What cybersecurity requirements are mandatory for new ships and offshore constructions?

IACS (International Association of Classification Societies) has adopted two new cyber safety Unified Requirements (URs) of ships: URE26 and URE27. These URs will be mandatory for new ships and offshore constructions contracted on and after 1 January 2024.

by Concha González, February 2023

What is IACS?

 IACS is a Non-Governmental Organization which was granted Consultative Status with IMO (International Maritime Organization) in 1969. 

More than 90% of the world’s cargo carrying tonnage is covered by the classification design, construction and through-life compliance rules and standards set by the eleven Member Societies of IACS. Undeniably, IACS requirements have a weight on maritime industry. At this time, it consists of 11 member societies as listed below.

  • American Bureau of Shipping (ABS)
  • Bureau Veritas (BV)
  • China Classification Society (CCS)
  • Croatian Register of Shipping (CRS)
  • DNV-GL
  • Indian Register of Shipping (IRS)
  • Korean Register (KR)
  • Lloyd’s Register (LR)
  • Class NK (NK)
  • Polish Register of Shipping (PRS)
  • RINA

Worldwide there are more than 50 classification societies; but only 11 classification societies are currently recognised by the European Union. This recognition allows them to act as organisations on behalf of EU member States.

What is the impact of mandatory cyber security new requirements by IACS?

IACS adopted requirements on cyber safety which will be mandatory for new ships contracted for construction on and after 1 January 2024. In order to assess the impact of these new requirements, let us first talk about statutory, mandatory, and class certification.

Class Certification

Under international law, every vessel over 100 GT must have a flag of a country. The flag represents the nationality as well as the registration place of the ship.

Law of the flag of the ship requires statutory certificates. Therefore, if a ship sails without a statutory certificate is breaking the law. Although mandatory certificates may not be required by law of the flag of the ship, they can be required for trading. For example, a Philippine flag vessel may sail without a statutory certificate on fire protection under Philippine law, instead it needs to have a mandatory certificate on fire protection to trade in European waters and enter European ports. Moreover, flag states may demand design, construction, and maintenance of ships follow recognized classification societies standards; this way, flag states demand compliance to class certification to operate on their scope.

Since more than 90% of the world’s cargo carrying tonnage is covered by rules and standards set by the eleven Member Societies of IACS; new requirements on cyber security will surely have a big impact on shipbuilders, ship owners and managers, design offices and suppliers.

New cyber security requirements mandatory January 2024

These two new requirements, UR26 and UR27, will be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024.

IEC 62443 is the origin of both requirements. In brief, IEC 62443 is a series of standards which main goal is to increase cyber safety on industrial environments, addressing Industrial Automation and Control Systems’ vulnerabilities to cyber attacks and applying measures to mitigate their possible impact.


Unified Requirement 26 understands the ship as a whole and provides a minimum set of requirements for cyber resilience.

It covers five main areas. First, identification and understanding all devices, systems, networks, and data flows on board. Second, protection of OT and IT systems.Third, detection of cyber incidents timely and effectively. Fourth, responding to cyber incidents to limit extension, effects, and possible damages. Lastly and equally important, recovering functionality.

It applies to Operational Technology (OT) systems onboard ships that can be vulnerable to cyber incidents and, if compromised, could lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment. Without being exhaustive: propulsion, fire detection, anchoring and mooring or navigational systems. Also, it applies to any IP (Internet Protocol) based communication or connection between equipments/systems.


Unified Requirement 27 is focused on ensuring system integrity is secured and hardened by third-party equipment suppliers. It provides requirements for product design and development before implementation onboard as well as for interfaces between computer-based systems and users.

It applies to CBS (computer based systems) including IT and OT systems. A CBS is defined as a “programmable electronic device, or interoperable set of programmable electronic devices, organized to achieve one or more specified purposes such as collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

In this article “What is cybersecurity by design in the shipbuilding industry?” you can find more information about some IO and OT technology, their cyber vulnerabilities, how to check them from cyber security terms and how Aeromarine can help you on it.

If you need more information, contact us