The European Aviation Safety Agency (EASA) has shifted the goalposts. Cyber security is no longer just an "IT issue"—it is now a core regulatory pillar.
To understand how organizations can navigate this shift, we sat down with Steven Bentley FRAeS, CEO of Sofema Aviation Services and Sofema Online, to discuss the launch of their new Essential Information and Cyber Security course and why this training is vital for the front line.
Steve, Sofema Online has recently prioritized a 1-day "Essential Information and Cyber Security" course with Instructors Voice Over. Why this specific subject, and why now?
Steven Bentley: The timing is critical. As European aviation becomes increasingly interconnected, the "digital footprint" of a maintenance organization has expanded exponentially. We are no longer just turning wrenches; we are managing massive flows of digital data. EASA recognized that this creates a safety risk.
By introducing Regulation (EU) 2023/203, the regulator has effectively mandated that information security be treated with the same level of oversight as physical safety. We prioritized this 1-day course because the industry needs a high-impact, time-efficient way to bridge the knowledge gap before the 2026 deadlines.
You’ve mentioned that cyber security has evolved from a "technical consideration" to a "core regulatory obligation." What does that actually mean for an EASA approved organization?
Steven Bentley: The transition to a "regulatory obligation" means that failure to protect that data is now a non-compliance issue. Organizations are now legally required to have an Information Security Management System (ISMS). It’s no longer about whether you want to secure your data; it’s about the fact that you must do so to maintain your approvals.
What are the biggest challenges you see for European aviation organizations trying to demonstrate compliance with these new EASA mandates?
Steven Bentley: The biggest challenge is the "Compliance Gap." Many organizations have IT security, but they don't have Regulatory Information Security. Demonstrating compliance requires a structured approach to risk management that links back to aviation safety.
You have to prove to the competent authority that you have identified your "Critical Information Assets" and that you have a reporting culture in place. Most organizations struggle with the documentation and the specific reporting criteria—both internal and external—that EASA now demands under IS.I.OR.240.
Let’s talk about the course itself. It features "Voice Over" throughout. Why was this delivery method so important for this subject?
Steven Bentley: Cyber security can be a dry, overly technical subject if it's just text on a screen. By using Voice Over, we add a layer of guidance and human understanding.
For frontline staff, hearing an instructor explain why a certain reporting protocol exists or how a risk assessment is structured makes the information much more "sticky." It reduces the cognitive load, allowing the learner to focus on the concepts rather than just reading paragraphs of regulatory text. It brings a "classroom feel" to the convenience of online learning.
Frontline staff are often time-poor. How does a 1-day intensive format help them without compromising the depth of the material?
Steven Bentley: We designed this to be "all meat and no filler." We know a technician or a supervisor doesn't have three days to sit in a seminar.
The 1-day equivalent format focuses on the Cybersecurity Essentials. We cover the "Why," the regulatory drivers, and the practical implementation steps. It’s about giving them the tools they need to recognize a threat and understand their role in the ISMS without overwhelming them with unnecessary jargon. It’s intensive, but it’s highly focused on operational reality.
IS.I.OR.240 deals with duties, accountabilities, and responsibilities. Who is ultimately responsible for this in the eyes of EASA?
Steven Bentley: Ultimately, the Accountable Manager holds the corporate responsibility for ensuring the ISMS is financed and functional. However, the regulation is very clear that responsibility filters down.
Business Area Managers and Nominated Post Holders must ensure that their specific areas are compliant. Our course clarifies these roles so that everyone knows where the "buck stops" and what their individual reporting duties are.
What exactly will a student learn regarding "Structured Risk Assessment"?
Steven Bentley: They will learn how to move away from "guessing" what might go wrong to a structured EASA-compliant methodology. This involves identifying the asset, the threat, and the vulnerability, and then calculating the risk based on the potential impact on aviation safety.
Reporting is a major pillar of this training. Can you explain the difference between Internal and External reporting in this context?
Steven Bentley: Internal reporting is about the "no-blame" culture—catching small anomalies before they become breaches. External reporting is a regulatory mandate.
If an information security incident could have a safety impact, EASA requires it to be reported within very specific timelines (often 72 hours). Our training ensures staff know what constitutes a "reportable event" so the organization doesn't fall foul of the law.
What is the "ISMS" in an EASA-compliant organization, and how does this course help implement it?
Steven Bentley: The ISMS is the "engine" of your information security. It’s a set of policies, procedures, and controls. The course provides a roadmap for implementation.
We don't just say "you need a system"; we show you the building blocks—from the security policy to the continuous improvement mechanisms. It simplifies a complex requirement into manageable steps.
Finally, for an individual or a company looking to start today, what are the practical next steps?
Steven Bentley: Visit www.sofemaonline.com and look for the Cybersecurity Essentials course. It’s priced at 89.00 EUR to keep it accessible.
For individuals, I highly recommend our SOL Plus program, which offers significant discounts and even free courses. For companies, our Privileged Training Program (PTP) provides "Enroll Now – Pay Later" options and corporate discounts. The 2026 deadline is closer than it looks—the time to build that foundational understanding is now.
Ready to secure your operations? You can register for the EASA Cybersecurity Essentials course today.
- Duration: 1-Day Equivalent (Online)
- Format: Presentation with Voice Over
- Price: 89.00 EUR
- Contact: team@sassofia.com