Note: Regulations are current as of August 2025. Always check official sources for the latest updates.
Cybersecurity regulations in the maritime industry are no longer just guidance; they’re enforceable, global mandates. Whether you manage a fleet, operate port facilities, or oversee shipbuilding, compliance with new cyber rules is now essential for safety, operations, and your bottom line. In this article, we’ll walk you through the most significant maritime cybersecurity regulations, and more importantly, what you need to do to stay ahead.
Why cybersecurity matters more than ever
Vessels, ports, and offshore platforms are increasingly reliant on digital systems for navigation, communications, cargo handling, and engine controls. That means the potential impact of a cyberattack is operational and immediate. A targeted breach can delay schedules, jeopardize crew safety, damage your reputation, or even result in regulatory fines. The maritime industry is now expected to treat cybersecurity with the same seriousness as physical safety. The latest regulations formalize this shift, making cybersecurity a core operational and compliance requirement.
IMO Cyber Risk Management – MSC-FAL.1/Circ.3/Rev.3 (April 2025)
The International Maritime Organization (IMO) updated its guidance under MSC-FAL.1/Circ.3/Rev.3. This revision requires shipping companies to formally integrate cyber risk management into their existing Safety Management Systems. Importantly, Resolution MSC.428(98) has already required cyber risks to be addressed in the International Safety Management (ISM) Code since the first annual DOC verification after January 1, 2021. This means having clearly defined cyber policies, assigning responsibilities within your organization, and maintaining a well-documented continuity plan. The regulation also emphasizes the importance of maintaining an up-to-date inventory of your vessel’s digital systems, actively monitoring for vulnerabilities, and preparing incident response and recovery plans that align with international standards such as ISO 27001 and IEC 62443. If your current ISM documentation doesn’t include cybersecurity, it’s time to revisit and revise. (IMO MSC.428(98)), (IMO MSC-FAL.1/Circ.3/Rev.3)
IACS Unified Requirements – E26 & E27 (Mandatory from July 1, 2024)
Issued by the International Association of Classification Societies (IACS), Unified Requirements E26 and E27 are mandatory for all newbuild contracts signed from July 1, 2024. These requirements embed cyber resilience throughout a vessel’s lifecycle—from design and construction to daily operations. E26 covers cybersecurity for the entire vessel, ensuring IT and OT systems are secure during design and operations.
E27 focuses on onboard system resilience, requiring protection against unauthorized access, tampering, and malware. Both draw on IEC 62443 standards and extend to third-party equipment. Ship designers and supervisors must now ensure compliance with E26/E27 as a contractual and regulatory necessity.
U.S. Coast Guard Final Rule – Cybersecurity in the Marine Transportation System (Effective July 16, 2025)
In January 2025, the U.S. Coast Guard finalized new cybersecurity rules that will take effect on July 16, 2025. They apply broadly to U.S.-flagged vessels over 100 gross tons, offshore supply vessels, mobile offshore drilling units (MODUs), passenger ships, and marine transportation system (MTSA) facilities such as ports and terminals.
Requirements include:
- Plans: Cybersecurity Plan and Cyber Incident Response Plan.
- Personnel: Appointment of a Cybersecurity Officer (CySO) responsible for oversight, reporting, and drills.
- Exercises: At least two cybersecurity drills per year, plus an annual exercise.
- Testing: Vulnerability assessments and penetration testing results must be available for review.
- Technical controls: MFA, strong password policies, account lockouts, hardware/software inventories, network segmentation, logging, and encryption.
- Reporting: Cyber incidents must be reported immediately to the National Response Center.
This rule shifts cyber responsibility from being an IT-only task to a board-level concern with clear accountability.
EU NIS2 Directive – (Effective October 2024)
The EU NIS2 Directive (Directive 2022/2555) expands cybersecurity obligations for “operators of essential services,” explicitly including shipping companies and port operators. It mandates risk management practices, strict incident reporting requirements, regulatory oversight, and the possibility of fines for non-compliance. For maritime businesses in or serving the EU, compliance means assessing and documenting cybersecurity posture, putting reporting structures in place, and preparing for audits.
Other Regional and Classification Requirements (Ongoing)
In addition to international and national regulations, classification societies like ABS, DNV, RINA, and industry organizations such as BIMCO have strengthened their own cybersecurity requirements. BIMCO’s Guidelines v5, for example, were updated in November 2024 to reflect growing threats and regulatory expectations. These bodies are now requiring more rigorous risk assessments, ongoing compliance audits, and formal cybersecurity documentation as part of ISM and ISPS certifications. In short, cyber readiness is becoming a core requirement for both classification and insurance renewal. If your fleet is due for a class inspection, it’s highly likely your surveyor will be asking cybersecurity-related questions, especially around network protections, access control, and data recovery capabilities.
What all this means in practice
With so many overlapping regulations and frameworks, the message is clear: Cybersecurity is now part of safe, legal, and responsible maritime operations. To comply and protect your business, here’s what you’ll need to implement across your fleet or facility:
- Risk Management: Conduct comprehensive cyber risk assessments for both IT and OT systems. Maintain a real-time inventory of assets and prioritize protections for critical functions.
- Governance: Assign clear responsibilities, such as appointing a CySO, and create documented policies and procedures.
- Technical Controls: Implement Multi-Factor Authentication (MFA), restrict unauthorized access, maintain approved device and software lists, apply encryption and network segmentation where appropriate, and ensure antivirus, monitoring, and web filtering are in place.
- Training & Testing: Regularly train all staff and run drills to test your response to cyber incidents. Schedule annual penetration tests to find weaknesses before attackers do.
- Incident Response: Prepare a detailed response plan. Know who to contact, how to isolate a threat, and how to report incidents to relevant authorities (e.g., the National Response Center in the U.S. or national agencies in the EU).
- Standards Alignment: Align your strategy and documentation with international cybersecurity standards like ISO 27001 and IEC 62443.
Cyber compliance as competitive advantage
Treating cybersecurity as a checkbox task is a mistake. Instead, think of it as a competitive advantage. Operators that embrace cyber readiness:
- Improve operational uptime and system reliability
- Build trust with clients, insurers, and regulators
- Protect crew safety and data integrity
- And, just as importantly, are prepared when a cyber incident occurs
Conclusion
We specialize in building cyber-compliant systems tailored to the unique needs of maritime operations. Let’s talk about how we can help you stay compliant in your cybersecurity approach.
IMO – Maritime Cyber Risk & Resolution MSC.428(98) https://www.imo.org/en/ourwork/security/pages/cyber-security.aspx
MSC-FAL.1/Circ.3/Rev.3 (Guidelines issued 4 April 2025) https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3-Rev.3.pdf
IACS UR E26 & E27 – Press Release (effective 1 July 2024) https://iacs.org.uk/news/iacs-ur-e26-and-e27-press-release
U.S. Coast Guard – Final Rule (effective 16 July 2025) https://www.news.uscg.mil/maritime-commons/Article/4033732/final-rule-cybersecurity-in-the-marine-transportation-system/
BIMCO – Updated Guidelines on Cyber Security On Board Ships (Version 5, published 14 Nov 2024) https://www.bimco.org/news-insights/bimco-news/2024/20241114-cyber-security-guidelines
INTERCARGO – Guidelines on Cyber Security On Board Ships v5 (14 Nov 2024) https://www.intercargo.org/guidelines-cyber-security-onboard-ships guidelines-on-cyber-security-onboard-ships-min.pdf