Summary of "Re(vivez) le webinaire Partie-IS de la DSAC et OSAC !"

Summary of the Webinar on Part-IS of DSAC and OSAC

This webinar focused on the implementation, compliance, and monitoring of the European aviation cybersecurity regulation known as Part S, which integrates cybersecurity as an evolution of existing aviation management systems. The session brought together key stakeholders from organizations responsible for various aviation approvals including EROPS, aircrew training, CAMO, Part 145 maintenance, and Part 21J production.

---

Main Ideas and Concepts

• Purpose of Part S: Part S aims to incorporate cybersecurity risk management into existing aviation safety and security management systems, addressing the increasing cyber threats in the aviation sector.
• Cybersecurity as an Evolution: Cybersecurity is presented as an extension of existing management systems rather than a complete overhaul. Organizations should capitalize on current processes and integrate cybersecurity risk management accordingly.
• Proportionality and Risk-Based Oversight (RBO): The regulation’s implementation is based on proportionality, adapting requirements to the size, complexity, and risk exposure of organizations to optimize resource allocation and focus on the most critical areas.
• Common Approach Between Authorities (DSAC and OSAC): A harmonized strategy and collaboration between DSAC (Direction de la Sécurité de l'Aviation Civile) and OSAC (Organisme pour la Sécurité de l'Aviation Civile) ensure coherent monitoring and supervision of organizations.
• Key Regulatory and Organizational Changes:
  • Introduction of new roles such as a common responsible person for cybersecurity within groups of companies.
  • Designation of a person responsible for Part S implementation with authority for daily cybersecurity risk management.
  • Integration of cybersecurity incident management into existing crisis management and change management processes.
  • Emphasis on internal compliance monitoring and assurance, ideally combining cybersecurity compliance roles with existing compliance managers.
• Cybersecurity Risk Management Process: Aligns with traditional risk management steps (identification, analysis, prioritization, treatment) but with adjustments to account for cyber-specific threat likelihood and system vulnerabilities.
• Incident and Change Management: Organizations must establish systems for reporting cybersecurity-related events and incidents, integrating these into their overall crisis and change management frameworks.
• Exemptions and Eligibility: Certain organizations and activities are exempt or eligible for exemptions based on risk assessments using a Cyber Risk Exposure Analysis Tool. Exemptions are not automatic and require formal requests.
• Implementation Tools and Guidance:
  • The France Cyber Compliance Framework (3CF) guide assists organizations in implementing cybersecurity requirements aligned with ISO 27001 standards and European regulations.
  • A self-assessment matrix (PG1) and exemption request forms (PJ2 and PJ3) are provided to facilitate compliance and exemption applications.
  • The Cyber Risk Exposure Analysis Tool (Excel-based) helps organizations assess their risk level and eligibility for exemption.
• Monitoring and Surveillance: After the transition phase, scheduled audits will focus on cybersecurity elements integrated within management systems. Leading entities will conduct comprehensive audits, while follower entities will perform complementary surveys.
• Deadlines and Compliance Timeline:
  • June 16, 2025: Deadline for submitting initial instruction or exemption files for Part 21G approvals.
  • October 22, 2025: Deadline for other approvals (CTA, CAMO, Part 145, etc.).
  • October 16, 2025, and February 22, 2026: Dates for the application of Part S regulations for respective approvals.

---

Detailed Methodology / Instructions Presented

1. Organizational Setup and Roles
   • Identify and appoint key personnel:
     • Responsible Manager / Executive
     • Common Responsible Person (for groups)
     • Part S Implementation Manager
     • Compliance Manager (ideally combined with existing roles)
   • Ensure these roles have appropriate authority and independence.
2. Policy and Commitment
   • Integrate cybersecurity into existing security policies.
   • Obtain formal commitment from top management.
   • Reflect cybersecurity in organizational manuals and management system documents.
3. Incident Management
   • Set up reporting systems for cybersecurity events and incidents.
   • Integrate incident response into crisis management plans.
   • Define detection, reaction, and recovery procedures.
4. Risk Management
   • Use established risk management processes adapted for cybersecurity.
   • Focus on likelihood of cyberattacks and system vulnerabilities.
   • Prioritize and treat risks with designated action leaders.
5. Compliance Monitoring
   • Develop a monitoring plan combining Part S with existing compliance frameworks.
   • Maintain independence of compliance assurance functions.
   • Monitor effectiveness and corrective actions.
6. Change Management
   • Define changes subject to authority approval and those that are not.
   • Integrate cybersecurity risk analysis into all changes affecting information systems.
   • Capitalize on existing change management procedures.
7. Exemption Process
   • Use the Cyber Risk Exposure

Category

Educational

Share this summary

Share on X/Twitter Share on Facebook Share on LinkedIn Share on Reddit Share on WhatsApp Share on Telegram

Video