UR E26, After the Mandate ① — One Mandatory Rule, Five Perspectives
What 1 July 2024 actually changed — and the single variable that decides whether the structure holds: the clarity of the boundary.
- LinkedIn : linkedin.com/in/abysstoinfinity
The opening installment of a six-part series (one market overview + five stakeholder deep-dives). This piece is not written to evaluate or criticize any particular classification society or the class system itself — its purpose is to survey, as factually and neutrally as possible, the whole market structure that took shape once the mandatory rule entered into force.
① What 1 July 2024 actually changed
1 July 2024. From this date forward — for newbuildings whose construction contracts are signed on or after it — cyber resilience became a mandatory condition at the classification (class) level. The IACS Unified Requirements UR E26 "Cyber Resilience of Ships" and UR E27 "Cyber Resilience of On-Board Systems and Equipment" had entered into force. The two requirements were originally adopted in April 2022 for January 2024 application, but during a revision process that incorporated industry feedback the original texts were withdrawn and replaced by revised versions (E26 September 2023, E27 November 2023), pushing the application date to July 2024. Fail to comply, and no class certificate is issued — a simple change, but one with powerful meaning.
First, a common misconception worth clearing away. It is not that cyber security was absent before mandation. On the contrary, it already existed across several layers. Classification societies each operated their own voluntary cyber notations — DNV's "Cyber Secure" (July 2018), Bureau Veritas' NR659, ABS' CyberSafety, ClassNK's guidelines. Outside of class there were precedents too: IMO Res. MSC.428(98) and MSC-FAL.1/Circ.3 (2017), BIMCO's industry guidelines, and IACS's recommendations consolidated into Recommendation 166 (2020).
So, to put it precisely, what was missing before mandation was not cyber security itself but a mandatory, unified newbuilding baseline at the technical class level. The existing notations were a voluntary choice, and MSC.428(98), though mandatory, was a risk-management requirement at the safety-management-system (SMS) level — not a technical class requirement on newbuilding design.
What UR E26/E27 did was neither “invent something new” nor merely “tidy up the disparate.”
It converted a dispersed, voluntary set of approaches into a single technical baseline — a condition of class — mandated for every newbuilding.
In fact the URs did not abolish or replace existing notations; they aligned with them — even before mandation, DNV pointed to a path where its existing Cyber Secure (Essential) notation could pre-satisfy the URs. The technology was largely already there; the URs' essential contribution was the shift along two axes — voluntary → mandatory, and dispersed → unified.
And yet, even as a mandatory rule that proclaims “unification,” the field in its second year of mandation still shows class-by-class differences. For the same rule, each society issues its own guideline, presents differently named cyber notations, and differs in the depth and format of the deliverables demanded at survey. This is where the series' question arises.
This series begins from that question. But the role of this opening piece is not to deliver an answer — it is to decompose the question itself precisely.
② The question actually contains two
The root of the confusion is that the question above bundles two distinct strata into one.
These two operate in entirely different ways and must be viewed separately. Many debates run on parallel tracks precisely because they mix the two. One clarification up front — nothing here is an attack on any society or on class itself. A society placing a differentiated layer atop the floor is, as long as the boundary stays clear, not a deviation but a normal function the IACS system explicitly permits and was designed to allow. The tension arises only when the boundary between that floor and the differentiation layer blurs. That boundary is the whole subject of this series.
③ Anatomy of the mandatory baseline — what UR E26/E27 are, and how far they reach
The starting point is to pin down exactly what is mandatorily applied. UR E26/E27 did not appear in a vacuum. Beneath them sits UR E22 "On Board Use and Application of Computer Based Systems" (first established 2006, revised to Rev.3 in June 2023), which sorts computer-based systems (CBS) into Category I / II / III according to the consequences their failure would have on people, the ship, and the environment. That classification becomes the skeleton of risk-based application in E26/E27. In short, E22 lays down the terminology and classification, and E26/E27 operate on top of it.
E26 — the ship as a whole (ship-level)
It treats not individual equipment but the ship as a single integrated object, and requires a cyber risk management framework. Its skeleton is the five NIST CSF functions — Identify · Protect · Detect · Respond · Recover — and the revised version comprises 17 requirements. In practice, E26 demands deliverables at three stages of the ship's life cycle:
E27 — individual systems (system-level)
It specifies the minimum security capabilities each CBS and piece of equipment composing the ship must possess; its primary addressees are third-party equipment vendors. The revised version defines 30 core capabilities, plus 11 more for systems connected to an untrusted network. If a vendor obtains type approval, the evidentiary burden at the later design, construction, and survey stages is greatly reduced. In the early days of mandation, however, type-approved systems were very few (on the order of 4 at ClassNK and 20 at DNV as of November 2024), a bottleneck where certification could not keep pace with demand.
Scope and basis
Both requirements take IEC 62443 as their technical foundation and generally apply to ships of ≥ 500 GT on international voyages (whether application is mandatory or non-mandatory depends on ship type and size, with exclusions such as small fishing vessels and yachts). The rule also operates in conjunction with the SMS-level cyber risk management required by MSC.428(98) and MSC-FAL.1/Circ.3.
A UR is, by definition, a minimum requirement. IACS expressly lets each member society set stricter requirements that exceed it. What E26/E27 mandate is not a ceiling but a floor — and the space above it was left open by design.
④ Why one rule yields different outcomes — three structural reasons
“If it's a unified rule, why does it differ by society?” is a natural question, but reducing the cause to a single actor's intent misreads the phenomenon. Divergence generally arises from the following three structural conditions.
All three stem from structure, not intent. At the same time, all three to some degree imply “ambiguity in the floor itself.” This ambiguity becomes the soil for the tension addressed below.
⑤ Two strata — the mandatory floor and voluntary notation, and the key called ‘scope’
Now divide the market into two strata. The lower stratum is the mandatory floor — the minimum compliance the UR E26/E27 text requires, the non-negotiable baseline a newbuilding must satisfy to receive its class certificate. The upper stratum is the voluntary notation layer — DNV's Cyber Secure, ABS' Cyber Resilience (CR) and the fleet-facing CR-Ex, BV's NR659 line, ClassNK's guideline system, and so on. (LR issued no separate E26/E27 documents, aligning its existing rules to the URs instead.) Names and grading structures differ by society, but the common thread is that they are a choice, not a mandate.
Here the key question is “does the upper stratum sell the lower one twice?”, and the single criterion that decides the answer is scope. And, decisively, notations are not monolithic — their relationship to the baseline differs by tier.
So “does it sell twice?” depends on the tier. The baseline-equivalent tier is a means to comply; the baseline-exceeding tier addresses a different scope. And the latter has real market demand. The most clearly grounded case is chartering / vetting — DNV explicitly emphasizes that a cyber notation raises charterer and oil-major vetting scores, increasing chartering prospects. Interest at the insurance and flag-state levels is growing too, but how much actually reaches price varies so widely by market, ship type, and timing that it is premature to be categorical.
⑥ Where the tension actually lives — kept in balance
This does not mean everything is seamless. When the two strata do not separate cleanly, the following tensions arise. But they are more accurately read as problems of boundary management than as properties of the notation product itself.
To stress again — so long as the two strata are cleanly separated (the mandatory floor surveyed clearly and uniformly, the voluntary layer above genuinely addressing additional scope), structural friction is near zero. Tension arises only at the point where that separation breaks down.
⑦ Part 1's provisional conclusion — the boundary decides everything
Now back to the opening question. What does this dual structure — a class-by-class differentiation layer stacked atop a mandatory rule that aimed at unification — mean for the market? The core of the answer Part 1 can offer compresses to a single variable: the clarity of the boundary.
If the mandatory floor is clear and uniform and the layer above genuinely addresses additional scope and assurance, this dual structure works coherently. That is the inherent way the classification business operates, the differentiation the market actually rewards, and the design the IACS system explicitly permits. Conversely, friction occurs when (a) the mandatory baseline itself is interpreted differently, enabling forum shopping among societies; (b) a voluntary notation's requirements are packaged as mandatory compliance and the scope expands; or (c) an owner with a dispersed fleet shoulders asymmetric costs for the same compliance. All three are problems not of the product itself but of boundary management.
Whether this boundary tension is a permanent design feature or a converging transitional phenomenon cannot yet be declared. Structural remedies generally run in three directions — IACS issuing Unified Interpretations more forcefully to narrow the interpretive room in the mandatory layer; UR revisions becoming more prescriptively refined; or, at the IMO level, elevating the baseline into a mandatory instrument so the source of binding force is drawn outside the class–customer relationship. That both E26's mandatory force and the notation products currently spring from the same root — a contractual relationship with the society — is the crux that makes the two structurally hard to separate, and only the third path touches that root. Until then, divergence is a fact of the market, and what matters is reading and managing it precisely.
⑧ Five perspectives — the series roadmap
The same structure looks like an entirely different landscape to each stakeholder. The following installments examine them one by one (the order may be adjusted).
The mandation of UR E26 was not a full stop but a comma. Cyber resilience finally became a mandatory condition, but how much more gets stacked on top is still being decided by the market, and the boundary between mandate and differentiation is tested without end.
Arguing over that boundary is easy; reading it precisely is hard. And that hard task is precisely the domain that all five of these stakeholders — each from their own position — can actually control.
Next, the same structure through the owner's eyes. The first question an owner facing the mandatory floor confronts is, unexpectedly, simple — “How far is what must be bought, and from where is it a choice?”
☑ IACS Recommendation No. 166 "Recommendation on Cyber Resilience" (2020)
☑ IEC 62443 — cyber security for industrial automation & control systems
☑ IMO Res. MSC.428(98) · MSC-FAL.1/Circ.3 (2017)
☑ Class cyber notation systems — DNV Cyber Secure (2018–), BV NR659, ABS CyberSafety / CR · CR-Ex, ClassNK guidelines, LR aligned rules
An owner-side technical advisor coordinating across classification societies (ClassNK · LR · DNV · ABS · BV), shipyards, and vendors on IACS UR E26/E27 compliance, Zone & Conduit (ZCD) design, and OT/IT security architecture.