Real-time maritime weather conditions including wind speed, wave height, barometric pressure and sea state — updated for the vessel's current position.
📡 Visitor Intel
Visitor intelligence panel — displays connection origin, language, timezone and maritime region context for site visitors.
🛰 Vessel & Fleet Analysis
Live AIS vessel tracking map — displays real-time positions of commercial vessels including cargo ships, tankers and bulk carriers operating in Korean and East Asian waters.
By the end of 2027, a single merchant ship trading to the EU will sit under three different cyber regulations at once. NIS2 targets the company that operates the ship; the Cyber Resilience Act targets the digital products loaded onto it; IACS UR E26 targets the ship itself. They differ in intent, jurisdiction, and entry-into-force date — yet all converge on the same asset: one hull. The catch is that they do not overlap cleanly.
Unit of RegulationEvidence ReuseSeam RiskIEC 62443 BackboneOne Asset, Three Layers
1. One Ship, Three Directions of Regulation
Meet NIS2, the CRA, and E26 for the first time and they look like three independent checklists. The real difference lies in the unit of regulation.
▸NIS2 regulates the organization. Directive (EU) 2022/2555 places risk, governance, and reporting duties on the company operating the ship.
▸The CRA regulates the product. Regulation (EU) 2024/2847 makes cybersecurity a market condition for "products with digital elements" — though a large share of shipboard equipment falls outside it.
▸IACS UR E26 regulates the ship. Class treats the vessel as one collective asset and requires secure OT/IT integration; UR E27 targets the individual suppliers aboard.
·In maritime transport (Annex I), large enterprises (250+ staff or €50M+ turnover) are essential entities; medium ones (50–249 staff or €10M+) are important. A Member State may also designate operators as essential.
·Duties: risk management, supply-chain security, management accountability, and a 24h early warning → 72h notification → 1-month final report (Article 23).
·Penalties: up to €10M or 2% of global turnover (essential); €7M or 1.4% (important).
Product
CRA — Regulation (EU) 2024/2847
"In force 10 Dec 2024 · reporting from 11 Sep 2026 · full application 11 Dec 2027."
·Duties: a machine-readable SBOM (at least top-level dependencies), vulnerability handling, and reporting of exploited vulnerabilities. Widely described as one of the first frameworks to make an SBOM a binding legal obligation.
·Reporting (Article 14): 24h early warning → 72h notification → 14-day final report to ENISA and the CSIRT. Product classes: Default → Important I/II → Critical.
·Key carve-out: Article 2 excludes products covered by other EU sectoral law — medical devices, motor vehicles, civil aviation, and marine equipment inside the Marine Equipment Directive (2014/90/EU), under Article 2(4).
Ship
IACS UR E26 / E27
"New ships contracted for construction on or after 1 July 2024."
·The original 1 January 2024 date was withdrawn; the revised texts apply from the July 2024 contract date.
·E26 treats the vessel as one entity across five pillars — identify, protect, detect, respond, recover. E27 requires suppliers to harden individual equipment.
·Both derive from IEC 62443, the standard for industrial automation and control system security.
Instrument
Unit
Key date
NIS2
Organization
Applied 18 Oct 2024
IACS UR E26/E27
Ship
Contracts from 1 Jul 2024
CRA — reporting
Product
11 Sep 2026
CRA — full application
Product
11 Dec 2027
3. Where They Overlap — the Evidence You Can Reuse
Run the three as separate projects and you build the same artifact three times. The main points of overlap:
▸Asset & component identification. E26's "identify" and the CRA's SBOM ask the same question — what is inside this ship, this product? — and draw on the same source data.
▸Vulnerability management. All three demand a way to track and remediate known vulnerabilities; one process partly covers all three axes.
▸The front end of incident reporting. NIS2 and the CRA share the same opening timeline — 24h early warning → 72h notification — so the internal trigger and first-response steps align into one procedure.
▸Risk assessment & governance. NIS2's organizational risk management and E26's risk-based ship design share IEC 62443's risk and zone/conduit concepts.
4. Where They Diverge — Mind the Seams
Overlap does not mean substitution. The critical differences:
?The unit differs. Buying CRA-conformant parts does not make the ship E26-compliant — integration remains the yard's and owner's responsibility.
?The CRA has a marine-equipment hole. MED-covered equipment is carved out, so "CRA-conformant" never covers every digital box. Within one hull, CRA-regulated and CRA-exempt equipment sit side by side.
?Jurisdiction and enforcer differ. NIS2/CRA are EU law (authorities, ENISA); E26/E27 are enforced by class. A non-EU flag still meets NIS2/CRA once it serves the EU.
?Deadlines differ at the back end. NIS2's final report is due at one month; the CRA's vulnerability final report at 14 days. The front end aligns; the documentation schedule does not.
E26-compliant ship+CRA-conformant parts−NIS2 procedures→gaps at reporting & supply chain
Compliance is not the sum of three certificates. It is what survives at the seams between them.
5. The Common Backbone — IEC 62443
The thread running through all three is IEC 62443. E26/E27 derive from it explicitly, it is widely cited as the de facto framework for meeting NIS2, and the CRA's product-security requirements share the same principles — zones and conduits, security levels, component requirements.
Build a 62443-based asset model, zone design, and evidence set once
and answer much of all three regulations with the same underlying documents.
6. The Unified Framework — "One Asset, Three Layers"
1 · Model the asset once
Draw the ship as IEC 62443 zones and conduits, then tag per-equipment CRA/MED applicability, whole-ship E26 conformity, and the operator's NIS2 status.
2 · Share the evidence
Manage the SBOM, asset inventory, vulnerability log, and incident procedure as common artifacts all three regulations reference.
3 · Own the seams explicitly
Fix it in contract — component security to the supplier (CRA or MED), integration to the yard/class (E26), operating procedure to the owner (NIS2). Leave no grey zone.
4 · Run one calendar
Overlay the different trigger dates and reporting deadlines onto a single project schedule.
NIS2, the CRA, and E26 are not three competing rulebooks — they are three layers stacked on the same ship. Only the unit of regulation differs.
What is inside this ship, and how is it kept secure? Reading that boundary in a single pass is where owner-side compliance design begins.
Owner-side maritime cybersecurity advisor covering IACS UR E26/E27 compliance, zone and conduit design, and OT/IT security architecture for commercial vessels — working across LR, ClassNK, DNV, ABS, and BV newbuilding projects.
Comments
Post a Comment