IMO MASS Code Enters into Force 1 July 2026 - Autonomous Ships Enter the Era of International Rules
Autonomous Ships Enter the Era of International Rules — IMO MASS Code Enters into Force 1 July 2026
Maritime Cyber Weekly · July 2026 · Issue #02-A
On 1 July 2026, the IMO's MASS Code (International Code of Safety for Maritime Autonomous Surface Ships) officially entered into force. Since the birth of SOLAS in 1914, every international maritime safety regime has been built on one fundamental assumption — a human being is on board. The MASS Code formally dismantles that assumption for the first time. Degree classifications, Remote Operations Centre (ROC) requirements, cybersecurity provisions — the international safety baseline for the smart ship era has been drawn for the first time.
Ⅰ. What Is the MASS Code — Background and Scope
In May 2026, the IMO Maritime Safety Committee (MSC) adopted the world's first international safety code for Maritime Autonomous Surface Ships (MASS). Entering into force on 1 July 2026, the code applies initially to cargo ships and is structured as a Goal-Based framework covering ship design, navigation, remote control, connectivity, fire protection, cybersecurity, and search and rescue (SAR).
Existing IMO conventions — SOLAS, MARPOL, STCW — all presuppose the presence of humans on board. The MASS Code is the first international framework to address situations where that presence is reduced or absent. In the cybersecurity domain in particular, it formally recognises that shipboard connectivity is not merely a convenience feature, but the infrastructure that constitutes the operation itself.
Ⅱ. Four Degrees of Autonomy — From Degree 1 to Degree 4
The structural core of the MASS Code is a four-tier classification of vessel autonomy. These degrees are not merely technical categories — the applicable cybersecurity requirements and accountability structures differ at each level, making this classification a direct design reference for shipyards, classification societies, and shipowners alike.
Degrees 1 and 2 are extensions of the existing vessel operating paradigm, but from Degree 3 onwards a qualitatively different security model is required. No crew on board also means no personnel available to respond immediately to a cyber incident at sea.
Ⅲ. Cybersecurity Provisions — ROC Requirements and Connectivity Security
The code's cybersecurity provisions focus primarily on Degree 3 and above. For vessels with no crew on board, a ROC (Remote Operations Centre) provides continuous oversight and must meet the following requirements:
The Master retains ultimate responsibility for the vessel regardless of whether they are on board. In Degrees 3 and 4, ROC operators effectively become the primary navigation decision-makers, and their qualifications, training, and certification standards also fall within the code's scope.
The ROC↔vessel communication link is both the structural centrepiece of the MASS Code and its largest cyber attack surface. VSAT satellite terminals (including Starlink), onboard routers, firewalls, and VPN gateways must remain continuously open — which means that until a vulnerability is patched, attackers have a permanently accessible entry point into the vessel's operational systems.
Ⅳ. Roadmap and Industry Implications — Why 2030/2032 Matters Now
The MASS Code is currently non-mandatory. However, the IMO has set out a roadmap targeting mandatory code adoption in July 2030 and entry into force in January 2032. This gives shipyards, classification societies, and equipment suppliers approximately six years to prepare — while making it clear that cybersecurity requirements will become embedded in newbuild contract specifications. In my view, deferring MASS Code compliance planning now is equivalent to accepting a full design review obligation after 2032. — Captain Paul
While IACS UR E26/E27 addresses OT security on existing vessels, the MASS Code defines — for the first time — the cybersecurity baseline for next-generation ships where connectivity is the operation. The two frameworks target different subjects but point in the same direction: a vessel is now cyber infrastructure.
- 1 Review ROC Communication Channel Security Architecture — For vessels targeting Degree 2 or above, the ROC↔vessel link must not become a Single Point of Failure. Redundancy and encryption design should be reviewed at the earliest design stage.
- 2 Identify Vessels Subject to Both IACS UR E26 and MASS Code — Newbuilds contracted from 2024 onward targeting Degree 1–2 must satisfy both E26 compliance and MASS Code requirements simultaneously. A gap analysis at the design stage is essential to ensure no blind spots emerge at the intersection of the two frameworks — particularly around CBS classification and ROC-connected system definitions.
The attack surface expanded by the MASS Code is already being weaponised by AI within 48 hours. The threat that AI-driven autonomous cyberattacks pose to maritime OT environments is examined in a separate article.
→ AI-Driven Autonomous Cyberattacks — Maritime OT Vulnerability Weaponization Within 48 Hours
Maritime 4.0 · AI & Cybersecurity Intelligence from Real Shipyard Experience
www.shippauljobs.com
⚓ Join the ShipPaulJobs Community
Join →

Comments
Post a Comment