On July 1, 2024, two unified requirements from the International Association of Classification Societies became mandatory for all new-build vessel contracts. IACS UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of On-Board Systems and Equipment) established, for the first time, a binding international standard for maritime cyber resilience that classification societies must enforce during the design, construction, and commissioning of new vessels.
If you operate existing vessels, you might be tempted to dismiss E26 and E27 as someone else's problem - a concern for shipyards and naval architects, not for vessels already in service. That would be a mistake. The ripple effects of these requirements are already reaching existing vessel operators through classification society notations, insurance underwriting, and charter party negotiations.
What E26 and E27 Actually Require
E26 addresses cyber resilience at the ship level. It requires vessel designs to incorporate secure network architecture with proper segmentation between operational technology (OT) and information technology (IT) networks. It mandates documented asset inventories of all computer-based systems on board. It requires access control mechanisms, network monitoring capabilities, and incident response procedures. It also requires that the vessel's Safety Management System (SMS) incorporate cyber risk management as an integral component.
E27 addresses cyber resilience at the system and equipment level. It applies to the suppliers and integrators who build the systems installed on board - navigation systems, engine control systems, cargo management systems, and communication equipment. E27 requires these suppliers to demonstrate that their products meet specific cybersecurity standards: secure development practices, hardened default configurations, the ability to receive security patches, and documented security capabilities.
Together, E26 and E27 create a comprehensive framework. E26 ensures the ship's network architecture is designed to be resilient. E27 ensures the individual systems connected to that network are themselves secure. The combination addresses both the infrastructure and the endpoints - something that previous maritime cyber guidelines recommended but never mandated.
Why Existing Vessel Operators Should Pay Attention
Classification Society Voluntary Notations
Classification societies have not waited for existing vessels to age out of the fleet before applying E26/E27 thinking. DNV introduced its "Cyber Secure Basic" and "Cyber Secure Advanced" class notations, which use E26/E27 as the assessment framework. Lloyd's Register offers "Cyber-enabled Ship" descriptive notes. Bureau Veritas has its "Cyber Managed" notation. These voluntary notations are assessed against criteria drawn directly from E26 and E27.
While these notations are technically voluntary, the market is making them increasingly expected. Operators pursuing class notation renewals or additional notations will find that E26/E27 alignment is the standard their classification society applies - even for vessels built long before July 2024.
Insurance Implications
Marine insurance underwriters are increasingly referencing E26/E27 standards when assessing cyber risk. Following Lloyd's Market Bulletin Y5381, which required cyber exclusion clauses in marine policies from 2023, underwriters need a framework for evaluating which vessels represent acceptable cyber risk and which do not. E26/E27 provides that framework.
Vessels that can demonstrate alignment with E26/E27 principles - documented asset inventories, network segmentation, access controls, monitoring, and incident response - present a measurably lower risk profile. This translates into more favorable policy terms, fewer exclusions, and in some cases, the difference between being insurable for cyber incidents and not being insurable at all.
Charter Party Competitiveness
Major charterers - particularly oil majors, LNG operators, and container lines - are beginning to include cyber resilience requirements in their vetting questionnaires and charter party terms. The BIMCO Cyber Security Clause (adopted in 2019 and updated since) provides a contractual framework for requiring cyber risk management. Charterers evaluating multiple vessels for a time charter are starting to prefer vessels with demonstrable cyber credentials.
A vessel with a DNV Cyber Secure notation or documented E26/E27 alignment has a competitive advantage over an equivalent vessel with no cyber posture documentation. As the pool of E26/E27-compliant new builds grows, the gap between "cyber-ready" and "cyber-unknown" vessels will widen.
The Gap Between E26/E27 and a Typical Existing Vessel
Most existing vessels fall well short of E26/E27 standards in several key areas:
- No asset inventory: The vessel has no documented list of computer-based systems, their software versions, network addresses, or interconnections. Nobody on board can say with certainty how many systems are connected to the network.
- Flat network architecture: OT and IT systems share the same network without segmentation. The ECDIS workstation, the engine monitoring system, the crew WiFi access point, and the Captain's personal laptop are all on the same subnet.
- No access control: Systems use shared passwords (often the default manufacturer password), there is no role-based access, and there is no logging of who accessed what and when.
- No monitoring: There is no visibility into network traffic, no alerting on anomalous behavior, and no way to detect unauthorized devices connecting to the network.
- No incident response: There is no documented procedure for responding to a cyber incident, no designated responsible person, and no communication plan for notifying shore-side management, classification society, or flag state.
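The first, second, and fourth gaps can be checked mechanically once an inventory exists. The following is an added example, not part of the original article and not NCoDE Command's code: it compares a documented inventory against hosts observed on the network and reports unknown devices, inventoried systems that were not seen, and subnets shared by OT and IT systems. All MAC/IP values, the zone labels, and the /24 subnet size are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documented inventory (MAC -> record) and hosts
# actually observed on the network (e.g. exported from a switch or ARP table).
INVENTORY = {
    "00:11:22:aa:00:01": {"name": "ECDIS workstation", "zone": "OT"},
    "00:11:22:aa:00:02": {"name": "Engine monitoring", "zone": "OT"},
    "00:11:22:aa:00:03": {"name": "Crew WiFi AP", "zone": "IT"},
    "00:11:22:aa:00:04": {"name": "Ship office PC", "zone": "IT"},
    "00:11:22:aa:00:05": {"name": "Cargo management", "zone": "OT"},
}
OBSERVED = [
    ("00:11:22:AA:00:01", "192.168.1.10"),
    ("00:11:22:aa:00:02", "192.168.1.11"),
    ("00:11:22:aa:00:03", "192.168.1.20"),
    ("00:11:22:aa:00:04", "192.168.2.5"),
    ("de:ad:be:ef:00:99", "192.168.1.77"),  # not in the inventory
]

def audit(inventory, observed, prefix_len=24):
    """Return (unknown devices, unseen inventory entries, mixed-zone subnets)."""
    inv = {mac.lower(): rec for mac, rec in inventory.items()}
    obs = [(mac.lower(), ip) for mac, ip in observed]
    seen = {mac for mac, _ in obs}
    # Devices on the wire that nobody documented.
    unknown = sorted((mac, ip) for mac, ip in obs if mac not in inv)
    # Documented systems that were not observed (stale entry or offline system).
    missing = sorted(rec["name"] for mac, rec in inv.items() if mac not in seen)
    # Group known devices by subnet; a subnet holding both zones is unsegmented.
    zones = defaultdict(set)
    for mac, ip in obs:
        if mac in inv:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            zones[str(net)].add(inv[mac]["zone"])
    mixed = sorted(net for net, z in zones.items() if len(z) > 1)
    return unknown, missing, mixed

if __name__ == "__main__":
    unknown, missing, mixed = audit(INVENTORY, OBSERVED)
    print("Unknown devices:", unknown)
    print("Inventoried but not seen:", missing)
    print("Subnets mixing OT and IT:", mixed)
```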
Bringing an Existing Vessel Closer to E26/E27 with NCoDE Command
NCoDE Command is a vessel-level cyber resilience platform that addresses the core E26/E27 requirements for existing vessels. It does not require replacing existing equipment or redesigning the vessel's network from scratch. Instead, it provides the management, monitoring, and documentation layer that transforms a vessel's cyber posture.
Systems Inventory
NCoDE Command maintains a comprehensive inventory of every computer-based system on board - hardware, software versions, network configuration, physical location, and responsible person. This inventory is the foundation of E26 compliance. You cannot secure systems you do not know about. The inventory is continuously maintained rather than kept as a one-time spreadsheet that becomes outdated the moment a system is updated or replaced.
Network Monitoring
NCoDE Command provides visibility into network activity across the vessel's systems. Unauthorized devices, unusual traffic patterns, and connection attempts to known malicious destinations are detected and trigger alerts. This monitoring capability addresses E26's requirement for continuous awareness of the vessel's cyber environment.
Access Control via LDAP
NCoDE Command integrates LDAP-based access control across vessel systems, enabling role-based access with individual user accounts, password policies, and session logging. This replaces the shared-password model that is endemic on existing vessels and provides the access control and audit trail that E26 requires.
Vulnerability Scanning
Regular vulnerability assessments identify systems with known security weaknesses - outdated software, missing patches, insecure configurations. NCoDE Command tracks these vulnerabilities through their lifecycle from discovery to remediation, providing the patch management evidence that both E26 and insurance underwriters expect to see.
Compliance Documentation
Every action taken within NCoDE Command - asset updates, access changes, vulnerability remediation, incident response activities - is automatically documented with timestamps, responsible persons, and version control. This creates the audit-ready evidence trail that classification society surveyors, port state control inspectors, and insurance auditors need to verify compliance.
The Strategic View
E26 and E27 represent the direction the entire maritime industry is heading. The requirements that are mandatory for new builds today will become the expected standard for all vessels within the next classification cycle. Operators who begin aligning with E26/E27 now - rather than waiting until it becomes compulsory for existing vessels - will avoid the rush, reduce their insurance exposure, maintain charter party competitiveness, and build genuine cyber resilience rather than last-minute checkbox compliance.