EASA Part-IS mandates MFA for EU aviation sector

As a core part of the EU’s critical infrastructure, the aviation sector is under growing pressure to strengthen cybersecurity. To address this, the European Union Safety Agency (EASA) has introduced Part-IS, a mandatory set of cybersecurity regulations with two implementation deadlines: October 2025 and February 2026. Here’s how UserLock's multi-factor authentication (MFA) can help aviation sector organizations.

EASA structures its aviation regulations into “Parts,” with “IS” referring to information security.

While Part-IS is new, it builds on existing standards such as ISO 27001, the NIS2 Directive, and cybersecurity frameworks from NIST and EASA itself.

For aviation organizations, Part-IS is a big deal. Not only is it the EU’s first unified set of rules specific to aviation cybersecurity, but major players like Airbus are expected to make compliance a condition for doing business.

Modern aviation runs on digital systems, from cockpit software to air traffic control to maintenance. But aviation infrastructure is complex, with out-of-date systems and long, insecure supply chains. All of this combined makes the sector a high value target for attackers. 

Threats include denial-of-service, navigation spoofing, supply chain software compromises, and ransomware. According to Thales, between January 2024 and April 2025, the sector experienced at least 27 ransomware attacks.

• 600% more ransomware attacks year-on-year

• 70% of the attacks exploited authentication weaknesses

• The most exploited weakness was credential compromise.

The level of disruption these attacks can cause is immense.

Borrowing from the approach of cybersecurity frameworks such as NIST, Part-IS’s response to the common weaknesses that make ransomware possible isn’t prescriptive. Rather than mandating specific technologies, it requires organizations to think of cybersecurity in terms of risk management.

A recurring theme is the importance of getting authentication right which is why it is no surprise that it emphasizes the need for multi-factor authentication (MFA), comprehensive password management, and applying the principle of least privilege across all users.

Privileged accounts, routinely targeted by attackers, are another big concern. Part-IS recommends that organizations counter this by putting in place centralized identity and access management (IAM) with centralized logging and access monitoring.

Given that aviation sector businesses are often part of complex supply chains with multiple partners and logistics, Part-IS stresses the need to carefully secure any access by third parties. 

It’s easy to assume that organizations can solve their problems by migrating to the cloud and passing some of the security responsibility to service providers.

In aviation, nothing could be further from the truth. Most organizations will continue to use numerous on-premise and legacy applications out of necessity, which means they face securing increasingly complex hybrid networks for years to come.

In addition, there may be a requirement for some suppliers to keep critical data and IP on-premise for regulatory reasons.

UserLock was designed to address these problems for organizations that need to keep critical applications and data on-premise.

UserLock’s primary capability is as an IAM solution used to extend the capabilities of Windows Active Directory (AD) with flexible, granular MFA policies securing all users.

This offers a simple way to implement Part-IS’s suggested authentication controls in an on-premise environment.

UserLock can be used to apply Active Directory MFA across a wide range of session types, including the Windows Login, Remote Desktop (RDP, RD Gateway, RemoteApp), IIS, VPNs, offline Windows login, off-domain, and SaaS.  

Part-IS requires organizations to implement MFA across all connection types at all times.

UserLock supports contextual access, including AD Role, machine location or IP, time, and connection type. It also allows admins to manage insecure use of concurrent connections.

Contextual access allows organizations to add an extra layer of access control in addition to MFA.

Activity can be monitored in real time and through retrospective user login auditing.

The ability to analyze user access over time is an important control for frameworks such as Part-IS.

UserLock access controls help detect suspicious logins, critical for detecting insider attacks or password compromise.

Many successful cyberattacks hijack legitimate user accounts. Detecting these in real time is essential to stop a larger compromise from happening.

Because UserLock is built on top of AD domain security, organizations can simply start using it without the need to create new policies from scratch.

Networks are already complex enough. UserLock is simple to implement and runs from a single server, avoiding the need for time-consuming management.