EASA's Part-IS compliance material names EUROCAE ED-202A and ED-203A, the standards known internationally as DO-326A and DO-356A, which is why EASA Part-IS training is now on the agenda for every design and production organisation.
If you are reading this, you are likely aware that since October 2025, every EASA Design Organisation Approval (DOA, Part 21J) and Production Organisation Approval (POA, Part 21G) holder must comply with Part-IS (Regulation (EU) 2022/1645), building and maintaining an Information Security Management System (ISMS).
At the core of that ISMS is a risk assessment covering cyber risks that could affect aviation safety, and DO-326A is the method EASA points to for running it.
The three parts of Part-IS that matter here:
1/ IS.D.OR.205 requires the risk assessment. Its compliance material points to EUROCAE ED-202A and ED-203A (DO-326A and DO-356A) for the method:
Supporting documentation and methods can be found in EUROCAE ED-203A, Chapter 3.6 which references the evaluation of the potential of occurrence of the threat scenario in the Security Risk Assessment of EUROCAE ED-202A.
2/ IS.D.OR.240 requires the people doing this work to be competent. If nobody in your design team can run a security risk assessment, that is a compliance gap that regulators expect to be satisfied.
3/ IS.D.OR.245 requires the records to prove it. A course certificate is exactly the evidence an auditor will ask for.
According to the standard, ownership sits with the Head of the Design Organisation. The people who need the competence are your Heads of Airworthiness, Chief Engineers, and certification and design assurance leads.
What level of training you need
What you actually need depends on your organisation's situation.
If your driver is Part-IS compliance, the security risk assessment is the piece that matters.
We are building a focused Part-IS session around exactly that: security scope definition, the risk assessment process itself, risk acceptability, and communicating the evidence.
You will leave equipped to satisfy IS.D.OR.205, with the competence and records that IS.D.OR.240 and IS.D.OR.245 demand, and a method your team can actually run - if that is what you need, get in touch today.
If you are certifying products and need the full DO-326A/ED-202A process end to end, we are running our complete two-day Cyber Security Airworthiness course in Cardiff, as well as offering bespoke in-house delivery, tailored to your organisational requirements.
That covers the whole airworthiness security process through to security development, effectiveness, and full assessment.
Both are BCS-accredited and were built by our founder Dan Locke, former Head of Cyber Security and Software at the UK Military Aviation Authority.
References
- Commission Delegated Regulation (EU) 2022/1645 — eur-lex.europa.eu
- EASA Easy Access Rules for Information Security (Part-IS) — easa.europa.eu
- EUROCAE ED-202A / ED-203A — eurocae.net