
Coming soon to an organisation like yours - Information Security Management



We’ve no doubt written about more interesting topics in the past than this, but as we’ve been repeatedly asked about it by our customers we can’t put it off any longer: for operators falling under the oversight of EASA there is a new requirement coming into view very rapidly, Information Security Management.


This was brought in by Implementing Regulation (EU) 2023/203, has been incorporated in the Easy Access Rules as ORA.GEN.200A and becomes effective from 22 February 2026 for FSTDOs and ATOs. You may have noticed that the latest version of the EASA application form for initial activities for an FSTDO or FSTD qualification (form FO.FCTOA_00120-009) already includes a line for a new nominated/designated post holder, line 3.2.5 Information Safety Manager.


The regulation itself is fairly short:


ORA.GEN.200A Information security management system Regulation (EU) 2023/203

In addition to the management system referred to in point ORA.GEN.200, the organisation shall establish, implement and maintain an information security management system in accordance with Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.

[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]


However, there is currently no Acceptable Means of Compliance (AMC) or Guidance Material (GM) in the Part ORA Easy Access Rules, and from the EASA response when we asked the question at the EFTeG meeting before Christmas last year it appears there won't be any coming any time soon.


In that case where do we find guidance?

For that you have to look at the overall Part-IS documents. We have to warn you that these are on the verbose side and not specific to ATO or FSTDO operations; indeed, reading them it is hard to find references directly relevant to our part of the industry. There are three principal documents: one specific to national authorities, one specific to organisations and a combined document, Easy Access Rules for Information Security (Regulations (EU) 2023/203 and 2022/1645).


Unfortunately the individual documents only contain the AMCs and Guidance Material, not the hard law, so are pretty much pointless on their own. The combined document includes the hard law, Annex II (Part-IS.I.OR) being the relevant section; this section alone is 85 pages long! We don’t like to advertise specific products, so let’s just say you need to make sure you have a good supply of heavily caffeinated drinks on hand before attempting to read this.


OK, but what's this all actually about?

Well, it’s all about aviation safety risks. The regulations are being implemented to ensure that aviation safety is not compromised, whether by accident or by nefarious actors stealing or deliberately corrupting information or information systems.


What do FSTDOs and ATOs need to do?

Put simply, you need to put an Information Security Management System (ISMS) in place. Job done, one might say.


Part-IS splits the work into two distinct phases: Implementation and Operation. The implementation phase establishes the system, whilst the operational phase is a continuous process of identifying risks and managing them. The guidance material includes the diagram below.


[Figure: Flowchart illustrating the ISMS processes, Implement and Operate, with steps such as defining the policy, risk management and continuous improvement. Ref. Easy Access Rules for Information Security (Regulations (EU) 2023/203 and 2022/1645), ANNEX I — INFORMATION SECURITY — AUTHORITY REQUIREMENTS [PART-IS.AR], Figure 2, page 33.]

Implementation Phase: The first phase, as the name suggests, is the initial establishment of the ISMS, including scoping the ISMS, appointing the responsible person and putting in place the management and reporting framework. This will lead to the production of an Information Security Management Manual (ISMM), but it will also require integrating the principles into the existing Management Manuals, including, assuming you don’t wish to set up an additional system, incorporating oversight of the ISMS into your Compliance Management system.


The biggest challenge we foresee is the appointment of the “Responsible Person”; this person is going to need practical experience in either implementing or managing an ISMS in a relevant organisation. This skill set will be hard to find within a small FSTDO or ATO. Whilst larger organisations may have an IT department to turn to (even though the scope is not just cybersecurity), smaller organisations won’t have this luxury. Once this person is in place the ISMM should not be too difficult; in fact it is not a million miles away from your Safety Management Manual.


Operational Phase: We don’t see this phase as being too onerous; like Safety Management, it is a case of regular reviews and ensuring that staff remain vigilant. Oh, and doing what you said you were going to do.


What sort of aviation risks then?

Appendix 1 to the AMC/Guidance Material does have some examples, including a specific example for “Training systems”, example 5.


This example has three threat scenarios, which can be summarised as follows:

  • Denial of availability of training equipment leading to a shortage of trained staff to operate aircraft.

  • Loss of integrity of the training systems whereby changes are made that lead to negative training, again leading to a shortage of trained staff to operate aircraft.

  • Compromised access to confidential information leading to more sophisticated attacks.


Whilst these are real threats, certainly the first two, it’s hard to believe that these risks are not already known to any FSTDO/ATO and that they don’t already have processes in place to mitigate them. We did a short brainstorm to think of other possible scenarios. Among the ones we identified were:

  • Theft of pilot licensing information leading to impersonation; yes, there is a very low likelihood of anyone actually getting access to an aircraft this way, but perhaps in a TRE/TRI role?

  • Supply chain vulnerabilities from third-party software or equipment used in training (e.g. ARINC 424 and FMS databases, online CBT, FSTDO/ATO management tools, TDM updates) that may be compromised.

  • Insider Threats where authorised users misuse access to compromise information (or systems).

  • Ransomware attacks, again leading to denial of service.

  • Malicious updates or interference from either external sources or disaffected internal sources.


Conclusion

Although we are not 100% convinced this initiative will add many safety benefits to an FSTDO, we can see its relevance to an ATO, particularly one that operates aircraft in addition to FSTDs. However, despite unsubstantiated rumours of delays in its implementation, it is coming, it will be law and it has to be done.


Once the hurdle of appointing the responsible person has been passed, the writing of the ISMM should not be too complex, and the continuous monitoring can be combined with the Safety Management and Compliance Monitoring schedules and training.


How can SIM OPS help?

We’ve developed an implementation checklist and can provide training and support on the regulations and their implementation.

