IMO's 2025 Cybersecurity Decision — One Year On 2026, the Clock Is Running
Maritime Cyber Brief · Looking Back at MSC 110 (June 2025) and What Has Changed by Mid-2026
Maritime Cyber Brief is a weekly series analyzing critical developments in maritime cybersecurity — IMO decisions, international regulations, and real-world incidents — from the perspective of a field practitioner. Rather than simply relaying regulatory text, each issue focuses on what actually changes on the ground and what you need to do about it.
This inaugural issue takes stock of the most consequential maritime cyber policy development of the past year: IMO's June 2025 decision to develop a non-mandatory Cybersecurity Code — and traces what has happened in the twelve months since, including the formal development program approved at MSC 111 in May 2026.
MSC 110, London — Delegates agreed that ship cybersecurity should advance through a non-mandatory Cybersecurity Code built on goal-based, risk management principles. An informal expert group was tasked with preliminary drafting work. No mandatory requirement was introduced.
MSC 111, London — The formal work program for the Cybersecurity Code was approved, officially launching the development process. MSC 111's headline output was the adoption of the MASS Code for autonomous ships — a preview of the same phased pathway the Cybersecurity Code is now following.
Now — The Cybersecurity Code is in active development. No adoption date has been formally confirmed. For practitioners, this is the most important window: the gap between "we decided" and "it is mandatory" is where preparation determines outcomes.
Agreed to develop a non-mandatory Cybersecurity Code with goal-based, risk management requirements. Because launching a formal work program requires a new output proposal to be approved at a subsequent MSC session, the committee directed that preliminary drafting work be conducted by an informal expert group in the interim. (Source: ClassNK MSC 110 Summary, Section 6)
Member states and international organizations were invited to submit proposals for a new work output at MSC 111. The primary headline at MSC 111 was the adoption of the MASS Code (Maritime Autonomous Surface Ships) as a non-mandatory instrument. For the Cybersecurity Code, MSC 111 was the session where the formal development program was approved and work officially began — not adoption.
The code will be drafted through subsequent MSC sessions. The final adoption timeline has not been formally confirmed — it will depend on the pace of the informal expert group's work and member state submissions.
Fact-check note: MSC 111 (May 2026) is sometimes described as the "adoption" stage for the Cybersecurity Code. This is inaccurate. MSC 111 approved the formal work program — the code itself remains under development. Compare this with the MASS Code, which was also non-mandatory and took multiple sessions from decision to adoption.
Ⅰ. What Was Decided in 2025 — The MSC 110 Cybersecurity Outcome
Looking back from mid-2026, the June 2025 MSC 110 decision now appears even more significant than it did at the time. Following the 2024 update to the IMO's cyber risk management guidelines (MSC-FAL.1/Circ.3/Rev.3), delegates confirmed that a non-mandatory Cybersecurity Code — not a mandatory regulation — would be the next step. The code is being built around two foundational principles.
Key interpretation (as of mid-2026): This was not a rejection of mandatory requirements. Member states chose a phased pathway — build experience through a non-mandatory code, then revisit mandatory status. The proof of this intent arrived at MSC 111 (May 2026): the formal Cybersecurity Code work program was approved, and the MASS Code was adopted as a non-mandatory instrument on exactly the same trajectory — a model for where the Cybersecurity Code is now headed.
Ⅱ. How This Connects to IACS E26 & E27
The most common question I receive in the field: "If IMO develops a code, what happens to IACS UR E26/E27?"
Ⅲ. What We Must Prepare — Before the Mandate Arrives
The window between a non-mandatory code and a mandatory regulation is not a grace period — it is a preparation window. Here is what every shipowner, superintendent, yard, and equipment supplier should be doing right now.
Build your Cyber Asset Register now. Map every computer-based system (CBS) onboard — bridge, engine room, cargo, communication — and document which systems receive external data inputs (GNSS, AIS, remote monitoring, port connectivity). This is the foundational document E26 requires, and the IMO code will require the same.
Review your Cyber Incident Response Plan (CIRP). A plan that exists only in a binder fails at sea. Validate that your officers can execute it under pressure — including the scenario where shore-based support is unavailable for 48+ hours.
Start tracking port cybersecurity exposure. As the IMO code expands scope to ports and terminal interfaces, understand which ports your vessels call and what data connections are established at berth. USB transfers, cargo system integrations, and maintenance remote access are the highest-risk touchpoints.
Engage your class society before the next survey. Ask specifically: what documentation gaps will they look for under E26? Getting ahead of survey findings is far cheaper than post-survey corrective action.
Integrate cyber security architecture into early design review (EDR). By the time commissioning tests begin, redesigning network segmentation or adding authentication layers is expensive and disruptive. At EDR, it is a design decision — fast and cheap.
Demand E27 documentation from every equipment supplier. The E27 obligation sits on the manufacturer, but your E26 compliance depends on it. A Class-approved piece of equipment without an E27-compliant cyber security profile is an open compliance gap on your vessel.
Conduct a network topology audit on every project. Map all data flows between IT and OT systems. Flat networks — where a compromised laptop can reach engine control — are the most common critical gap found in current newbuild designs.
Publish your Cyber Security Plan (CSP) and keep it current. The CSP is not a one-time document — it must reflect the actual software and firmware versions deployed. An outdated CSP is a compliance finding, and shipyards are increasingly checking.
Establish a formal vulnerability disclosure and patch management process. The IMO code's resilience focus means regulators will scrutinize how quickly manufacturers respond to discovered vulnerabilities. Your PSIRT (Product Security Incident Response Team) process needs to be documented and demonstrable.
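The Cyber Asset Register and network topology audit items in the list above can be combined into one check, shown here as an added example that is not part of the original article or any class society tooling. The system names, zone labels and data flows are constructed sample data, and the code assumes that any flow passing through a device marked BOUNDARY is filtered.

```python
from collections import deque

# Constructed sample register: each CBS with its zone and external data inputs.
ASSETS = {
    "crew-laptop":       {"zone": "IT", "external": ["internet"]},
    "admin-switch":      {"zone": "IT", "external": []},
    "ot-firewall":       {"zone": "BOUNDARY", "external": []},
    "ecdis":             {"zone": "OT", "external": ["GNSS", "AIS"]},
    "remote-monitor-gw": {"zone": "OT", "external": ["remote monitoring"]},
    "engine-control":    {"zone": "OT", "external": []},
    "cargo-system":      {"zone": "OT", "external": ["port connectivity"]},
}
# Constructed data flows: (src, dst) means src can initiate traffic to dst.
FLOWS = [
    ("crew-laptop", "admin-switch"),
    ("admin-switch", "ot-firewall"),
    ("ot-firewall", "ecdis"),
    ("admin-switch", "remote-monitor-gw"),  # link that bypasses the firewall
    ("remote-monitor-gw", "engine-control"),
]

def unfiltered_paths(assets, flows):
    """Return {(it_system, ot_system): path} for every OT system an IT system
    can reach without crossing a BOUNDARY device (assumed to filter traffic)."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    findings = {}
    for start in [n for n, m in assets.items() if m["zone"] == "IT"]:
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            for nxt in graph.get(path[-1], []):
                zone = assets.get(nxt, {}).get("zone")  # unregistered: still traversed
                if nxt in seen or zone == "BOUNDARY":
                    continue
                seen.add(nxt)
                if zone == "OT":
                    findings[(start, nxt)] = path + [nxt]
                queue.append(path + [nxt])
    return findings

def externally_fed_ot(assets):
    """OT systems that receive external data inputs, per the register."""
    return sorted(n for n, m in assets.items() if m["zone"] == "OT" and m["external"])

if __name__ == "__main__":
    for (src, dst), path in unfiltered_paths(ASSETS, FLOWS).items():
        print(f"{src} reaches {dst}: {' -> '.join(path)}")
```

Each finding is a flat-network path to review with the yard; a path that stops at the boundary device still needs its rule set checked, which this sketch does not model.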
Ⅳ. The Posture We Must Adopt — A Practitioner's Mindset
Regulatory timelines can be tracked. Documents can be filed. But there is a deeper readiness that no checklist can substitute for. These are the attitudinal shifts that separate organizations that will navigate this transition well from those that will not.
E26, E27, and the forthcoming IMO code define the minimum. Ships that implement only the minimum will have minimum resilience. The threat environment — GPS spoofing, ransomware targeting OT, port-side supply chain attacks — does not respect a compliance deadline. Compliance earns you the certificate. Resilience earns you the ability to keep operating when the attack happens.
The IMO's explicit pivot to resilience language is not accidental. Regulators know that preventive controls will be bypassed. The question they are now asking — and the question you should already be asking — is: "When a system is compromised, can we detect it, contain it, and restore operations without losing the vessel?" If your incident response plan has never been tested, the answer is probably no.
For decades, cybersecurity was the domain of IT departments ashore. That era is over. Bridge officers who cannot recognize GPS position anomalies as a potential cyber event are a navigational risk. Engineers who plug unknown USB drives into OT systems are a safety risk. Cyber awareness must be embedded in daily watchkeeping culture — not reserved for annual training videos.
The maritime industry's historical reluctance to share cyber incident data has left the entire sector flying blind on threat patterns. The IMO's move toward a structured code creates a natural framework for shared intelligence. Organizations that share what they learn from near-misses and incidents make the whole fleet harder to attack. Those that stay silent make themselves — and everyone else — easier targets.
A ship contracted today will trade into the 2050s. The cybersecurity architecture decisions made at preliminary design review — network segmentation boundaries, authentication methods, software update pathways — will govern that vessel's resilience for its entire service life. The cost of getting it wrong compounds every year the vessel operates. The argument for investing in proper cyber architecture at the design stage has never been stronger.
Twelve months on from MSC 110, the picture is clearer: IMO's 2025 choice of a non-mandatory code was not a delay — it was a structured runway to mandatory requirements. The formal work program approved at MSC 111 means the development clock is now running. The industry is no longer waiting for a decision. It is waiting for a deadline.
Audit the quality of your E26/E27 implementation now — not when the survey is scheduled.
Map your port and remote-interface dependencies. The IMO code's scope expansion will create new obligations. Know what they will hit before they arrive.
Do not mistake 'non-mandatory' for 'optional'. Port State Control inspectors and major charterers have already begun using code conformance as a benchmark — independently of flag state enforcement. The market moves faster than the regulator.
Maritime cybersecurity professional specializing in IACS UR E26/E27 compliance, OT system architecture, and shipyard-level cyber resilience design. Writing for engineers, superintendents, and operators navigating Maritime 4.0.