UR E26, After the Mandate ① — One Mandatory Rule, Five Perspectives

💡 Market Overview IACS UR E26 · E27 Series ① / ⑥ Condition of Class


What 1 July 2024 actually changed — and the single variable that decides whether the structure holds: the clarity of the boundary.

Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance
- LinkedIn : linkedin.com/in/abysstoinfinity

The opening installment of a six-part series (one market overview + five stakeholder deep-dives). This piece is not written to evaluate or criticize any particular classification society or the class system itself — its purpose is to survey, as factually and neutrally as possible, the whole market structure that took shape once the mandatory rule entered into force.

IACS UR E26/E27 · IEC 62443 · mandatory floor · voluntary notation · OT / IT

① What 1 July 2024 actually changed

1 July 2024. From this date forward — for newbuildings whose construction contracts are signed on or after it — cyber resilience became a mandatory condition at the classification (class) level. The IACS Unified Requirements UR E26 "Cyber Resilience of Ships" and UR E27 "Cyber Resilience of On-Board Systems and Equipment" had entered into force. The two requirements were originally adopted in April 2022 for January 2024 application, but during a revision process that incorporated industry feedback the original texts were withdrawn and replaced by revised versions (E26 September 2023, E27 November 2023), pushing the application date to July 2024. Fail to comply, and no class certificate is issued — a simple change, but one with powerful meaning.

First, a common misconception worth clearing away. It is not that cyber security was absent before mandation. On the contrary, it already existed across several layers. Classification societies each operated their own voluntary cyber notations — DNV's "Cyber Secure" (July 2018), Bureau Veritas' NR659, ABS' CyberSafety, ClassNK's guidelines. Outside of class there were precedents too: IMO Res. MSC.428(98) and MSC-FAL.1/Circ.3 (2017), BIMCO's industry guidelines, and IACS's recommendations consolidated into Recommendation 166 (2020).

So, to put it precisely, what was missing before mandation was not cyber security itself but a mandatory, unified newbuilding baseline at the technical class level. The existing notations were a voluntary choice, and MSC.428(98), though mandatory, was a risk-management requirement at the safety-management-system (SMS) level — not a technical class requirement on newbuilding design.

What UR E26/E27 did was neither “invent something new” nor merely “tidy up the disparate.”

It converted a dispersed, voluntary set of approaches into a single technical baseline — a condition of class — mandated for every newbuilding.

In fact the URs did not abolish or replace existing notations; they aligned with them — even before mandation, DNV pointed to a path where its existing Cyber Secure (Essential) notation could pre-satisfy the URs. The technology was largely already there; the URs' essential contribution was the shift along two axes — voluntary → mandatory, and dispersed → unified.

And yet, even as a mandatory rule that proclaims “unification,” the field in its second year of mandation still shows class-by-class differences. For the same rule, each society issues its own guideline, presents differently named cyber notations, and differs in the depth and format of the deliverables demanded at survey. This is where the series' question arises.

A class-by-class differentiation layer is being stacked atop a mandatory baseline that aimed at unification. What does that dual structure mean for the market, and where is its boundary tested?

This series begins from that question. But the role of this opening piece is not to deliver an answer — it is to decompose the question itself precisely.

② The question actually contains two

The root of the confusion is that the question above bundles two distinct strata into one.

· The mandatory baseline (the UR text) is itself interpreted differently across societies.
· The voluntary notation layer stacked on top is a separate thing with a separate nature.

These two operate in entirely different ways and must be viewed separately. Many debates run on parallel tracks precisely because they mix the two. One clarification up front — nothing here is an attack on any society or on class itself. A society placing a differentiated layer atop the floor is, as long as the boundary stays clear, not a deviation but a normal function the IACS system explicitly permits and was designed to allow. The tension arises only when the boundary between that floor and the differentiation layer blurs. That boundary is the whole subject of this series.

③ Anatomy of the mandatory baseline — what UR E26/E27 are, and how far they reach

The starting point is to pin down exactly what is mandatorily applied. UR E26/E27 did not appear in a vacuum. Beneath them sits UR E22 "On Board Use and Application of Computer Based Systems" (first established 2006, revised to Rev.3 in June 2023), which sorts computer-based systems (CBS) into Category I / II / III according to the consequences their failure would have on people, the ship, and the environment. That classification becomes the skeleton of risk-based application in E26/E27. In short, E22 lays down the terminology and classification, and E26/E27 operate on top of it.

E26 — the ship as a whole (ship-level)

It treats not individual equipment but the ship as a single integrated object, and requires a cyber risk management framework. Its skeleton is the five NIST CSF functions — Identify · Protect · Detect · Respond · Recover — and the revised version comprises 17 requirements. In practice, E26 demands deliverables at three stages of the ship's life cycle:

· Design / construction — the systems integrator (typically the shipyard) submits the Zones and Conduit Diagram (ZCD), the ship asset inventory, and the cyber security design description.
· Commissioning — the ship cyber resilience test procedure is submitted and verified.
· Operation — the owner establishes and maintains the ship cyber security and resilience programme.

E27 — individual systems (system-level)

It specifies the minimum security capabilities each CBS and piece of equipment composing the ship must possess; its primary addressees are third-party equipment vendors. The revised version defines 30 core capabilities, plus 11 additional ones for systems connected to an untrusted network. If a vendor obtains type approval, the evidentiary burden at the later design, construction, and survey stages is greatly reduced. In the early days of mandation, however, type-approved systems were very few — on the order of 4 at ClassNK and 20 at DNV as of November 2024 — a bottleneck where certification could not keep pace with demand.

Scope and basis

Both requirements take IEC 62443 as their technical foundation and generally apply to ships of ≥ 500 GT on international voyages (whether application is mandatory or non-mandatory depends on ship type and size, with exclusions such as small fishing vessels and yachts). The rule also operates in conjunction with the SMS-level cyber risk management required by MSC.428(98) and MSC-FAL.1/Circ.3.

A UR is, by definition, a minimum requirement. IACS expressly lets each member society set stricter requirements that exceed it. What E26/E27 mandate is not a ceiling but a floor — and the space above it was left open by design.

④ Why one rule yields different outcomes — three structural reasons

“If it's a unified rule, why does it differ by society?” is a natural question, but reducing the cause to a single actor's intent misreads the phenomenon. Divergence generally arises from the following three structural conditions.

One · E26 is, in substantial part, goal-based
Much of it is written as “meet this goal,” not “do exactly this, this way.” Which concrete method satisfies a goal is left open to interpretation, and a society's guideline takes on the character of an interpretation service that fills precisely that gap. It is a consequence of writing the norm at a deliberately high level of abstraction — a design feature, in short.
Two · It is a new rule, and we are still in a transitional period
E26/E27 gained binding force only in July 2024. Every new rule converges through Unified Interpretations, FAQs, and panel discussions after entry into force. Indeed, the first year was a time of friction, interpretive ambiguity, and advance coordination; only from late 2025 — type approvals surging, the first cyber-notated ships delivered — did it begin maturing into an execution phase, as DNV, ClassNK and others refined their rules and issued more granular guidance. Some of the present divergence may be a converging transitional phenomenon, not a permanent defect.
Three (most important) · The floor is explicitly exceedable — which legitimizes divergence
As seen above, a society stacking its own stricter standard atop the floor is a right the IACS system guarantees. Accordingly, different higher standards across societies are not evidence of a violation; they can instead be read as a sign that the rule is working as intended.

All three stem from structure, not intent. At the same time, all three to some degree imply “ambiguity in the floor itself.” This ambiguity becomes the soil for the tension addressed below.

⑤ Two strata — the mandatory floor and voluntary notation, and the key called ‘scope’

Now divide the market into two strata. The lower stratum is the mandatory floor — the minimum compliance the UR E26/E27 text requires, the non-negotiable baseline a newbuilding must satisfy to receive its class certificate. The upper stratum is the voluntary notation layer — DNV's Cyber Secure, ABS' Cyber Resilience (CR) and the fleet-facing CR-Ex, BV's NR659 line, ClassNK's guideline system, and so on. (LR issued no separate E26/E27 documents, aligning its existing rules to the URs instead.) Names and grading structures differ by society, but the common thread is that they are a choice, not a mandate.

[Figure: Cross-section of the two strata; scope decides everything. From the surface (ship in service, IT | OT) downward, the voluntary layers that add scope: In-Operation / in-service notation (existing fleet); fleet-level continuous governance (operational); higher security profile (higher IEC 62443 SL) and the IT domain beyond baseline. Beneath them, the mandatory floor: UR E26 / E27, condition of class, the non-negotiable baseline with no certificate without it.]

Here the key question is “does the upper stratum sell the lower one twice?”, and the single criterion that decides the answer is scope. And, decisively, notations are not monolithic — their relationship to the baseline differs by tier.

Baseline-equivalent tier
DNV presents Cyber Secure (Essential) as a path to a newbuilding's UR E26 compliance. This is not “selling the same thing twice” but a means of discharging the mandatory obligation — close to a packaging of the class verification one must go through anyway.
Baseline-exceeding tier
Higher IEC 62443 security levels, the IT domain E26 does not directly address (E26 is essentially OT-centric), continuous operational / fleet-level governance, and in-service notations for existing ships outside mandatory scope. In late 2025 DNV split its notation into Design / In-Operation, and ABS broadened CR-Ex to existing fleets.

So “does it sell twice?” depends on the tier. The baseline-equivalent tier is a means to comply; the baseline-exceeding tier addresses a different scope. And the latter has real market demand. The most clearly grounded case is chartering / vetting — DNV explicitly emphasizes that a cyber notation raises charterer and oil-major vetting scores, increasing chartering prospects. Interest at the insurance and flag-state levels is growing too, but how much actually reaches price varies so widely by market, ship type, and timing that it is premature to be categorical.

⑥ Where the tension actually lives — kept in balance

This does not mean everything is seamless. When the two strata do not separate cleanly, the following tensions arise. But they are more accurately read as problems of boundary management than as properties of the notation product itself.

One · Interpretive divergence in the mandatory layer collides with the UR's reason for being
Since the purpose of unification was to resolve dispersion, if the interpretation, survey criteria, and pass criteria of the mandatory baseline itself diverge by society, the pre-unification dispersed state is partly reproduced. Differentiation in the upper (voluntary) layer is normal; divergence in the lower (mandatory) layer carries a different weight.
Two · The rule-maker and the compliance-seller are the same body
IACS makes the rule, and its member societies provide the compliance service. In such an incentive structure, regardless of intent, there is a latent inducement for the ambiguity of the mandatory baseline and the appeal of the higher notation to align in the same direction. This describes the system's incentive landscape — a variable a consultant must track when reading the boundary.
Three · Multi-class owners bear asymmetric costs
If, for the same E26 compliance, one bears different costs, criteria, and deliverables by society, this is not a notation-product problem but a governance-level one — a sign the mandatory floor is not sufficiently uniform.
Four · Floor and upsell can blur (scope creep)
When a voluntary notation's requirements are presented as if they were “mandatory E26 compliance” and the scope quietly expands, the owner comes to perceive as mandatory something they need not buy.

To stress again — so long as the two strata are cleanly separated (the mandatory floor surveyed clearly and uniformly, the voluntary layer above genuinely addressing additional scope), structural friction is near zero. Tension arises only at the point where that separation breaks down.

⑦ Part 1's provisional conclusion — the boundary decides everything

Now back to the opening question. What does this dual structure — a class-by-class differentiation layer stacked atop a mandatory rule that aimed at unification — mean for the market? The core of the answer Part 1 can offer compresses to a single variable: the clarity of the boundary.

If the mandatory floor is clear and uniform and the layer above genuinely addresses additional scope and assurance, this dual structure works coherently. That is the inherent way the classification business operates, the differentiation the market actually rewards, and the design the IACS system explicitly permits. Conversely, friction occurs when (a) the mandatory baseline itself is interpreted differently, enabling forum shopping among societies; (b) a voluntary notation's requirements are packaged as mandatory compliance and the scope expands; or (c) an owner with a dispersed fleet shoulders asymmetric costs for the same compliance. All three are problems not of the product itself but of boundary management.

Whether this boundary tension is a permanent design feature or a converging transitional phenomenon cannot yet be declared. Structural remedies generally run in three directions — IACS issuing Unified Interpretations more forcefully to narrow the interpretive room in the mandatory layer; UR revisions becoming more prescriptively refined; or, at the IMO level, elevating the baseline into a mandatory instrument so the source of binding force is drawn outside the class–customer relationship. That both E26's mandatory force and the notation products currently spring from the same root — a contractual relationship with the society — is the crux that makes the two structurally hard to separate, and only the third path touches that root. Until then, divergence is a fact of the market, and what matters is reading and managing it precisely.

⑧ Five perspectives — the series roadmap

The same structure looks like an entirely different landscape to each stakeholder. The following installments examine them one by one (the order may be adjusted).

② Owner (next up)
Decision-making among cost, risk, and commercial reward. Sorting out what is the mandatory floor and what is the optional upsell, to distinguish what need not be bought from what must be.
③ Class
Balancing the uniform guarantee of the floor, value creation through differentiation, and liability versus reputation. A society's conservative interpretation has its own sound rationale.
④ Shipyard
The design and evidentiary burden borne as the systems integrator, and the reality of multi-class handling — satisfying multiple societies' differing expectations at once.
⑤ Vendor
The economics of E27 type approval, the cost of satisfying multiple societies' differing profiles, and the integration-compatibility challenge of safely interconnecting certified systems.
⑥ Consultant
As the owner-side advisor, reading and policing the boundary between the mandatory floor and the voluntary upsell — not accepting a society's guideline as the pass criterion as-is, but anchoring on the UR text and treating the society's interpretation as one claim.

The mandation of UR E26 was not a full stop but a comma. Cyber resilience finally became a mandatory condition, but how much more gets stacked on top is still being decided by the market, and the boundary between mandate and differentiation is tested without end.

Arguing over that boundary is easy; reading it precisely is hard. And that hard task is precisely the domain that all five of these stakeholders — each from their own position — can actually control.

Next, the same structure through the owner's eyes. The first question an owner facing the mandatory floor confronts is, unexpectedly, simple — “How far does what must be bought extend, and from where does it become a choice?”


Key sources
☑ IACS UR E26 / E27 (revised, in force 1 Jul 2024) · UR E22 Rev.3 (2023)
☑ IACS Recommendation No. 166 "Recommendation on Cyber Resilience" (2020)
☑ IEC 62443 — cyber security for industrial automation & control systems
☑ IMO Res. MSC.428(98) · MSC-FAL.1/Circ.3 (2017)
☑ Class cyber notation systems — DNV Cyber Secure (2018–), BV NR659, ABS CyberSafety / CR · CR-Ex, ClassNK guidelines, LR aligned rules
This series is a general analysis of the market structure surrounding IACS UR E26/E27 — not advice on any specific project, classification society, or client. The concrete application of the rules follows the latest Unified Requirements and guideline texts of the relevant society.
Author
Maritime Cybersecurity Consultant · IACS UR E26/E27 · ZCD · OT/IT Security Architecture

An owner-side technical advisor coordinating across classification societies (ClassNK · LR · DNV · ABS · BV), shipyards, and vendors on IACS UR E26/E27 compliance, Zone & Conduit (ZCD) design, and OT/IT security architecture.
