
Italy Just Made Maritime Cyber Compliance Binding. Here Is What Circular 177/2025 Actually Requires.

Regulatory Analysis · Italy MIT Circular No. 177/2025 · Effective 1 November 2026

⚠️ Editorial Transparency

Content labelled Fact is sourced from official documents or cited publications. Content labelled Author's View reflects this author's professional judgment and experience — it is not an officially confirmed position.

Captain Paul
Maritime 4.0 · AI & Cyber Intelligence · July 2026

On 16 December 2025, Italy's Ministry of Infrastructure and Transport (MIT — Ministero delle Infrastrutture e dei Trasporti) issued Circular No. 177/2025 "Navigation Safety" through the General Command of the Italian Coast Guard (Guardia Costiera). The circular updates cybersecurity obligations for national ships, ISM management companies, and port facility operators, and becomes fully enforceable on 1 November 2026. Sources: AdriaPorts, Jan 2026 · Ports Europe, Jan 2026

Ⅰ. Why Italy Moved First — Three Regulatory Frameworks Converging

📖 Term Glossary — ISM Code & SMS

ISM Code (International Safety Management Code): A mandatory international standard incorporated into SOLAS Chapter IX. It applies to companies and ships engaged in international voyages above certain vessel types (passenger ships, tankers, bulk carriers, etc.) and requires a documented safety management system to be established and maintained.

SMS (Safety Management System): The structured, documented system a shipping company must establish under the ISM Code. It covers safety policies, operational procedures, emergency preparedness, hazard reporting, and — since 2021 — cyber risk management. A DOC (Document of Compliance) is issued to the company; a SMC (Safety Management Certificate) is issued to each ship.

DPA (Designated Person Ashore): Required under ISM Code Section 4. Each company must appoint a DPA who provides a direct link between the ship and senior management ashore, monitors the safety and pollution-prevention aspects of each ship, and receives hazard reports from the vessel.

Circular 177/2025 did not appear in isolation. It is Italy's domestic enforcement instrument at a point where three international and European frameworks converge.


Three Frameworks — One Circular
① IMO Resolution MSC.428(98) — Adopted June 2017, effective January 2021

Adopted at the 98th session of IMO's Maritime Safety Committee on 16 June 2017. It affirms that an approved SMS should take into account cyber risk management in accordance with the ISM Code, and encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems no later than the first annual verification of the DOC after 1 January 2021. The operative word is "encourages" — this creates no directly enforceable legal obligation.

Source: IMO Resolution MSC.428(98) PDF · Supporting guidance: MSC-FAL.1/Circ.3 — IMO Guidelines on Maritime Cyber Risk Management

② EU NIS2 Directive 2022/2555 — Transposed into Italian law in 2024

The EU's binding directive governing cybersecurity obligations for essential entities and important entities across sectors including energy, transport (air, rail, maritime and road), banking, healthcare, and digital infrastructure. Maritime ports and transport operators are classified as essential entities in the transport sector. Italy transposed NIS2 via Legislative Decree No. 138 of 4 September 2024, published in the Gazzetta Ufficiale on 1 October 2024 and entering into force on 16 October 2024.

Source: NIS2 Directive Transposition — Italy · SWOT Legal — Italy NIS2 Incident Reporting

③ MIT Circular 177/2025 — Binding and maritime-specific (effective November 2026)

Italy's national administrative instrument that converts the IMO's "encouragement" into a domestic enforceable obligation, and translates NIS2's sector-generic IT security requirements into concrete operational duties for ships, ISM companies, and port facilities.

Source: AdriaPorts — Cyber risk at sea: new MIT rules

Confirmed fact: Circular 177/2025 designates ports, maritime administrations, and critical maritime operators as "entities essential to national cybersecurity." This classification links to the Legislative Decree 138/2024 framework, meaning non-compliance could carry administrative liability under national cybersecurity law — not merely a survey deficiency. — Source: AdriaPorts, Jan 2026

Ⅱ. Who Is Covered — Scope and Subjects

📖 Term Glossary — ISPS Code, CSO, PFSO

ISPS Code (International Ship and Port Facility Security Code): A mandatory international security standard under SOLAS Chapter XI-2, applying to ships and port facilities. It requires security assessments, security plans, security drills, and the designation of security officers.

CSO (Company Security Officer): The person designated by a shipping company under the ISPS Code, responsible for developing and maintaining ship security plans, conducting security assessments, and liaising with Ship Security Officers and Port Facility Security Officers.

PFSO (Port Facility Security Officer): Designated at each port facility under the ISPS Code. Responsible for developing, implementing, and reviewing the Port Facility Security Plan (PFSP), coordinating security activities, and liaising with Ship Security Officers.

Circular 177/2025 covers three categories of entity (Source: AdriaPorts, Jan 2026):

🚢 Italian-Flagged Vessels
All national ships subject to the ISM Code. Cyber risk management must be integrated into the ship's existing SMS and security plans — not maintained as a separate document. Integration means cyber procedures should appear in drill logs, risk assessments, and emergency procedures, not as a standalone annex.

🏢 ISM Management Companies (DOC holders)
Ship management companies holding a Document of Compliance (DOC) under the ISM Code. The CSO now carries an explicitly defined cyber security mandate — not just the physical security role the ISPS Code historically assigned to the position.

⚓ Port Facility Operators
ISPS Code-regulated terminals and port facilities, VTS (Vessel Traffic Service — a shore-based system that monitors and manages vessel movements within a port or traffic separation scheme) operators, and port infrastructure managers. Terminal operating systems, VTS platforms, and port IT/OT networks are formally in scope.

⚠️ Author's View (not an officially confirmed position): The circular directly applies to Italian-flagged ships and Italian port facilities — not to foreign-flagged vessels calling at Italian ports. However, in this author's judgment, Italian Port State Control (PSC) inspections are likely to increasingly treat cyber documentation as a deficiency category. This is the author's inference, not a confirmed enforcement position.

Ⅲ. What the Circular Actually Requires — Four Core Obligations and Their Regulatory Basis

Circular 177/2025 structures its obligations around four security functions. Each function's connection to the relevant regulatory article is noted alongside.

① Prevention — Technical and Organisational Protection Measures

Operators must implement technical and organisational measures proportionate to the risk level of each critical system. The circular explicitly names the systems requiring periodic and documented assessments: propulsion, steering, power generation, communications, passenger networks, VTS services, and port infrastructure.

📌 NIS2 Directive — Article 21 (Security Measures): "Essential entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems." Specific measures include: risk analysis and information system security policies; incident handling; business continuity and disaster recovery; supply chain security; network and information system security; cybersecurity training. — Source: NIS2 Directive Article 21

② Detection — Monitoring for Anomalous Activity

📖 Term Glossary — CBS

CBS (Computer Based Systems): Defined in IACS UR E26 as the collective term for all IT and OT systems on board a ship, regardless of whether they are networked. CBS includes ECDIS, propulsion control systems, cargo management systems, crew Wi-Fi networks, and any other digital system involved in vessel operations. — Source: IACS UR E26/E27

Operators must be capable of identifying anomalous activity on CBS. The circular does not mandate specific detection technologies, but the requirement for documented procedures implies that improvised crew responses will not satisfy a competent authority audit.

📌 IACS UR E26 — Detect Function: E26 structures ship-level cyber resilience across five functions: Identify → Protect → Detect → Respond → Recover. Under the Detect function, operators must be able to detect anomalous events on CBS, monitor network traffic for unexpected activity, and maintain alerting mechanisms that flag deviations from expected operational parameters. — Source: Pen Test Partners — IACS UR E26/E27 Guidance
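As an added illustration of the Detect function described above (example code written for this article, not from IACS, the circular or any cited source), the following Python monitor checks constructed shipboard log lines against a documented zone-and-conduit allowlist and an expected propulsion parameter envelope. The zone addresses, log format, protocol names and rpm limits are all assumptions chosen for the demonstration.

```python
"""Illustrative CBS anomaly monitor for the IACS UR E26 "Detect" function.
Hypothetical example; zones, conduits, log format and rpm limits are constructed."""
from collections import namedtuple
import ipaddress

# Constructed E26-style security zones (addresses are made up).
ZONES = {
    "bridge": ipaddress.ip_network("10.10.0.0/24"),
    "propulsion": ipaddress.ip_network("10.20.0.0/24"),
    "crew_wifi": ipaddress.ip_network("10.30.0.0/24"),
}
# Documented conduits: (source zone, destination zone, protocol) that are expected.
ALLOWED_CONDUITS = {
    ("bridge", "propulsion", "modbus"),
    ("bridge", "bridge", "nmea"),
}
RPM_RANGE = (0, 1500)   # expected shaft rpm envelope (assumed)
RPM_MAX_STEP = 200      # largest plausible change between consecutive samples (assumed)

Alert = namedtuple("Alert", "time kind detail")


def zone_of(ip):
    """Return the documented zone for an address, or None for an unknown host."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse(line):
    """Parse one constructed log line: '<ISO time> key=value key=value ...'."""
    time, *fields = line.split()
    rec = {"time": time}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines):
    """Flag unknown hosts, undocumented zone crossings and rpm deviations."""
    alerts, last_rpm = [], None
    for line in lines:
        r = parse(line)
        src_zone, dst_zone = zone_of(r["src"]), zone_of(r["dst"])
        if src_zone is None or dst_zone is None:
            alerts.append(Alert(r["time"], "unknown_host", f"{r['src']}->{r['dst']}"))
        elif (src_zone, dst_zone, r["proto"]) not in ALLOWED_CONDUITS:
            alerts.append(Alert(r["time"], "conduit_violation",
                                f"{src_zone}->{dst_zone} via {r['proto']}"))
        if "rpm" in r:  # operational parameter carried in the sample
            rpm = int(r["rpm"])
            if not RPM_RANGE[0] <= rpm <= RPM_RANGE[1]:
                alerts.append(Alert(r["time"], "param_out_of_range", f"rpm={rpm}"))
            elif last_rpm is not None and abs(rpm - last_rpm) > RPM_MAX_STEP:
                alerts.append(Alert(r["time"], "param_step", f"rpm {last_rpm}->{rpm}"))
            last_rpm = rpm
    return alerts


# Constructed sample traffic: two normal samples, then three deviations
# (crew Wi-Fi host talking Modbus to propulsion, an rpm jump, an unknown host).
SAMPLE_LOG = [
    "2026-11-02T10:00:00Z src=10.10.0.5 dst=10.20.0.7 proto=modbus rpm=900",
    "2026-11-02T10:00:10Z src=10.10.0.5 dst=10.20.0.7 proto=modbus rpm=950",
    "2026-11-02T10:00:20Z src=10.30.0.44 dst=10.20.0.7 proto=modbus",
    "2026-11-02T10:00:30Z src=10.10.0.5 dst=10.20.0.7 proto=modbus rpm=1250",
    "2026-11-02T10:00:40Z src=192.168.77.9 dst=10.10.0.5 proto=nmea",
]
```

Running `detect(SAMPLE_LOG)` yields one alert per deviation, which is the kind of documented, reproducible alerting an auditor would expect to see behind the word "procedure".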

③ Response — Incident Response and Mandatory Reporting

📖 Term Glossary — CSIRT Italia

CSIRT Italia (Computer Security Incident Response Team Italia): Italy's national cybersecurity incident response team, operating under the National Cybersecurity Agency (ACN — Agenzia per la Cybersicurezza Nazionale). Established under Legislative Decree 138/2024. Essential entities must report significant cyber incidents to CSIRT Italia within the timelines prescribed by NIS2 Article 23. — Source: SWOT Legal, Italy NIS2 Reporting

A formalised incident response plan must be integrated into the SMS. The reporting chain links directly to NIS2 Article 23's three-stage timeline:

📌 NIS2 Article 23 — Three-Stage Incident Reporting (Confirmed Fact)

24 H Early Warning: Within 24 hours of becoming aware of a significant incident, notify CSIRT Italia (or the competent authority). This is a preliminary alert — a detailed root-cause analysis is not required at this stage.
72 H Incident Notification: Within 72 hours, submit an updated notification including the incident's severity, scope, initial assessment, and any mitigation measures taken.
1 Month Final Report: Within one month of the incident notification, submit a comprehensive report covering root cause analysis, impact, mitigation actions taken, and any cross-border effects.

Sources: NIS2 Directive Article 23 · Italy D.Lgs. 138/2024 commentary
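To make the three-stage clock concrete, here is an added Python helper (written for this article, not from the directive or any cited source) that computes the Article 23 deadlines from the moment of awareness and grades a drill or incident record as on time, late, pending or missed. It assumes timezone-aware timestamps, and it reads "one month" as one calendar month counted from the incident notification (the reference list paraphrases this as 30 days); the drill record at the bottom is constructed.

```python
"""Added helper for the NIS2 Article 23 three-stage reporting clock.
Hypothetical code; assumes timezone-aware timestamps and a calendar-month final deadline."""
from datetime import datetime, timedelta, timezone
import calendar

EARLY_WARNING = timedelta(hours=24)   # counted from awareness of the incident
NOTIFICATION = timedelta(hours=72)    # counted from awareness of the incident


def to_utc(t):
    """Normalise to UTC; a ship crossing time zones must not report in local time."""
    if t.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return t.astimezone(timezone.utc)


def add_one_month(t):
    """Add one calendar month, clamping 31 Jan -> 28/29 Feb and similar cases."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def article23_deadlines(aware_at, notified_at=None):
    """Deadlines for the three stages. The final-report clock starts at the
    incident notification, not at awareness, so it is None until that is sent."""
    aware_at = to_utc(aware_at)
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + NOTIFICATION,
        "final_report": add_one_month(to_utc(notified_at)) if notified_at is not None else None,
    }


def evaluate(aware_at, early_warning_at=None, notified_at=None, final_at=None, now=None):
    """Grade each stage of a drill or real incident record against its deadline."""
    now = to_utc(now) if now is not None else datetime.now(timezone.utc)
    sent = {"early_warning": early_warning_at,
            "incident_notification": notified_at,
            "final_report": final_at}
    result = {}
    for stage, deadline in article23_deadlines(aware_at, notified_at).items():
        if deadline is None:
            result[stage] = "clock_not_started"
        elif sent[stage] is not None:
            result[stage] = "on_time" if to_utc(sent[stage]) <= deadline else "late"
        else:
            result[stage] = "pending" if now <= deadline else "missed"
    return result


# Constructed drill record: awareness logged in ship local time (UTC+1),
# early warning inside 24 h, notification sent after the 72 h deadline,
# final report not yet submitted when the record is evaluated.
SHIP_TZ = timezone(timedelta(hours=1))
DRILL_AWARE = datetime(2026, 11, 3, 23, 30, tzinfo=SHIP_TZ)           # 22:30Z
DRILL_EARLY = datetime(2026, 11, 4, 20, 0, tzinfo=timezone.utc)       # deadline 04 Nov 22:30Z
DRILL_NOTIFIED = datetime(2026, 11, 7, 1, 0, tzinfo=timezone.utc)     # deadline 06 Nov 22:30Z
DRILL_NOW = datetime(2026, 11, 20, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate(DRILL_AWARE, DRILL_EARLY, DRILL_NOTIFIED, now=DRILL_NOW))
```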

④ Recovery — Business Continuity and System Restoration

Business continuity and recovery procedures must be documented and tested. For ships, this connects directly to the ISM Code's emergency preparedness requirements — now extended to cover cyber-induced loss of critical system function.

📌 ISM Code Element 8 — Emergency Preparedness: "The Company should establish procedures to identify, describe and respond to potential emergency shipboard situations." Cyber-induced loss of critical system function falls within the scope of "emergency shipboard situations" under this provision. — Source: ISM Code (IMO official page)

Confirmed fact: Circular 177/2025 requires these four functions to be integrated into ISM Code SMS documentation — not maintained as a parallel compliance track. — Source: AdriaPorts

Ⅳ. Training Requirements — Scope and the Practical Challenge

📖 Term Glossary — STCW

STCW (Standards of Training, Certification and Watchkeeping for Seafarers): The IMO convention establishing minimum standards for the training, certification, and watchkeeping of seafarers internationally. As of the time of this article, the STCW convention does not include a mandatory cybersecurity module at the level of specificity implied by Circular 177/2025. The qualification pathways required by the circular must therefore be established under a separate Italian national certification framework.

A dedicated chapter of Circular 177/2025 addresses personnel qualifications. The following groups must follow updated qualification pathways (Source: AdriaPorts):

Seafarers: Officers and ratings with access to or responsibility for CBS. Training must cover cyber threat recognition, anomaly reporting, and cyber emergency procedures.
CSO: The Company Security Officer must now demonstrate cyber-specific competency — not just the ISPS Code physical security knowledge that has historically defined the role.
PFSO: The Port Facility Security Officer carries equivalent obligations on the shore side, with specific focus on terminal OT systems, crane control networks, and VTS interfaces.
IT/OT Staff: Technical personnel responsible for onboard or shore-side CBS. The explicit joint mention of IT and OT signals that siloed competency — "our IT team handles the network; our engineers handle the control systems" — is no longer adequate.

⚠️ Author's View: For the "updated qualification pathways" referenced in the circular to carry evidentiary weight in a flag state or PSC inspection, they must be delivered by an accredited body under a recognised framework. As of this writing (July 2026), this author is not aware of a published, unified Italian maritime cybersecurity training standard. Operators should monitor guidance from the Italian Coast Guard and MIT for the approved training framework — and should not treat generic commercial cyber awareness courses as a substitute. This is the author's observation, not a confirmed official position.


Ⅴ. MASS — Autonomous Systems Explicitly in Scope

📖 Term Glossary — MASS

MASS (Maritime Autonomous Surface Ships): Vessels that operate with reduced or no crew on board, with varying degrees of automation and remote control. IMO categorises MASS autonomy across four degrees — from ship with automated processes to fully autonomous ship. The IMO's Maritime Safety Committee is actively developing a regulatory framework for MASS operations. Circular 177/2025 explicitly references MASS operations and ship-to-shore services, acknowledging their expanding presence and the new vulnerabilities they introduce. — Source: AdriaPorts · SuperYacht24

The circular's explicit mention of MASS and ship-to-shore interfaces signals that Italy is not waiting for a MASS-specific incident before establishing a regulatory baseline. Most national maritime regulations have been silent on autonomous systems. The depth of MASS-specific provisions within the circular's full text cannot be confirmed from available English-language reporting — the following observations therefore represent the author's analysis of the general MASS cyber risk context, not confirmed regulatory requirements.

The MASS Cyber Attack Surface — Context (Author's Analysis)
[Fact] Remote operation centres maintain continuous bidirectional data links to the vessel. If that link is compromised, it becomes an intrusion path into both the onboard OT and the shore-side control infrastructure simultaneously.
[Author's View] Sensor spoofing (GPS, AIS, radar) on a MASS vessel is not merely a navigation safety risk — it is a command-and-control attack: feed false sensor data to the autonomous decision system, and the vessel acts on a false picture of the world. This erases the traditional boundary between a cyber incident and a physical casualty.

Ⅵ. The Gap Between the Text and Operational Reality — Author's View Section

⚠️ Section notice: This entire section reflects the author's professional judgment based on practical experience. The observations below are the author's claims — not officially confirmed positions.

📂 SMS Integration — The Difference Between "Integrated" and "Appended" [Author's View]

The circular requires cyber risk management to be integrated into the SMS. In this author's experience, many existing SMS documents reference a cyber section without operationally connecting it to drill logs, risk assessment matrices, or emergency procedures. True integration means cyber drills appear in the drill log, cyber risks appear in the risk register, and cyber officer responsibilities appear in the accountability structure — not as a polished annex that a surveyor ticks and moves on from.

⏱ The 24-Hour CSIRT Reporting Clock — Operational Burden at Sea [Author's View]

NIS2 Article 23's 24-hour early warning requirement is demanding in an office environment. For a ship at sea experiencing a cyber incident, the crew must simultaneously manage the incident, notify the Master, contact the DPA ashore, and initiate the CSIRT Italia reporting chain — all within 24 hours. In this author's assessment, few existing maritime incident response procedures explicitly address this timeline. This is the author's observation, not a confirmed statistic.

🔍 "Periodic Assessments" Without a Defined Standard [Author's View]

The circular requires "periodic and documented assessments" of critical systems but does not define the frequency. In this author's judgment, operators who do not internally define their assessment frequency, methodology reference (NIST CSF, IEC 62443, or IACS UR E26-aligned), and documentation format before November 2026 risk a terminology dispute with inspectors on the day. Establishing those parameters now is preferable to resolving them reactively after a deficiency notice.


Ⅶ. What To Do Before November 2026

🚢 Italian Shipowners & Ship Management Companies (DOC Holders)
Conduct a gap assessment of your current SMS against the four PDRR functions. Identify where cyber obligations are referenced but not operationally embedded.
Build a comprehensive CBS asset inventory: ECDIS, propulsion control, power management, GMDSS, cargo management systems, and crew Wi-Fi networks — all fall within scope.
Draft a CSIRT Italia 24-hour early warning procedure and integrate it into the existing ISM emergency communication chain. Test it in a documented drill before November 2026.
Assess the CSO's current cyber competency profile and identify required training. Monitor Italian Coast Guard and MIT guidance for the approved certification framework.
⚓ Port Facility Operators (ISPS / VTS)
Add a formal cyber risk annex to the Port Facility Security Plan (PFSP). Ensure the PFSO has documented authority and process for cyber incident escalation — separate from the physical security incident chain.
Map IT/OT network boundaries across terminal operating systems, crane control, gate access, and VTS platforms. Assess segmentation against the circular's protection requirements.
Confirm your facility's "essential entity" classification with the NIS Authority – Transport Sector and understand the audit rights that classification triggers under Legislative Decree 138/2024.
🌍 Foreign Operators Calling Italian Ports

The circular does not directly bind you. However — in this author's view — ensure your cyber risk management documentation is current, your incident response contacts include Italian Coast Guard reporting channels, and your crew cyber training records are available for inspection. The trend across EU member states is regulatory convergence: what Italy requires today, others may adopt as PSC inspection criteria in future.

Guidance is what regulators produce when they are uncertain.

A circular is what they produce when they have decided.

Italy has decided. November 2026 is the deadline. The question is whether the industry uses the remaining months to comply — or to prepare explanations for why it could not.

Captain's Take — Author's View

The technical requirements of Circular 177/2025 are not revolutionary. They are consistent with the direction IACS UR E26, the IMO guidelines, and NIS2 have been pointing toward for years. What Italy has done is convert that direction into a binding deadline with an enforcement mechanism attached.

In this author's view, the operators who will struggle in November 2026 are not those who lack awareness — maritime cybersecurity awareness has rarely been higher. They are the operators who have been treating cyber compliance as a document-management exercise rather than an operational one. A binder of cyber procedures that nobody has read, nobody has drilled, and nobody has connected to the actual CBS on the vessel is not compliance. It is paperwork waiting for a deficiency notice.


References & Sources

📋 Primary Regulatory & Official Documents

IMO Resolution MSC.428(98) — Maritime Cyber Risk Management in Safety Management Systems
IMO official PDF · Adopted 16 June 2017 · Encourages SMS integration of cyber risk, effective first DOC annual verification after 1 Jan 2021

IMO MSC-FAL.1/Circ.3 — Guidelines on Maritime Cyber Risk Management
IMO official page · Practical implementation guidance accompanying MSC.428(98) · Issued June 2017

ISM Code (International Safety Management Code) — IMO Official Page
SOLAS Chapter IX · The legal basis for Safety Management System (SMS) requirements

NIS2 Directive 2022/2555 — Article 23: Reporting Obligations
24-hour early warning · 72-hour incident notification · 1-month final report

Italy Legislative Decree 138/2024 — NIS2 Transposition: Incident Reporting Obligations
SWOT Legal · 24/72/30-day reporting framework and CSIRT Italia role in detail

IACS UR E26 & E27 — Cyber Resilience of Ships (Effective 1 July 2024)
IACS official press release · Mandatory for newbuilds contracted on or after 1 July 2024

📰 Reporting & Analysis

Cyber Risk at Sea: New MIT Rules for Ships and Ports — AdriaPorts
AdriaPorts, January 7, 2026 · Most detailed English-language primary report on Circular 177/2025 content and obligations

Italy Updates Cybersecurity Measures for Ships and Ports — Ports Europe
Ports Europe, January 8, 2026 · Confirms the binding framework and alignment with NIS2 and IMO standards

Navigation and Cybersecurity: New Circular — SuperYacht24
SuperYacht24, January 7, 2026 · Includes MASS and autonomous systems reference

Maritime Cyber Incidents Jump 103% — CYTUR 2026 White Paper (Industrial Cyber)
Industrial Cyber · 828 incidents in 2025 vs 408 in 2024; OT attacks up 150% — threat context underpinning Circular 177/2025

IACS UR E26 and E27 Guidance — Pen Test Partners
Pen Test Partners · Technical explanation of CBS definition, Security Zones and Conduits architecture
Captain Paul
Maritime 4.0 · AI & Cyber Intelligence

Maritime cybersecurity professional specializing in IACS UR E26/E27 compliance, OT system architecture, and shipyard-level cyber resilience design. Writing for engineers, superintendents, and operators navigating Maritime 4.0.
