IACS UR E26 and E27: What Shipbuilders and Owners Need to Know

2026-05-06 · Nicki Rough

On 1 July 2024, IACS Unified Requirements E26 and E27 came into force for ships contracted on or after that date. These are the most substantive cybersecurity requirements ever applied to commercial shipping at the class level — and they have direct implications for how OT equipment is designed, installed, and maintained throughout a vessel's life.

This post explains what E26 and E27 require, what the differences are, and what ship owners and fleet operators need to do in practice.

What Are IACS Unified Requirements?

IACS (International Association of Classification Societies) Unified Requirements are technical standards that member classification societies — including Lloyd's Register, DNV, Bureau Veritas, ABS, and others — must apply when classing vessels. When a UR comes into force, it becomes a condition of class. A vessel that doesn't comply won't get its class certificate.

E26 and E27 are the two cybersecurity-focused URs. They were developed by IACS's cybersecurity expert group and published in mid-2022, with a two-year implementation grace period before the July 2024 effective date.

UR E26: Cyber Resilience of Ships

E26 is the ship-level requirement. It applies to the overall OT network and the ship owner's management processes. Key requirements include:

Asset inventory — The ship owner must maintain a documented list of all computer-based systems and networks that are essential for the safe and secure operation of the ship. This includes PMS, ECDIS, propulsion controls, fire detection, cargo management, and any other safety-critical OT system. The inventory must include manufacturer, model, firmware version, and network connectivity.

Vulnerability management — The ship owner must have a process for identifying and responding to known vulnerabilities in the listed systems. This explicitly includes monitoring vendor security advisories and CISA ICS advisories. It's not enough to wait for the vendor's next scheduled update — you must have an active monitoring process.

Network segmentation — OT networks must be segregated from IT networks and from crew internet access. The requirement doesn't mandate specific technology, but does require documented network architecture and evidence of separation.

Incident response — Procedures for detecting, responding to, and recovering from cyber incidents must be documented and tested.

Supply chain security — New equipment installed post-commissioning must be assessed for cyber risk before installation.

For ship owners with vessels under E26, the most operationally significant requirement is vulnerability management. It requires a continuous process, not a point-in-time assessment.

UR E27: Cyber Resilience of Onboard Systems and Equipment

E27 operates at the equipment level — it applies to OT equipment manufacturers rather than ship owners. Key requirements:

Security by design — Equipment must be designed with cybersecurity controls: authentication, access control, encrypted communications, audit logging, and the ability to receive security updates.

Vulnerability disclosure — Manufacturers must have a published vulnerability disclosure policy. When a security vulnerability is discovered in their equipment, they must disclose it to customers and provide remediation guidance within a defined timeframe.

Security update process — Equipment must support the ability to receive and install security updates. This includes defining the update mechanism, signing updates, and providing documentation of the update process.

End-of-life declarations — Manufacturers must publish end-of-support dates for each product, after which security updates will no longer be provided.

For ship owners, E27 matters because it defines what you can expect from your equipment suppliers. Compliant equipment comes with documented update processes, vulnerability disclosure channels, and end-of-life timelines. If you're procuring equipment for a post-July 2024 newbuild, you should be asking vendors for their E27 compliance documentation.

What This Means for Newbuild Projects

If you're involved in a newbuild contracted after 1 July 2024:

At the shipyard, the cybersecurity architecture must be part of the design specification from the start, not a retrofit. Network diagrams showing OT/IT segregation, a list of all computer-based systems, and evidence that installed equipment meets E27 requirements must be part of the class documentation package.

For equipment suppliers, E27 compliance is increasingly being written into procurement contracts. If a supplier can't demonstrate that their equipment has a vulnerability disclosure policy and update mechanism, they risk being excluded from bids.

For ship owners taking delivery, the handover documentation should include the initial asset inventory, class-approved cybersecurity architecture documentation, and evidence that all installed equipment meets E27 requirements. This becomes the baseline for ongoing vulnerability management.

The Vulnerability Monitoring Requirement in Practice

Both E26 and E27 create expectations around vulnerability monitoring that go beyond what most ship owners currently have in place:

E26 requires an active process for monitoring vendor advisories. This means you need a way to receive alerts when vendors like ABB, Siemens, Yokogawa, or Schneider Electric publish security advisories — not just check their websites annually. It's worth noting that some maritime OT vendors (including Kongsberg Maritime and Wärtsilä) rarely publish through public advisory channels like CISA; their vulnerabilities more commonly surface through NVD or private customer notifications. Your monitoring process needs to cover both.

E27 requires manufacturers to notify customers when vulnerabilities are discovered. In practice, vendors notify via their security advisory portals, via CISA's ICS advisory feed, and through the NVD. You need to be subscribed to receive these notifications.

The practical implementation is straightforward: use an ICS vulnerability monitoring service that watches CISA's advisory feed, vendor-native feeds, and NVD, then sends filtered email alerts for your specific vendors. OTWarden does this — you add your vendors to a watchlist, and receive an email when a relevant advisory is published from any of those sources. The alert includes the CVSS score, affected version ranges, CVE IDs, and remediation steps.

This gives you the active monitoring process that E26 requires, and a timestamped evidence trail of notifications received — useful for class audits.

Existing Fleet vs. Newbuilds

E26 and E27 apply to ships contracted on or after 1 July 2024. They do not retroactively apply to existing vessels. However:

  • IMO MSC-FAL.1/Circ.3 still applies to all vessels (since January 2021)
  • Many class societies are now recommending E26-aligned practices as best practice for existing vessels
  • Port State Control is increasingly auditing cybersecurity as part of ISPS Code assessments

If your existing fleet isn't currently subject to E26, that will likely change as class societies incorporate these requirements into renewal surveys over the coming years.

Preparing Your Fleet

Whether you're taking delivery of an E26/E27 compliant newbuild or bringing your existing fleet up to an equivalent standard:

1. Build your asset inventory — Every vessel needs a documented list of OT systems with manufacturer, model, and firmware version

2. Establish vendor monitoring — Subscribe to ICS vulnerability alerts for every vendor in your inventory

3. Document your assessment process — When alerts arrive, record your relevance assessment and any response actions

4. Review equipment lifecycle plans — Check E27 end-of-life dates for critical equipment and plan replacements
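Steps 1 to 4 above can be sketched as a matching job that checks each incoming advisory against the asset inventory and writes a timestamped assessment record. This is an added example, not OTWarden's code or anything prescribed by E26/E27. The vendor names, models, advisory IDs, CVE placeholders, field names and dotted numeric firmware versions are all constructed assumptions.

```python
from datetime import date, datetime, timezone

# Constructed sample data: vendors, models and advisory/CVE identifiers are placeholders.
INVENTORY = [
    {"vessel": "MV Example", "manufacturer": "ExampleMarine", "model": "PMS-100",
     "firmware": "2.4.1", "network": "OT-control", "end_of_support": date(2031, 1, 1)},
    {"vessel": "MV Example", "manufacturer": "ExampleMarine", "model": "PMS-100",
     "firmware": "3.0.0", "network": "OT-control", "end_of_support": date(2031, 1, 1)},
    {"vessel": "MV Example", "manufacturer": "SampleNav", "model": "ECDIS-7",
     "firmware": "unknown", "network": "OT-bridge", "end_of_support": date(2025, 6, 30)},
]
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "source": "vendor portal", "vendor": "examplemarine",
     "model": "PMS-100", "cves": ["CVE-0000-00001"], "cvss": 8.8,
     "affected": ("2.0.0", "2.9.9")},  # inclusive firmware range
    {"id": "ADV-PLACEHOLDER-2", "source": "NVD", "vendor": "SampleNav",
     "model": "ECDIS-7", "cves": ["CVE-0000-00002"], "cvss": 6.5,
     "affected": ("1.0.0", "1.4.0")},
]

def parse_version(text):
    """Return a comparable tuple, or None when the firmware string is not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (ValueError, AttributeError):
        return None

def assess(asset, advisory, today):
    """Step 3: relevance assessment of one advisory for one inventoried asset."""
    same_vendor = asset["manufacturer"].lower() == advisory["vendor"].lower()
    if not (same_vendor and asset["model"] == advisory["model"]):
        return None
    fw, (low, high) = parse_version(asset["firmware"]), advisory["affected"]
    if fw is None:
        status = "review"  # unknown firmware must not be recorded as "not affected"
    else:
        status = "affected" if parse_version(low) <= fw <= parse_version(high) else "not affected"
    return {"assessed_at": datetime.now(timezone.utc).isoformat(), "vessel": asset["vessel"],
            "asset": f'{asset["manufacturer"]} {asset["model"]} {asset["firmware"]}',
            "network": asset["network"], "advisory": advisory["id"], "source": advisory["source"],
            "cves": advisory["cves"], "cvss": advisory["cvss"], "status": status,
            "past_end_of_support": asset["end_of_support"] < today}  # step 4

def run(inventory, advisories, today):
    """Return the assessment log: one record per matching asset/advisory pair."""
    records = [assess(a, adv, today) for adv in advisories for a in inventory]
    return [r for r in records if r is not None]

if __name__ == "__main__":
    for record in run(INVENTORY, ADVISORIES, date(2026, 5, 6)):
        print(record)
```

An inventory entry with no recorded firmware version produces a "review" record rather than dropping out of the log, which is why the firmware field in the asset inventory matters for this process.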

OTWarden supports this workflow — watchlist-based monitoring for any combination of maritime OT vendors, with full alert history for audit documentation. Start a free trial or see pricing.
