Maritime Cyber Resilience ・ IMO / IACS / LR ・ Reay's Note

Maritime Cyber Resilience Requirements

Modern ships depend on highly connected navigation, machinery, power, cargo control, remote maintenance, and satellite communication systems. These requirements bring cyber risk into design, survey, and operational management so that a single cyber event does not escalate into a ship safety incident.

2024.07.01: Main application date for new ships under IACS UR E26 and E27.
Five functions: Identify, protect, detect, respond, and recover.
IACS UR E26/E27: E26 addresses ship-level resilience; E27 addresses onboard systems and equipment.


01 | Quick Read

This is not an IT add-on. It is part of ship safety and class maintenance.

The question is not simply whether a firewall has been installed. The real question is whether the ship can remain in a safe condition, protect critical operational technology systems, keep auditable evidence, and recover essential functions during and after a cyber event.

1. IMO: management system

MSC.428(98) requires companies to address maritime cyber risk within the SMS / ISM framework. Cyber risk therefore belongs in company safety management, crew training, reporting, drills, and audits, not only in the IT department.

2. IACS: technical requirements

UR E26 applies at ship level, while UR E27 applies to onboard systems and equipment. Together they add design, documentation, testing, and supplier responsibilities.

3. LR: practical verification

Annual and special surveys focus on plans, asset inventories, network diagrams, change records, remote access, backups, training, and test evidence. The key is whether delivery arrangements remain valid during operation.

02 | Regulatory Timeline

The requirements did not appear suddenly. They evolved from SMS management into class technical verification.

This timeline places IMO, IACS, LR, and the EU Cyber Resilience Act in one view for use in newbuilding specifications, owner training, and survey preparation.

2017: IMO MSC.428(98)

IMO required maritime cyber risk to be addressed in safety management systems.

2021.01.01: DOC annual verification milestone

Cyber risk management should be included in the SMS before the first annual DOC verification after this date.

2024.07.01: IACS UR E26/E27

Primary application date for new ships contracted for construction on or after this date.

2025.07: LR July 2025 Rules

Cyber resilience requirements are implemented through plan approval, survey, and continuing compliance checks.

2026-2027: EU CRA-related milestones

Marine digital product supply chains may also face vulnerability reporting, product security, and lifecycle management expectations.

Incident Reminder

The move toward technical verification is grounded in real evidence of operational disruption and navigation deception.

2013: White Rose of Drachs / GPS spoofing

A University of Texas at Austin research team conducted a GPS spoofing experiment on the approximately 213-foot yacht White Rose of Drachs. By transmitting counterfeit GPS signals, the team successfully misled the onboard GPS receivers and caused the vessel to deviate without triggering an obvious alarm. (UT Austin)

2017.06: Maersk / NotPetya

Maersk was affected by NotPetya. This was not ordinary ransomware, but destructive malware that encrypted or damaged victim machines and made systems and data unavailable. CFR's Cyber Operations Tracker also describes NotPetya as a tool that rendered victim machines' data unusable. (CFR)

03 | Application Route

Read the requirements as an executable route: specification, integration, testing, delivery, and operation.

The six-step route below provides a practical framework before moving into detailed checklists and document evidence.

1. Write clear specifications

Include E26/E27, class requirements, supplier documents, and cyber test scope at the newbuilding contract stage.

2. Design ship-level zones

Define security zones and conduits for OT, IT, crew Wi-Fi, supplier remote access, and critical computer-based systems.

3. Collect supplier evidence

E27 documents, topology, security functions, patching, backup, and test reports must support plan approval.

4. Verify during testing

Test accounts, access rights, remote connections, network segmentation, backups, restoration, and safe states.

5. Deliver maintainable records

Asset lists, network diagrams, change records, and recovery procedures must be usable after handover.

6. Maintain during operation

Annual and five-year surveys focus on whether software, accounts, diagrams, remote access, and drills remain valid.

04 | 15-Minute Guide

Full Reading Guide

This condensed reading path starts with the core concept, then moves through the history, effective dates, framework, UR E26, UR E27, LR implementation, responsibilities, and field application.

A. Document Positioning

This version is a 15-minute guide for owner technical teams, shipyards, system integrators, equipment suppliers, and surveyors to build a common language. It does not expand every checklist item; instead, it helps readers understand three points:

  1. Why this regulatory framework appeared
  2. What IMO, IACS UR E26/E27, and LR classification rules each control
  3. How to apply the requirements during newbuilding, plan approval, factory and shipboard testing, annual survey, and operational maintenance

Practical note: This article is a visual learning and training note. Formal design, plan approval, survey, and compliance decisions should always be based on the latest IMO documents, IACS URs, LR Rules, flag State requirements, and formal class advice.

B. Cyber Resilience Is Not Antivirus; It Is a Ship Safety Capability

Modern ships are no longer purely mechanical platforms. ECDIS, integrated automation systems, alarm monitoring systems, power management systems, dynamic positioning, cargo control, remote monitoring, satellite communications, and supplier remote maintenance all make ships interconnected IT and OT environments.

Therefore, maritime cyber resilience is not mainly about whether antivirus software or a firewall exists. The real question is:

Can the ship remain in a safe condition, continue essential operations, and recover critical functions when a cyber event occurs?

In LR's report on the cyber-resilient bulk carrier design developed with COSCO Heavy Industry, the operational scope of UR E26 is summarized through five elements: identification, protection, attack detection, response, and recovery. These five functions are a useful way to understand how cyber resilience requirements translate into ship design and operation. (LR)

| Function | Meaning for a ship | Field application |
| --- | --- | --- |
| Identify | Know the computer systems, hardware, software, network connections, and dependencies onboard. | Asset inventory, network diagram, security zone diagram. |
| Protect | Reduce unauthorized access and malware impact. | Network zoning, account privileges, USB control, remote access control. |
| Detect | Detect abnormal behavior or event indicators. | Logs, alarms, abnormal connections, and scan records. |
| Respond | Know how to isolate, report, and switch modes during an event. | Incident response, remote access shutdown, manual or backup mode switching. |
| Recover | Restore systems and operations after an event. | Backups, restoration tests, system images, recovery procedures. |

This is why cyber resilience has become a safety and class-maintenance topic in the maritime domain.


C. Regulatory History and Effective Dates

1. IMO: placing cyber risk into SMS / ISM

In 2017, IMO adopted MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems. It asks Administrations to ensure that cyber risks are appropriately addressed in existing Safety Management Systems (SMS) no later than the first annual verification of the company's Document of Compliance (DOC) after 1 January 2021. (imo.org)

IMO also issued MSC-FAL.1/Circ.3/Rev.3, Guidelines on Maritime Cyber Risk Management, which provides high-level recommendations for managing maritime cyber risk. (imo.org)

Companies and ship managers must include cyber risk in ISM / SMS.

2. IACS: from management requirement to class technical requirement

IMO addressed who should manage cyber risk, but it did not define in detail what evidence a ship or onboard equipment must submit during design, testing, plan approval, and survey.

IACS therefore developed:

  • UR E26: Cyber resilience of ships
  • UR E27: Cyber resilience of on-board systems and equipment

In LR's North Star CSOV cyber resilience class case, LR explains that the vessels were approved under LR Rules incorporating IACS UR E26 and UR E27. LR also states that such certification helps vessels withstand cyber attack, continue operating under threat, and recover quickly after an incident. (LR)

3. Key effective date: 1 July 2024

IACS states that the revised UR E26/E27 apply to new ships contracted for construction on or after 1 July 2024; the previous 1 January 2024 application date was withdrawn. (Safer and Cleaner Shipping - IACS)

| Date | Event | Practical meaning |
| --- | --- | --- |
| 2017 | IMO MSC.428(98) | Cyber risk enters SMS / ISM. |
| 2021.01.01 | DOC annual verification milestone | Company management systems must include cyber risk. |
| 2024.07.01 | Primary application of IACS UR E26/E27 | New ships begin facing class technical requirements. |
| 2025.07 | LR July 2025 Rules | Requirements are implemented through LR plan approval, survey, and continuing compliance. |
| 2026-2027 | EU Cyber Resilience Act milestones | Marine digital products may face product security and lifecycle obligations. |

D. Overall Framework: Who Governs What?

The easiest way to avoid confusion is to separate the framework into four layers:

| Layer | Main role | Practical focus |
| --- | --- | --- |
| IMO | Sets the management expectation. | Cyber risk must be included in SMS / ISM. |
| IACS UR E26 | Defines ship-level cyber resilience. | Ship zones, network connections, remote access, recovery, and integration evidence. |
| IACS UR E27 | Defines system and equipment-level cyber resilience. | Security functions, supplier documents, testing, hardening, patching, and restoration. |
| LR Rules | Translate requirements into class processes. | Plan approval, survey, annual verification, special survey, and class notation evidence. |

In short, IMO answers who must manage the risk, IACS defines what minimum technical capability is expected, and LR implements those expectations through class review and survey.


E. UR E26: Ship-Level Requirements

1. Positioning of E26

UR E26 is the ship-level requirement. It does not look only at a single item of equipment; it considers the cyber resilience of the whole ship: which systems are connected, which systems are critical to operation, which network zones must be isolated, how remote maintenance is controlled, and how the ship maintains a safe state and recovers functions after an event.

LR's report on the COSCO Heavy Industry joint development project explains that UR E26 addresses ship cyber resilience and focuses on secure integration of OT and IT equipment over the ship lifecycle. (LR)

2. Key deliverables

For newbuildings, the result of E26 should not be a single cyber resilience document. It should be a set of evidence that can be reviewed, tested, delivered, and maintained.

| Evidence | Purpose |
| --- | --- |
| Cyber resilience plan | Explains the ship-level concept, scope, responsibilities, and verification method. |
| Asset inventory | Identifies computer-based systems, software, versions, and responsibilities. |
| Network architecture | Shows zones, conduits, interfaces, and remote access paths. |
| Risk assessment | Links threats, vulnerabilities, consequences, and controls. |
| Test and recovery evidence | Demonstrates that controls and restoration procedures work in practice. |

3. Practical first checks

A surveyor or owner does not need to begin with packet-level detail. A better first step is to ask:

  • Which critical computer-based systems are onboard?
  • Are OT, IT, crew Wi-Fi, and supplier remote access clearly separated?
  • Do network drawings match switches, VLANs, gateways, firewalls, and actual cabling?
  • What software, firmware, or network settings have changed recently?
  • If ECDIS, IAS, PMS, or cargo control fails, are backups and recovery procedures available?

If these questions cannot be answered, the E26 ship-level management is probably not yet operational.


F. UR E27: System and Equipment-Level Requirements

1. Positioning of E27

UR E27 is the system and equipment-level requirement. It applies to onboard computer-based systems such as ECDIS, integrated automation, alarm monitoring, power management, DP control, main engine control, cargo control, ballast control, tank gauging, fire detection, and communication systems.

LR's North Star case shows that mission-critical systems such as dynamic positioning software and complex control systems connected to propulsion units are part of the review scope. This illustrates E27's role: suppliers must deliver systems with reviewable, testable, and maintainable cyber security capability. (LR)

2. What suppliers must provide

| Supplier evidence | Why it matters |
| --- | --- |
| System description and topology | Shows interfaces, data flows, and dependencies. |
| Security functions | Confirms account control, logging, access control, malware protection, and hardening. |
| Patch and update support | Supports lifecycle maintenance after delivery. |
| Backup and recovery procedure | Allows the ship to restore essential functions after an event. |
| Test reports | Provides objective evidence for FAT, integration, and class review. |

3. Relationship with FAT and plan approval

E27 directly affects shipyards and suppliers:

  • The specification stage should require E27 documentation.
  • FAT procedures should include cyber security capability tests.
  • System integrators should confirm that supplier equipment remains compliant after integration into the ship network.
  • Delivery documentation should support patching, backup, restoration, and incident response during operation.

G. LR July 2025 Rules: Implementation Through Plan Approval and Survey

According to LR's official rules page, the July 2025 Rules and Regulations for the Classification of Ships have been published and can be accessed through Regs4ships. (lr.org)

In practical terms, LR's role is to convert IMO and IACS requirements into items that can be checked through class processes:

| Stage | Practical check |
| --- | --- |
| Plan approval | Review plans, network architecture, security zones, supplier evidence, and test procedures. |
| Construction and testing | Confirm implementation through FAT, integration tests, harbour tests, and sea trials where applicable. |
| Delivery | Confirm that records, procedures, and evidence can be handed over and maintained. |
| Annual survey | Check whether cyber resilience arrangements remain valid during operation. |
| Special survey | Review accumulated changes and confirm that the onboard reality still matches the documented arrangement. |

The annual survey is not a complete redesign review. Its focus is whether plans, diagrams, accounts, remote access, backups, drills, and change records remain current and consistent with the ship.


H. Responsibilities by Role

The difficult part is that responsibility spans the owner, shipyard, system integrator, and suppliers. If contractual interfaces are not clear, the result may be that individual equipment appears compliant but the whole ship is not.

| Role | Most important responsibility |
| --- | --- |
| Owner / company | Include requirements in specifications and maintain SMS, training, drills, updates, backups, and change records after delivery. |
| Shipyard | Integrate the ship network, collect supplier evidence, organize FAT / harbour / sea trial testing, and deliver maintainable records. |
| System integrator | Design zones and conduits, confirm cross-system interfaces, and avoid uncontrolled remote maintenance paths. |
| Equipment supplier | Provide E27 evidence, security functions, test reports, patch support, hardening guidance, and recovery procedures. |
| Surveyor | Verify whether documents, site configuration, testing, and continuing compliance evidence are consistent. |
| Crew | Follow USB, account, remote connection, reporting, drill, and response procedures. |

The most important responsibility transfer occurs at delivery. Before delivery, the shipyard and suppliers complete design, testing, records, and integration. After delivery, the owner and manager must maintain updates, records, training, and drills.


I. How to Apply This in the Field

If you only have a short time to assess a ship's cyber resilience readiness, ask these six questions:

| Field question | What it tells you |
| --- | --- |
| 1. Please provide the cyber security and resilience plan. | If the ship cannot locate it, the system may not be implemented in practice. |
| 2. Please provide the latest asset inventory and network diagram. | If the drawing is still the delivery version but Starlink, 4G/5G routers, or remote monitoring have been added, the records may be invalid. |
| 3. Are OT, IT, crew Wi-Fi, and supplier remote access really segregated? | Do not only look at drawings; check switches, VLANs, gateways, firewalls, and cabling. |
| 4. How is supplier remote access authorized, logged, and terminated? | Remote maintenance is acceptable only when it is controlled, time-limited, traceable, and interruptible by the ship. |
| 5. What software, firmware, or network settings changed in the past year? | Changes without approval, testing, rollback, and documentation are change-management risks. |
| 6. When was the latest restoration test or cyber incident drill? | Having backups does not prove recovery; having procedures does not prove crew readiness. |

These six questions quickly show whether documents are onboard, the actual configuration matches records, remote access is controlled, changes are managed, and recovery drills are real.
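The E26 first checks in section E and field questions 2, 3, and 5 above all reduce to one comparison: does the delivered evidence (asset inventory, approved conduits, change records) still match what is found onboard? The following Python sketch is an added example, not part of this note or of any class rule; every asset name, zone, version, and record in it is constructed.

```python
"""Added example: drift check between delivered E26 evidence and an observed snapshot (constructed data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str       # security zone from the network architecture drawing
    firmware: str   # software/firmware version

# Hypothetical delivery-time records for a constructed ship (not real data).
DELIVERED_INVENTORY = {
    "ecdis-1": Asset("ecdis-1", "nav-ot", "4.2.0"),
    "ias-server": Asset("ias-server", "machinery-ot", "7.1"),
    "crew-ap-1": Asset("crew-ap-1", "crew-it", "2.0"),
    "fw-core": Asset("fw-core", "dmz", "9.0.1"),
}
# Zone pairs allowed to exchange traffic (the approved conduits on the drawing).
APPROVED_CONDUITS = {frozenset(p) for p in [("nav-ot", "dmz"), ("machinery-ot", "dmz"), ("crew-it", "dmz")]}
# Change records: asset -> versions approved and tested after delivery.
CHANGE_RECORDS = {"fw-core": {"9.0.2"}}

def check_drift(observed_assets, observed_links):
    """Return sorted findings; an empty list means the records still match the ship."""
    findings = []
    seen = {a.name: a for a in observed_assets}
    for name, found in seen.items():
        doc = DELIVERED_INVENTORY.get(name)
        if doc is None:  # e.g. a 4G/5G router added after delivery (field question 2)
            findings.append(f"UNDOCUMENTED_ASSET {name} in zone {found.zone}")
            continue
        if found.zone != doc.zone:
            findings.append(f"ZONE_MISMATCH {name} documented {doc.zone}, found {found.zone}")
        if found.firmware != doc.firmware and found.firmware not in CHANGE_RECORDS.get(name, set()):
            findings.append(f"UNRECORDED_CHANGE {name} {doc.firmware}->{found.firmware}")  # field question 5
    for name in DELIVERED_INVENTORY.keys() - seen.keys():
        findings.append(f"MISSING_ASSET {name} not found onboard")
    for a, b in observed_links:  # cross-zone traffic must use an approved conduit (field question 3)
        za = seen[a].zone if a in seen else "unknown"
        zb = seen[b].zone if b in seen else "unknown"
        if za != zb and frozenset((za, zb)) not in APPROVED_CONDUITS:
            findings.append(f"UNAPPROVED_CONDUIT {a}({za}) <-> {b}({zb})")
    return sorted(findings)

def survey_snapshot():
    """Run the check over a constructed snapshot taken at an annual survey."""
    observed = [
        Asset("ecdis-1", "nav-ot", "4.2.0"),
        Asset("ias-server", "machinery-ot", "7.3"),   # updated, but no change record
        Asset("crew-ap-1", "crew-it", "2.0"),
        Asset("fw-core", "dmz", "9.0.2"),             # updated, covered by a change record
        Asset("lte-router", "machinery-ot", "1.0"),   # not in the delivered inventory
    ]
    links = {("ecdis-1", "fw-core"), ("crew-ap-1", "ias-server"), ("lte-router", "ias-server")}
    return check_drift(observed, links)

if __name__ == "__main__":
    for line in survey_snapshot():
        print(line)
```

Each finding maps back to a survey question: undocumented or missing assets and unrecorded versions invalidate the inventory and change records, while unapproved conduits show that segregation on the drawing is not the segregation on the switches.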


J. Common Misunderstandings

| Misunderstanding | Better interpretation |
| --- | --- |
| E26/E27 are only document requirements. | They require ships and equipment to demonstrate cyber resilience capability. |
| Antivirus and a firewall are enough. | Protection is only one part; identification, detection, response, and recovery are also required. |
| Existing ships do not need to care. | The mandatory technical focus is new ships, but existing ships may still face expectations through class notation, retrofit, flag State, charterer, or management requirements. |
| If each supplier item is compliant, the whole ship is compliant. | E26 looks at ship-level integration. Supplier E27 compliance does not automatically make the ship compliant. |
| Cyber resilience ends after delivery documents are received. | Updates, accounts, remote access, backups, drills, and change records after delivery are the core of continuing compliance. |

K. Final Summary

IMO MSC.428(98) answers who must manage cyber risk. IACS UR E26 answers how the whole ship should demonstrate cyber resilience. IACS UR E27 answers what security capabilities and evidence onboard systems and equipment should provide. LR Rules implement these requirements through plan approval, testing, annual survey, special survey, and field verification.

Cyber resilience is now part of ship safety, class maintenance, newbuilding delivery, and operational management. It is not a single IT measure, but a management and technical framework spanning design, equipment, integration, testing, delivery, and lifecycle maintenance.
