NIS2 and IACS UR E26/E27 for the maritime sector
Maritime operators (shipping companies, ports and shipyards) face both NIS2 and IMO MSC-FAL.1/Circ.3. IACS Unified Requirements E26 and E27 provide a structured framework for ship OT cybersecurity.
UR E26 and UR E27 explained
The International Association of Classification Societies (IACS) published Unified Requirements E26 and E27 to address maritime OT cybersecurity. They apply to all IACS-member-classed vessels.
- Network segmentation and zoning on board
- Software update policy for ship controls
- Access control on critical ship systems
- Incident response plan for maritime OT
- Secure remote access by OEM and shipyard
- Security product requirements for ship component suppliers
- Authentication and access control at component level
- Logging and audit capability of ship equipment
- Patchability over the lifecycle of the component
- Software Bill of Materials (SBOM) on delivery
What NIS2 requires from maritime operators
Maritime operators (ports, shipping companies, shipyards as essential service providers) must conduct a risk assessment covering OT systems on board and in the port.
Shipyards and shipping companies are responsible for the cybersecurity of the components they install. Supplier compliance with IACS UR E27 serves as demonstrable evidence here.
Cyber incidents on board must be reported within 24 hours. Maritime operators need an incident response plan that works with limited connectivity at sea.
Which maritime organisations are covered?
Ports and port authorities
Port IT and OT (cranes, locks, terminal operating systems) fall under NIS2 transport Annex I. Dutch ports (Rotterdam, Amsterdam) are essential entities.
Shipping companies and ferry operators
Inland waterway transport falls under Annex I. Shipping companies with ≥50 employees or >€10M turnover are covered. On-board OT is in scope.
Shipyards
Yards typically fall under manufacturing (Annex II) or under transport as suppliers of services to covered entities. IACS UR E27 compliance is part of the supply chain obligation.
Offshore installations
Energy production vessels (FPSO, FSO) fall under energy Annex I. OT on the production deck (DCS, SCADA, ESD) is in scope of NIS2 article 21.
Combining NIS2 and IACS UR compliance
Combined gap analysis
Assessment against NIS2 article 21, IACS UR E26 (ship systems) and IACS UR E27 (components) in one analysis. Overlap is identified and duplicate effort is avoided.
On-board network segmentation
Separation of navigation OT (ECDIS, DP, IAS) from the IT network (VSAT, crew wifi) via a hardware firewall. In line with IMO MSC-FAL.1/Circ.3 and IACS UR E26.
Evidence package for flag state and NIS2
Gap report, risk register, network diagrams and security policy, usable as evidence for both classification societies and NIS2 regulators.
Trusted partners in maritime automation
Eekels Technology (TBI)
Marine engineering automation and electrical installations for maritime and offshore applications. Partner for maritime OT projects.
Rondal (Royal Huisman)
Specialist in masts, bowsprits and deck equipment for superyachts. Collaboration on integrated deck automation and NIS2 demonstrability.
OT security and PLC modernisation go hand in hand for maritime installations.
IEC 62443 is the international standard for OT cybersecurity. GCG uses it as the technical framework for NIS2 compliance.
Start your maritime NIS2 assessment
We combine the NIS2 and IACS UR frameworks in a single gap analysis: one process, one evidence package.