.europa.eu/en/document-library/acceptable-means-of-compliance-and-guidance-material/amc-and-gm-part-is).
- Doc 10199 (PANS-IM), Chapter 6, §6.3.1 to §6.3.5 — information security framework requirements for SWIM stakeholders; classification by security category; confidentiality, integrity, availability.
- Doc 10204 (Manual on Information Security) — ICAO guidance on classification, risk assessment, and control selection for aviation information assets (authoritative source — not in local library).
- Annex 17 (Aviation Security), §4.9.1 and §4.9.2 — cyber threat Standard and Recommended Practice; CIA protection; supply chain; network separation.
The regulatory layering model
Aviation cybersecurity governance is not a single instrument; it operates through four nested regulatory layers, each adding specificity and binding force to the one above. This file maps those layers as the "blocks" of the Part-IS framework — analogous to the way ASBU blocks represent progressive capability tiers in the ATM context.
Layer 1 — ICAO Global
Instruments. Annex 17 (Aviation Security), Twelfth Edition, 2022, §4.9; ICAO Assembly Resolution A41-19 (Doc 10184); ICAO Aviation Cybersecurity Strategy (2019) and Cybersecurity Action Plan; AN-Conf/14 Recommendation 4.2/1 (Doc 10209); PANS-IM (Doc 10199) §6.3; Manual on Information Security (Doc 10204).
What it does. Establishes the global floor: States must require relevant entities to identify critical ICT systems and data and implement protective measures per risk assessment (Annex 17 §4.9.1, Standard). Recommends CIA protection, security by design, supply chain security, and network separation (§4.9.2). Assembly Resolution A41-19 urges national governance, cybersecurity culture, and cross-cutting alignment across safety, security, and ATM disciplines. PANS-IM §6.3 mandates an information security framework for all SWIM stakeholders, with guidance in Doc 10204.
Applicability. All 193 ICAO Member States. Not self-executing: States must transpose through national law or regulation. Non-EU ICAO Members are bound by Annex 17 but not by the EU Part-IS regulations.
Character. Standards-based, principle-level. Annex 17 §4.9 gives the "what" (identify, assess, protect) but not a detailed ISMS methodology. Doc 10204 provides guidance on the "how."
Layer 2 — EU Regional
Layer 2 is where binding, detailed ISMS requirements enter. It comprises two Part-IS regulations and the overarching NIS2 Directive.
Phase 1 — Regulation (EU) 2022/1645 (Delegated)
Scope. Design organisations (DO), production organisations (PO), and aerodrome operators (including those with ATM functions at aerodromes).
Applicable from. 16 October 2025.
Character. Delegated Regulation: amends Annexes to the relevant EASA implementing rules (Commission Regulation (EU) No 748/2012 for design/production; Commission Regulation (EU) No 139/2014 for aerodromes). Inserts Part-IS requirements as a new subpart. EASA published AMC/GM for this regulation ahead of its applicability date.
Key obligations. ISMS establishment covering information assets with potential safety impact; information security policy; risk assessment; risk treatment; incident reporting to competent authority; supply-chain controls; competence and training; continual improvement.
Phase 2 — Regulation (EU) 2023/203 (Implementing)
Scope. ATM/ANS organisations, air operations organisations (AIR OPS), aircrew licensing, ATCO training organisations, and continuing airworthiness management organisations (CAMOs).
Applicable from. 22 February 2026.
Character. Implementing Regulation: amends Annexes to Regulations (EU) 965/2012 (AIR OPS), 1178/2011 (aircrew), 1035/2011 (ATM/ANS), 1321/2014 (continuing airworthiness), and 2015/340 (ATCO licensing). Inserts Part-IS subparts defining ISMS requirements in each domain. This is the regulation of primary concern for ANSPs and ATM/ANS organisations.
Key obligations. Same ISMS lifecycle as Phase 1, applied to ATM/ANS-specific information assets: ATC automation, SWIM, data link, surveillance, aeronautical data services, inter-ANSP interfaces.
NIS2 Directive — (EU) 2022/2555
Transposition deadline. 17 October 2024 by EU Member States.
Character. Directive (requires national legislation for effect). Applies to essential and important entities in critical sectors; air transport (ANSPs, airlines, airports) is an essential sector. Obligations: implement cybersecurity risk management measures; report significant incidents within defined timeframes; ensure supply-chain security; maintain cyber hygiene policies.
Relationship to Part-IS. Part-IS acts as lex specialis in the aviation domain. An ANSP that complies with Part-IS satisfies the equivalent NIS2 obligations. National supervisory authorities coordinate to avoid duplication, but the reporting obligations may add a second channel (to the national NIS2 authority) alongside Part-IS reporting to the NAA.
Layer 3 — National
Each EU Member State transposes NIS2 through national legislation and runs a national aviation authority (NAA) oversight programme for Part-IS compliance. For non-EU ICAO Member States, the national layer is the State's implementation of Annex 17 §4.9 and, where adopted, the ICAO Cybersecurity Action Plan.
Key national activities:
- Designation of the competent authority for aviation cybersecurity: the NAA, a national cybersecurity authority (NCA), or a joint body, in line with the A41-19 requirement to define national governance.
- Oversight programme: initial compliance verification, periodic audits, incident follow-up, enforcement.
- National incident reporting portal and coordination with the national Computer Security Incident Response Team (CSIRT).
- Coordination between NAA (Part-IS) and NCA (NIS2) to align oversight and avoid duplicate reporting burdens.
Layer 4 — Organisational
The organisational layer is the ISMS itself, as described in the components.md file. It implements the obligations set by Layers 1-3.
For an ANSP subject to Regulation (EU) 2023/203, the organisational layer must be operational from 22 February 2026 and must demonstrate compliance to the NAA through records of the ISRA, risk treatment plan, security controls, monitoring capabilities, incident log, competence records, and management review.
Applicability phases summary
| Phase | Instrument | In-scope organisations | Applicable from |
|---|---|---|---|
| 1 | Reg (EU) 2022/1645 (Delegated) | Design orgs, production orgs, aerodrome operators | 16 October 2025 |
| 2 | Reg (EU) 2023/203 (Implementing) | ATM/ANS orgs, AIR OPS, aircrew, ATCO training, CAMOs | 22 February 2026 |
| EU-wide | Dir (EU) 2022/2555 (NIS2) | Essential/important entities incl. air transport | Transposed by 17 Oct 2024 |
| Global floor | Annex 17 §4.9, A41-19, PANS-IM §6.3 | All ICAO Member States / SWIM stakeholders | In force per Annex amendment / PANS |
References
- Regulation (EU) 2022/1645 (Delegated), applicable 16 October 2025 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1645).
- Regulation (EU) 2023/203 (Implementing), applicable 22 February 2026 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- Directive (EU) 2022/2555 (NIS2), transposition deadline 17 October 2024 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555).
- Annex 17 (Aviation Security), Twelfth Edition, 2022, Chapter 4, §4.9.1 and §4.9.2 — global cyber Standard and Recommended Practice.
- Doc 10184 (Assembly Resolutions in Force, 41st Session), Resolution A41-19 — aviation cybersecurity; national governance; Strategy and Action Plan implementation.
- Doc 10209 (AN-Conf/14 Report, 2022), Recommendation 4.2/1 — national plans; regional alignment; ANSP integrated cyber risk management.
- Doc 10199 (PANS-IM), Chapter 6, §6.3 — information security framework for SWIM stakeholders globally.
The six functional axes of aviation cybersecurity
Aviation cybersecurity governance can be described along six functional axes — "threads" in the ASBU sense — that cut across the regulatory layers and the ISMS building blocks. Each thread represents a distinct subject area with its own stakeholders, standards, and tools. Together they constitute the full operational scope of Part-IS compliance for an ANSP or ATM/ANS organisation.
Thread 1 — Governance and accountability
What it covers. Organisational structures, policy frameworks, management accountability, and the relationship between the ISMS and other management systems (SMS, quality management, environmental management).
Key activities.
- Designation of information security management role(s) with defined authority and reporting line to accountable manager / Director General.
- Adoption of an information security policy approved by top management.
- Integration of ISMS management review into the organisation's regular governance cycle.
- Interface with the competent authority: oversight acceptance, audit responses, regulatory change tracking.
Regulatory hooks. Part-IS policy requirement (both regulations); A41-19 §2(b) national authority designation; Annex 17 §4.9.1 State obligation to ensure measures are in place.
Thread 2 — Risk management
What it covers. The information security risk assessment (ISRA) process, the risk register, and the risk treatment plan. This thread is the analytical core of the ISMS.
Key activities.
- Asset inventory of safety-relevant information assets.
- Threat and vulnerability analysis for each asset.
- Likelihood and impact scoring, with safety consequence as the primary impact dimension.
- Risk acceptance decisions and treatment option selection.
- Maintenance of a live risk register reviewed at defined intervals and on significant change.
Regulatory hooks. Part-IS risk assessment requirement (both regulations); EASA AMC/GM guidance on ISRA methodology; PANS-IM §6.3.5 (consumers assess CIA impact on safety for information security category); Doc 10204 risk classification guidance.
Thread 3 — Detection and monitoring
What it covers. Technical and procedural capabilities to detect anomalous activity, policy violations, and active attacks on in-scope systems in a timely manner.
Key activities.
- Security monitoring architecture: SIEM, IDS/IPS, log aggregation, network traffic analysis, vulnerability scanning schedules.
- Alert triage and escalation procedures.
- Definition of monitoring scope matched to the ISRA's asset inventory.
- Periodic review of monitoring effectiveness.
Regulatory hooks. A41-19 §2(e) monitoring and incident detection methods; Part-IS incident detection requirement; NIS2 risk management measures (monitoring obligation).
Thread 4 — Incident response and reporting
What it covers. The capability to contain, eradicate, recover from, and learn from information security incidents that affect or potentially affect aviation safety.
Key activities.
- Incident classification scheme distinguishing safety-impacting events from non-safety IT incidents.
- Documented response playbooks for high-priority scenario types (ransomware, data link integrity loss, ADS-B feed spoofing, SWIM service outage caused by cyber event).
- Notification chains: internal (safety manager, operations), competent authority (NAA), and where applicable national NIS2 authority.
- Post-incident review feeding the risk register and ISMS improvement.
- Regular tabletop and live exercises to test response capability.
Regulatory hooks. Part-IS incident reporting requirement; NIS2 tiered reporting timelines (early warning 24h, notification 72h, final report 1 month for significant incidents under national transposition); A41-19 §2(e) incident recovery and forensic analysis.
Thread 5 — Supply-chain and external interfaces
What it covers. Security risks introduced through third-party data providers, network operators, equipment vendors, maintenance contractors, inter-ANSP data sharing, and SWIM service providers.
Key activities.
- Mapping of external data flows and system interfaces within the Part-IS scope.
- Supplier security assessment and contractual security requirements.
- Periodic review of supplier security posture.
- Controls on privileged remote access by third parties.
- Inter-ANSP interface security for AIDC (ATC Interfacility Data Communications), FF-ICE flight object exchange, and cross-border SWIM services.
Regulatory hooks. Part-IS supply-chain security requirement; Annex 17 §4.9.2 (supply chain security listed as a recommended measure); A41-19 §2(e) system architectures secure by design; NIS2 supply-chain security obligations.
Thread 6 — Safety interface
What it covers. The conceptually novel thread of Part-IS: the managed interface between the ISMS and the Safety Management System (SMS), ensuring that information security events that have safety consequences are recognised and handled through both management systems.
Key activities.
- Mapping of information assets to safety-critical functions in the SMS hazard register.
- Procedure for escalating a cyber incident to a safety event when the information security classification indicates a safety impact.
- Coordination between the information security manager and the safety manager on shared risks (e.g. loss of ATC automation data integrity).
- Input from the ISRA to the SMS hazard identification process and vice versa.
- Joint management review agenda items where safety and security risks are interlinked.
Regulatory hooks. Part-IS scope criterion (potential impact on aviation safety); EASA AMC/GM on safety-security interface; Annex 19 SMS requirements; Doc 10209 §4.18 (need for cyber considerations in ANSPs' management systems; recovery from cyber incidents that impact areas beyond ATC).
Thread interaction
The six threads interact continuously. A detection alert (Thread 3) triggers incident response (Thread 4), which may activate the safety interface (Thread 6) and trigger a supply-chain review (Thread 5) if the compromise entered through a third party. The governance thread (Thread 1) ensures the response is escalated to management and reported to the competent authority. The risk management thread (Thread 2) is updated with the new information and the risk register is revised. This creates the feedback loop that drives continual improvement of the ISMS.
References
- Regulation (EU) 2023/203, Part-IS Annex — all six thread obligations embedded in ISMS requirements (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- EASA AMC and GM to Part-IS — detailed guidance on risk assessment, incident reporting, supply-chain controls, and safety-security interface (authoritative source — not in local library; https://www.easa.europa.eu/en/document-library/acceptable-means-of-compliance-and-guidance-material/amc-and-gm-part-is).
- Annex 17 (Aviation Security), §4.9.1 and §4.9.2 — Threads 1, 2, 5 regulatory grounding.
- Doc 10184 (Assembly Resolutions in Force), Resolution A41-19 — Thread 1 (governance), Thread 3 (monitoring), Thread 4 (response and recovery), Thread 6 (cross-cutting).
- Doc 10209 (AN-Conf/14 Report, 2022), §4.18 — Thread 6 (cyber considerations in ANSP management systems; safety-security interface).
- Annex 19 (Safety Management), Appendix 2 — SMS framework parallels for Thread 6 safety interface.
- Directive (EU) 2022/2555 (NIS2), Articles 21-23 — Thread 4 incident reporting timelines; Thread 5 supply-chain (authoritative source — not in local library).
What a Part-IS module is
In the Part-IS context, a "module" is the complete cycle of work for one defined ISMS activity at the intersection of a functional thread and a regulatory layer. This file presents the anatomy of the most central module: the Information Security Risk Assessment (ISRA) cycle for an ANSP subject to Regulation (EU) 2023/203.
The ISRA cycle is the analytical engine of the ISMS. All other ISMS activities — control selection, monitoring design, incident response scope, supply-chain requirements — flow from the ISRA outputs.
Worked example: ISRA cycle for an ANSP (Part-IS, ATM/ANS scope)
Step 1 — Establish scope
The ANSP defines the perimeter of the ISRA: which information assets are in scope because a compromise could have a potential impact on aviation safety.
Typical in-scope assets for a medium/large ANSP:
- ATC automation platform — radar data processing, conflict detection and resolution advisory, flight data processor, controller working position software.
- Surveillance data chain — ADS-B receiver network, Mode S decoder, multilateration (MLAT) processor, surveillance data distribution network to CWP.
- Data link ground infrastructure — VHF Data Link (VDL) Mode 2 ground stations, ACARS router, CPDLC gateway (for ATN B2 where deployed), ADS-C ground processor.
- Aeronautical data services — NOTAM database, digital AIP publication system, AIXM data feeds, SWIM information service provider interfaces.
- Flow management interface — connection to the Network Manager (NM) or regional ATFM system; sector capacity data feeds.
- Voice communications — IP-based voice switching systems (VoIP-based ATM voice); recording system.
- Network infrastructure — core routers, firewalls, WAN connections to neighbouring ANSPs (AIDC), to the SWIM network, and to external meteorological service providers.
Assets excluded from scope: HR payroll systems, finance platforms, procurement portals — these have no plausible pathway to aviation safety impact.
Step 2 — Identify threats and vulnerabilities
For each in-scope asset, the ISRA team identifies plausible threats and existing vulnerabilities:
Example asset: ADS-B receiver network
- Threat: Injection of false aircraft positions (ADS-B spoofing) from a ground-based transmitter.
- Vulnerability: ADS-B is unauthenticated by design (ICAO SARPs do not yet require authentication for ADS-B Out); receivers process any conformant 1090 MHz transmission.
- Threat: Compromise of the data distribution network between receivers and the surveillance processor.
- Vulnerability: Network segmentation incomplete; a single VLAN shared with less-critical systems.
Example asset: SWIM information service provider interface
- Threat: Integrity attack — a compromised upstream SWIM provider injects false aeronautical data (e.g. wrong NOTAM status for a runway).
- Vulnerability: No end-to-end integrity verification of SWIM data beyond transport-layer TLS; no cross-check with a second authoritative source.
- Threat: Availability attack — denial-of-service against the SWIM endpoint.
- Vulnerability: Single SWIM connection; no fallback retrieval path.
Step 3 — Assess likelihood and impact
Each risk is scored against the organisation's risk matrix.
The impact axis always considers the safety dimension first:
- Catastrophic: Compromise could directly cause a loss of separation, runway incursion, or controlled flight into terrain (CFIT) without other safety barriers intervening.
- Critical: Compromise degrades a safety-critical function but other barriers (controller awareness, backup procedures, adjacent system) provide some mitigation.
- Significant: Compromise causes service disruption or data degradation that requires controller action but with no immediate safety consequence.
- Minor: Compromise causes operational inconvenience with no plausible safety pathway.
The likelihood axis considers threat actor capability, motivation, and opportunity given the current vulnerability profile of the asset.
Step 4 — Evaluate and prioritise
Risks scoring above the defined acceptance threshold are prioritised for treatment. EASA AMC/GM guidance recommends that risks assessed as Critical or Catastrophic impact are treated without exception; Significant risks are treated unless accepted with documented justification; Minor risks may be accepted with management approval.
Step 5 — Select and implement treatment
For each priority risk, the ANSP selects controls:
| Risk | Selected controls |
|---|---|
| ADS-B spoofing | Cross-check ADS-B against PSR/MLAT; alert controller on position discrepancy; limit weight given to uncorroborated ADS-B position; upgrade to multilateration-cross-checked processing |
| SWIM data integrity | Deploy XML signature verification for received aeronautical data; configure duplicate-source reconciliation for critical data types; fallback to AFTN/AMHS for NOTAM if SWIM unavailable |
| Network lateral movement | Implement strict VLAN segmentation between surveillance data network and other systems; privileged access workstations for surveillance infrastructure administration |
| Supply-chain (NM interface) | Contractual security requirements with NM; TLS 1.3 minimum; quarterly review of interface security; mutual authentication on the B2B API |
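The first row of the table, the ADS-B-versus-MLAT cross-check with a controller alert on discrepancy, as an added example of the detection logic (not code from this page, from any ANSP product or from EASA material). It assumes both feeds deliver time-stamped positions keyed by the 24-bit aircraft address; the 2-second pairing window and the 0.5 NM tolerance are constructed values that a real deployment would derive from sensor accuracy and update rate, and the sample fixes are constructed, not real traffic.

```python
"""Surveillance cross-check: flag ADS-B reports that disagree with, or lack, an
independent MLAT fix for the same aircraft. Added example; thresholds and data
are constructed and not taken from Part-IS, EASA AMC/GM or any ANSP system."""
from __future__ import annotations
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class Fix:
    icao24: str   # 24-bit aircraft address, hex
    source: str   # "ADSB" or "MLAT"
    t: float      # seconds (constructed epoch)
    lat: float
    lon: float


def great_circle_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Haversine distance between two positions in nautical miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def cross_check(adsb: list[Fix], mlat: list[Fix],
                max_dt_s: float = 2.0, tolerance_nm: float = 0.5) -> list[tuple]:
    """For each ADS-B fix, pair it with the MLAT fix of the same address closest in
    time (within max_dt_s). Emit UNCORROBORATED when no MLAT fix exists for the
    target and POSITION_DISCREPANCY when the two positions differ by more than
    tolerance_nm. Returns (icao24, alert_type, distance_nm_or_None) tuples."""
    by_addr: dict[str, list[Fix]] = {}
    for m in mlat:
        by_addr.setdefault(m.icao24, []).append(m)
    alerts = []
    for f in adsb:
        candidates = [m for m in by_addr.get(f.icao24, []) if abs(m.t - f.t) <= max_dt_s]
        if not candidates:
            # No independent fix at all: the position rests on the aircraft's own claim
            alerts.append((f.icao24, "UNCORROBORATED", None))
            continue
        m = min(candidates, key=lambda c: abs(c.t - f.t))
        d = great_circle_nm(f.lat, f.lon, m.lat, m.lon)
        if d > tolerance_nm:
            alerts.append((f.icao24, "POSITION_DISCREPANCY", round(d, 2)))
    return alerts


# Constructed sample fixes (not real traffic)
SAMPLE_ADSB = [
    Fix("4CA1B2", "ADSB", 1000.0, 52.0000, 4.0000),
    Fix("3C6444", "ADSB", 1000.0, 52.5000, 5.0000),
    Fix("AAAAAA", "ADSB", 1000.0, 51.9000, 4.4000),
]
SAMPLE_MLAT = [
    Fix("4CA1B2", "MLAT", 1000.8, 52.0010, 4.0010),  # agrees within tolerance
    Fix("3C6444", "MLAT", 1001.2, 52.5000, 5.1000),  # several NM off: discrepancy
    Fix("3C6444", "MLAT", 995.0, 52.4000, 5.0000),   # too old to pair (> max_dt_s)
]

if __name__ == "__main__":
    for alert in cross_check(SAMPLE_ADSB, SAMPLE_MLAT):
        print(alert)
```

An uncorroborated target is reported separately from a discrepancy because the two call for different controller and engineering responses: the first means the position has no independent confirmation, the second means two sensors actively disagree.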
Step 6 — Document residual risk and obtain acceptance
After control implementation, residual risk is re-scored. Any residual risk that remains above the tolerance threshold must be formally accepted by management with documented justification. The risk register records the original risk, the controls applied, the residual risk score, the acceptance decision, and the review date.
Step 7 — Review cycle
The ISRA is reviewed:
- At least annually.
- Following a significant change to in-scope systems or interfaces.
- After a significant security incident.
- When new threat intelligence indicates a material change in the threat landscape.
Each review updates the risk register, triggers control re-evaluation where necessary, and feeds the next management review agenda.
Integration with the incident response module
When the monitoring system (Thread 3) generates an alert, the incident handler checks the ISRA risk register to determine: Is this asset in scope? What is the assessed impact category? Are the expected controls in place? If the incident indicates a control failure, the ISRA is flagged for immediate review, and the safety manager is notified if the impacted asset carries a Critical or Catastrophic safety impact rating.
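Steps 3 to 7 of the ISRA cycle and the incident handler's register lookup described in the paragraph above, as one small Python model. This is an added example, not code from this page, from EASA AMC/GM or from any ANSP: the 4x4 impact-by-likelihood scale, the acceptance threshold of 6, the register entries (which mirror the Step 2 examples) and the dates are all constructed assumptions. The treatment rule encodes the Step 4 text, residual acceptance in Step 6 is refused unless a named manager is recorded, Step 7 review falls due on schedule or on any listed trigger, and the lookup answers the handler's three questions and flags safety-manager notification for Critical or Catastrophic assets.

```python
"""ISRA register model (Steps 3-7) plus the incident handler's lookup. Added example;
scale, threshold, entries and dates are constructed, not from Part-IS or EASA AMC/GM."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import Iterable, Optional


class Impact(IntEnum):       # Step 3: safety consequence is the primary impact dimension
    MINOR = 1
    SIGNIFICANT = 2
    CRITICAL = 3
    CATASTROPHIC = 4


class Likelihood(IntEnum):   # Step 3: actor capability, motivation, opportunity
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4


ACCEPTANCE_THRESHOLD = 6     # constructed: score = impact x likelihood; above this = priority
REVIEW_TRIGGERS = {"significant_change", "significant_incident", "threat_intel_change"}
TODAY = date(2026, 3, 1)     # constructed "today" for the example


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    impact: Impact
    likelihood: Likelihood
    controls: list[str] = field(default_factory=list)
    residual_likelihood: Optional[Likelihood] = None
    accepted_by: Optional[str] = None
    review_date: Optional[date] = None

    @property
    def score(self) -> int:
        return int(self.impact) * int(self.likelihood)

    @property
    def residual_score(self) -> int:
        return int(self.impact) * int(self.residual_likelihood or self.likelihood)


def treatment_decision(risk: Risk) -> str:
    """Step 4 rule from the text: Critical/Catastrophic always treated; Significant treated
    unless accepted with documented justification; Minor may be accepted with approval."""
    if risk.impact >= Impact.CRITICAL:
        return "TREAT"
    if risk.impact == Impact.SIGNIFICANT:
        return "TREAT_UNLESS_JUSTIFIED_ACCEPTANCE"
    return "MAY_ACCEPT_WITH_APPROVAL"


def prioritise(register: Iterable[Risk]) -> list[Risk]:
    """Step 4: risks scoring above the acceptance threshold, highest score first."""
    return sorted((r for r in register if r.score > ACCEPTANCE_THRESHOLD),
                  key=lambda r: r.score, reverse=True)


def record_residual(risk: Risk, residual_likelihood: Likelihood, today: date,
                    accepted_by: Optional[str] = None, review_in_days: int = 365) -> int:
    """Step 6: re-score after controls. A residual score still above the threshold is
    only recorded when a named manager formally accepts it."""
    risk.residual_likelihood = residual_likelihood
    if risk.residual_score > ACCEPTANCE_THRESHOLD and accepted_by is None:
        raise ValueError(f"{risk.risk_id}: residual score {risk.residual_score} exceeds "
                         "tolerance; documented management acceptance required")
    risk.accepted_by = accepted_by
    risk.review_date = today + timedelta(days=review_in_days)
    return risk.residual_score


def review_due(risk: Risk, today: date, events: Iterable[str] = ()) -> bool:
    """Step 7: due at the scheduled (at most annual) date, or immediately on a trigger."""
    scheduled = risk.review_date is not None and today >= risk.review_date
    return scheduled or bool(REVIEW_TRIGGERS & set(events))


def incident_lookup(register: Iterable[Risk], asset: str) -> dict:
    """The handler's questions: in scope? impact category? expected controls?
    The safety manager is notified for Critical or Catastrophic assets."""
    hits = [r for r in register if r.asset == asset]
    if not hits:
        return {"in_scope": False, "impact": None, "controls": [], "notify_safety_manager": False}
    worst = max(hits, key=lambda r: r.impact)
    return {"in_scope": True, "impact": worst.impact.name,
            "controls": sorted({c for r in hits for c in r.controls}),
            "notify_safety_manager": worst.impact >= Impact.CRITICAL}


def sample_register() -> list[Risk]:
    """Constructed entries mirroring the Step 2 examples."""
    return [
        Risk("R-001", "ADS-B receiver network", "ADS-B spoofing from a ground transmitter",
             Impact.CRITICAL, Likelihood.POSSIBLE, ["MLAT/PSR cross-check", "controller discrepancy alert"]),
        Risk("R-002", "SWIM provider interface", "False aeronautical data from upstream provider",
             Impact.CRITICAL, Likelihood.UNLIKELY, ["XML signature verification"]),
        Risk("R-003", "SWIM provider interface", "Denial of service against the SWIM endpoint",
             Impact.SIGNIFICANT, Likelihood.POSSIBLE, ["AFTN/AMHS fallback"]),
        Risk("R-004", "Voice recording system", "Recording outage", Impact.MINOR, Likelihood.LIKELY),
    ]


if __name__ == "__main__":
    reg = sample_register()
    print([r.risk_id for r in prioritise(reg)])                     # ['R-001']
    print(incident_lookup(reg, "ADS-B receiver network"))           # in scope, CRITICAL, notify
```

Treating the acceptance check as an exception rather than a flag is deliberate: the register must not be able to hold an above-tolerance residual risk without a named acceptor, which is exactly the record the NAA will ask for.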
References
- Regulation (EU) 2023/203, Part-IS Annex — ISRA and risk treatment requirements for ATM/ANS organisations (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- EASA AMC and GM to Part-IS — detailed guidance on ISRA methodology, risk scoring, control selection, and acceptance (authoritative source — not in local library; https://www.easa.europa.eu/en/document-library/acceptable-means-of-compliance-and-guidance-material/amc-and-gm-part-is).
- Doc 10199 (PANS-IM), Chapter 6, §6.3.5 — consumers assess CIA impact on safety for information security category; foundational for ISRA impact scoring.
- Doc 10204 (Manual on Information Security) — classification of information in security categories; risk assessment guidance (authoritative source — not in local library).
- Annex 17 (Aviation Security), §4.9.1 — risk assessment as the basis for protective measures; ISRA obligation at State/entity level.
- Doc 10209 (AN-Conf/14 Report, 2022), §4.18 — integrated management of cyber-related risks in ANSPs; recovery from cyber incidents with broader impacts.
Overview
Part-IS compliance does not emerge from regulation alone. A set of enabling conditions must be in place before an ANSP or ATM/ANS organisation can build and maintain an effective ISMS. This file maps those enablers across six categories: regulatory prerequisites, technical infrastructure, standards and frameworks, personnel and competence, institutional arrangements, and the safety-security interface.
Regulatory prerequisites
EASA Basic Regulation (EU) 2018/1139. The legal mandate for both Part-IS regulations derives from the Basic Regulation's requirement for EASA to develop implementing rules covering all aspects of civil aviation safety, including information security. Without the Basic Regulation mandate, the Part-IS implementing rules have no foundation.
National transposition of NIS2. For EU Member States, effective NIS2 legislation must be in place (deadline 17 October 2024) to provide the legal basis for national competent authorities (NCAs) to exercise oversight. Coordination between the NCA and the NAA is an enabler for coherent oversight without duplication.
ICAO Annex 17 §4.9 compliance. For non-EU ICAO Member States, national legislation implementing Annex 17 §4.9 is the prerequisite for ISMS-type requirements to have binding force. States that have not transposed the Standard face a gap.
Part-IS AMC and GM publication. EASA published AMC/GM to Part-IS in advance of the applicability dates. Without this guidance, organisations lack clarity on the detailed methods for ISRA, control selection, and incident reporting. The AMC/GM is therefore an enabler, not merely supplementary material.
Technical infrastructure
Network architecture. Effective Part-IS implementation requires that the organisation's information technology and operational technology (OT) networks are sufficiently segmented to allow security controls to be applied proportionately. Legacy unsegmented networks are a common Part-IS readiness gap. Remediation requires investment in network architecture redesign, firewall policy, and VLAN infrastructure.
Security monitoring tooling. A Security Information and Event Management (SIEM) system, or equivalent log aggregation and alert correlation capability, is required to fulfil the monitoring and detection obligations. IDS/IPS, endpoint detection, and network traffic analysis tools are supporting elements. Many ANSPs are starting from a low baseline; tooling acquisition and configuration are a multi-year effort.
Identity and access management. Centralised identity management, multi-factor authentication (MFA) for privileged access, and role-based access control are foundational controls that enable effective audit logging and privilege management. Where legacy ATC systems do not support MFA natively, compensating controls (network segmentation, privileged access workstations, jump hosts) are required.
Cryptographic infrastructure. TLS for network communications, digital signatures for aeronautical data integrity (e.g. SWIM data packages), and key management infrastructure are technical enablers for multiple control families under Part-IS.
Backup and recovery. Tested backup and recovery procedures for safety-critical systems are an enabler for the resilience requirements. Recovery time objectives (RTOs) must be defined for each safety-critical system and validated through periodic recovery tests.
Standards and frameworks
ISO/IEC 27001. The internationally recognised information security management standard. EASA AMC/GM to Part-IS acknowledges ISO/IEC 27001 as a reference framework. Organisations holding ISO/IEC 27001 certification can map their existing ISMS to Part-IS requirements, reducing implementation effort. The key delta is the aviation-safety impact scoping criterion.
NIST Cybersecurity Framework (CSF). Widely used by ANSPs in the Americas and APAC region. The NIST CSF Identify-Protect-Detect-Respond-Recover functions map closely to the Part-IS ISMS lifecycle.
EUROCONTROL Aviation Cyber Security Strategy. The EUROCONTROL Network Manager publishes cybersecurity guidance for European ANSPs and operates a Cyber Security Operations Centre (CSOC) that provides threat intelligence sharing relevant to the detection thread.
IEC 62443. Industrial control system security standard relevant to the OT/SCADA components of ATC automation and surveillance infrastructure. Complements ISO/IEC 27001 for the operational technology domain.
Personnel and competence
Information security manager (or CISO equivalent). A named individual with the competence, authority, and resources to manage the ISMS. Typically a new or elevated role at ANSPs that previously had only IT security at staff level. The role requires both information security expertise and aviation domain knowledge.
Security awareness training. All personnel must understand their information security responsibilities, recognise social engineering and phishing attempts, and know how to report suspicious activity. Training must be refreshed periodically. Part-IS AMC/GM specifies minimum content.
Specialist competence. Roles with elevated access (system administrators, network engineers, SWIM service operators) require additional competence in their specific security domain. Training plans must be documented and competence records maintained.
Incident response team. A defined team with practiced response capability. Table-top and live exercises are required enablers for effective incident response. CSIRT coordination (national and sector-specific) provides external expertise.
Institutional arrangements
Competent authority oversight programme. The NAA must have an oversight methodology, qualified inspectors, and a checklist or protocol for assessing Part-IS compliance. This is an enabler for the system to function: organisations need clarity on what the authority will inspect.
National coordination between NAA and NCA. Where Part-IS and NIS2 overlap, a coordination protocol between the national aviation authority and the national cybersecurity authority avoids organisations facing contradictory or duplicate requirements.
Information sharing. Sector-level threat intelligence sharing mechanisms — EUROCONTROL CSOC, national aviation ISAC equivalents, ICAO Cybersecurity Action Plan Point of Contact Network — enable organisations to benefit from collective threat awareness rather than defending in isolation.
ICAO regional coordination. Regional planning groups (APANPIRG, MIDANPIRG, EANPG) increasingly include cybersecurity on their agenda, following AN-Conf/14 Recommendation 4.2/1. Regional air navigation plans that include cybersecurity provisions create a coordination framework for non-EU ICAO Member States.
Safety-security interface enabler
Integrated management system design. The most important organisational enabler is the design choice to integrate the ISMS and SMS from the outset, rather than treating them as parallel but separate compliance obligations. This requires:
- A joint asset-to-safety-function mapping exercise.
- Shared hazard identification sessions between the safety and security teams.
- Common management review rhythm with combined agenda items.
- Defined escalation protocol for cyber events with safety consequence.
Organisations that build their ISMS as an isolated IT governance programme will struggle to demonstrate to their NAA that the safety-security interface requirement is genuinely met.
References
- Regulation (EU) 2023/203, Part-IS Annex — organisational competence, training, and management of change enabler requirements (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- EASA AMC and GM to Part-IS — detailed enabler guidance: ISO/IEC 27001 mapping, training content, monitoring tools, safety-security interface (authoritative source — not in local library).
- Annex 17 (Aviation Security), §4.9.2 — security by design, supply chain, network separation, remote access limitation as technical enablers.
- Annex 19 (Safety Management), Appendix 2 — SMS framework as the parallel management system that Part-IS ISMS integrates with.
- Doc 10184 (Assembly Resolutions in Force), Resolution A41-19 §2(i) — cybersecurity culture as an enabler; §2(b) national governance designation.
- Doc 10209 (AN-Conf/14 Report, 2022), Recommendation 4.2/1(b) — regional plan alignment as institutional enabler.
- Doc 10199 (PANS-IM), §6.3.4 — information security requirements commensurate with security category; technical control enabler.
Performance framework
Part-IS is a management system requirement; it does not specify quantitative performance targets in the way ASBU modules do. However, aviation cybersecurity can be mapped to the ICAO KPA framework from Doc 9854 / Doc 9883, and meaningful KPIs can be defined for ISMS operational effectiveness.
The chain is:
KPA --> Performance objective --> KPI --> ISMS control evidence
Security is the primary KPA. Safety, Interoperability, and Cost-effectiveness are secondary KPAs that cybersecurity either protects or enables.
KPA contribution matrix
The matrix below scores the contribution of aviation cybersecurity to each ICAO KPA across four implementation maturity levels. The levels correspond to the regulatory layering:
- L1 — ICAO floor: Annex 17 §4.9 Standard implemented; basic cyber risk identification in place.
- L2 — Part-IS Phase 1: Regulation (EU) 2022/1645 compliant (from Oct 2025); design/production/aerodrome ISMS operational.
- L3 — Part-IS Phase 2: Regulation (EU) 2023/203 compliant (from Feb 2026); ATM/ANS ISMS fully operational.
- L4 — Mature: ISMS fully integrated with SMS, mature monitoring, sector threat sharing, audited supply chain.
Scoring: 1 = some benefit; 2 = clear benefit; 3 = primary driver.
| KPA | L1 ICAO floor | L2 Part-IS Phase 1 | L3 Part-IS Phase 2 | L4 Mature |
|---|---|---|---|---|
| Security | 1 | 2 | 3 | 3 |
| Safety | 1 | 2 | 3 | 3 |
| Interoperability | 1 | 1 | 2 | 3 |
| Cost-effectiveness | 1 | 1 | 2 | 2 |
| Capacity | 1 | 1 | 2 | 2 |
| Predictability | 1 | 1 | 2 | 2 |
| Flight efficiency | 1 | 1 | 1 | 2 |
| Environment | 1 | 1 | 1 | 1 |
Notes:
- Security at L3-L4 = 3 because an operational ATM/ANS ISMS is the primary instrument for managing information security risk in the aviation domain.
- Safety at L3-L4 = 3 because cyber attacks on safety-critical ATM systems are now a recognised safety hazard; an ISMS that prevents or limits their impact directly protects safety outcomes.
- Interoperability at L4 = 3 because a mature ISMS with strong supply-chain controls and authenticated SWIM/data-link interfaces is a prerequisite for trusted, cross-border data exchange.
- Capacity and Predictability at L3 = 2 because a cyber-resilient ATM system avoids service disruptions that would reduce capacity and inject uncertainty into flow management.
- Cost-effectiveness at L4 = 2 because a mature ISMS reduces the cost of cyber incident response and recovery, and avoids the regulatory and reputational costs of a notifiable breach.
Performance objectives by KPA
KPA: Security
PO-SEC-1: Organisations identify all safety-relevant information assets and maintain a current risk register with no unacceptable untreated risks.
Measured by:
- Percentage of in-scope assets with a current (reviewed within 12 months) ISRA entry.
- Count of risks rated Critical or Catastrophic with no approved treatment plan.
PO-SEC-2: Significant information security incidents are detected, reported to the competent authority within required timeframes, and followed by a post-incident review.
Measured by:
- Mean time to detect (MTTD) for security events above a defined severity threshold.
- Percentage of significant incidents reported to competent authority within the regulatory timeframe.
- Percentage of post-incident reviews completed within 30 days.
PO-SEC-3: Personnel demonstrate adequate information security competence for their role.
Measured by:
- Percentage of personnel with current security awareness training (within 12 months).
- Percentage of privileged-access users with role-specific security training.
KPA: Safety
PO-SAF-1: Information security incidents with a safety impact are identified and managed through both the ISMS and SMS processes.
Measured by:
- Count of ISMS incidents classified with a safety impact that have a corresponding SMS safety occurrence report.
- Annual joint ISMS-SMS management review conducted.
PO-SAF-2: Safety-critical systems have tested backup and recovery procedures with defined recovery time objectives (RTOs).
Measured by:
- Percentage of safety-critical systems with a tested recovery procedure (within the last 12 months).
- Percentage of recovery tests meeting the defined RTO.
KPA: Interoperability
PO-INT-1: External data interfaces (SWIM, AIDC, FF-ICE, NM B2B) operate with authenticated and integrity-protected connections.
Measured by:
- Percentage of external data interfaces using minimum TLS 1.2 with mutual authentication.
- Count of active supplier security assessments for critical external data feeds.
KPA: Cost-effectiveness
PO-CE-1: ISMS investment is proportionate to assessed risk, with controls matched to the security category of protected assets.
Measured by:
- Ratio of ISMS operational cost to number of in-scope critical assets (directional indicator).
- Percentage of risk treatment plans implemented on schedule.
KPIs — operational monitoring
Security KPIs
- Number of detected security events per quarter (trended; increase may indicate improved detection or elevated threat, not degraded security).
- Mean time to detect (MTTD) and mean time to respond (MTTR) for Priority 1 incidents.
- Patch compliance rate: percentage of in-scope systems meeting the defined patch currency SLA.
- Vulnerability scan findings: count of critical/high vulnerabilities open beyond the defined remediation SLA.
- Access control: count of accounts with excessive privilege, accounts not reviewed within the defined review cycle.
Safety-interface KPIs
- Count of ISMS incidents escalated to SMS per quarter.
- Time to safety manager notification following a cyber event meeting the escalation criteria.
Supply-chain KPIs
- Percentage of critical suppliers with a current security assessment on file.
- Count of third-party access sessions without a valid access authorisation record.
Training KPIs
- Percentage of personnel with current awareness training.
- Phishing simulation click rate (for organisations running simulation programmes).
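The Security KPIs and the PO-SEC-2 measures computed from an incident log, as an added example (not code from this page or from any ANSP dashboard). The incident records and the patch ages are constructed; the 24 h / 72 h / 1 month reporting tiers are the NIS2 figures cited on this page, measured here from the detection time, and the 30-day post-incident review window is the PO-SEC-2 value. "1 month" is taken as 30 days and the patch SLA of 30 days is a constructed value.

```python
"""Security KPIs (MTTD, MTTR, patch compliance) and PO-SEC-2 measures from an
incident log. Added example with constructed records; the reporting tiers are the
NIS2 figures quoted on the page, the 30-day review window is PO-SEC-2."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    priority: int                              # 1 = highest
    significant: bool                          # meets the notifiable-incident criteria
    occurred: datetime                         # start of the event, established in the review
    detected: datetime                         # first alert: the organisation's awareness time
    resolved: Optional[datetime] = None
    early_warning: Optional[datetime] = None   # sent to the competent authority
    notification: Optional[datetime] = None
    final_report: Optional[datetime] = None
    pir_completed: Optional[datetime] = None   # post-incident review signed off


EARLY_WARNING = timedelta(hours=24)   # NIS2 tier 1
NOTIFICATION = timedelta(hours=72)    # NIS2 tier 2
FINAL_REPORT = timedelta(days=30)     # NIS2 "1 month", taken as 30 days (simplification)
PIR_WINDOW = timedelta(days=30)       # PO-SEC-2


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def mttd_hours(incidents: Iterable[Incident], max_priority: int = 2) -> Optional[float]:
    """Mean time to detect for events at or above the severity threshold (priority <= max)."""
    vals = [_hours(i.detected - i.occurred) for i in incidents if i.priority <= max_priority]
    return mean(vals) if vals else None


def mttr_hours(incidents: Iterable[Incident], priority: int = 1) -> Optional[float]:
    """Mean time to respond, here detection to resolution, for one priority level."""
    vals = [_hours(i.resolved - i.detected) for i in incidents
            if i.priority == priority and i.resolved is not None]
    return mean(vals) if vals else None


def reporting_status(inc: Incident) -> dict:
    """Each NIS2 tier measured from the moment the organisation became aware."""
    def within(stamp: Optional[datetime], limit: timedelta) -> bool:
        return stamp is not None and stamp - inc.detected <= limit
    return {"early_warning": within(inc.early_warning, EARLY_WARNING),
            "notification": within(inc.notification, NOTIFICATION),
            "final_report": within(inc.final_report, FINAL_REPORT)}


def pct_reported_in_time(incidents: Iterable[Incident]) -> Optional[float]:
    """PO-SEC-2: share of significant incidents with every tier inside its clock."""
    sig = [i for i in incidents if i.significant]
    if not sig:
        return None
    return 100.0 * sum(all(reporting_status(i).values()) for i in sig) / len(sig)


def pct_pir_within_window(incidents: Iterable[Incident]) -> Optional[float]:
    """PO-SEC-2: share of resolved significant incidents reviewed within 30 days."""
    sig = [i for i in incidents if i.significant and i.resolved is not None]
    if not sig:
        return None
    done = sum(i.pir_completed is not None and i.pir_completed - i.resolved <= PIR_WINDOW
               for i in sig)
    return 100.0 * done / len(sig)


def patch_compliance_pct(oldest_outstanding_days: dict, sla_days: int) -> Optional[float]:
    """Share of in-scope systems whose oldest outstanding patch is within the SLA."""
    if not oldest_outstanding_days:
        return None
    ok = sum(age <= sla_days for age in oldest_outstanding_days.values())
    return 100.0 * ok / len(oldest_outstanding_days)


def sample_incidents() -> list[Incident]:
    """Constructed log entries, not real incidents."""
    d = datetime
    return [
        Incident("INC-2026-001", 1, True, d(2026, 3, 1, 8), d(2026, 3, 1, 10), d(2026, 3, 1, 18),
                 early_warning=d(2026, 3, 1, 20), notification=d(2026, 3, 3, 9),
                 final_report=d(2026, 3, 25, 12), pir_completed=d(2026, 3, 20, 9)),
        Incident("INC-2026-002", 1, True, d(2026, 3, 10, 0), d(2026, 3, 10, 6), d(2026, 3, 11, 6),
                 early_warning=d(2026, 3, 11, 12),   # 30 h after awareness: tier missed
                 notification=d(2026, 3, 12, 6), final_report=d(2026, 4, 5, 9)),
        Incident("INC-2026-003", 3, False, d(2026, 3, 15, 12), d(2026, 3, 15, 13), d(2026, 3, 15, 14)),
    ]


SAMPLE_PATCH_AGES = {"FDP": 12, "CWP": 45, "ADS-B ground station": 20}  # constructed, days

if __name__ == "__main__":
    inc = sample_incidents()
    print(mttd_hours(inc), mttr_hours(inc), pct_reported_in_time(inc))   # 4.0 16.0 50.0
```

MTTD is measured from the event start established in the post-incident review, so it can only be computed once that review is done; the reporting clocks, by contrast, run from awareness, which is why the two use different timestamps.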
How performance is reported
Internally. Monthly ISMS operational dashboard to the information security manager; quarterly summary to the safety manager; annual management review with full KPI trends.
To the competent authority. Per Part-IS requirements: significant incident reports; periodic oversight submissions as required by the NAA oversight programme; management review records available on inspection.
Regionally. Via the NM cybersecurity coordination channel (European ANSPs); EUROCONTROL CSOC operational statistics; ICAO regional group reporting per AN-Conf/14 Recommendation 4.2/1(c).
References
- Regulation (EU) 2023/203, Part-IS Annex — performance monitoring and continual improvement requirements; incident reporting obligations (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- Doc 9854 (Global ATM Operational Concept) and Doc 9883 (Manual on Global Performance of the Air Navigation System) — KPA definitions and KPI families underpinning the matrix.
- Directive (EU) 2022/2555 (NIS2), Articles 21-23 — incident reporting KPIs: early warning 24h, notification 72h, final report 1 month (authoritative source — not in local library).
- Doc 10184 (Assembly Resolutions in Force), Resolution A41-19, §2(d) — risk-based approach; monitoring and incident detection KPI rationale.
- EASA AMC and GM to Part-IS — guidance on ISMS effectiveness measurement and management review content (authoritative source — not in local library).
Two timelines to keep distinct
When working with aviation cybersecurity dates, separate:
- Regulatory development — when instruments were published or amended by ICAO, EASA, or the EU.
- Applicability / entry into force — when those instruments became binding on organisations.
Implementation by individual organisations is a third timeline; it must be expressed in terms of the applicability dates, not the publication dates.
Consolidated year-keyed timeline
| Year | Event |
|---|---|
| 2001-2010 | Aviation security focus on physical threats post-9/11; ICAO Annex 17 progressive amendment on physical security; cyber not yet a formal Annex 17 provision. |
| 2013 | ICAO AVSEC Panel begins work on cyber threat provisions for Annex 17. |
| 2016 | ICAO High-level Conference on Aviation Security (HLSC/2016); cybersecurity identified as an emerging challenge requiring dedicated guidance. |
| 2019 | ICAO publishes the Aviation Cybersecurity Strategy and Cybersecurity Action Plan; commits to a cross-cutting, multi-disciplinary approach. |
| 2020 | Annex 17, Eleventh Edition, published; §4.9 (Measures relating to cyber threats) included as a dedicated Standard and Recommended Practice for the first time. |
| 2021 | EASA Opinion 03/2021: EASA proposes Part-IS implementing rules to the European Commission; technical consultation with industry. |
| 2022 | Annex 17, Twelfth Edition, published (applicable 18 November 2022); §4.9 retained and clarified. |
| 2022 | Regulation (EU) 2022/1645 (Delegated) published in Official Journal (OJ L 248, 26.9.2022); covers design, production, and aerodrome operators. |
| 2022 | Directive (EU) 2022/2555 (NIS2) published (OJ L 333, 27.12.2022); EU Member States must transpose by 17 October 2024. |
| 2022 | ICAO 41st Assembly (A41), October 2022: Resolution A41-19 adopted — Addressing Cybersecurity in Civil Aviation; urges implementation of ICAO Strategy and Action Plan. |
| 2022 | Doc 10209 (AN-Conf/14 Report): Recommendation 4.2/1 on Aviation Cybersecurity adopted; endorses integrated ANS cyber risk management and national plans. |
| 2023 | Regulation (EU) 2023/203 (Implementing) published (OJ L 31, 2.2.2023); covers ATM/ANS, AIR OPS, aircrew, ATCO training, CAMOs. |
| 2024 | ICAO PANS-IM (Doc 10199), First Edition, approved 18 March 2024, applicable 28 November 2024; §6.3 mandates information security framework for SWIM stakeholders; references Doc 10204. |
| 2024 | NIS2 national transposition deadline: 17 October 2024; EU Member States adopt implementing legislation; ANSPs assess NIS2 obligations and Part-IS lex specialis. |
| 2025 | EASA publishes AMC and GM to Part-IS ahead of first applicability date. |
| 2025 | Regulation (EU) 2022/1645 applicable: 16 October 2025 — design organisations, production organisations, aerodrome operators must have ISMS operational. |
| 2026 | Regulation (EU) 2023/203 applicable: 22 February 2026 — ATM/ANS organisations, ANSPs, AIR OPS, aircrew, ATCO training organisations, CAMOs must have ISMS operational. |
| 2026 onwards | Ongoing NAA oversight of Part-IS compliance; periodic ISMS reviews and continual improvement cycles; ICAO monitoring of global cybersecurity implementation via regional groups. |
Key inflection points
Three dates are the headline milestones for the ATM/ANS community:
17 October 2024 — NIS2 transposition. EU Member States' NIS2 legislation comes into force, applying cyber risk management and incident reporting obligations to essential entities including air transport operators. ANSPs need to understand their NIS2 scope and the lex specialis relationship with Part-IS.
16 October 2025 — Regulation (EU) 2022/1645 applicable. Design organisations, production organisations, and aerodrome operators must demonstrate ISMS compliance. Some aerodromes with embedded ATM functions are in scope.
22 February 2026 — Regulation (EU) 2023/203 applicable. This is the critical date for ANSPs and ATM/ANS organisations. From this date, the ISMS must be operational, documented, and available for NAA oversight inspection.
Implementation monitoring
- EU level: EASA and national competent authorities (NAAs) run oversight programmes against Part-IS. EASA may conduct standardisation inspections to assess consistency of national oversight.
- EU NIS2 level: National cybersecurity authorities (NCAs) monitor NIS2 compliance; coordination with NAA avoids duplicate supervision.
- Global level: ICAO monitors State implementation of Annex 17 §4.9 and the Aviation Cybersecurity Strategy through the USAP-CMA audit programme and regional planning group reporting. AN-Conf/14 Recommendation 4.2/1(c) calls on States to report experience to ICAO.
- Organisational level: Periodic NAA oversight visits; annual management review; ISMS internal audit cycle.
References
- Annex 17 (Aviation Security), Twelfth Edition, 2022, §4.9 — cyber Standard applicable from 18 November 2022.
- Doc 10184 (Assembly Resolutions in Force, 41st Session, 2022), Resolution A41-19 — adopted October 2022.
- Doc 10209 (AN-Conf/14 Report, 2022), Recommendation 4.2/1 — adopted 2022.
- Doc 10199 (PANS-IM), First Edition — approved 18 March 2024; applicable 28 November 2024; §6.3 information security framework.
- Regulation (EU) 2022/1645 (Delegated), OJ L 248, 26.9.2022 — applicable 16 October 2025 (authoritative source — not in local library).
- Regulation (EU) 2023/203 (Implementing), OJ L 31, 2.2.2023 — applicable 22 February 2026 (authoritative source — not in local library).
- Directive (EU) 2022/2555 (NIS2), OJ L 333, 27.12.2022 — transposition deadline 17 October 2024 (authoritative source — not in local library).
ICAO instruments
- Annex 17 (Aviation Security), Twelfth Edition, 2022, Chapter 4, §4.9.1 — Standard: States to ensure operators identify critical ICT systems/data for civil aviation and implement protective measures per risk assessment.
- Annex 17, Twelfth Edition, 2022, Chapter 4, §4.9.2 — Recommended Practice: protection of confidentiality, integrity, availability; security by design; supply chain; network separation; remote access limitation.
- Annex 10, Volume III (Communication Systems), §1 Amendment record, Note 5 — Information security provisions referenced to PANS-IM (Doc 10199) in context of ATN and SWIM.
- Annex 10, Volume II (Communication Procedures), Note — information security provisions also in PANS-IM (Doc 10199).
- Annex 19 (Safety Management), Second Edition — SMS framework for ANSPs and ATM/ANS organisations; parallel management system that Part-IS ISMS integrates with.
- Doc 10199 (PANS-IM, Procedures for Air Navigation Services — Information Management), First Edition, applicable 28 November 2024, Chapter 6, §6.3 — Information security framework for SWIM stakeholders; CIA requirements; information security category; guidance in Doc 10204.
- Doc 10184 (Assembly Resolutions in Force, 41st Session, 2022), Resolution A41-19 — Addressing Cybersecurity in Civil Aviation; implementation of ICAO Aviation Cybersecurity Strategy and Action Plan; risk-based approach; national authority designation; cybersecurity culture.
- Doc 10209 (AN-Conf/14 Report, 2022), Recommendation 4.2/1 — Aviation cybersecurity; States to develop national plans; align with regional plans; report implementation experience; ANSP integrated cyber risk management.
- Doc 10204 (Manual on Information Security) — ICAO guidance on classification of information in security categories, risk assessment, and control selection (authoritative source — not in local library; https://www.icao.int/Security/CyberSecurity/Pages/doc10204.aspx).
EU regulatory instruments
- Regulation (EU) 2022/1645 (Commission Delegated Regulation establishing requirements on information security for design organisations, production organisations, and aerodrome operators), applicable 16 October 2025 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R1645).
- Regulation (EU) 2023/203 (Commission Implementing Regulation establishing requirements on information security for ATM/ANS organisations, air operations, aircrew, ATCO training, and continuing airworthiness management organisations), applicable 22 February 2026 (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R0203).
- Regulation (EU) 2018/1139 (EASA Basic Regulation) — legal mandate for Part-IS implementing rules; competent authority framework (authoritative source — not in local library).
- Directive (EU) 2022/2555 (NIS2 — Network and Information Security Directive, recast), OJ L 333, 27.12.2022, transposition deadline 17 October 2024 — EU-wide cybersecurity risk management and incident reporting for essential entities including air transport; lex specialis relationship with Part-IS (authoritative source — not in local library; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555).
EASA guidance
- EASA AMC and GM to Part-IS — Acceptable Means of Compliance and Guidance Material for both Part-IS regulations; ISMS scope, risk assessment methodology, control families, incident reporting, safety-security interface (authoritative source — not in local library; https://www.easa.europa.eu/en/document-library/acceptable-means-of-compliance-and-guidance-material/amc-and-gm-part-is).
ICAO strategic documents
- ICAO Aviation Cybersecurity Strategy (2019) — cross-cutting, multi-disciplinary approach to aviation cyber threats; founding strategic document (authoritative source — not in local library; https://www.icao.int/Security/CyberSecurity/Pages/Cyber-Strategy.aspx).
- ICAO Cybersecurity Action Plan — operational tool supporting implementation of the Aviation Cybersecurity Strategy; updated periodically (authoritative source — not in local library; https://www.icao.int/Security/CyberSecurity/Pages/Action-Plan.aspx).
External reference standards (non-binding guidance)
- ISO/IEC 27001 (Information security management systems — Requirements) — international ISMS standard referenced in EASA AMC/GM as an acceptable reference framework for Part-IS compliance (authoritative source — not in local library; https://www.iso.org/standard/27001).
- EUROCONTROL Aviation Cyber Security Strategy — sector-specific guidance for European ANSPs; threat intelligence sharing via EUROCONTROL CSOC (authoritative source — not in local library; https://www.eurocontrol.int/sites/default/files/2019-11/eurocontrol-aviation-cyber-security-strategy-2019.pdf).
- NIST Cybersecurity Framework (CSF) — US framework widely used in ATM sector globally; Identify-Protect-Detect-Respond-Recover functions map to Part-IS ISMS lifecycle (authoritative source — not in local library; https://www.nist.gov/cyberframework).