How will the Forthcoming EASA Cyber Security Regulations Impact Smaller EASA Part 145 Organisations


Sofema Online (SOL) considers the key elements of cyber and information security within smaller EASA Part 145 organisations.

Introduction

The forthcoming EASA cybersecurity regulations, in particular Part-IS, will significantly impact smaller EASA Part 145 maintenance organisations.

• These regulations require each organisation to establish an Information Security Management System (ISMS) to manage information security risks that could affect aviation safety. Part-IS allows the ISMS to be integrated with the existing Safety Management System (SMS), which is usually the practical route for a small organisation.

• Compliance dates are 16 October 2025 for design and production organisations (Regulation (EU) 2022/1645) and 22 February 2026 for maintenance and other organisations covered by Regulation (EU) 2023/203, including Part 145.

• While smaller EASA Part 145 organizations face unique challenges in meeting the new cybersecurity regulations, early preparation, targeted investment, and a phased implementation strategy can ensure compliance without excessive disruption or financial strain.

By integrating cybersecurity into SMS, training employees, and leveraging external support, these organizations can strengthen their cyber resilience and maintain regulatory approval under EASA Part-IS.

To support these efforts, smaller organizations might consider engaging in specialized training programs and workshops designed to address the specific needs of EASA Part 145 entities. These programs can provide practical guidance on implementing ISMS and achieving compliance with the new regulations.

Key areas of focus include:

• Risk Management Framework: Implementing a structured approach to identify, assess, and mitigate information security risks. This involves training staff to recognize cyber threats, enforcing strict access controls, and regularly backing up critical data.

• Incident Response and Reporting: Developing simple yet effective incident response plans that outline procedures for detecting, responding to, and recovering from cybersecurity incidents. This includes recording all incidents and reporting those with a potential impact on aviation safety to the competent authority (EASA or the national aviation authority, depending on who oversees the approval).

• Continuous Monitoring and Improvement: Establishing ongoing monitoring processes to detect unusual activities and conducting regular reviews of systems and networks to identify vulnerabilities. This proactive approach ensures that cybersecurity measures remain effective and up-to-date.

By proactively addressing these areas, smaller EASA Part 145 organisations can enhance their cybersecurity posture, ensure compliance with the upcoming regulations, and contribute to the overall safety and integrity of the aviation industry.

Key Impacts on Smaller EASA Part 145 Organizations:

  1. Regulatory Compliance and Deadlines

• The EASA Part-IS Regulation (Regulation (EU) 2023/203) applies to all Part 145 maintenance organisations from 22 February 2026.

• Organizations must demonstrate compliance with cybersecurity risk management principles, ensuring their systems and processes adequately protect against cyber threats.

• Failure to comply may lead to findings raised against the organisation's approval, additional oversight, or restrictions on operations.

  2. Challenges for Smaller Part 145 Organisations

Smaller organizations typically have fewer resources (both financial and personnel), making it more difficult to implement cybersecurity frameworks at the same level as larger entities. The main challenges include:

• Limited IT and cybersecurity expertise: Many smaller organizations rely on external IT support rather than in-house specialists, making compliance more challenging.

• Financial constraints: The need for additional investments in cybersecurity infrastructure, tools, and training can be a burden for organizations with smaller budgets.

• Operational disruption risks: Implementing new cybersecurity policies and procedures may slow down existing workflows until teams become accustomed to new requirements.

  3. Key Cybersecurity Implementation Areas

To comply with EASA requirements, small Part 145 organisations will need to focus on these areas:

  3.1 Risk Management Framework

• Establish a structured cybersecurity risk management approach aligned with the organization’s SMS.

• Identify critical IT assets, assess potential vulnerabilities, and implement mitigation strategies.

• Develop and enforce access control policies, ensuring only authorized personnel have access to sensitive systems.

  3.2 Incident Response and Reporting

• Create a Cybersecurity Incident Response Plan outlining how to:

>> Detect cyber incidents (e.g., malware attacks, phishing, ransomware).

>> Respond effectively to minimize operational disruption.

>> Report incidents with a potential impact on aviation safety to the competent authority (EASA or the national aviation authority) as required under Part-IS.

• Train personnel to recognize cyber threats and respond accordingly.

  3.3 Continuous Monitoring & System Updates

• Implement continuous monitoring to detect unusual activities or unauthorized system access.

• Conduct regular vulnerability assessments and penetration testing to identify security weaknesses.

• Keep software and systems updated to protect against known cyber threats.
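The "continuous monitoring" bullet above gives no concrete technique, so the following is an added example, not code from the original post or from Sofema. It assumes a small organisation forwarding OpenSSH-style authentication logs from a maintenance-records server, and it applies three simple rules: a burst of failed logins from one source address, a successful login by an account that is not on the authorised-user roster, and a successful login outside approved shift hours. The log lines, the roster, the host name and the thresholds are all constructed for illustration.

```python
"""Minimal log-monitoring rules for a small Part 145 organisation.

Hypothetical example: parses constructed OpenSSH-style auth log lines and
raises alerts for (a) bursts of failed logins from one source address,
(b) successful logins by accounts not on the authorised roster, and
(c) successful logins outside approved hours.  Roster, thresholds and
sample log lines are assumptions, not data from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2025-03-04T07:58:10 mro-srv sshd[2011]: Accepted publickey for jsmith from 10.0.5.21 port 51022 ssh2
2025-03-04T08:01:03 mro-srv sshd[2020]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2025-03-04T08:01:05 mro-srv sshd[2021]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
2025-03-04T08:01:08 mro-srv sshd[2022]: Failed password for root from 203.0.113.7 port 40003 ssh2
2025-03-04T08:01:09 mro-srv sshd[2023]: Failed password for root from 203.0.113.7 port 40004 ssh2
2025-03-04T08:01:12 mro-srv sshd[2024]: Failed password for jsmith from 203.0.113.7 port 40005 ssh2
2025-03-04T12:30:44 mro-srv sshd[2100]: Accepted password for contractor1 from 198.51.100.9 port 52210 ssh2
2025-03-04T23:15:02 mro-srv sshd[2200]: Accepted publickey for jsmith from 10.0.5.21 port 51100 ssh2
"""

AUTHORISED_USERS = {"jsmith", "mkhan"}   # assumed roster of approved accounts
APPROVED_HOURS = (6, 20)                  # assumed shift window, 06:00 to 20:00 local
FAILED_THRESHOLD = 5                      # failed attempts from one IP ...
FAILED_WINDOW = timedelta(minutes=5)      # ... within this sliding window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for one sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(log_text):
    """Run the three rules over the log text and return a list of alert tuples."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    failed_by_ip = defaultdict(list)   # ip -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ok"]:
            if e["user"] not in AUTHORISED_USERS:
                alerts.append(("UNAUTHORISED_ACCOUNT", e["user"], e["ip"], e["ts"].isoformat()))
            if not (APPROVED_HOURS[0] <= e["ts"].hour < APPROVED_HOURS[1]):
                alerts.append(("OUT_OF_HOURS_LOGIN", e["user"], e["ip"], e["ts"].isoformat()))
        else:
            window = failed_by_ip[e["ip"]]
            window.append(e["ts"])
            # Drop failures that have aged out of the sliding window.
            while window and e["ts"] - window[0] > FAILED_WINDOW:
                window.pop(0)
            # Fire once, at the moment the count reaches the threshold.
            if len(window) == FAILED_THRESHOLD:
                alerts.append(("FAILED_LOGIN_BURST", e["ip"], len(window), e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two practical caveats: the rules should run on a copy of the logs forwarded off the monitored host, so an attacker who gains access cannot erase the evidence the ISMS will need during incident investigation; and the roster and shift window must be kept in step with the organisation's access-control records, otherwise the rules generate noise that staff learn to ignore.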

  3.4 Training & Awareness Programs

• Conduct mandatory cybersecurity awareness training for all employees to recognize phishing attempts, social engineering attacks, and password security practices.

• Integrate cybersecurity responsibilities into the organization’s safety culture, ensuring every team member understands their role in preventing cyber threats.

  3.5 Supply Chain & Third-Party Risk Management

• Assess cybersecurity risks associated with third-party vendors, including:

>> IT service providers

>> Aircraft component suppliers

>> Maintenance software providers

• Ensure contracts include cybersecurity clauses (security requirements, incident notification, right to audit) so that contracted activities and interfaces with other organisations remain covered by the organisation's ISMS, as Part-IS requires.

  4. Practical Steps for Smaller Part 145 Organisations to Prepare

To meet the compliance date and mitigate cybersecurity risks, smaller organisations should:

• Perform a gap analysis: Identify current cybersecurity weaknesses against EASA’s new requirements.

• Develop a simple, practical ISMS: Focus on realistic measures that align with existing SMS frameworks.

• Invest in cybersecurity tools: Consider cost-effective solutions for endpoint protection, data encryption, and network security.

• Seek external support: Engage cybersecurity consultants or third-party IT security providers to assist with compliance.

• Leverage industry training: Enroll in specialized cybersecurity courses aimed at Part 145 organisations.

Next Steps 

See the following 2-day course: Part 145 Cyber Security Implementation. For comments or questions, please email team@sassofia.com.
