What USCG's Performance-Driven COC Inspection Regime and IACS UR E26 Are Telling Us

💡 Insight Pilot Program USCG COC UR E26


What has begun is not "an era of fewer inspections" but "an era where you must prove it."

Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance
- LinkedIn: https://www.linkedin.com/in/abysstoinfinity/

In March 2026, the U.S. Coast Guard (USCG) introduced, as a pilot program, a new performance-driven Certificate of Compliance (COC) inspection regime targeting foreign tank vessels.

Grounded in the National Defense Authorization Act for Fiscal Year 2026 (NDAA FY2026), the regime is, for now, applied on a limited basis to vessels arriving at ports under the jurisdiction of Sector Corpus Christi and Port Arthur, and is at the stage of validating the effectiveness of the data-driven model ahead of full implementation. The key point is this: for high-performing vessels only, the annual (intermediate) inspection that falls between the two-year COC renewal inspections is replaced by a USCG comprehensive review instead of an on-site boarding inspection. The comprehensive boarding inspection for the two-year renewal itself remains in place. The specifics may change depending on the results of the pilot.

At first glance, this policy might look like nothing more than "a scheme that reduces the number of inspections." But look a little deeper, and this is not a simple change in inspection policy.

Rather, it can be read as a shift toward a risk-based oversight regime — one that evaluates a vessel's safety and regulatory-compliance level on a data-driven basis, and applies inspection intensity differentially according to those results.

And this change closely mirrors the direction of vessel cyber resilience that IACS UR E26 demands.

The Common Ground Between IACS UR E26 and USCG Policy

Regulation in the past mostly worked like this:

"Do you have the required documents?"
"Did you complete the checklist?"
"Did you declare that the requirements were met?"

Recent regulation, by contrast, is shifting toward questions like these:

"Is the vessel actually being operated safely?"
"Do the controls written in the documents actually work?"
"Can it recover when an incident occurs?"

The preliminary details released by the USCG define the evaluation method as a "comprehensive review of the vessel's safety and performance profile."

While it does not specify the concrete evaluation items, judging by how the USCG has assessed vessel performance under its existing PSC targeting matrix and the QUALSHIP 21 program, the following elements appear likely to be central:

PSC detention history
Violation history
Marine casualty history
The safety-management level of the operator and the owner

In other words, the direction is to evaluate not simply "did you pass the inspection," but "is the vessel actually being operated safely."

IACS UR E26 holds the same philosophy. The purpose of E26 is not the production of documents in itself. It is to design the vessel so that its essential functions can be maintained even when a cyberattack or a system failure occurs.

In the end, both regimes converge on the same question.

Can the vessel function safely in a real operating environment?

The Real Risk Owners and Shipyards Should Be Watching

In many projects, cybersecurity is still understood as a certification-acquisition activity:

Requirements mapping complete
Cyber Security Plan drafted
Asset Inventory drafted
Class approval obtained

Once these are done, people think the project is finished. From an operational perspective, however, this point is closer to the starting line.

What USCG showed with this policy is clear.

A vessel's actual operational performance determines the intensity of oversight.

Cybersecurity is no different. After an incident occurs, questions like these are raised:

Did the network segmentation actually work?
Were the remote-access controls actually applied?
Were the backups in a recoverable state?
Were the logs at a level usable for incident analysis?
Is the system-change history traceable?

If you cannot answer these questions, then no matter how many documents you have produced, actual resilience has not been secured.


What Owners Should Consider in Designing Vessel Cyber Resilience

Owners often think, "Isn't it enough for the shipyard to satisfy E26?" But E26 is not a regulation that applies only up to the point of delivery. The responsibility for maintaining resilience in the actual operating phase ultimately rests with the owner.

Owners should therefore demand the following.

① An operable security architecture

Is it a structure that can be maintained after delivery?

Whether accounts can be managed
Whether patches can be managed
Whether remote access can be controlled
Whether logs can be collected

A security regime that the operating organization cannot manage will, in the end, be neutralized.

② A recoverable backup regime

Many projects only confirm whether a backup exists. But the real question is: "Can it actually be recovered?" When ransomware strikes, what matters far more is:

How quickly recovery is possible
Which functions can be recovered first
Whether recovery has been validated

③ Supply chain management

A vessel's OT environment involves dozens of suppliers. A single supplier's weak remote-access regime can become a risk for the entire vessel. Supplier security requirements must therefore be defined from the contracting stage.


What Shipyards Should Consider in Designing Vessel Cyber Resilience

Shipyards commonly run projects with "obtaining class approval" as the goal. Going forward, however, this alone is likely to be insufficient. Shipyards should consider the following.

Design consistency

Network diagram
Firewall policy
Data flow diagram
System functional description

The documents above must connect to one another without contradiction. One of the problems most frequently found in the actual review process is inconsistency between documents.

Operability

A technically perfect design and an actually operable design are different things. For example:

An overly complex VLAN structure
An unmanageable firewall policy
Excessive access controls

will, in the end, be bypassed or disabled during operation.

Evidence-generation capability

In a future incident investigation, it must be possible to explain:

Who made the change
When it was made
What was changed
Why it was changed

This kind of traceability is becoming increasingly important.


The Problems That Arise From Doing Only the Basics

"The documents exist, but they can't be explained"

The deliverables of many projects are sufficient at the class-approval level. But from an actual operational perspective, they are often inadequate. For example, an Asset Inventory has a list of equipment. But the following are not defined:

The relationship to essential functions
The network path
The party responsible for security
The recovery priority

As a result, its value when an incident occurs is diminished.

"The network diagram exists, but the data flows are unknown"

In actual breach response, what matters far more than equipment-connection information is which data moves where. In a great many projects, however, data-flow analysis is lacking. As a result, the following are discovered during the operating phase:

Unnecessary communications
Excessive privileges
Hidden remote-access paths
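The consistency problem described above (the firewall policy, the data-flow description and the network diagram must agree) and the data-flow gaps listed here can both be checked mechanically once the documents are expressed as data. The following is an added example, not code from the article or from any class society or shipyard: it assumes a zone-based firewall with first-match semantics and an implicit default deny, and uses constructed zone names, flows and rules to show how documented flows that the policy blocks, allow rules no documented flow justifies, rules broader than the flows they carry, and unjustified allow rules from a remote zone fall out of a single comparison.

```python
"""Cross-check a documented data-flow list against a firewall policy.

Added example (not from the article). Zone names, flows and rules below
are constructed for illustration. Assumed firewall model: rules are
evaluated top-down, first match decides, no match means deny.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One application flow the system functional description says must exist."""
    name: str
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    """One firewall rule between two network zones."""
    rule_id: str
    src_zone: str
    dst_zone: str
    proto: str      # "tcp", "udp" or "any"
    port_low: int
    port_high: int  # inclusive
    action: str     # "allow" or "deny"

    def covers(self, flow: Flow) -> bool:
        return (self.src_zone == flow.src_zone
                and self.dst_zone == flow.dst_zone
                and self.proto in ("any", flow.proto)
                and self.port_low <= flow.port <= self.port_high)


def first_match(rules, flow):
    """First-match semantics: the first rule that covers the flow decides."""
    for rule in rules:
        if rule.covers(flow):
            return rule
    return None  # implicit default deny


def check_consistency(flows, rules, remote_zones=("SHORE",)):
    """Compare the documented flows with the policy and report the mismatches.

    blocked       - documented flows the policy does not permit (diagram/policy conflict)
    unjustified   - allow rules that no documented flow uses ("unnecessary communications")
    overbroad     - allow rules permitting more than the flows they carry ("excessive privileges")
    hidden_remote - unjustified allow rules whose source is a remote zone ("hidden remote-access paths")
    """
    blocked, used = [], {}
    for flow in flows:
        match = first_match(rules, flow)
        if match is None or match.action == "deny":
            blocked.append(flow.name)
        else:
            used.setdefault(match.rule_id, []).append(flow)

    allow_rules = [r for r in rules if r.action == "allow"]
    unjustified = [r.rule_id for r in allow_rules if r.rule_id not in used]
    overbroad = []
    for rule in allow_rules:
        if rule.rule_id not in used:
            continue
        ports_needed = {f.port for f in used[rule.rule_id]}
        span = rule.port_high - rule.port_low + 1
        if rule.proto == "any" or span > len(ports_needed):
            overbroad.append(rule.rule_id)
    hidden_remote = [r.rule_id for r in allow_rules
                     if r.rule_id not in used and r.src_zone in remote_zones]
    return {"blocked": blocked, "unjustified": unjustified,
            "overbroad": overbroad, "hidden_remote": hidden_remote}


# Constructed sample documents: a data-flow list and a firewall policy.
FLOWS = [
    Flow("Chart update to ECDIS", "IT_LAN", "OT_NAV", "tcp", 443),
    Flow("Time sync to ECDIS", "IT_LAN", "OT_NAV", "udp", 123),
    Flow("IAS historian export", "OT_IAS", "IT_LAN", "tcp", 1433),
    Flow("Cargo control alarms to IAS", "OT_CARGO", "OT_IAS", "tcp", 502),
]
RULES = [
    Rule("R1", "IT_LAN", "OT_NAV", "tcp", 443, 443, "allow"),
    Rule("R2", "IT_LAN", "OT_NAV", "any", 0, 65535, "allow"),   # far wider than NTP needs
    Rule("R3", "OT_IAS", "IT_LAN", "tcp", 1433, 1433, "allow"),
    Rule("R4", "SHORE", "OT_IAS", "tcp", 3389, 3389, "allow"),  # no documented flow uses it
]

if __name__ == "__main__":
    for finding, items in check_consistency(FLOWS, RULES).items():
        print(f"{finding:14s}: {items}")
```

Run against the sample, the cargo-to-IAS flow is documented but has no rule (the diagram and the policy contradict each other), R2 is flagged as over-broad because a single NTP flow rides on an any-protocol, all-ports rule, and R4 is an allow rule from the shore zone that no document justifies. Those three findings map directly onto the three items in the list above, and the same check can be re-run whenever any of the three documents changes.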

"Backups exist, but the recovery time is unknown"

The existence of a backup does not by itself mean resilience. The real questions are:

What is the recovery time for ECDIS?
What is the recovery time for the IAS server?
What is the recovery time for the Cargo Control System?
What is the recovery time for propulsion-related systems?

If you cannot answer these questions, resilience has not been verified.
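The three gaps described in this section (an asset inventory without essential-function, path, owner and priority information; backups without a validated recovery time) and the recoverable-backup demand in ② above can be made checkable by recording restore drills against an inventory that carries those fields. The following is an added example, not code from the article or from any class rule: the field names and the rule that a recovery counts as "verified" only when a recent drill passed a functional check within the target RTO are assumptions, and the assets, owners and drill records are constructed.

```python
"""Operational asset inventory plus restore-drill evaluation.

Added example (not from the article). Field names, the verification rule
and all sample data are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    name: str
    essential_function: Optional[str]   # which vessel function it serves
    network_zone: Optional[str]         # where it sits on the network path
    security_owner: Optional[str]       # party responsible for its security
    recovery_priority: Optional[int]    # 1 = restore first
    target_rto_hours: Optional[float]   # agreed recovery time objective


@dataclass
class RestoreDrill:
    asset_id: str
    performed: datetime
    duration_hours: float
    functional_check_passed: bool       # restored system verified to operate


# The fields an approval-level equipment list typically lacks.
OPERATIONAL_FIELDS = ("essential_function", "network_zone", "security_owner",
                      "recovery_priority", "target_rto_hours")


def inventory_gaps(assets):
    """Map asset_id -> operational fields that are still undefined."""
    gaps = {}
    for asset in assets:
        missing = [f for f in OPERATIONAL_FIELDS if getattr(asset, f) is None]
        if missing:
            gaps[asset.asset_id] = missing
    return gaps


def recovery_status(assets, drills, now, max_age_days=365):
    """Classify each asset's recoverability from its most recent restore drill.

    'verified' requires: a drill exists, is no older than max_age_days,
    the restored system passed its functional check, and the restore
    took no longer than the asset's target RTO.
    """
    latest = {}
    for drill in drills:
        if drill.asset_id not in latest or drill.performed > latest[drill.asset_id].performed:
            latest[drill.asset_id] = drill
    status = {}
    for asset in assets:
        drill = latest.get(asset.asset_id)
        if drill is None:
            status[asset.asset_id] = "never drilled"
        elif now - drill.performed > timedelta(days=max_age_days):
            status[asset.asset_id] = "drill stale"
        elif not drill.functional_check_passed:
            status[asset.asset_id] = "restore not functional"
        elif asset.target_rto_hours is None:
            status[asset.asset_id] = "no RTO defined"
        elif drill.duration_hours > asset.target_rto_hours:
            status[asset.asset_id] = "exceeds RTO"
        else:
            status[asset.asset_id] = "verified"
    return status


def recovery_order(assets):
    """Restore order by priority; assets with no priority are appended last."""
    ranked = sorted((a for a in assets if a.recovery_priority is not None),
                    key=lambda a: a.recovery_priority)
    unranked = [a for a in assets if a.recovery_priority is None]
    return [a.asset_id for a in ranked + unranked]


# Constructed sample inventory and drill log.
NOW = datetime(2026, 4, 1)
ASSETS = [
    Asset("ECDIS-1", "ECDIS primary", "navigation", "OT_NAV", "Nav vendor / ETO", 1, 4.0),
    Asset("IAS-SRV", "IAS server", "machinery control", "OT_IAS", "Automation vendor / ETO", 2, 8.0),
    Asset("CCS-1", "Cargo control system", "cargo", "OT_CARGO", "Cargo vendor / Chief Officer", 3, 12.0),
    Asset("PMS-HMI", "Propulsion HMI", None, "OT_PROP", None, None, None),  # listed, but not operationally defined
]
DRILLS = [
    RestoreDrill("ECDIS-1", datetime(2026, 1, 15), 2.5, True),
    RestoreDrill("IAS-SRV", datetime(2025, 2, 1), 6.0, True),     # more than a year old
    RestoreDrill("CCS-1", datetime(2025, 12, 1), 10.0, False),
    RestoreDrill("CCS-1", datetime(2026, 3, 10), 16.0, True),     # passed, but slower than the 12 h RTO
]

if __name__ == "__main__":
    print("inventory gaps:", inventory_gaps(ASSETS))
    print("recovery status:", recovery_status(ASSETS, DRILLS, NOW))
    print("recovery order:", recovery_order(ASSETS))
```

On the sample data only the ECDIS restore is verified: the IAS drill is stale, the cargo control restore works but takes longer than its agreed RTO, and the propulsion HMI is in the inventory without a function, owner, priority or RTO and has never been restored. That is the difference between "a backup exists" and a recovery time that can be stated and defended.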

The difference between "class-approval documents" and "operational documents"

Many projects proceed with approval at the center. But the actual operating organization wants:

What to do when a problem occurs
Whom to contact
In what order to recover

In other words, operable documents. Going forward, approval documents and operational documents must be managed as distinct things.


Conclusion

USCG's performance-driven COC policy is not a mere overhaul of an inspection regime. It shows that the maritime industry as a whole is moving from evaluating "whether requirements are met" toward evaluating "actual performance and resilience."

IACS UR E26 sits on the same current. What matters now is not the number of documents. What matters is whether you can answer the following questions:

What happens if you are attacked?
What happens if a failure occurs?
Can you recover?
Can you prove it?

Future competitiveness will be determined not by obtaining E26 certification in itself, but by the ability to continuously prove cyber resilience in the real operating environment.

#USCG #CyberResilience #IACSURE26 #PerformanceBasedCOC #QUALSHIP21 #OperationalResilience #Newbuilding
Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance

A maritime cybersecurity and compliance specialist across the ship design & build lifecycle, focused on cybersecurity architecture, governance, and regulatory conformity for the shipbuilding and offshore sectors.
