IMO's 2025 Cybersecurity Decision — One Year On: 2026, the Clock Is Running


Maritime Cyber Brief · Looking Back at MSC 110 (June 2025) and What Has Changed by Mid-2026

Captain Paul
Maritime 4.0 · AI & Cyber Intelligence · July 2026
📡 About This Series · Maritime Cyber Brief

Maritime Cyber Brief is a weekly series analyzing critical developments in maritime cybersecurity — IMO decisions, international regulations, and real-world incidents — from the perspective of a field practitioner. Rather than simply relaying regulatory text, each issue focuses on what actually changes on the ground and what you need to do about it.

This inaugural issue takes stock of the most consequential maritime cyber policy development of the past year: IMO's June 2025 decision to develop a non-mandatory Cybersecurity Code — and traces what has happened in the twelve months since, including the formal development program approved at MSC 111 in May 2026.

🗓️ Where We Are Now — The 12-Month Arc (July 2025 → July 2026)
Jun 2025

MSC 110, London — Delegates agreed that ship cybersecurity should advance through a non-mandatory Cybersecurity Code built on goal-based, risk management principles. An informal expert group was tasked with preliminary drafting work. No mandatory requirement was introduced.

May 2026

MSC 111, London — The formal work program for the Cybersecurity Code was approved, officially launching the development process. MSC 111's headline output was the adoption of the MASS Code for autonomous ships — a preview of the same phased pathway the Cybersecurity Code is now following.

Jul 2026

Now — The Cybersecurity Code is in active development. No adoption date has been formally confirmed. For practitioners, this is the most important window: the gap between "we decided" and "it is mandatory" is where preparation determines outcomes.

📅 Regulatory Timeline — What Actually Happened at Each Session
MSC 110 · June 2025 — DECISION

Agreed to develop a non-mandatory Cybersecurity Code with goal-based, risk management requirements. Because launching a formal work program requires a new output proposal to be approved at a subsequent MSC session, the committee directed that preliminary drafting work be conducted by an informal expert group in the interim. (Source: ClassNK MSC 110 Summary, Section 6)

MSC 111 · May 2026 — FORMAL WORK PROGRAM APPROVED

Member states and international organizations were invited to submit proposals for a new work output at MSC 111. The primary headline at MSC 111 was the adoption of the MASS Code (Maritime Autonomous Surface Ships) as a non-mandatory instrument. For the Cybersecurity Code, MSC 111 was the session where the formal development program was approved and work officially began — not adoption.

MSC 112+ · 2027 onwards — DRAFTING → ADOPTION (TBD)

The code will be drafted through subsequent MSC sessions. Final adoption timeline has not been formally confirmed — it will depend on the pace of the informal expert group's work and member state submissions.

Fact-check note: MSC 111 (May 2026) is sometimes described as the "adoption" stage for the Cybersecurity Code. This is inaccurate. MSC 111 approved the formal work program — the code itself remains under development. Compare this with the MASS Code, which was also non-mandatory and took multiple sessions from decision to adoption.

Ⅰ. What Was Decided in 2025 — The MSC 110 Cybersecurity Outcome

Looking back from mid-2026, the June 2025 MSC 110 decision now appears even more significant than it did at the time. Following the 2024 update to the IMO's cyber risk management guidelines (MSC-FAL.1/Circ.3/Rev.3), delegates confirmed that a non-mandatory Cybersecurity Code — not a mandatory regulation — would be the next step. The code is being built around two foundational principles.


Principle 1: Risk-Based Approach — The emphasis is on identifying, assessing, and treating risk — not on ticking compliance checkboxes.

Principle 2: Resilience over Defense — Across ship systems, ports, and remote-control interfaces, the code targets the ability to withstand and recover from incidents — not merely to prevent them.

Key interpretation (as of mid-2026): This was not a rejection of mandatory requirements. Member states chose a phased pathway — build experience through a non-mandatory code, then revisit mandatory status. The proof of this intent arrived at MSC 111 (May 2026): the formal Cybersecurity Code work program was approved, and the MASS Code was adopted as a non-mandatory instrument on exactly the same trajectory — a model for where the Cybersecurity Code is now headed.

Ⅱ. How This Connects to IACS E26 & E27

The most common question I receive in the field: "If IMO develops a code, what happens to IACS UR E26/E27?"

IACS E26/E27 remains the only enforceable cybersecurity standard today. It is mandatory for newbuilds contracted on or after 1 July 2024. While the IMO code is still non-mandatory, class society enforcement of E26/E27 is the sole active compliance channel in the industry.

When the IMO Cybersecurity Code is finalized, E26/E27 technical requirements are highly likely to align with the code's overarching principles. In practical terms: implement E26/E27 properly today and you will face minimal rework when the IMO code becomes mandatory.

Shipowners and yards that treated E26/E27 as a "paper pass" exercise face technical and operational rework when the IMO code becomes mandatory. Engaging with the code's draft content now, and embedding it into ongoing E26 implementation, is far more cost-effective than retrofitting later.

The IMO Code's "risk-based, resilience-centered" philosophy is already the design philosophy of E26. The critical difference: E26 is scoped to ship systems, while the IMO code extends to ports and remote-access interfaces. What that expansion means operationally is the subject of the next issue.

Ⅲ. What We Must Prepare — Before the Mandate Arrives

The window between a non-mandatory code and a mandatory regulation is not a grace period — it is a preparation window. Here is what every shipowner, superintendent, yard, and equipment supplier should be doing right now.

🚢 Shipowners & Technical Superintendents

Build your Cyber Asset Register now. Map every computer-based system (CBS) onboard — bridge, engine room, cargo, communication — and document which systems receive external data inputs (GNSS, AIS, remote monitoring, port connectivity). This is the foundational document E26 requires, and the IMO code will require the same.

Review your Cyber Incident Response Plan (CIRP). A plan that exists only in a binder fails at sea. Validate that your officers can execute it under pressure — including the scenario where shore-based support is unavailable for 48+ hours.

Start tracking port cybersecurity exposure. As the IMO code expands scope to ports and terminal interfaces, understand which ports your vessels call and what data connections are established at berth. USB transfers, cargo system integrations, and maintenance remote access are the highest-risk touchpoints.

Engage your class society before the next survey. Ask specifically: what documentation gaps will they look for under E26? Getting ahead of survey findings is far cheaper than post-survey corrective action.

🏗️ Shipyards & System Integrators

Integrate cyber security architecture into early design review (EDR). By the time commissioning tests begin, redesigning network segmentation or adding authentication layers is expensive and disruptive. At EDR, it is a design decision — fast and cheap.

Demand E27 documentation from every equipment supplier. The E27 obligation sits on the manufacturer, but your E26 compliance depends on it. A Class-approved piece of equipment without an E27-compliant cyber security profile is an open compliance gap on your vessel.

Conduct a network topology audit on every project. Map all data flows between IT and OT systems. Flat networks — where a compromised laptop can reach engine control — are the most common critical gap found in current newbuild designs.
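The Cyber Asset Register and the topology audit described above can be tied together in a small script. This is an added example, not part of the original brief: it lists every data-flow path by which a system with external inputs can reach a critical system. The `CBS` fields, the system names and both flow lists are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class CBS:
    name: str
    zone: str                     # "IT" or "OT"
    external_inputs: tuple = ()   # e.g. ("GNSS", "AIS")
    critical: bool = False        # loss affects propulsion, steering, cargo

# Constructed sample register and data flows, not taken from any real vessel.
REGISTER = [
    CBS("crew_laptop", "IT", ("internet", "USB")),
    CBS("admin_server", "IT"),
    CBS("ecdis", "OT", ("GNSS", "AIS")),
    CBS("remote_monitoring_gw", "OT", ("remote access",)),
    CBS("engine_control", "OT", critical=True),
    CBS("cargo_control", "OT", critical=True),
]
# Each flow is (source, destination): the direction in which data may be sent.
FLAT_FLOWS = [("crew_laptop", "admin_server"), ("ecdis", "admin_server"),
              ("admin_server", "engine_control"),
              ("remote_monitoring_gw", "engine_control")]
SEGMENTED_FLOWS = [("crew_laptop", "admin_server"), ("ecdis", "admin_server"),
                   ("engine_control", "remote_monitoring_gw")]  # outbound only

def exposure_paths(register, flows):
    """Map (entry point, critical system) -> shortest data-flow path between them."""
    known = {a.name for a in register}
    unknown = {n for flow in flows for n in flow} - known
    if unknown:  # a flow touching an unregistered system is itself an audit finding
        raise ValueError(f"flows reference unregistered systems: {sorted(unknown)}")
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    findings = {}
    for entry in (a.name for a in register if a.external_inputs):
        parent, queue = {entry: None}, deque([entry])
        while queue:  # breadth-first search from this entry point
            node = queue.popleft()
            for nxt in graph.get(node, []):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for target in (a.name for a in register if a.critical and a.name in parent):
            path, node = [], target
            while node is not None:
                path.append(node)
                node = parent[node]
            findings[(entry, target)] = path[::-1]
    return findings
```

With the flat flow list the crew laptop reaches engine control through the admin server. With the segmented list, where engine data only flows outward to the monitoring gateway, the result is empty.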

⚙️ Equipment Manufacturers (E27)

Publish your Cyber Security Plan (CSP) and keep it current. The CSP is not a one-time document — it must reflect the actual software and firmware versions deployed. An outdated CSP is a compliance finding, and shipyards are increasingly checking.

Establish a formal vulnerability disclosure and patch management process. The IMO code's resilience focus means regulators will scrutinize how quickly manufacturers respond to discovered vulnerabilities. Your PSIRT (Product Security Incident Response Team) process needs to be documented and demonstrable.


Ⅳ. The Posture We Must Adopt — A Practitioner's Mindset

Regulatory timelines can be tracked. Documents can be filed. But there is a deeper readiness that no checklist can substitute for. These are the attitudinal shifts that separate organizations that will navigate this transition well from those that will not.

🎯 Treat Compliance as a Floor, Not a Ceiling

E26, E27, and the forthcoming IMO code define the minimum. Ships that implement only the minimum will have minimum resilience. The threat environment — GPS spoofing, ransomware targeting OT, port-side supply chain attacks — does not respect a compliance deadline. Compliance earns you the certificate. Resilience earns you the ability to keep operating when the attack happens.

🔄 Assume Breach, Not Prevention

The IMO's explicit pivot to resilience language is not accidental. Regulators know that preventive controls will be bypassed. The question they are now asking — and the question you should already be asking — is: "When a system is compromised, can we detect it, contain it, and restore operations without losing the vessel?" If your incident response plan has never been tested, the answer is probably no.

🧭 Cybersecurity Is Now a Seamanship Skill

For decades, cybersecurity was the domain of IT departments ashore. That era is over. Bridge officers who cannot recognize GPS position anomalies as a potential cyber event are a navigational risk. Engineers who plug unknown USB drives into OT systems are a safety risk. Cyber awareness must be embedded in daily watchkeeping culture — not reserved for annual training videos.

🤝 Share Intelligence — Stop Competing on Incidents

The maritime industry's historical reluctance to share cyber incident data has left the entire sector flying blind on threat patterns. The IMO's move toward a structured code creates a natural framework for shared intelligence. Organizations that share what they learn from near-misses and incidents make the whole fleet harder to attack. Those that stay silent make themselves — and everyone else — easier targets.

📐 Design Decisions Last 25 Years

A ship contracted today will trade into the 2050s. The cybersecurity architecture decisions made at preliminary design review — network segmentation boundaries, authentication methods, software update pathways — will govern that vessel's resilience for its entire service life. The cost of getting it wrong compounds every year the vessel operates. The argument for investing in proper cyber architecture at the design stage has never been stronger.


⚓ Captain's Take — July 2026

Twelve months on from MSC 110, the picture is clearer: IMO's 2025 choice of a non-mandatory code was not a delay — it was a structured runway to mandatory requirements. The formal work program approved at MSC 111 means the development clock is now running. The industry is no longer waiting for a decision. It is waiting for a deadline.

1. Audit the quality of your E26/E27 implementation now — not when the survey is scheduled.

2. Map your port and remote-interface dependencies. The IMO code's scope expansion will create new obligations. Know what they will hit before they arrive.

3. Do not mistake 'non-mandatory' for 'optional'. Port State Control inspectors and major charterers have already begun using code conformance as a benchmark — independently of flag state enforcement. The market moves faster than the regulator.


References & Sources

IMO MSC 110th Session — Official Meeting Summary
imo.org — Official summary of the 110th Maritime Safety Committee session (18–27 June 2025, London), including the cybersecurity code development decision.

IMO MSC 110 Wraps with Key Progress — Breakbulk News
Breakbulk News (July 2025) — Comprehensive MSC 110 outcome summary including MASS Code progress, alternative fuel safety guidelines, and cybersecurity code decision.

IACS UR E26 & E27 — Unified Requirements (Cyber)
iacs.org.uk — Full text of E26 (Ship Cyber Resilience) and E27 (On-board Systems Manufacturer Obligations). Mandatory for newbuilds contracted from 1 July 2024.

ClassNK — IMO MSC 110 Session Summary (Japanese)
classnk.or.jp — ClassNK's official summary of IMO MSC 110 outcomes, covering cybersecurity code development, MASS Code progress, and key SOLAS amendments. PDF.

Captain Paul
Maritime 4.0 · AI & Cyber Intelligence

Maritime cybersecurity professional specializing in IACS UR E26/E27 compliance, OT system architecture, and shipyard-level cyber resilience design. Writing for engineers, superintendents, and operators navigating Maritime 4.0.
