This year marks another watershed moment in the aviation industry, as 2026 will see a profound digital transformation. With increasing evolution to digital maintenance management systems, and cloud-based platforms, challenges associated with cybersecurity and data protection are at the top of the industry’s agenda. Disruption or compromise of these systems can directly impact airworthiness, maintenance accuracy, and operational safety.
In response to these challenges, the European Union Aviation Safety Agency (EASA) has introduced a new regulatory framework, called Part-IS (Information Security), that directly links information security to aviation safety.
As a provider of cloud-based smart solutions and consulting services to aviation Maintenance, Repair and Overhaul (MRO) organisations, MRO-PRO examines the impact of EASA Part-IS on the sector in this blog, as well as highlighting how it can support organisations in the transition.
Overview of Part-IS and the challenge facing MRO organisations
Part-IS formally brings information security into the regulated aviation safety framework. Approved organisations are now required to implement a structured Information Security Management System (ISMS), integrated into their existing Part-145 or continuing airworthiness management systems. This includes identifying and managing information security risks, implementing governance and incident response processes, and ensuring oversight of suppliers and digital service providers.
For many MRO organisations, this represents a cultural as well as operational change. Information security can no longer be treated as a standalone IT concern; it must be embedded into safety management, compliance monitoring, management-of-change, and senior governance. With the compliance deadline of 22 February 2026 approaching, all applicable organisations must demonstrate not only documented intent, but practical, auditable implementation.
In essence, EASA Part-IS forces MRO organisations to treat information security as a regulated safety topic, with a formal Information Security Management System (ISMS) integrated into their existing Part‑145 management systems. Consequently, this will significantly expand the role of IT and digital risk management in maintenance operations, governance, and compliance. Alongside their existing Part‑145 obligations, EASA Part‑IS places explicit legal responsibility on MROs to implement structured controls for detecting, responding to, and recovering from information security incidents.
The key regulatory pillars include:
- Establishment of an Information Security Management System (ISMS) with clear scope, responsibilities, and governance.
- Systematic identification and management of information security risks to operational ICT systems and aviation data.
- Documented procedures for incident response, business continuity, and change management related to information and digital assets.
Compliance with Part-IS will be assessed through audits by National Aviation Authorities and EASA. Organisations must demonstrate effective governance, documented processes, and implementation of their ISMS. Non-compliance may result in approval limitations or disqualifications, potential financial penalties, as well as reputational damage.
Implications for MRO organisations
Part‑IS will materially change the expectations placed on IT management in MRO organisations. IT will be central to designing, operating, and evidencing a formal ISMS aligned to Part‑IS, ensuring it integrates with existing safety and compliance management systems, rather than sitting in parallel. In-house IT departments therefore move from a support role to a safety-critical function, with key responsibilities including:
- Implementing and maintaining security controls for the protection of documentation and operational data
- Supporting risk assessments and audits
- Enabling incident detection, response, and recovery
- Ensuring system resilience, monitoring and availability
Any incident with potential safety impact must be escalated and reported to the relevant NAA.
Further practical consequences for IT management:
- Configuration and change control: ICT changes that could affect safety‑critical processes (for example, updates to maintenance software, EFB tools, or connectivity with OEM systems) must fall within a documented management framework that considers information security and safety impact together.
- Third‑party and cloud oversight: As more MRO tools move to SaaS and cloud models, IT will need structured due diligence, contractual clauses, and ongoing monitoring of external providers in line with Part‑IS expectations on suppliers.
- Evidence and audit readiness: Regulators and authorities will expect clear documentation such as an Information Security Management Manual, records of risk assessments, incident logs, and evidence of corrective actions, which IT must help to generate and maintain.
How MRO-PRO simplifies the transition to Part-IS
While the regulatory responsibility for Part-IS compliance sits firmly with approved organisations, the systems they rely on day-to-day play a decisive role in how complex, time-consuming, and resource-intensive that transition becomes. MRO-PRO is designed to support safety-critical maintenance operations in a structured, controlled, and auditable way, helping organisations meet Part-IS expectations without introducing unnecessary complexity.
Built-in governance and traceability
Under Part-IS, information security becomes a senior management responsibility, not a departmental one. It positions information security at the heart of corporate governance, meaning that board executives must deliver oversight of information security risks affecting maintenance operations and an alignment between safety, compliance, and information security objectives.
MRO-PRO provides role-based access control, full audit trails, and immutable records across maintenance, certification, planning, and parts workflows. This allows organisations to evidence who did what, when, and under which authorization. This is a core requirement when demonstrating governance, accountability, and control of safety-critical information under Part-IS audits.
Secure digital maintenance processes
Part-IS places particular emphasis on the integrity and availability of information that supports airworthiness. MRO-PRO enables controlled digital processes such as electronic work orders, electronic maintenance records, and regulated use of electronic signatures. These capabilities reduce reliance on informal or fragmented systems, helping organisations ensure that maintenance data remains accurate, protected from unauthorised changes, and consistently available across all stations and bases.
Supporting risk management and incident response
MRO-PRO’s consistent system behaviour and controlled configuration model supports customers’ information security risk assessments by clearly defining how maintenance information is created, processed, and stored. In the event of a system-related issue, MRO-PRO’s structured support and incident handling processes assist organisations in meeting their Part-IS escalation, reporting, and recovery obligations in a timely and auditable manner.
Simplifying supplier and cloud oversight
Part-IS requires organisations to assess and manage risks associated with third-party providers. MRO-PRO supports this by providing transparency around system architecture, data handling, access controls, and resilience measures. This allows customers to incorporate MRO-PRO more easily into their supplier assurance activities, reducing the effort required for contractual reviews, audits, and ongoing compliance monitoring.
Integration with existing management systems
Crucially, MRO-PRO does not impose a parallel compliance framework. Instead, it supports the integration of information security considerations directly into existing Part-145 management systems, safety reporting processes, and management-of-change workflows. This helps organisations avoid duplication, streamlines compliance activity, and treats information security as a natural extension of established safety and quality practices.
Commenting on the new regulations, Scott Wells, founder and managing director of MRO-PRO, which supports several major MRO organisations with bespoke maintenance management solutions, said:
“By combining advanced data tools with real-time insight, MRO-PRO is setting a new standard in digital MRO management, which will see further innovation in 2026 with the integration of AI-enhanced solutions. The proactive adoption of Part-IS principles, therefore, will not only ensure compliance but also strengthen safety, operational resilience, and trust in an increasingly transformative aviation environment. MRO-PRO is well placed to guide and support MRO organisations through this important and complex transition.”
For a confidential discussion on how MRO-PRO can support your organization in the transition to Part-IS, please contact us.