UR E26, After the Mandate ② — The Owner's View: Where Obligation Ends and Choice Begins

💡 Insight After the Mandate · ② UR E26 · E27 Owner-Side Advisory


Where does the mandatory floor end, and where does the owner's choice begin?

Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance
- LinkedIn : linkedin.com/in/abysstoinfinity

The second installment of a six-part series — the first stakeholder chapter (the Owner). If Part 1 surveyed the dual structure of the market as a whole (a mandatory floor plus a voluntary notation layer), this installment examines that same structure from the seat of the party who pays for it: the shipowner.


1. The Owner's Paradox

There is a structural paradox at the heart of UR E26 compliance: the party who bears all the cost is not the one who actually produces the mandatory deliverables. The Zone and Conduit Diagram (ZCD), the cybersecurity design description, the commissioning test procedures — all of these are produced, in the first instance, by the systems integrator (typically the shipyard) and the suppliers. The owner is not the one who writes these documents.

Yet the one who operates that vessel for twenty to thirty years, and who shoulders the cost and the consequences, is the owner. The yard makes the choices at the design stage, but it is the owner who lives with the consequences of those choices for the life of the ship. For the owner, then, cyber resilience is not a problem of production but of specification and governance: what to nail down as a requirement, what to buy, and what not to buy.

Part 1 asked the market at large what it means that a differentiation layer sits atop a mandatory baseline. This installment recasts the same question in its most practical form, from the owner's seat — how far does what you must buy extend, and where does choice begin? And the answer to that question, surprisingly, is not determined by class rules alone.

2. The Owner's Real Share in E26

First, let us isolate the part for which the owner is directly responsible. E26 demands deliverables across three stages of the vessel lifecycle, and the owner's share lies mainly in the operational stage.

The design-and-build deliverables (the ZCD, the asset inventory, the design description) and the commissioning-stage test procedures are submitted by the systems integrator. The operational-stage ship cyber security and resilience programme, by contrast, is established and maintained by the owner. It includes the continuous updating of the asset inventory and, above all, vulnerability management.

And this vulnerability management is not a point-in-time exercise that ends after a single check, but a continuous process:

Monitoring the security advisories of every vendor whose equipment is installed aboard the vessel,
Assessing whether a given vulnerability affects one's own assets, and
Recording the response — all sustained throughout the vessel's operational life.

In short, the owner is in the position of inheriting a cyber architecture designed by others and operating it for the life of the ship. At delivery, the owner receives — as a package — the initial asset inventory, the class-approved architecture documents, and the E27 evidence for the installed equipment, and this becomes the baseline for all subsequent operation. It is precisely because of this structure that the owner's most important decision is made not in the operational stage but at the design stage, far earlier. The reason is taken up in Section 4.
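As an added illustration (not the article's own material; the vendor, product and advisory names are constructed), the three-step process above can be reduced to an applicability check run over the asset inventory inherited at delivery, with a recorded outcome for every advisory, including the ones that turn out not to apply:

```python
"""Applicability check: vendor advisories matched against an asset inventory.
Added example, not from the article; all vendors, products and advisory
identifiers below are constructed placeholders."""
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    zone: str            # zone as recorded in the ZCD
    vendor: str
    product: str
    version: tuple       # installed firmware/software version, e.g. (4, 2, 1)


@dataclass
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_in: tuple      # first version that is no longer affected
    severity: str


# Constructed sample inventory and advisories (not real equipment or advisories).
INVENTORY = [
    Asset("A-001", "Navigation", "ExampleNav", "ECDIS", (4, 2, 1)),
    Asset("A-002", "Navigation", "ExampleNav", "ECDIS", (4, 3, 0)),
    Asset("A-003", "Machinery", "ExampleAuto", "IAS", (2, 0, 5)),
]
ADVISORIES = [
    Advisory("EXV-2024-001", "ExampleNav", "ECDIS", (4, 3, 0), "high"),
    Advisory("EXV-2024-002", "ExampleOther", "VDR", (1, 0, 0), "medium"),
]


def affected_assets(advisory, inventory):
    """Step 2: which of our own assets does this advisory touch?
    Tuple comparison gives a simple numeric version ordering."""
    return [a for a in inventory
            if a.vendor == advisory.vendor and a.product == advisory.product
            and a.version < advisory.fixed_in]


def build_response_log(advisories, inventory):
    """Step 3: record an outcome for every advisory. A 'not applicable' entry
    is kept on purpose so the programme can show the advisory was assessed."""
    log = []
    for adv in advisories:
        hits = affected_assets(adv, inventory)
        status = "open" if hits else "not applicable"
        log.append({"advisory": adv.advisory_id, "status": status,
                    "severity": adv.severity,
                    "assets": [(a.asset_id, a.zone) for a in hits]})
    return log
```

The log entries are the evidence the operational-stage programme has to keep; a real inventory would be loaded from the delivery baseline rather than hard-coded.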

3. "Obligation vs. Choice" Is a Spectrum, Not a Binary

The owner's question — how far is obligation, where does choice begin — looks like a clean binary at the moment of purchase, but in reality it is closer to a spectrum stretched across the lifecycle. Let us divide it into three categories.

(a) What is mandatory now

The UR E26/E27 baseline is a condition of the class certificate. Its scope, however, is limited to newbuildings whose construction contracts are signed on or after 1 July 2024. That is, the mandate is a newbuilding matter; it does not apply retroactively to the existing fleet in operation.

(b) What is converging toward de facto obligation

There are domains that are not mandated by regulation but are becoming commercially hard to avoid. The clearest is charter vetting. In the tanker sector, OCIMF's SIRE 2.0 fully replaced the former VIQ7 on 2 September 2024, and it includes cyber-security inspection items. In the dry-bulk sector RightShip, and in the chemical-tanker sector CDI, each place cyber items within their own inspection schemes (RightShip already since 2017). Added to this is the trend of Port State Control widening its inspection scope to cyber under the ISPS framework, along with the emergence of In-Operation notations aimed at existing ships.

Let us be precise about one thing: these vetting regimes do not certify E26 compliance. They merely inspect operational-level cyber readiness, and the party that decides whether to charter a vessel on the basis of the result is not OCIMF but the charterer (an oil major, for instance). The character of the pressure, therefore, is less "the rule compels it" than "my cargo counterpart demands it." But from the owner's standpoint, the practical difference between the two is small.

(c) What is genuinely a choice

Higher security-level (SL) tiers that a particular trade does not reward, additional notations that one's own charter counterpart does not require — these belong here.

Here lies a key point owners easily miss: what counts as "obligation" is determined, in part, by the owner's own commercial position. For a tanker owner trading with oil majors, a robust cyber posture is a regulatory choice but a commercial de facto obligation. Conversely, for an owner in a trade where vetting pressure is weak, the very same item may be a genuine choice. There is an interesting asymmetry, too — an existing tanker in operation has no E26 mandate at all, yet SIRE 2.0's cyber inspection applies to that ship just the same.

In other words, for some vessels a situation arises in which there is no regulatory obligation, but there is commercial pressure.

4. Decision ① — Buy Only the Floor, or Specify Above It at the Design Stage

The most important decision the owner makes is this: satisfy only the mandatory floor, or explicitly specify what sits above it at the design stage?

One fact at work here must be faced squarely: the systems integrator (the yard) and the suppliers have an incentive to minimize cost. This is an entirely natural economic motive. The problem is that a ship built precisely to the floor can lead to a result that is technically E26-compliant but operationally hard to maintain and not actually secure.

To put it in a phrase that recurs in the industry —

compliant is not the same as secure.

A ship that passes on the minimum specification sends the bill to the operational stage, in the form of poorer patchability, documentation consistency, and maintainability. And we already saw in Section 2 who receives that bill — the owner who operates it for life.

A rational owner, therefore, specifies detailed requirements directly at the design stage. This is not because class pushes for it, but because of the owner's own lifecycle cost and risk. Reducing the burden one will shoulder in operation through up-front investment at the design stage — this is very nearly the only lever by which the owner offsets the structural weakness of "operating, for life, a design made by others." The floor can be left to the yard's minimum specification, or it can be raised by the owner's explicit specification. The consequences of that choice play out over the twenty-five years following delivery.

5. Decision ② — The Break-Even Calculation on the Commercial Layer

The next decision concerns the voluntary notation layer: when does it pay for itself?

The answer varies by trade, charterer, cargo, and flag. As we saw, in the tanker (SIRE 2.0), dry-bulk (RightShip), and chemical-tanker (CDI) sectors, vetting looks into cyber, and the classification societies, too, make explicit use of this linkage — DNV, for instance, presents as a benefit that its cyber notation raises charterer and oil-major vetting scores and thereby improves charterability. Interest at the insurance and flag-state level is growing as well, but the degree to which it translates into actual premiums or terms varies so widely by market, vessel type, and timing that it is premature to draw conclusions.

The owner's principle here is simple: a voluntary notation is not bought reflexively but decided by whether this fleet's actual commercial counterparts reward it. If you are in a trade where vetting looks at cyber, a notation (or an equivalent, demonstrable cyber programme) is a commercial investment. Buying a higher SL tier in a trade where no one rewards it — while not wrong in itself — may be an expenditure for which the break-even does not add up. The scope distinction set out in Part 1 becomes practical here. A baseline-equivalent tier is, in any case, a means of discharging the mandatory obligation and so is not a matter of choice; the real stage for choice is the tier that goes beyond baseline.

6. Decision ③ — Fleet Asymmetry and a Consistent Policy

The final decision arises at the fleet level. An owner who distributes ships across multiple classification societies and operates newbuildings and existing ships side by side faces two layers of asymmetry.

The first is asymmetry between classification societies. As noted in Part 1, even for the same E26 compliance, each society may differ in its guidelines, review criteria, and required deliverables. This means that even sister ships of identical specification can diverge in compliance cost and procedure if classed with different societies. The second is asymmetry between newbuildings and existing ships. E26 is not retroactive for existing ships, but In-Operation notations, the expansion of PSC cyber inspection, and vetting pressure flow into that gap. Moreover, as classification societies are expected to fold this progressively into renewal surveys, the "exemption" status of existing ships is unlikely to be permanent.

The rational response to these two asymmetries is not a ship-by-ship response but a fleet-level cyber policy. Applying standard design specifications, a common vendor-management scheme, and a consistent documentation and asset-inventory structure across the whole fleet creates a buffer that absorbs both the variance between societies and the gap between newbuildings and existing ships. This is advantageous on both cost and risk — the same work need not be redone ship by ship, and if any one vessel is caught by vetting or PSC, the entire fleet is prepared to the same standard.

7. The Owner's Practical Stance

In sum, the stance of an owner standing before the mandatory floor compresses into four points.

First, defend the floor by anchoring it to the UR text itself. Rather than accepting a society's guideline as the pass criterion without question, treat the UR text as the anchor and discern what is being demanded on top of it.
Second, specify detailed requirements at the design stage to reduce the operational burden pre-emptively — the gap between compliant and secure is cheaper to close at the design stage than in operation.
Third, selectively buy only the upsell for which a commercial reward genuinely exists — invest only to the extent that one's own vetting and charter counterparts reward it.
Fourth, maintain a consistent policy at the fleet level — absorb the asymmetries between societies and between newbuildings and existing ships into a fleet standard.

What these four share is that all of them turn on reading precisely the boundary between floor and upsell. And the work of reading and holding that boundary is the core value added of owner-side advisory — a theme taken up again in the final installment of this series (⑥ The Consultant).

If the owner's question is "what must I buy," the question of the next installment's protagonist — the classification society — lies on the opposite side: "what do I guarantee and how, how far do I differentiate, and what responsibility do I bear for the result?" Across the same boundary, one faces it from the position of the buyer, the other from the position of the guarantor.

The next installment crosses to the other side of that boundary — the classification society's view. We look at how three things intertwine: guaranteeing the minimum line uniformly, differentiating above it, and managing liability and reputation between the two.


Key Sources
IACS UR E26 / E27 (revised, in force 1 July 2024) — operational-stage owner responsibilities (cyber security and resilience programme, continuous vulnerability management)
IMO Res. MSC.428(98), MSC-FAL.1/Circ.3 (2017) — cyber risk management within the SMS
Charter vetting regimes: OCIMF SIRE 2.0 (replaced VIQ7 on 2 Sep 2024, cyber inspection included), RightShip (dry bulk, cyber items since 2017), CDI SIR (chemical tankers)
DNV Cyber Secure notation — benefits related to vetting scores and charterability
Industry analysis on the need for owner specification at the design stage and "compliant ≠ secure" (e.g., Pen Test Partners)

This series is a general analysis of the market structure surrounding IACS UR E26/E27 and is not advice on any specific project, classification society, or client. For the concrete application of the rules, refer to the latest unified-requirements and guideline texts of the relevant society; for charter and vetting requirements, refer to the latest documents of the relevant programme.

#URE26 #MaritimeCyberSecurity #CyberResilience #ShipownerStrategy #Vetting #SIRE2 #FleetPolicy #OwnerSideAdvisory #Newbuilding #IACS
Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance

A maritime cybersecurity and compliance specialist across the ship design & build lifecycle, focused on cybersecurity architecture, governance, and regulatory conformity for the shipbuilding and offshore sectors.


