IMO MSC.428(98) & IACS UR E26/E27 — Maritime Cyber Risk Management
Status: In Force — IMO cyber risk management is mandatory under the ISM Code, and IACS E26/E27 set technical standards for all newbuilds.
What Is It?
IMO Resolution MSC.428(98) on Maritime Cyber Risk Management, adopted in June 2017, requires ship owners and managers to incorporate cyber risk management into their existing Safety Management Systems (SMS) under the ISM Code. Since January 1, 2021, administrations and their recognized organizations (classification societies) must verify that cyber risks are appropriately addressed in the company's SMS no later than the first annual verification of the DOC (Document of Compliance) after that date. This effectively makes maritime cyber risk management a mandatory element of ISM Code compliance for all SOLAS vessels.
The International Association of Classification Societies (IACS) has further strengthened maritime cybersecurity requirements through two Unified Requirements: UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of On-Board Systems and Equipment). These requirements, which entered into force on July 1, 2024, apply to all new ship constructions contracted on or after that date and establish minimum cybersecurity standards that must be met during the design, construction, commissioning, and operational lifecycle of vessels.
IACS UR E26 addresses ship-level cyber resilience, requiring shipowners and shipbuilders to identify and protect computer-based systems, detect cyber incidents, respond to and recover from cyber events, and maintain an asset inventory of all networked onboard systems. UR E27 addresses the cyber resilience of individual onboard systems and equipment, requiring system integrators and equipment manufacturers to design and deliver products with built-in cybersecurity features including secure configuration, access control, and the ability to be maintained and updated securely throughout their operational life.
Together, IMO MSC.428(98) and IACS E26/E27 create a comprehensive maritime cybersecurity framework that complements the EU's NIS2 Directive — IMO provides the global baseline through the ISM Code, IACS establishes technical standards for newbuilds, and NIS2 adds EU-specific governance and reporting obligations.
Who It Affects
IMO MSC.428(98) applies to all vessels subject to the ISM Code — essentially all SOLAS-class vessels engaged in international voyages, including cargo ships of 500 GT and above and all passenger ships. The requirement is enforced through the existing ISM Code audit and DOC verification process, meaning flag states and their recognized organizations (classification societies) verify compliance during routine ISM audits.
IACS UR E26 and E27 apply to all new ship constructions contracted on or after July 1, 2024 by IACS member classification societies (which collectively class over 90% of the world's cargo-carrying tonnage). This includes Lloyd's Register, Bureau Veritas, DNV, ClassNK, ABS, and other major societies. While UR E26/E27 technically apply only to newbuilds, the underlying principles are increasingly being applied retroactively through class recommendations and enhanced survey requirements. Shipyards, system integrators, and equipment manufacturers are also directly affected by UR E27 supply chain requirements.
Key Dates
- June 2017: IMO MSC.428(98) adopted — maritime cyber risk management resolution
- January 1, 2021: IMO cyber risk management verification mandatory at first annual DOC verification for all SOLAS vessels
- IACS adopts UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of On-Board Systems and Equipment)
- July 1, 2024: IACS UR E26 and UR E27 enter into force — apply to new ship constructions contracted on or after this date
- NIS2 obligations take effect in the EU — creating complementary cybersecurity requirements for maritime entities
Requirements
- Incorporate cyber risk management into the company Safety Management System (SMS) under the ISM Code as required by IMO MSC.428(98)
- Identify and document all onboard computer-based systems, operational technology (OT), and networked equipment in a comprehensive asset inventory
- Implement technical and procedural measures to protect critical shipboard systems from cyber threats, including network segmentation and access controls
- Establish cyber incident detection capabilities and response procedures integrated into the vessel's emergency preparedness plans
- For newbuilds contracted on or after July 1, 2024: comply with IACS UR E26 ship-level cyber resilience requirements throughout design, construction, and commissioning
- For newbuild systems and equipment: ensure compliance with IACS UR E27 requirements for secure-by-design onboard systems with built-in cybersecurity features
- Conduct regular cyber risk assessments of both IT and OT systems onboard and ashore, documenting findings and corrective actions
- Provide cybersecurity awareness training to all shipboard and shore-based personnel with access to company and vessel systems
- Maintain the ability to securely update and patch onboard systems throughout the vessel's operational lifecycle as required by UR E27
Penalties & Non-Compliance
Non-compliance with IMO MSC.428(98) is enforced through the ISM Code framework. If a flag state administration or recognized organization determines that cyber risks are not adequately addressed in the company SMS during DOC verification, the DOC may be suspended or withdrawn — effectively preventing the company from operating vessels internationally. Individual vessels may also have their Safety Management Certificates (SMC) suspended or withdrawn, rendering them unable to trade. Port state control inspections can identify ISM deficiencies related to inadequate cyber risk management, potentially resulting in vessel detention.
For IACS UR E26/E27, non-compliance during the newbuild process means the classification society will not issue the required class notations, preventing the vessel from entering service. For vessels in operation, failure to maintain cybersecurity measures may result in class conditions, recommendations, or ultimately suspension of class — any of which can trigger insurance coverage issues and charterer rejection.