{"id":29660,"date":"2026-02-09T08:58:10","date_gmt":"2026-02-09T13:58:10","guid":{"rendered":"https:\/\/ops.group\/blog\/?p=29660"},"modified":"2026-02-13T07:55:32","modified_gmt":"2026-02-13T12:55:32","slug":"easa-new-rule-for-operators-in-europe","status":"publish","type":"post","link":"https:\/\/ops.group\/blog\/easa-new-rule-for-operators-in-europe\/","title":{"rendered":"EASA\u2019s New Cyber and Data Risk Rule for Operators in Europe"},"content":{"rendered":"

On 22 Feb 2026, EASA<\/span><\/span> brings the Part-IS Information Security regulation<\/a> into force.<\/p>\n

This is not a new avionics requirement, and not a connectivity upgrade mandate. It\u2019s a management system rule. EASA wants certain aviation organisations to show they understand and manage cyber and data risks that could affect aviation safety.<\/strong><\/p>\n

That includes things like aircraft networks, satcom and cabin connectivity, data flows, access to systems, and how cyber incidents are handled. EASA\u2019s view is simple: if a digital failure or attack could impact safety, it needs to be treated like any other operational risk.<\/p>\n

The most important point up front: Part-IS only applies to organisations EASA regulates.<\/strong> Flying into Europe alone does not put you in scope.<\/p>\n

What affected operators actually have to do<\/h4>\n

If you\u2019re in scope, EASA expects a working information security management system<\/strong> that fits the size and complexity of your operation. Not theory, and not a one-off document exercise.<\/p>\n

In practical terms, inspectors will expect to see that:<\/p>\n

    \n
  • You\u2019ve assigned responsibility:<\/strong> Information security sits at management level. It\u2019s owned, not outsourced to \u201cIT\u201d.<\/li>\n
  • You know what matters operationally:<\/strong> You\u2019ve identified systems and data that would hurt safety or operations if compromised. That usually includes connectivity, EFB links, maintenance and planning systems, and interfaces with third parties.<\/li>\n
  • You actively manage risk:<\/strong> There\u2019s a repeatable process to identify, assess, mitigate, and review cyber and data risks. This updates when things change – new aircraft, new satcom, new apps, new vendors.<\/li>\n
  • Basic controls are in place:<\/strong> Access control, configuration management, patching, backups, logging, and secure remote access. Nothing exotic, but it must exist and be used.<\/li>\n
  • You can deal with incidents<\/strong>: You can detect issues, respond, recover, and learn. If an information security event could affect safety, EASA expects it to be managed properly.<\/li>\n
  • You manage suppliers:<\/strong> Part-IS pushes hard on supply chain risk. Operators are expected to understand and manage information security risks across connectivity and data providers, not just internally.<\/li>\n<\/ul>\n

    Do operators have to submit anything before Feb 22?<\/h4>\n

    Short answer: no.<\/strong> There is no blanket requirement to submit a declaration, form, or compliance statement to EASA by 22 Feb 2026.<\/p>\n

    Instead, EASA expects that from that date, your Part-IS setup exists and is actually working.<\/p>\n

    Compliance is checked through normal oversight.<\/strong> That means Part-IS will typically be reviewed at your next audit or inspection, during approval changes or renewals, or earlier if there\u2019s any kind of incident or trigger event.<\/p>\n

    Bottom line: no paperwork deadline, but also no grace period. From 22 Feb, you need to be audit-ready.<\/p>\n

    Who is definitely not directly impacted<\/h4>\n

    This is where most of the confusion sits.<\/p>\n

    Part-IS does not automatically apply to:<\/strong><\/p>\n

      \n
    • US Part 91 operators.<\/strong><\/li>\n
    • US Part 135 operators.<\/strong><\/li>\n
    • Privately owned foreign registered aircraft.<\/strong><\/li>\n
    • Operators with no EASA approval or certificate.<\/strong><\/li>\n
    • EASA Third Country Operator (TCO) authorisation holders.<\/strong><\/li>\n<\/ul>\n

      If you don\u2019t hold an EASA AOC, EASA has no legal way to enforce Part-IS on you.<\/p>\n

      So the common scenarios we\u2019re hearing about:<\/p>\n

        \n
      • A US owner flying a jet into Europe under Part 91, with no EASA approvals – no direct Part-IS compliance requirement.<\/li>\n
      • A US charter operator flying into Europe under Part 135 and holding an EASA TCO only – again, no direct Part-IS compliance requirement.<\/li>\n<\/ul>\n

        Flying into Europe, or holding a TCO, does not by itself make an operator subject to Part-IS.<\/p>\n

        Why you might be getting emails from your connectivity provider about this<\/h4>\n

        So why are operators being told \u201cthis affects you\u201d and \u201cyou must be ready by 22 Feb\u201d?<\/p>\n

        Because connectivity providers sit inside the compliance chain<\/strong>.<\/p>\n

        Their EASA-regulated customers will be audited. Auditors will ask how information security is handled end to end, including customer configurations, access rights, data routing, and system interfaces.<\/p>\n

        Providers likely don\u2019t want two security standards, weak links in customer setups, or any awkward audit questions they can\u2019t answer!<\/p>\n

        So they might be pushing requirements downstream via contract changes or software upgrades.<\/p>\n

        For operators outside scope, this can feel like a regulatory mandate. It isn\u2019t. It\u2019s commercial and risk-driven pressure, not a new EASA legal obligation.<\/p>\n

        Bottom line<\/h4>\n

        Part-IS is real and it matters – for EASA-regulated organisations.<\/strong> For non-EASA operators, the impact is indirect, driven by vendors and contracts, not regulation.<\/p>\n

        If you don\u2019t hold an EASA approval, Part-IS is not suddenly your problem on Feb 22.<\/strong> But expect more security questions from the companies you connect to.<\/p>\n","protected":false},"excerpt":{"rendered":"

        On 22 Feb 2026, EASA brings the Part-IS Information Security regulation into force. This is…<\/p>\n","protected":false},"author":32,"featured_media":29666,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[64],"class_list":{"0":"post-29660","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-briefings","8":"tag-easa"},"_links":{"self":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts\/29660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/comments?post=29660"}],"version-history":[{"count":7,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts\/29660\/revisions"}],"predecessor-version":[{"id":29739,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts\/29660\/revisions\/29739"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/media\/29666"}],"wp:attachment":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/media?parent=29660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/categories?post=29660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/tags?post=29660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}