NIS2 and IACS UR E26/E27 for the maritime sector

Maritime operators (shipping companies, ports and shipyards) face both NIS2 and IMO MSC-FAL.1/Circ.3. IACS Unified Requirements E26 and E27 provide a structured framework for ship OT cybersecurity.

IACS Unified Requirements

UR E26 and UR E27 explained

The International Association of Classification Societies (IACS) published Unified Requirements E26 and E27 to address maritime OT cybersecurity. They apply to all IACS-member-classed vessels.

IACS UR E26

Mandatory for newbuilds with keel laying after 1 January 2024

Scope: Ship systems (IAS, ECDIS, DP, bridge systems, propulsion)

  • Network segmentation and zoning on board
  • Software update policy for ship controls
  • Access control on critical ship systems
  • Incident response plan for maritime OT
  • Secure remote access by OEM and shipyard

IACS UR E27

Mandatory for components in newbuilds with keel laying after 1 January 2024

Scope: Ship equipment (sensors, actuators, ship system components)

  • Security product requirements for ship component suppliers
  • Authentication and access control at component level
  • Logging and audit capability of ship equipment
  • Patchability over the lifecycle of the component
  • Software Bill of Materials (SBOM) on delivery

NIS2 obligations

What NIS2 requires from maritime operators

Art. 21(2)(a): Risk analysis

Maritime operators (ports, shipping companies, shipyards as essential service providers) must conduct a risk assessment covering OT systems on board and in the port.

Art. 21(2)(d): Supply chain

Shipyards and shipping companies are responsible for the cybersecurity of the components they install. Supplier compliance with IACS UR E27 is one way to demonstrate this.

Art. 21(2)(b): Incident response

Cyber incidents on board must be reported within 24 hours. Maritime operators need an incident response plan that works with limited connectivity at sea.

Scope

Which maritime organisations are covered?

Ports and port authorities

Port IT and OT (cranes, locks, terminal operating systems) fall under NIS2 transport Annex I. Dutch ports (Rotterdam, Amsterdam) are essential entities.

Shipping companies and ferry operators

Inland waterway transport falls under Annex I. Shipping companies with ≥50 employees or >€10M turnover are covered. On-board OT is in scope.

Shipyards

Yards typically fall under manufacturing (Annex II) or under transport as suppliers of services to covered entities. IACS UR E27 compliance is part of the supply chain obligation.

Offshore installations

Energy production vessels (FPSO, FSO) fall under energy Annex I. OT on the production deck (DCS, SCADA, ESD) is in scope of NIS2 article 21.

Our approach

Combining NIS2 and IACS UR compliance

01 Combined gap analysis

A single assessment against NIS2 Article 21, IACS UR E26 (ship systems) and IACS UR E27 (components). Overlap is identified and duplicate effort is avoided.

02 On-board network segmentation

Separation of navigation OT (ECDIS, DP, IAS) from the IT network (VSAT, crew Wi-Fi) via a hardware firewall. In line with IMO MSC-FAL.1/Circ.3 and IACS UR E26.

03 Evidence package for flag state and NIS2

Gap report, risk register, network diagrams and security policy, usable as evidence for both classification societies and NIS2 regulators.

Partners

Trusted partners in maritime automation

Eekels Technology (TBI)

Marine engineering automation and electrical installations for maritime and offshore applications. Partner for maritime OT projects.

Rondal (Royal Huisman)

Specialist in masts, bowsprits and deck equipment for superyachts. Collaboration on integrated deck automation and NIS2 demonstrability.

Also relevant
Maritime machine refit

OT security and PLC modernisation go hand in hand for maritime installations.

Also relevant
IEC 62443 for OT security

IEC 62443 is the international standard for OT cybersecurity. GCG uses it as the technical framework for NIS2 compliance.

Start your maritime NIS2 assessment

We combine the NIS2 and IACS UR frameworks in a single gap analysis: one process, one evidence package.