As ships under IACS UR E26·E27 enter the delivery stage, ship security quality and cost savings emerge as the challenge

Can a ship that holds the required compliance documentation safely maintain navigation, propulsion, communications, and cargo operations even when it comes under a real cyberattack? As ships contracted on or after July 1, 2024 and subject to the mandatory IACS Unified Requirements UR E26·E27 enter their delivery period, the industry's question is shifting from "Have we met the requirements?" to exactly this.

The maritime cybersecurity company CYTUR Inc. has published a white paper addressing this issue, Secure-by-Design for Ship Cyber Resilience, pointing out that if UR E26·E27 compliance stops at documentation and manual checks, a gap can open between regulatory compliance and actual resilience. Classification societies describe UR E26·E27 as the "minimum requirements" for the cyber resilience of newbuildings.

According to CYTUR, a ship's network configuration, equipment specifications, software versions, remote-access paths, and supply-chain information change continually throughout design and construction. Tracking this by hand and verifying it only once, just before delivery, makes omissions and inconsistencies likely. Ships in particular are systems in which navigation, propulsion, power, communications, cargo, remote support, and the supply chain are intricately interconnected; checking only some equipment or part of the network makes it difficult to identify the compound attack paths a real adversary could use. Documentary compliance can be demonstrated on paper, the company notes, yet that does not guarantee the ability to withstand an attack during actual operation.

This concern is also evident at the maritime industry's flagship events. POSIDONIA 2026—the world's largest shipping event, held in Athens, Greece, from June 1 to 5—addresses digitalization and maritime security as major agenda items, reflecting how, as connected ships and data-driven operations spread, cyber risk is emerging as a core operational risk for the shipbuilding and maritime industry.

The regulatory environment points in the same direction. In April 2025, the IMO issued its Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3/Rev.3), treating cyber risk management as a natural extension of the existing safety management system and recommending continuous risk management not only for newbuildings but across existing ships and the ship-port interface. The European Union, through the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847), has made security-by-design and lifecycle vulnerability management mandatory for products with digital elements, applicable from December 2027. In the United States, in May 2026, Senators Rick Scott and Andy Kim introduced the Maritime Cybersecurity Act (S.4564), which would mandate annual assessments of cyber vulnerabilities at port facilities. Beyond a documentation review at the point of certification, regulation is expanding toward full-lifecycle security spanning ships, facilities, equipment, software, and the supply chain.

As a solution to this trend, CYTUR proposes Secure-by-Design: identifying threats at the design stage and tracing them all the way through to security requirements, design measures, test items, and verification evidence. This is not an additional security procedure but an engineering approach that raises design quality and verification efficiency, making it possible to quickly trace which requirements and test items are affected when a system changes. As a result, shipyards and shipowners can reduce repetitive manual documentation and last-minute rework before delivery, cutting the cost and man-hours of class response, equipment-maker collaboration, and owner review—while raising resilience in the actual operating environment.

Precedents from the automotive and defense industries are also instructive. The automotive industry, through UN Regulation No. 155 and ISO/SAE 21434, treats cybersecurity as an engineering activity spanning vehicle type approval and the entire development lifecycle, and in defense, design-stage threat modeling is likewise required for weapon systems. The shift to treating cybersecurity as part of design rather than an after-the-fact inspection has already taken place in other industries.

CYTUR CEO Yonghyun Cho said: "IACS UR E26·E27 is the minimum requirement for cyber resilience. Passing class certification means that minimum requirement has been met—it is not a guarantee that a real attack can be repelled." He added: "Documents can be produced once, but a ship's systems change throughout design and construction. Cyber resilience is secured not through a manual check just before delivery, but when threats are identified at the design stage and traced all the way through to requirements and test evidence."

The white paper Secure-by-Design for Ship Cyber Resilience covers clause-by-clause approaches to IACS UR E26·E27, a methodology for ship-systems threat modeling, the direction of international regulations and standards such as IMO, IACS, and the EU CRA, and Secure-by-Design precedents from the automotive and defense industries. It is available via the CYTUR website (cytur.net)