IMO MSC-FAL.1/Circ.3/Rev.3 Explained — Alignment with IACS UR E26/E27 and What It Means for the Maritime Industry
How the 2025 IMO cyber guidelines revision shifts the industry from awareness to measurable cyber resilience — and what it means for ships, shipyards, and classification societies
LinkedIn: linkedin.com/in/shipjobs
Collaborator: Blue Horizonist
In April 2025, the International Maritime Organization (IMO) released a critical revision to its maritime cybersecurity framework — MSC-FAL.1/Circ.3/Rev.3. This revision replaces its 2021 predecessor, Rev.2, and marks a significant paradigm shift from basic cyber risk awareness to structured cyber resilience implementation across all digital assets involved in maritime operations. It serves as a direct policy foundation for IACS UR E26 and UR E27, both mandatory for all new vessels contracted from 1 July 2024.
📌 1. What Has Changed? Comparing Rev.2 vs. Rev.3
The previous Rev.2 served primarily as an awareness-raising document, encouraging companies to consider cyber risk within their Safety Management Systems (SMS). In contrast, Rev.3 provides actionable, measurable, and documentable requirements, making it closer to a technical standard than a guideline. Rev.3 shifts the guidance from "what you should consider" to "what you must prepare and prove."
| Feature | Rev.2 (2021) | Rev.3 (2025) |
|---|---|---|
| Core Purpose | Risk awareness & high-level guidance | Achieving structured, measurable cyber resilience |
| Framework | Based on NIST CSF (v1) | Based on NIST CSF v2.0, includes Minimum Security Controls |
| Scope | Focus on onboard IT/OT systems | Expanded to shore-side links, port interfaces, autonomy, supply chains |
| Training | Recommended only | Mandatory annual training, with OT-specific modules |
| Documentation | Basic risk analysis records | Asset inventories, zone maps, incident response & recovery plans required |
🧩 2. Why It Matters — Rev.3 and UR E26/E27
Both UR E26 and UR E27 from IACS define mandatory cybersecurity requirements for ship systems and equipment, enforced from July 2024 onward. Rev.3 provides the strategic and documentation expectations, while UR E26/E27 enforce them through classification and certification mechanisms.
UR E26 applies to ship-wide Operational Technology (OT) systems: propulsion, steering, ballast, fire systems, and navigation.
- Asset Inventory — Rev.3 mandates a current list of all hardware/software and system interconnections → directly required by UR E26 for cybersecurity zoning.
- Network Segmentation — Rev.3 recommends secure zoning of ship networks → UR E26 enforces this with physical/logical security zones.
- Incident Response & Recovery — Rev.3 demands documented and tested strategies → UR E26 requires actionable recovery steps for system certification.
- Documentation Governance — Rev.3 sets expectations for diagrams, policies, and logs → these serve as audit artifacts under UR E26's verification process.
UR E27 focuses on individual equipment and systems — sensors, PLCs, control units, and HMIs.
- Device Security Features — Rev.3 calls for access control, password policies, and firmware integrity → all directly required in UR E27 as embedded equipment capabilities.
- Patch & Update Management — Rev.3 mandates managed updates and vulnerability remediation → E27 requires secure software updates and version control processes.
- Authentication and Logging — Rev.3 defines user identification and access logging as essential → E27 treats these as non-negotiable technical criteria for type approval.
🧠 3. Stakeholder Insights
Rev.3 impacts every stakeholder in the maritime ecosystem differently. Shipyards, shipowners, and classification societies each face distinct obligations, and the window to prepare is now.
Shipyards:
- Security must be embedded into design: Rev.3 encourages cyber zoning and documentation during early-stage engineering.
- Cybersecurity schematics (network topology, data flow maps, system classification) become contractual deliverables.
- Cyber-specific Factory/Site Acceptance Tests (FAT/SAT) will likely become standardized under UR E26 audits.
Shipowners:
- Integration into ISM and SMS is now non-optional. Cyber risk, incident response, and recovery must be part of safety documentation.
- Crew must undergo mandatory annual cybersecurity training, including OT-specific content (engine control room (ECR) systems, bridge systems).
- Shipowners will need to prove incident response readiness via drills and records, just as with fire or man-overboard scenarios.
Classification societies:
- Rev.3 lays the foundation for E26/E27 to be auditable standards, not abstract policies.
- Class societies will play a larger role in approving cyber zoning designs, testing cyber controls, and monitoring compliance during annual surveys.
- There is growing demand for "Cyber Class Notations", especially for digitally integrated or remotely operated vessels.
MSC-FAL.1/Circ.3/Rev.3 is no longer an advisory roadmap; it is a clear blueprint for how ships must be built, operated, and maintained in the digital age.
- Rev.3 provides a strategic policy layer enabling UR E26/E27 to function as enforceable standards — integrated into class rules, insurance policies, and port security frameworks.
- Cybersecurity is now a core part of vessel design, operations, safety, and certification — not just an IT concern.
- The industry must act now: documentation, training, and audit readiness are no longer optional.
If you'd like to receive a downloadable checklist, a compliance self-assessment tool, or training recommendations — just drop us a message.
📄 Official Source: MSC-FAL.1/Circ.3/Rev.3 — IMO Guidelines on Maritime Cyber Risk Management (PDF)