Cybersecurity at sea: A regulatory imperative

The maritime industry is undergoing a digital transformation — and with it, a surge in cyber threats targeting vessels, ports, and supply chains. In response, international maritime bodies like the International Maritime Organization (IMO) and the International Association of Classification Societies (IACS) have introduced recommendations and mandatory cybersecurity requirements that are reshaping how maritime stakeholders design, build, and operate vessels.

These recommendations and requirements are not just compliance checkboxes — they are catalysts for building long-term cyber resilience across the maritime ecosystem.

IMO resolution MSC.428(98): Cyber risk management in safety systems

Since 2021, IMO has recommended that cyber risks be addressed in safety management systems under the ISM Code. This resolution encourages flag states to enforce that shipowners, operators, and managers integrate cyber risk management into their existing safety frameworks.

IMO MSC-FAL.1/Circ.3/Rev.3: Guidelines On Maritime Cyber Risk Management

In April 2025, IMO released a new, extended version of its guidance document on how to manage cyber risk onboard vessels. This version included extended descriptions of how to govern, identify, protect, detect, respond to and recover from cyber incidents.

What this means for you

  • Most flag states across the world have promoted the introduction of MSC.428(98) and the associated guideline. They are de facto seen as the minimal baseline requirements for cybersecurity on all vessels today.
  • Cybersecurity is now a core component of operational safety.
  • Compliance requires a structured approach to identifying, assessing, and mitigating cyber risks across IT and OT systems.
  • The IMO’s guidelines (MSC-FAL.1/Circ.3) emphasize a risk-based approach — but leave implementation details to the discretion of each organization.

Our perspective

Compliance with IMO is not a one-time effort. It’s a strategic opportunity to embed cybersecurity into your operational DNA — and to align safety, security, and resilience objectives.

IACS Unified Requirements E26 & E27: Cybersecurity by design

From 1 July 2024, all newbuilds contracted under IACS class must comply with UR E26 (system integration) and UR E27 (essential onboard systems). These requirements are grounded in the IEC 62443 standard and represent a significant shift: cybersecurity must now be engineered into vessels from the design phase and kept up to date throughout the complete lifecycle of a vessel.

What this means for you

  • Vendors, yards, and owners must collaborate to ensure secure integration of IT and OT systems.
  • Compliance spans everything from main engine control to navigation, fire detection, and communication systems.
  • The requirements cover the full lifecycle — from design and commissioning to operation and maintenance.

Our perspective

IACS URs are prescriptive — but they’re also a baseline. True resilience comes from going beyond minimum requirements to build adaptive, threat-informed security architectures. 

Maritime Cyber Priority 2024/25: Managing cyber risk to enable innovation

Drawing on a timely survey of almost 500 maritime professionals and in-depth interviews with cybersecurity experts, Maritime Cyber Priority explores changing attitudes and approaches to cybersecurity. It covers the industry’s key challenges and priorities, and offers recommendations from DNV.

DNV Cyber helps maritime stakeholders navigate the tightening landscape of cybersecurity regulations with clarity and confidence. From integrating cyber risk into safety management systems to ensuring secure design of essential onboard systems, we guide you through compliance while strengthening your operational resilience. Our expertise ensures your vessels and systems are not only regulation-ready, but also better protected against the evolving threats these rules are designed to mitigate.

Why act now: Regulation as a strategic lever

Cybersecurity regulation is tightening — and maritime is no exception. But compliance is not just about avoiding penalties. It’s about protecting your operations, your people, and your reputation.

DNV’s approach:

  • We help you interpret how IMO and IACS regulations apply to your fleet, operations, and supply chain.
  • We assess your current capabilities and identify gaps — from incident response to system hardening.
  • We support you in building or sourcing the capabilities needed to comply and thrive in a regulated environment.

Remember: You can’t buy compliance. You need to build it — with the right strategy, systems, and partners.

How DNV can help

With deep expertise in both maritime operations and cybersecurity, DNV is uniquely positioned to guide you through the complexities of IMO and IACS compliance. Our services include:

  • Cybersecurity gap assessments tailored to IMO and IACS requirements
  • OT/IT risk management and system architecture reviews
  • Compliance readiness programs for newbuilds and existing fleets
  • Continuous compliance monitoring and reporting frameworks

Regulation is currently the strongest driver of cybersecurity investment in the maritime sector — but it should be viewed as a starting point, not the finish line. The real value lies in using regulatory momentum to build long-term cyber resilience: strengthening your security posture across IT and OT systems, aligning cybersecurity with broader business goals such as operational continuity and decarbonization, and fostering collaboration across the supply chain to raise the collective standard of protection.

  • Svante Einarsson
  • Head of Cybersecurity Advisory EMEA, APAC & Maritime