Basics of maritime cybersecurity and an analysis of the IACS UR E26 and E27 standards, including how they fit into the EU legal framework.
The legal situation for maritime cybersecurity in the EU is built on a combination of international regulations and EU-specific directives. For ships operating in international waters, the requirements of the International Maritime Organization (IMO) apply first and foremost; the IMO sets requirements for different ship types and their equipment.
Within the EU, the Marine Equipment Directive (MED) 2014/90/EU plays a central role. It harmonises testing standards and certification procedures for marine equipment in the EU and integrates IMO standards into the EU legal framework. The implementation and oversight of these rules are the responsibility of the flag states, while specialised notified bodies are tasked with conformity assessments.
The MED is regularly updated to take new technologies and safety standards, including cybersecurity aspects, into account. In addition, other EU directives, such as the Network and Information Security Directive (NIS 2), also play a role in maritime cybersecurity.
This legal framework creates the basis for implementing cybersecurity standards such as IACS UR E26 and E27 within the EU. It ensures that ships flying an EU flag and marine equipment used in the EU comply with both international and EU-specific requirements, contributing to a more resilient and secure maritime infrastructure.
Requirements and objectives of the new rules
The new IACS requirements in the form of the Unified Requirements E26 and E27 mark a turning point in maritime cybersecurity. These requirements are not merely technical guidelines; they adopt a holistic approach that covers design, operation and maintenance.
By integrating proven industry standards and taking maritime-specific challenges into account, these requirements set new benchmarks for cybersecurity at sea. The following sections examine the essential requirements and objectives of these landmark regulations in detail.
IACS UR E26 – Cyber Resilience of Ships
IACS UR E26 sets requirements for the cyber resilience of ships. It applies to passenger ships, cargo ships of 500 gross tonnage (GT) and above, high-speed craft of 500 GT and above, and mobile offshore drilling units, in each case when engaged on international voyages.
The core elements of E26 are:
- Identifying: developing a comprehensive understanding of cybersecurity risks on board
- Protecting: implementing proactive protective measures against potential cyber incidents
- Detecting: establishing advanced systems for the early detection of cyber incidents
- Responding: developing detailed and effective response plans for various cyber incident scenarios
- Recovering: preparing comprehensive plans for rapid recovery after cyber incidents
E26 not only defines these areas but also specifies how compliance with the requirements must be demonstrated. This includes regular audits, documentation and crew training.
IACS UR E27 – Cyber resilience of on-board systems and equipment
IACS UR E27 complements E26 and specifies requirements for the cyber resilience of systems and equipment on board. It applies to the same ship types as E26. UR E27 focuses on the security of individual on-board systems and devices. The central requirements include:
- Identification and authentication of users
- Access control and privilege management
- Protection against tampering and malware
- Secure communication
- Logging of security-relevant events
- Backup and recovery functions
Requirements are also set for the secure development process (secure development lifecycle) of the systems. In addition, UR E27 specifies which documentation manufacturers must provide and how compliance with the requirements is to be demonstrated.
Relationship between IACS UR E26 and E27
IACS UR E26 and UR E27 complement one another:
- E26 defines overarching requirements for the cyber resilience of the entire ship and is primarily aimed at shipowners and operators.
- E27 specifies concrete technical requirements for individual systems and devices and is mainly targeted at manufacturers of ship systems.
Together they create a holistic framework that covers both organisational and technical aspects of maritime cybersecurity.
Clarifying applicability of IACS UR E27
For manufacturers of marine equipment it is often not immediately clear which requirements from E26 and E27 are actually relevant and what evidence is needed for shipyards, operators or classification societies. In a short assessment discussion we check whether and how your systems are affected and which next steps make sense.
Relationship with IEC 62443 and the NIST CSF
IACS UR E26 “Cyber Resilience of Ships” focuses on the operation of ships and is based on the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST). This framework has proven effective across various industries as an approach to improving cybersecurity.
NIST CSF and IACS UR E26
E26 adopts the five core functions of the NIST framework – identify, protect, detect, respond and recover – and adapts them to the maritime context. This risk-based approach enables shipowners and operators to design their cybersecurity measures in a flexible and scalable way.
A central aspect of the NIST framework that E26 takes on is the emphasis on continuous improvement. In the ever-evolving landscape of cyber threats, it is crucial that security measures in ship operations are regularly reviewed and adjusted.
IEC 62443 and IACS UR E27
While E26 focuses on the overarching organisational aspects of cybersecurity in ship operations, IACS UR E27 specifically addresses the technical aspects of on-board systems and equipment. E27 is strongly aligned with the international standard series IEC 62443 for IT security in industrial automation. IEC 62443 is considered the gold standard for cybersecurity in industrial control systems and provides a comprehensive framework for securing connected systems.
Concretely, E27 adopts detailed technical requirements for the security capabilities of on-board systems and devices from IEC 62443-3-3. This includes aspects such as access controls, secure communication and event logging for specific on-board components. In addition, E27 integrates concepts from IEC 62443-4-1 on the secure development lifecycle. This ensures that cybersecurity is considered not only in operation but already during the development and manufacture of maritime systems and equipment.
Zones and conduits in the IACS URs
A key concept that both E26 and E27 adopt from IEC 62443 is that of “zones and conduits.” A zone groups systems with similar security requirements (for example navigation, engine automation or crew networks), and a conduit is a defined, controlled communication path between two zones; traffic that does not pass through a defined conduit is not permitted. This network segmentation concept is particularly relevant to the complex and interconnected systems of modern ships. It enables granular control of data flows between different on-board systems, thereby increasing overall security both at the operational level and within individual on-board systems.
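The following is an added example, not code from the article or from IACS, IEC or any classification society, that models the zones-and-conduits idea as a deny-by-default policy check. The zone names, host names, conduits and protocols are all constructed for illustration: a flow between two hosts is allowed only if both hosts sit in the same zone or a conduit between their zones explicitly permits that protocol in that direction. Running the sample flows shows which constructed traffic patterns a segmentation policy of this kind would block and why.

```python
"""Deny-by-default zone/conduit policy evaluation (constructed example)."""
from dataclasses import dataclass

# Constructed zones: hypothetical on-board networks grouped by security need.
ZONES = {
    "nav": {"ecdis", "radar", "gps"},
    "automation": {"plc-engine", "alarm-monitor"},
    "admin": {"crew-laptop", "wifi-ap"},
    "shore-link": {"vsat-router"},
}


@dataclass(frozen=True)
class Conduit:
    """A permitted, directional path between two zones (initiator -> responder)."""
    src: str
    dst: str
    protocols: frozenset


# Constructed conduits; anything not listed here is denied by default.
CONDUITS = [
    Conduit("nav", "automation", frozenset({"nmea"})),
    Conduit("automation", "shore-link", frozenset({"https"})),
    Conduit("admin", "shore-link", frozenset({"https", "dns"})),
]


def zone_of(host):
    """Return the zone a host belongs to, or None if it is unassigned."""
    for name, members in ZONES.items():
        if host in members:
            return name
    return None


def evaluate_flow(src_host, dst_host, protocol):
    """Decide whether a flow is permitted; returns (allowed, reason)."""
    src_zone, dst_zone = zone_of(src_host), zone_of(dst_host)
    if src_zone is None or dst_zone is None:
        return False, "unknown host (not assigned to any zone)"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic within '{src_zone}'"
    for c in CONDUITS:
        if c.src == src_zone and c.dst == dst_zone:
            if protocol in c.protocols:
                return True, f"permitted by conduit {src_zone}->{dst_zone}"
            return False, (f"protocol '{protocol}' not allowed on conduit "
                           f"{src_zone}->{dst_zone}")
    return False, f"no conduit defined from '{src_zone}' to '{dst_zone}'"


def audit(flows):
    """Evaluate a list of (src, dst, protocol) flows; returns (flow, allowed, reason)."""
    return [(f, *evaluate_flow(*f)) for f in flows]


# Constructed flow records, e.g. as seen by a monitoring tap.
SAMPLE_FLOWS = [
    ("ecdis", "radar", "nmea"),               # same zone: allowed
    ("ecdis", "plc-engine", "nmea"),          # nav -> automation conduit: allowed
    ("crew-laptop", "plc-engine", "modbus"),  # admin -> automation: no conduit
    ("plc-engine", "vsat-router", "ssh"),     # conduit exists, protocol not allowed
    ("unknown-box", "ecdis", "nmea"),         # host not assigned to any zone
]

if __name__ == "__main__":
    for flow, ok, why in audit(SAMPLE_FLOWS):
        print("ALLOW" if ok else "DENY ", flow, "-", why)
```

The check is intentionally directional: a conduit from automation to the shore link does not imply that the shore link may initiate connections into the automation zone, which is the usual posture for remote-access paths on board.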
The combination of the operational approaches from the NIST framework (E26) with the technical specifications from IEC 62443 (in both E26 and E27) creates a comprehensive framework for maritime cybersecurity. This integrated approach addresses both the management level of ship operations and the technical implementation in on-board systems, offering the maritime industry a robust guide for tackling current and future cybersecurity challenges.
Conclusion
These new regulations signal a paradigm shift in the shipping industry, underlining the importance of cybersecurity and the need to take proactive measures. They represent a forward-looking approach to protecting maritime infrastructure from increasingly complex and potentially devastating cyber threats. With the implementation of IACS UR E26 and E27, the shipping industry will become not only safer but also more resilient and future-proof.
Overall, IACS UR E26 and E27 are an important step toward a safer maritime future, but they also pose significant challenges for an industry that must adapt to new digital realities. The regulations are a clear signal that cybersecurity can no longer be ignored and that proactive measures are required to protect the integrity and security of global trade.
Translate IACS UR E27 into concrete measures
Manufacturers of marine equipment increasingly need to demonstrate that their products meet cybersecurity requirements. We support you in classifying IACS UR E27, aligning it with IEC 62443 and preparing the necessary technical documentation.