Italy Just Made Maritime Cyber Compliance Binding. Here Is What Circular 177/2025 Actually Requires.
Regulatory Analysis · Italy MIT Circular No. 177/2025 · Effective 1 November 2026
⚠️ Editorial Transparency
Content labelled Fact is sourced from official documents or cited publications. Content labelled Author's View reflects this author's professional judgment and experience — it is not an officially confirmed position.
On 16 December 2025, Italy's Ministry of Infrastructure and Transport (MIT — Ministero delle Infrastrutture e dei Trasporti) issued Circular No. 177/2025 "Navigation Safety" through the General Command of the Italian Coast Guard (Guardia Costiera). The circular updates cybersecurity obligations for national ships, ISM management companies, and port facility operators, and becomes fully enforceable on 1 November 2026. Sources: AdriaPorts, Jan 2026 · Ports Europe, Jan 2026
Ⅰ. Why Italy Moved First — Three Regulatory Frameworks Converging
ISM Code (International Safety Management Code): A mandatory international standard incorporated into SOLAS Chapter IX. It applies to companies and ships of certain types (passenger ships, tankers, bulk carriers, etc.) engaged on international voyages, and requires a documented safety management system to be established and maintained.
SMS (Safety Management System): The structured, documented system a shipping company must establish under the ISM Code. It covers safety policies, operational procedures, emergency preparedness, hazard reporting, and — since 2021 — cyber risk management. A DOC (Document of Compliance) is issued to the company; an SMC (Safety Management Certificate) is issued to each ship.
DPA (Designated Person Ashore): Required under ISM Code Section 4. Each company must appoint a DPA who provides a direct link between the ship and senior management ashore, monitors the safety and pollution-prevention aspects of each ship, and receives hazard reports from the vessel.
Circular 177/2025 did not appear in isolation. It is Italy's domestic enforcement instrument at a point where three international and European frameworks converge.
IMO Resolution MSC.428(98) was adopted at the 98th session of IMO's Maritime Safety Committee on 16 June 2017. It affirms that an approved SMS should take into account cyber risk management in accordance with the ISM Code, and encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems no later than the first annual verification of the DOC after 1 January 2021. The operative word is "encourages" — this creates no directly enforceable legal obligation.
Source: IMO Resolution MSC.428(98) PDF · Supporting guidance: MSC-FAL.1/Circ.3 — IMO Guidelines on Maritime Cyber Risk Management
The NIS2 Directive is the EU's binding directive governing cybersecurity obligations for essential entities and important entities across sectors including energy, transport (air, rail, maritime and road), banking, healthcare, and digital infrastructure. Maritime ports and transport operators are classified as essential entities in the transport sector. Italy transposed NIS2 via Legislative Decree No. 138 of 4 September 2024, published in the Gazzetta Ufficiale on 1 October 2024 and entering into force on 16 October 2024.
Source: NIS2 Directive Transposition — Italy · SWOT Legal — Italy NIS2 Incident Reporting
Circular 177/2025 is Italy's national administrative instrument that converts the IMO's "encouragement" into a domestic enforceable obligation, and translates NIS2's sector-generic IT security requirements into concrete operational duties for ships, ISM companies, and port facilities.
Confirmed fact: Circular 177/2025 designates ports, maritime administrations, and critical maritime operators as "entities essential to national cybersecurity." This classification links to the Legislative Decree 138/2024 framework, meaning non-compliance could carry administrative liability under national cybersecurity law — not merely a survey deficiency. — Source: AdriaPorts, Jan 2026
Ⅱ. Who Is Covered — Scope and Subjects
ISPS Code (International Ship and Port Facility Security Code): A mandatory international security standard under SOLAS Chapter XI-2, applying to ships and port facilities. It requires security assessments, security plans, security drills, and the designation of security officers.
CSO (Company Security Officer): The person designated by a shipping company under the ISPS Code, responsible for developing and maintaining ship security plans, conducting security assessments, and liaising with Ship Security Officers and Port Facility Security Officers.
PFSO (Port Facility Security Officer): Designated at each port facility under the ISPS Code. Responsible for developing, implementing, and reviewing the Port Facility Security Plan (PFSP), coordinating security activities, and liaising with Ship Security Officers.
Circular 177/2025 covers three categories of entity: national ships, ISM management companies, and port facility operators (Source: AdriaPorts, Jan 2026).
Ⅲ. What the Circular Actually Requires — Four Core Obligations and Their Regulatory Basis
Circular 177/2025 structures its obligations around four security functions. Each function's connection to the relevant regulatory article is noted alongside.
Operators must implement technical and organisational measures proportionate to the risk level of each critical system. The circular explicitly names the systems requiring periodic and documented assessments: propulsion, steering, power generation, communications, passenger networks, VTS services, and port infrastructure.
📌 NIS2 Directive — Article 21 (Security Measures): "Essential entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems." Specific measures include: risk analysis and information system security policies; incident handling; business continuity and disaster recovery; supply chain security; network and information system security; cybersecurity training. — Source: NIS2 Directive Article 21
CBS (Computer Based Systems): Defined in IACS UR E26 as the collective term for all IT and OT systems on board a ship, regardless of whether they are networked. CBS includes ECDIS, propulsion control systems, cargo management systems, crew Wi-Fi networks, and any other digital system involved in vessel operations. — Source: IACS UR E26/E27
Operators must be capable of identifying anomalous activity on CBS. The circular does not mandate specific detection technologies, but the requirement for documented procedures implies that improvised crew responses will not satisfy a competent authority audit.
📌 IACS UR E26 — Detect Function: E26 structures ship-level cyber resilience across five functions: Identify → Protect → Detect → Respond → Recover. Under the Detect function, operators must be able to detect anomalous events on CBS, monitor network traffic for unexpected activity, and maintain alerting mechanisms that flag deviations from expected operational parameters. — Source: Pen Test Partners — IACS UR E26/E27 Guidance
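The Detect function above asks for two concrete capabilities: flagging deviations from expected operational parameters, and spotting network activity that is not part of the documented baseline. The script below is an added illustration of how small and auditable such a check can be; it is not code from the circular, from IACS, or from this article's author. The log format, the operational envelopes, the allowlisted OT conversations, and the host addresses are all constructed for the example and would be replaced by the values an operator documents in its own risk assessment.

```python
"""Baseline-deviation detection over constructed CBS telemetry and network events.

Added example, not from Circular 177/2025 or IACS UR E26. Every threshold, host
and log line below is constructed; real envelopes come from the operator's own
documented assessment of each critical system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

# Constructed operational envelope per critical CBS parameter (hypothetical values).
EXPECTED_RANGES: Dict[str, Tuple[float, float]] = {
    "propulsion.shaft_rpm": (0.0, 120.0),
    "steering.rudder_angle_deg": (-35.0, 35.0),
    "power.bus_frequency_hz": (59.5, 60.5),
}

# Constructed allowlist of expected OT conversations as (src, dst, dst_port).
EXPECTED_FLOWS = {
    ("10.10.1.5", "10.10.1.20", 502),    # ECDIS -> autopilot (constructed)
    ("10.10.1.5", "10.10.1.21", 502),    # ECDIS -> steering controller (constructed)
    ("10.10.2.10", "10.10.2.11", 2404),  # power management pair (constructed)
}

# Constructed collector output: "<timestamp> telemetry <key>=<value>" or
# "<timestamp> flow src=<ip> dst=<ip> dport=<port>".
SAMPLE_LOG = """\
2026-11-02T08:00:00Z telemetry propulsion.shaft_rpm=95
2026-11-02T08:00:05Z flow src=10.10.1.5 dst=10.10.1.20 dport=502
2026-11-02T08:00:10Z telemetry steering.rudder_angle_deg=41
2026-11-02T08:00:12Z flow src=10.10.1.5 dst=203.0.113.9 dport=443
2026-11-02T08:00:15Z telemetry power.bus_frequency_hz=60.1
2026-11-02T08:00:20Z flow src=10.10.2.10 dst=10.10.2.11 dport=2404
2026-11-02T08:00:25Z telemetry propulsion.shaft_rpm=abc
"""

TELEMETRY_RE = re.compile(r"^(\S+) telemetry ([\w.]+)=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) flow src=(\S+) dst=(\S+) dport=(\d+)$")


@dataclass
class Alert:
    ts: str        # timestamp copied from the log line
    system: str    # CBS (or source host) the event belongs to
    category: str  # deviation class, the field an auditor will want to see
    detail: str    # human-readable explanation for the documented record


def check_telemetry(ts: str, key: str, raw: str) -> Optional[Alert]:
    """Compare one parameter reading against its documented envelope."""
    system = key.split(".", 1)[0]
    if key not in EXPECTED_RANGES:
        return Alert(ts, system, "unknown_parameter", f"{key} has no documented envelope")
    try:
        value = float(raw)
    except ValueError:
        # A non-numeric reading is itself a deviation worth recording.
        return Alert(ts, system, "malformed_telemetry", f"{key}={raw!r} is not numeric")
    lo, hi = EXPECTED_RANGES[key]
    if not lo <= value <= hi:
        return Alert(ts, system, "parameter_deviation", f"{key}={value} outside [{lo}, {hi}]")
    return None


def check_flow(ts: str, src: str, dst: str, dport: int) -> Optional[Alert]:
    """Flag any conversation that is not in the documented network baseline."""
    if (src, dst, dport) in EXPECTED_FLOWS:
        return None
    return Alert(ts, src, "unexpected_flow", f"{src} -> {dst}:{dport} not in documented baseline")


def detect(log_text: str) -> List[Alert]:
    """Run both checks over collector output and return alerts in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TELEMETRY_RE.match(line)
        if m:
            alert = check_telemetry(m.group(1), m.group(2), m.group(3))
        else:
            m = FLOW_RE.match(line)
            if m:
                alert = check_flow(m.group(1), m.group(2), m.group(3), int(m.group(4)))
            else:
                # Lines the collector cannot parse must not be silently dropped.
                alert = Alert("?", "collector", "unparseable", f"cannot parse: {line}")
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per category, the figure a periodic assessment report would cite."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.category] = counts.get(a.category, 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} [{a.category}] {a.system}: {a.detail}")
    print(summarize(detect(SAMPLE_LOG)))
```

On the constructed sample the script records three deviations: a rudder angle outside its envelope, an ECDIS conversation to a host that is not in the baseline, and a non-numeric propulsion reading. The point for an audit is not the detection logic itself but that the envelopes and the allowlist are written down, versioned alongside the SMS, and that every alert lands in a record a surveyor can read.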
CSIRT Italia (Computer Security Incident Response Team Italia): Italy's national cybersecurity incident response team, operating under the National Cybersecurity Agency (ACN — Agenzia per la Cybersicurezza Nazionale). Established under Legislative Decree 138/2024. Essential entities must report significant cyber incidents to CSIRT Italia within the timelines prescribed by NIS2 Article 23. — Source: SWOT Legal, Italy NIS2 Reporting
A formalised incident response plan must be integrated into the SMS. The reporting chain links directly to NIS2 Article 23's three-stage timeline:
📌 NIS2 Article 23 — Three-Stage Incident Reporting (Confirmed Fact)
Sources: NIS2 Directive Article 23 · Italy D.Lgs. 138/2024 commentary
Business continuity and recovery procedures must be documented and tested. For ships, this connects directly to the ISM Code's emergency preparedness requirements — now extended to cover cyber-induced loss of critical system function.
📌 ISM Code Element 8 — Emergency Preparedness: "The Company should establish procedures to identify, describe and respond to potential emergency shipboard situations." Cyber-induced loss of critical system function falls within the scope of "emergency shipboard situations" under this provision. — Source: ISM Code (IMO official page)
Ⅳ. Training Requirements — Scope and the Practical Challenge
STCW (Standards of Training, Certification and Watchkeeping for Seafarers): The IMO convention establishing minimum standards for the training, certification, and watchkeeping of seafarers internationally. As of the time of this article, the STCW convention does not include a mandatory cybersecurity module at the level of specificity implied by Circular 177/2025. The qualification pathways required by the circular must therefore be established under a separate Italian national certification framework.
A dedicated chapter of Circular 177/2025 addresses personnel qualifications. The following groups must follow updated qualification pathways (Source: AdriaPorts):
⚠️ Author's View: For the "updated qualification pathways" referenced in the circular to carry evidentiary weight in a flag state or PSC inspection, they must be delivered by an accredited body under a recognised framework. As of this writing (July 2026), this author is not aware of a published, unified Italian maritime cybersecurity training standard. Operators should monitor guidance from the Italian Coast Guard and MIT for the approved training framework — and should not treat generic commercial cyber awareness courses as a substitute. This is the author's observation, not a confirmed official position.
Ⅴ. MASS — Autonomous Systems Explicitly in Scope
MASS (Maritime Autonomous Surface Ships): Vessels that operate with reduced or no crew on board, with varying degrees of automation and remote control. IMO categorises MASS autonomy across four degrees — from ship with automated processes to fully autonomous ship. The IMO's Maritime Safety Committee is actively developing a regulatory framework for MASS operations. Circular 177/2025 explicitly references MASS operations and ship-to-shore services, acknowledging their expanding presence and the new vulnerabilities they introduce. — Source: AdriaPorts · SuperYacht24
The circular's explicit mention of MASS and ship-to-shore interfaces signals that Italy is not waiting for a MASS-specific incident before establishing a regulatory baseline. Most national maritime regulations have been silent on autonomous systems. The depth of MASS-specific provisions within the circular's full text cannot be confirmed from available English-language reporting — the following observations therefore represent the author's analysis of the general MASS cyber risk context, not confirmed regulatory requirements.
Ⅵ. The Gap Between the Text and Operational Reality — Author's View Section
⚠️ Section notice: This entire section reflects the author's professional judgment based on practical experience. The observations below are the author's claims — not officially confirmed positions.
The circular requires cyber risk management to be integrated into the SMS. In this author's experience, many existing SMS documents reference a cyber section without operationally connecting it to drill logs, risk assessment matrices, or emergency procedures. True integration means cyber drills appear in the drill log, cyber risks appear in the risk register, and cyber officer responsibilities appear in the accountability structure — not as a polished annex that a surveyor ticks and moves on from.
NIS2 Article 23's 24-hour early warning requirement is demanding in an office environment. For a ship at sea experiencing a cyber incident, the crew must simultaneously manage the incident, notify the Master, contact the DPA ashore, and initiate the CSIRT Italia reporting chain — all within 24 hours. In this author's assessment, few existing maritime incident response procedures explicitly address this timeline. This is the author's observation, not a confirmed statistic.
The circular requires "periodic and documented assessments" of critical systems but does not define the frequency. In this author's judgment, operators who do not internally define their assessment frequency, methodology reference (NIST CSF, IEC 62443, or IACS UR E26-aligned), and documentation format before November 2026 risk a terminology dispute with inspectors on the day. Establishing those parameters now is preferable to resolving them reactively after a deficiency notice.
Ⅶ. What To Do Before November 2026
The circular does not directly bind you. However — in this author's view — ensure your cyber risk management documentation is current, your incident response contacts include Italian Coast Guard reporting channels, and your crew cyber training records are available for inspection. The trend across EU member states is regulatory convergence: what Italy requires today, others may adopt as PSC inspection criteria in future.
Guidance is what regulators produce when they are uncertain.
A circular is what they produce when they have decided.
Italy has decided. November 2026 is the deadline. The question is whether the industry uses the remaining months to comply — or to prepare explanations for why it could not.
The technical requirements of Circular 177/2025 are not revolutionary. They are consistent with the direction IACS UR E26, the IMO guidelines, and NIS2 have been pointing toward for years. What Italy has done is convert that direction into a binding deadline with an enforcement mechanism attached.
In this author's view, the operators who will struggle in November 2026 are not those who lack awareness — maritime cybersecurity awareness has rarely been higher. They are the operators who have been treating cyber compliance as a document-management exercise rather than an operational one. A binder of cyber procedures that nobody has read, nobody has drilled, and nobody has connected to the actual CBS on the vessel is not compliance. It is paperwork waiting for a deficiency notice.
Maritime cybersecurity professional specializing in IACS UR E26/E27 compliance, OT system architecture, and shipyard-level cyber resilience design. Writing for engineers, superintendents, and operators navigating Maritime 4.0.