How EASA Part-IS ISMS Controls Map to NIS2 Article 21(2)(e) — and What Aviation Operators Still Need to Close
Every aviation operator that completed their EASA Part-IS Information Security Management System build before the February 2026 deadline faces the same uncomfortable question: does Part-IS compliance satisfy NIS2 Article 21? The short answer is partly — but not enough to stop there.
In December 2025, EASA’s joint mapping effort with the NIS Cooperation Group was formally endorsed. The mapping covers the interplay between Part-IS controls, NIS2 Article 21 risk management measures, and Article 23 incident notification obligations. The document is currently restricted to national competent authorities, so aviation operators are left to piece together their compliance picture from public regulatory sources. This article does that piecing-together for you, with a control-level equivalence table that does not appear anywhere else in published guidance.
The stakes are concrete. Aviation entities classified as NIS2 essential entities face penalties of up to €10 million or 2% of global annual revenue — administered by a national competent authority that is entirely separate from EASA and national aviation authorities. Dual oversight with two reporting lines and two compliance calendars is the operational reality for most large EU aviation operators from 2026 onwards.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
Who Is Actually In Scope: NIS2 Aviation Entity Classification
NIS2 Directive (EU) 2022/2555 designates the transport sector as a sector of high criticality under Annex I. Within the air transport subsector, three categories of entities are explicitly listed:
- Air carriers used for commercial purposes — defined as undertakings holding a valid operating licence or equivalent
- Airport managing bodies, including core airports and entities operating ancillary installations — responsible for administration, management, and coordination of airport infrastructure
- Traffic management control operators providing air traffic control (ATC) services
Two categories of entity are new to NIS2 compared to the original NIS Directive. Air Navigation Service Providers (ANSPs) and ATM Data Service Providers (ADSPs) were not covered under NIS1 — NIS2 removes the distinction between the critical service and the service provider, bringing both into scope. For a detailed breakdown of how essential and important entity classification works across sectors, the thresholds and designation criteria are covered in the linked guide. For an ANSP operating in multiple EU member states, this means registering with each national competent authority in jurisdictions where they exceed the size thresholds.
Size thresholds apply, with an important exception. Standard NIS2 classification requires 250+ employees or annual turnover above €50 million to qualify as an essential entity. However, the Directive allows national competent authorities to designate entities as essential or important regardless of size if they are the sole provider of a service in a member state or if their disruption would have significant societal or economic impact. For smaller regional airports or domestic ANSPs, this sole-provider exception is the more likely route to essential entity status.
| Entity Type | NIS2 Annex I Reference | Default Classification | Notes |
|---|---|---|---|
| Large commercial air carrier | Annex I, Sector 2 (Air Transport) | Essential entity (size threshold) | 250+ FTE or >€50M turnover |
| Major airport managing body | Annex I, Sector 2 (Air Transport) | Essential entity (size threshold) | Core airports typically qualify |
| ANSP / ANSP subsidiary | Annex I, Sector 2 (Air Transport) | Essential entity (size or designation) | New under NIS2; not covered by NIS1 |
| ADSP (ATM Data Service Provider) | Annex I, Sector 2 (Air Transport) | Essential or important (size or designation) | Newly in scope |
| Ancillary installation operator at airport | Annex I, Sector 2 (Air Transport) | Designation-based | Includes fuelling, cargo handling ICT |
| GNSS ground station operator | Via Annex I transport / designation | Designation-based | See ground navigation section below |
Once in scope as an essential entity, the compliance obligations under NIS2 Article 21 apply in full. The next question is how much of that obligation is already satisfied by your Part-IS ISMS.
What NIS2 Article 21 Actually Requires of Aviation Entities
For compliance officers and legal teams: Article 21 mandates that essential entities implement technical, operational, and organisational measures to manage cybersecurity risks using an all-hazards approach. The measures must be proportionate to the entity’s size, risk exposure, and the potential impact of an incident. Ten specific measure categories form the minimum floor — no opt-outs, no sector exceptions for aviation.
For CISOs and IT security managers: the critical phrase in Article 21(2) is “all-hazards approach.” This distinguishes NIS2 from Part-IS in a fundamental way. Part-IS is explicitly safety-centric: EASA’s IS.I.OR.205/210 risk management provisions require identification and assessment of information security risks “with potential safety impact.” NIS2 Article 21 contains no such safety-impact filter. Business-disruption cyber risks, reputational risks, and data integrity risks that carry no direct aviation safety consequence are still within NIS2 scope and require documented risk treatment plans.
The ten mandatory measure categories under Article 21(2) are:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, including backup management, disaster recovery, and crisis management
- Supply chain security, addressing vulnerabilities in direct supplier and service provider relationships
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- Multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems
Article 21(2)(e) — network and information systems acquisition, development, and maintenance security, including vulnerability handling — is the measure most directly parallel to Part-IS network security scope. It is also the measure where the gap analysis is most nuanced. More on that in the mapping table below.
The Control-Level Mapping: IS.I.OR Articles vs NIS2 Article 21(2)
The following table maps each of the ten NIS2 Article 21(2) measure categories to the corresponding IS.I.OR provision in EASA Part-IS, assesses the degree of coverage, and identifies the residual compliance gap. For deeper reference on any individual measure, the risk assessment and supply chain security guides on this site cover those measures in detail for operators without an aviation background. This mapping is consistent with the framework used by EASA and ENISA in the December 2025 NIS Cooperation Group endorsement, though the full endorsed document remains restricted to national authorities.
| NIS2 Art.21(2) | Requirement | IS.I.OR Article | Coverage Level | Residual Gap |
|---|---|---|---|---|
| (a) Risk analysis & IS policies | Risk analysis and IS security policies | IS.I.OR.205 / IS.I.OR.210 | Partial | Part-IS risk scope = safety-impacting cyber risks only. NIS2 requires all cyber risks including business disruption without safety consequence. |
| (b) Incident handling | Incident handling procedures | IS.I.OR.220 (detection & response) + IS.I.OR.230 (72h EASA reporting) | Partial | NIS2 Art.23 adds a 24-hour early warning to national competent authority not required by Part-IS. IS.I.OR.220 detection scope is safety-incident-focused; NIS2 scope is broader. |
| (c) Business continuity, backup, DR, crisis mgmt | BCP, backup, disaster recovery, crisis management | Limited provisions in IS.I.OR.200 ISMS scope | Weak | Part-IS does not mandate a standalone BCP/DRP or crisis management plan. This is a primary gap requiring new documentation. |
| (d) Supply chain security | Direct supplier / service provider security | IS.I.OR.200 (ISMS scope includes third-party systems) | Partial | Part-IS requires that third-party systems accessing critical assets are considered in risk assessment. NIS2 requires formal supplier security policies, contractual security clauses, and supplier assessment records. |
| (e) Network/IS acquisition, development, maintenance, vulnerability handling | Secure acquisition, development, maintenance; vulnerability management and disclosure | IS.I.OR.205 / IS.I.OR.210 (risk treatment for IS assets) | Partial | Part-IS covers vulnerability assessment as part of risk management. NIS2 Art.21(2)(e) specifically requires documented vulnerability disclosure procedures and structured handling for third-party component vulnerabilities — a gap for operators without a formal VDP. |
| (f) Effectiveness assessment | Policies and procedures to assess measure effectiveness | Limited — IS.I.OR.200 includes review provisions | Weak | Part-IS ISMS includes an improvement cycle but does not mandate formal KPI-based effectiveness measurement. NIS2 expects documented assessment procedures with measurable outputs. |
| (g) Cyber hygiene & training | Basic cyber hygiene and cybersecurity training for all personnel | IS.I.OR.240 (Competence & Training) | Strong | Minor gap: IS.I.OR.240 mandates role-specific training for personnel with access to critical IS assets. NIS2 requires basic cyber hygiene for ALL staff. Extend training programme to general workforce. |
| (h) Cryptography & encryption | Cryptography and encryption policies | Not explicitly mandated in IS.I.OR | None | Primary gap. Part-IS implies confidentiality controls but does not require a standalone cryptography and encryption policy. NIS2 Art.21(2)(h) explicitly requires documented policy. |
| (i) HR security, access control, asset management | HR security procedures, access control policy, asset management | IS.I.OR.200 (need-to-know principle, IS asset identification) | Partial | Part-IS mandates need-to-know access and asset identification. NIS2 requires formal HR security procedures (joiners/movers/leavers), a documented access control policy, and a maintained asset management register. |
| (j) MFA, secured communications | MFA or continuous authentication; secured voice/video/text; secured emergency communications | Not mandated in IS.I.OR | None | Primary gap. Part-IS does not mandate MFA. NIS2 Art.21(2)(j) explicitly requires MFA for all privileged access and remote access to critical systems, plus secured emergency communication channels. |
Summary of gaps by priority: Three categories require entirely new documentation that Part-IS does not address: business continuity documentation (c), cryptography policy (h), and MFA implementation (j). Three more require significant extension of existing Part-IS documentation: supply chain security formalisation (d), vulnerability disclosure procedures (e), and HR security / access control policies (i). Risk management (a), incident handling (b), and effectiveness assessment (f) require scope extension rather than entirely new frameworks.
Why Part-IS Is Not Yet Lex Specialis — and Why That Matters
The most consequential legal distinction for aviation compliance officers is this: Part-IS compliance does not satisfy NIS2 obligations, and NIS2 compliance does not satisfy all Part-IS obligations. The two frameworks run in parallel, with separate oversight regimes, separate reporting chains, and separate enforcement authorities.
Under NIS2 Article 4, the Directive acknowledges that certain sector-specific Union legal acts can be treated as equivalent — a concept known as lex specialis. If a sector-specific regulation is found equivalent, compliance with that regulation satisfies the corresponding NIS2 obligations. On 18 September 2023, the European Commission published guidelines identifying the sector-specific acts currently considered equivalent. Part-IS does not appear in that list. As of the time of writing, only the DORA Regulation (EU) 2022/2554 for the financial sector has been confirmed as equivalent to NIS2 under Article 4.
This is not a permanent determination. EASA has been working with the European Commission to have Part-IS compliance credited in the NIS2 context — either through member state transposition provisions or implementation-phase guidance. The December 2025 NIS Cooperation Group endorsement of the aviation cybersecurity mapping represents the most significant step toward that credit to date. However, guidance translating the mapping into actionable credit for national competent authorities was expected in Q4 2025 and has not yet been published in a form accessible to operators.
The operational consequence is a dual oversight burden:
- EASA and national aviation authority (NAA) — oversees Part-IS ISMS implementation, audits IS.I.OR compliance, receives 72-hour significant incident reports
- NIS2 national competent authority (NCA) — separate body (often a cybersecurity agency or communications regulator) that oversees NIS2 compliance, administers penalties, receives Article 23 incident notifications
For most EU member states, these are different organisations with different audit calendars, different documentation formats, and different enforcement cultures. An aviation CISO who has invested 18 months building a Part-IS-compliant ISMS may find themselves starting a parallel NIS2 compliance programme with an NCA that has no aviation domain expertise and applies generic digital-sector benchmarks.
The practical answer, until formal credit guidance is published, is to extend the Part-IS ISMS to cover the NIS2 gaps identified in the mapping table rather than building a separate NIS2 compliance programme. A single integrated ISMS that satisfies both frameworks reduces audit overhead and aligns with EASA’s stated direction of travel.
GNSS, ILS, and VOR Ground Stations: The NIS2 Essential Entities Aviation Operators Overlook
Most NIS2 aviation scope analysis focuses on airlines, airports, and ANSPs. The analysis rarely reaches the operators of ground-based navigation infrastructure — the entities running ILS transmitter sites, VOR stations, and GNSS ground reference equipment. This is a compliance blind spot that national competent authorities are beginning to address.
The NIS2 classification pathway for ground-based navigation operators depends on who operates the equipment:
- If operated by the aerodrome operator: the ILS and VOR equipment is part of the aerodrome’s ancillary installations and is already in scope as part of the airport’s NIS2 essential entity classification. The Art.21 obligations apply to the entire aerodrome operator entity, including its navigation infrastructure systems.
- If operated by the ANSP: ground navigation transmitters are part of the ANSP’s network and information systems. ANSPs are in scope under NIS2 Annex I. IS.I.OR.220 already identifies GPS spoofing as a specific risk scenario, making the safety-to-NIS2 bridge here relatively direct.
- If operated by a civil aviation authority or designated state agency: NIS2 Article 2 applies to public administration entities where member states determine that such entities provide services essential to the maintenance of critical societal functions. Ground navigation signal integrity — particularly in terminal areas around major airports — qualifies. National competent authorities can designate these entities as essential regardless of size.
For GNSS ground infrastructure specifically, the picture is more complex. EGNOS ground stations (Ranging and Integrity Monitoring Stations, RIMS) are operated under contracts that may split oversight between EUSPA, national surveying agencies, and private operators. Under NIS2, each operator in that chain that exceeds size thresholds or is designated by a national authority becomes a covered entity in its own right.
The Article 21 implications for navigation infrastructure operators are specific:
- Art.21(2)(e): Software and firmware updates for ILS and VOR transmitters must be managed under a documented vulnerability management programme. Updates for safety-critical navigation equipment cannot simply follow standard IT patch cycles — but the absence of a patch cycle is not a valid NIS2 compliance position. The requirement is for a documented, risk-accepted maintenance window approach, not for applying every patch immediately.
- Art.21(2)(j): Secured emergency communications includes the backup navigation systems activated when primary navigation aids fail. The integrity of those backup systems — and the secure communication channels used to activate them — falls within Art.21(2)(j) scope.
- Art.21(2)(a): GNSS receiver operators must verify the integrity of Position, Navigation, and Timing (PNT) data streams as part of their risk analysis obligations. Spoofing and jamming are explicitly identified risks, not edge cases.
Closing the Gap: Your Dual-Compliance Implementation Roadmap
The mapping table identifies ten measure categories, three with no Part-IS coverage and four with only partial coverage. The implementation approach that minimises overhead is to extend the existing Part-IS ISMS rather than build a parallel NIS2 programme. Here is a sequenced roadmap:
| Step | Action | Effort | Owner | Addresses |
|---|---|---|---|---|
| 1 | Confirm NIS2 entity classification. Determine if your organisation meets size thresholds or is designated by national competent authority. Register with NCA if in scope. | Low | Compliance Officer / Legal | Art.2 scope determination |
| 2 | Conduct a structured Part-IS / NIS2 gap analysis using the mapping table above. Document which IS.I.OR controls are claimed as partial credit for each Art.21(2) measure, and list remaining gaps. | Medium | CISO / IT Security Manager | Art.21(2)(a)-(j) baseline |
| 3 | Extend ISMS documentation to cover the three primary gaps: (a) Business Continuity and Disaster Recovery Plan covering non-safety cyber incidents; (b) Cryptography and Encryption Policy per Art.21(2)(h); (c) MFA implementation covering all privileged and remote access. | High | CISO + IT Security Team | Art.21(2)(c), (h), (j) |
| 4 | Build a dual incident notification workflow. Part-IS requires 72-hour reporting to EASA for significant incidents. NIS2 Art.23 requires a separate early warning to the NIS2 national competent authority within 24 hours, a detailed notification within 72 hours, and a final report within one month. See the full Article 23 incident notification guide for the exact content requirements at each stage. | Medium | CISO + Legal + Compliance Officer | Art.21(2)(b), Art.23 |
| 5 | Formalise supply chain security documentation: supplier security policy, security clauses for direct supplier contracts, and a supplier assessment register. Existing Part-IS third-party controls provide a starting point. | Medium | CISO + Procurement / Legal | Art.21(2)(d) |
| 6 | Establish a vulnerability disclosure procedure (VDP). This is the element of Art.21(2)(e) most likely to be absent from a pure Part-IS programme. Document how you receive, triage, and respond to vulnerability disclosures for your network and information systems. | Medium | IT Security Manager | Art.21(2)(e) |
Frequently Asked Questions
Does EASA Part-IS compliance satisfy NIS2 Article 21 requirements?
No — not automatically. Part-IS is not currently listed as equivalent to NIS2 under Article 4 of the Directive. The European Commission’s September 2023 guidelines confirmed that Part-IS does not constitute a sector-specific lex specialis for NIS2. Aviation operators classified as NIS2 essential entities must comply with NIS2 independently of their Part-IS obligations. EASA is working toward a credit mechanism, but this has not yet been published in a form accessible to operators.
Is our ANSP a NIS2 essential entity?
Almost certainly, yes, if you operate in the EU and meet either the size threshold (250+ employees or €50M+ annual turnover) or are the sole or primary provider of ATM services in a member state. ANSPs are explicitly within NIS2 Annex I scope as traffic management control operators. Registration with the relevant national competent authority is required. Check whether your national aviation authority also serves as the NIS2 competent authority — in most EU member states, they are different organisations.
Does ISO 27001 certification help with both frameworks?
Yes, substantially. Both Part-IS and NIS2 are aligned with ISO/IEC 27001 as a reference ISMS standard. Part-IS explicitly allows ISO 27001-based ISMS to be adapted to meet its requirements. NIS2 and its implementing regulation use ISO 27001 as a basis for many technical and methodological requirements. An ISO 27001-certified ISMS is the strongest starting point for dual-framework compliance, though it will still require aviation-specific customisation for Part-IS and explicit Art.21 measure documentation for NIS2.
What are the penalties for NIS2 non-compliance in aviation?
For essential entities, NIS2 administrative fines reach up to €10 million or 2% of total global annual turnover in the preceding financial year, whichever is higher. These penalties are enforced by national competent authorities independently of EASA enforcement under Part-IS. Management-level personal accountability provisions in NIS2 also expose board members and senior executives to individual liability for failures of oversight.
Do ground-based navigation operators need to comply with NIS2 separately from the airport?
It depends on the operational structure. If ILS and VOR systems are operated by the aerodrome operator or ANSP, they are included in those entities’ NIS2 obligations. If operated by a separate legal entity — such as a civil aviation authority subsidiary or contracted navigation services provider — that entity must be assessed independently against NIS2 classification criteria.
Sources
- Article 21 — Cybersecurity Risk-Management Measures, NIS 2 Directive (EU) 2022/2555
- Information Security (Part-IS) FAQ — EASA
- Part-IS Regulation Published, Completing Regulatory Framework for Cyber-Resilient Aviation — EASA
- Mapping of EU Cybersecurity Rules on Aviation Endorsed by NIS Cooperation Group — EASA Community
- NIS2 Guidelines on Sector Specific Union Legal Acts & Part-IS — EASA Community
- Civil Aviation Cybersecurity: EASA Part-IS Sets New Information Security Obligations — Jones Day
- EASA Part-IS: A Comprehensive Guide to Reg 2023/203 and 2022/1645 — Raven Aero
- NIS 2 Directive: Air Transport — airline-cybersecurity.ch
- What Does NIS2 Mean for the Aviation Industry? — Egis Group
- Navigating the NIS2 Directive: Critical Infrastructure Sectors and GNSS Compliance — Timing Solutions