Secure your fleet and crew with expert guidance on new cyber regulations
Cybersecurity at sea: A regulatory imperative
The maritime industry is undergoing a digital transformation — and with it, a surge in cyber threats targeting vessels, ports, and supply chains. In response, international maritime bodies like the International Maritime Organization (IMO) and the International Association of Classification Societies (IACS) have introduced recommendations and mandatory cybersecurity requirements that are reshaping how maritime stakeholders design, build, and operate vessels.
These recommendations and requirements are not just compliance checkboxes — they are catalysts for building long-term cyber resilience across the maritime ecosystem.
IMO resolution MSC.428(98): Cyber risk management in safety systems
Since 2021, IMO has recommended that cyber risks be addressed in safety management systems under the ISM Code. This resolution encourages flag states to enforce that shipowners, operators, and managers integrate cyber risk management into their existing safety frameworks.
IMO MSC-FAL.1/Circ.3/Rev.3: Guidelines On Maritime Cyber Risk Management
In April 2025, IMO released a new, extended version of its guidance document on how to manage cyber risk onboard vessels. This version included extended descriptions of how to govern, identify, protect, detect, respond to and recover from cyber incidents.
What this means for you
Most flag states across the world have promoted the introduction of MSC.428(98) and the associated guideline. They are de facto seen as the minimum baseline requirements for cybersecurity on all vessels today.
Cybersecurity is now a core component of operational safety.
Compliance requires a structured approach to identifying, assessing, and mitigating cyber risks across IT and OT systems.
The IMO’s guidelines (MSC-FAL.1/Circ.3) emphasize a risk-based approach — but leave implementation details to the discretion of each organization.
Our perspective
Compliance with IMO is not a one-time effort. It’s a strategic opportunity to embed cybersecurity into your operational DNA — and to align safety, security, and resilience objectives.
IACS Unified Requirements E26 & E27: Cybersecurity by design
From 1 July 2024, all newbuilds contracted under IACS class must comply with UR E26 (system integration) and UR E27 (essential onboard systems). These requirements are grounded in the IEC 62443 standard and represent a significant shift: cybersecurity must now be engineered into vessels from the design phase and kept up to date throughout the complete lifecycle of a vessel.
What this means for you
Vendors, yards, and owners must collaborate to ensure secure integration of IT and OT systems.
Compliance spans everything from main engine control to navigation, fire detection, and communication systems.
The requirements cover the full lifecycle — from design and commissioning to operation and maintenance.
Our perspective
IACS URs are prescriptive — but they’re also a baseline. True resilience comes from going beyond minimum requirements to build adaptive, threat-informed security architectures.
Drawing on a timely survey of almost 500 maritime professionals and in-depth interviews with cybersecurity experts, Maritime Cyber Priority explores changing attitudes and approaches to cybersecurity. It covers the industry’s key challenges and priorities, and offers recommendations from DNV.
DNV Cyber helps maritime stakeholders navigate the tightening landscape of cybersecurity regulations with clarity and confidence. From integrating cyber risk into safety management systems to ensuring secure design of essential onboard systems, we guide you through compliance while strengthening your operational resilience. Our expertise ensures your vessels and systems are not only regulation-ready, but also better protected against the evolving threats these rules are designed to mitigate.
Why act now: Regulation as a strategic lever
Cybersecurity regulation is tightening — and maritime is no exception. But compliance is not just about avoiding penalties. It’s about protecting your operations, your people, and your reputation.
DNV’s approach:
We help you interpret how IMO and IACS regulations apply to your fleet, operations, and supply chain.
We assess your current capabilities and identify gaps — from incident response to system hardening.
We support you in building or sourcing the capabilities needed to comply and thrive in a regulated environment.
Remember: You can’t buy compliance. You need to build it — with the right strategy, systems, and partners.
How DNV can help
With deep expertise in both maritime operations and cybersecurity, DNV is uniquely positioned to guide you through the complexities of IMO and IACS compliance. Our services include:
Cybersecurity gap assessments tailored to IMO and IACS requirements
OT/IT risk management and system architecture reviews
Compliance readiness programs for newbuilds and existing fleets
Continuous compliance monitoring and reporting frameworks
Regulation is currently the strongest driver of cybersecurity investment in the maritime sector — but it should be viewed as a starting point, not the finish line. The real value lies in using regulatory momentum to build long-term cyber resilience: strengthening your security posture across IT and OT systems, aligning cybersecurity with broader business goals such as operational continuity and decarbonization, and fostering collaboration across the supply chain to raise the collective standard of protection.
Svante Einarsson
Head of Cybersecurity Advisory EMEA, APAC & Maritime