Note: Regulations are current as of August 2025. Always check official sources for the latest updates.
Cybersecurity regulations in the maritime industry are no longer just guidance; they’re enforceable, global mandates. Whether you manage a fleet, operate port facilities, or oversee shipbuilding, compliance with new cyber rules is now essential for safety, operations, and your bottom line. In this article, we’ll walk you through the most significant maritime cybersecurity regulations and, more importantly, what you need to do to stay ahead.
Why cybersecurity matters more than ever
Vessels, ports, and offshore platforms are increasingly reliant on digital systems for navigation, communications, cargo handling, and engine controls. That means the potential impact of a cyberattack is operational and immediate. A targeted breach can delay schedules, jeopardize crew safety, damage your reputation, or even result in regulatory fines. The maritime industry is now expected to treat cybersecurity with the same seriousness as physical safety. The latest regulations formalize this shift, making cybersecurity a core operational and compliance requirement.
IMO Cyber Risk Management – MSC-FAL.1/Circ.3/Rev.3 (April 2025)
The International Maritime Organization (IMO) updated its guidance under MSC-FAL.1/Circ.3/Rev.3. This revision requires shipping companies to formally integrate cyber risk management into their existing Safety Management Systems. Importantly, Resolution MSC.428(98) has already required cyber risks to be addressed in the International Safety Management (ISM) Code since the first annual DOC verification after January 1, 2021. This means having clearly defined cyber policies, assigning responsibilities within your organization, and maintaining a well-documented continuity plan. The regulation also emphasizes the importance of maintaining an up-to-date inventory of your vessel’s digital systems, actively monitoring for vulnerabilities, and preparing incident response and recovery plans that align with international standards such as ISO 27001 and IEC 62443. If your current ISM documentation doesn’t include cybersecurity, it’s time to revisit and revise. (IMO MSC.428(98)), (IMO MSC-FAL.1/Circ.3/Rev.3)
IACS Unified Requirements – E26 & E27 (Mandatory from July 1, 2024)
Issued by the International Association of Classification Societies (IACS), Unified Requirements E26 and E27 are mandatory for all newbuild contracts signed from July 1, 2024. These requirements embed cyber resilience throughout a vessel’s lifecycle—from design and construction to daily operations. E26 covers cybersecurity for the entire vessel, ensuring IT and OT systems are secure during design and operations.
E27 focuses on onboard system resilience, requiring protection against unauthorized access, tampering, and malware. Both draw on IEC 62443 standards and extend to third-party equipment. Ship designers and supervisors must now ensure compliance with E26/E27 as a contractual and regulatory necessity.
U.S. Coast Guard Final Rule – Cybersecurity in the Marine Transportation System (Effective July 16, 2025)
In January 2025, the U.S. Coast Guard finalized new cybersecurity rules that will take effect on July 16, 2025. They apply broadly to U.S.-flagged vessels over 100 gross tons, offshore supply vessels, mobile offshore drilling units (MODUs), passenger ships, and marine transportation system (MTSA) facilities such as ports and terminals.
Requirements include:
- Plans: Cybersecurity Plan and Cyber Incident Response Plan.
- Personnel: Appointment of a Cybersecurity Officer (CySO) responsible for oversight, reporting, and drills.
- Exercises: At least two cybersecurity drills per year, plus an annual exercise.
- Testing: Vulnerability assessments and penetration testing results must be available for review.
- Technical controls: MFA, strong password policies, account lockouts, hardware/software inventories, network segmentation, logging, and encryption.
- Reporting: Cyber incidents must be reported immediately to the National Response Center.
This rule shifts cyber responsibility from being an IT-only task to a board-level concern with clear accountability.
EU NIS2 Directive – (Effective October 2024)
The EU NIS2 Directive (Directive 2022/2555) expands cybersecurity obligations for “operators of essential services,” explicitly including shipping companies and port operators. It mandates risk management practices, strict incident reporting requirements, regulatory oversight, and the possibility of fines for non-compliance. For maritime businesses in or serving the EU, compliance means assessing and documenting cybersecurity posture, putting reporting structures in place, and preparing for audits.
Other Regional and Classification Requirements (Ongoing)
In addition to international and national regulations, classification societies like ABS, DNV, RINA, and industry organizations such as BIMCO have strengthened their own cybersecurity requirements. BIMCO’s Guidelines v5, for example, were updated in November 2024 to reflect growing threats and regulatory expectations. These bodies are now requiring more rigorous risk assessments, ongoing compliance audits, and formal cybersecurity documentation as part of ISM and ISPS certifications. In short, cyber readiness is becoming a core requirement for both classification and insurance renewal. If your fleet is due for a class inspection, it’s highly likely your surveyor will be asking cybersecurity-related questions, especially around network protections, access control, and data recovery capabilities.
What all this means in practice
With so many overlapping regulations and frameworks, the message is clear: Cybersecurity is now part of safe, legal, and responsible maritime operations. To comply and protect your business, here’s what you’ll need to implement across your fleet or facility:
- Risk Management: Conduct comprehensive cyber risk assessments for both IT and OT systems. Maintain a real-time inventory of assets and prioritize protections for critical functions.
- Governance: Assign clear responsibilities, such as appointing a CySO, and create documented policies and procedures.
- Technical Controls: Implement Multi-Factor Authentication (MFA), restrict unauthorized access, maintain approved device and software lists, apply encryption and network segmentation where appropriate, and ensure antivirus, monitoring, and web filtering are in place.
- Training & Testing: Regularly train all staff and run drills to test your response to cyber incidents. Schedule annual penetration tests to find weaknesses before attackers do.
- Incident Response: Prepare a detailed response plan. Know who to contact, how to isolate a threat, and how to report incidents to relevant authorities (e.g., the National Response Center in the U.S. or national agencies in the EU).
- Standards Alignment: Align your strategy and documentation with international cybersecurity standards like ISO 27001 and IEC 62443.
Cyber compliance as competitive advantage
Treating cybersecurity as a checkbox task is a mistake. Instead, think of it as a competitive advantage. Operators that embrace cyber readiness:
- Improve operational uptime and system reliability
- Build trust with clients, insurers, and regulators
- Protect crew safety and data integrity
- And, just as importantly, are prepared when a cyber incident occurs
Conclusion
We specialize in building cyber-compliant systems tailored to the unique needs of maritime operations. Let’s talk about how we can help you stay compliant in your cybersecurity approach.
IMO – Maritime Cyber Risk & Resolution MSC.428(98) https://www.imo.org/en/ourwork/security/pages/cyber-security.aspx
MSC-FAL.1/Circ.3/Rev.3 (Guidelines issued 4 April 2025) https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3-Rev.3.pdf
IACS UR E26 & E27 – Press Release (effective 1 July 2024) https://iacs.org.uk/news/iacs-ur-e26-and-e27-press-release
U.S. Coast Guard – Final Rule (effective 16 July 2025) https://www.news.uscg.mil/maritime-commons/Article/4033732/final-rule-cybersecurity-in-the-marine-transportation-system/
BIMCO – Updated Guidelines on Cyber Security On Board Ships (Version 5, published 14 Nov 2024) https://www.bimco.org/news-insights/bimco-news/2024/20241114-cyber-security-guidelines
INTERCARGO – Guidelines on Cyber Security On Board Ships v5 (14 Nov 2024) https://www.intercargo.org/guidelines-cyber-security-onboard-ships guidelines-on-cyber-security-onboard-ships-min.pdf


