Cybersecurity is going through a fundamental shift in how organisations think about it. The old model was perimeter defence — to protect the infrastructure. Servers. Databases. Networks. Define the boundary, keep attackers out. That model made sense when organisations were more contained. It no longer reflects reality.
Today, supply chains span dozens of organisations, contractors access internal systems remotely, data lives across cloud services, and AI has dramatically lowered the barrier to entry for attackers. Deepfakes, credential theft, loss of access to critical systems — threats that once required significant resources are now accessible to almost anyone.
The goal becomes seeing risks clearly, responding fast, limiting damage, and maintaining operations when a cyber incident happens. The question is no longer if — it's when.
The real vulnerability is trust. Trust in access controls. Trust in email. Trust in contractors. A login and password pair costs approximately $1.50 on the darknet. Phishing email volume increased 12x last year — and these emails are now targeted, not mass-blast. The biggest consequence of a successful attack isn't financial loss. It's a loss of trust — from clients, partners, regulators.
More than 90% of cyberattack incidents in 2025 involved AI in some form.
The tools are the same on both sides. The battle is no longer cybercriminal versus security professional — it is algorithm against algorithm. AI is an amplifier: weak processes do not stay weak, they get exploited faster than any human team could find them.
Technically, cybersecurity keeps up. Organisationally — no.
Cybercriminal
- Picks tool → executes → done.
- No procurement process.
- No compliance review.
Fast.
Regulated organisation
- Justifies purchase → documentation → training → approvals → deploys.
The threat has already moved.
This is the gap. And it is not a technology gap.
Why aviation feels this harder
Structural exposure — before the regulation
Risk-based thinking — identifying hazards, assessing likelihood and impact, building systems that detect and recover — is already embedded in how regulated industries operate. Aviation has practised this logic in safety management for decades. In that sense, the direction cybersecurity is moving is familiar ground. But familiarity is not the same as readiness. Aviation organisations face specific information security exposures that deserve serious attention — and the AI era is making them harder to ignore.
Supply chains are dense: a large airline or MRO, for example, operates across hundreds, sometimes thousands, of active vendor relationships and other interfaces. Each one is an access point. Each one carries trust assumptions that an attacker can exploit.
Management of change in aviation is deliberately slow and comprehensive. That is the right approach for safety. But it creates a structural asymmetry: the organisation cannot move at the speed the threat landscape moves, by design.
And the consequence profile is different. In most industries, a corrupted system means a business problem — financial loss, reputational damage, operational disruption. In aviation, corrupted data, compromised navigation systems, or manipulated maintenance records can mean a safety event. The stakes are not comparable.
This is why cybersecurity in aviation cannot be treated as an IT matter. It is also a safety matter — which is exactly the logic that produced Part-IS.
The regulatory response
Part-IS and the Safety Management System
EASA Part-IS (Commission Delegated Regulation (EU) 2022/1645) sits directly inside this conversation. It is a safety regulation — not an IT regulation. It does not redefine aviation safety standards. It introduces information security risk as an additional cause within the existing safety risk management framework. An information security incident that could affect safety-critical operations belongs in the safety management system, next to hazard identification and risk assessment.
Part-IS is not an addition to your IT security policy. It is an extension of your SMS — the same framework that governs hazard identification, risk assessment, and safety assurance.
For aviation organisations, EASA has developed proportionality criteria across three dimensions: safety impact (your position in the aviation functional chain), organisational complexity (people, hierarchies, sites), and ICT complexity (your technology environment). The assessment result determines what a proportionate information security management system looks like for your organisation.
ISO 27001 certification does not equal Part-IS compliance. ISO is business-oriented, focused on business continuity. Part-IS is safety-focused, with risk appetite predetermined by safety severity levels. They can complement each other, but one does not substitute for the other.
The deeper challenge Part-IS surfaces is organisational — not technical.
In most aviation organisations, the safety team and the information security function have never needed to work together. Safety Managers understand hazard identification and bow-tie analysis. IT security teams understand threat modelling and vulnerability management. Neither speaks the other's language fluently. Part-IS does not just add requirements — it requires these two communities to build a shared process and a shared vocabulary. That is harder than any technical implementation.
Aviation organisations had Safety Management Manuals years before they had genuine safety culture. Part-IS can follow the same path — checkbox compliance on paper, no real resilience underneath. Or not.
A speaker at an EASA aviation cybersecurity workshop, whose organisation held ISO 27001 certification, discovered through Part-IS implementation that their biggest vulnerability was not any of their systems. It was their people — phishing attempts, domain spoofing, fake invoices reaching their customers. Their conclusion was simple: the best mitigation is you. The best antivirus and firewall mean nothing if user awareness is low.
People. Process. Technology. Continuous improvement. In that order.
The reframe
Safety intelligence as competitive position
Most organisations frame cybersecurity as cost and risk. I think that framing is incomplete.
Organisational maturity in safety and security is a competitive differentiator. The technology is increasingly the same on both sides.
That is not a cost centre. That is a strategic position.
The organisational capability to convert signals into decisions — detecting threats early, managing their impact, and demonstrating control when it matters most — is the foundation of safety intelligence.
Compliance keeps your certificate. Trust keeps your clients. Safety sustains your ability to operate. The organisations that protect all three aren't just more secure — they're harder to compete with.
Sources and references
- 01 Cybersecurity Dialogue — Diia.City Union & DarkCloud, Kyiv, March 31, 2026. Source for: attack surface shift, credential pricing, phishing volume data and AI.
- 02 EASA Part-IS Implementation Workshop 2025 — Cologne, June 25–26, 2025. Source for: organisational use cases, Lufthansa Cargo implementation experience, use cases from early implementation.
- 03