Global maritime industry continues to address cyber risk

Marine | 22.09.2025 | 8 mins read

Key takeaways

Digital systems make shipping vulnerable to attacks

Cybersecurity is now a major concern for global maritime operations.

Guidelines and standards keep evolving

Organisations like IMO and IACS regularly update best practices.

Practical tools support onboard security

Workbooks and checklists help crews manage risks.

In its Maritime Risk Barometer Report for 2024/2025, the International Chamber of Shipping (ICS) identified cyber attacks as one of the top four high level risks to maritime operations. The global shipping industry’s increasing reliance on digital infrastructure and artificial intelligence has kept cyber risk high on the maritime agenda.

The threat that cyber risk is perceived to pose not only to maritime but also to other business sectors is reflected in the findings of the Allianz 2025 Risk Barometer, which places cyber risk as the leading perceived risk by corporates.

As has also been recognised, cyber security is an ever-changing landscape, and therefore the global shipping industry needs to be kept aware of developments. New technologies and evolving user behaviours require regular evaluation of the security controls in place.

As a result, regulations, industry guidelines and best practice documents continue to be revised on a regular basis to ensure that they provide all stakeholders in the international maritime sector with the tools and information they need to combat cyber threats through effective cyber risk management and best practice regimes.

In this article, we highlight some recent developments in this regard.

IMO

On 4 April 2025, the International Maritime Organisation (IMO) published an updated version of its Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3/Rev.3). The Guidelines are intended to assist commercial shipping in addressing cyber risk and protecting vessels from cyber-attack.

The original Guidelines were issued in 2017 and were a result of the IMO’s view that there was an urgent need to raise awareness on cyber risk threats and vulnerabilities. The Guidelines have now been updated twice, which is a remarkable pace from the IMO and is a testament to the importance and fast-moving landscape (and seascape) of the subject. The Guidelines provide high level recommendations on maritime cyber risk management and include functional elements that support effective cyber risk management.

The Guidelines provide recommendations that can be incorporated into existing risk management processes and are complementary to other existing safety and security management practices established by the IMO, such as the International Ship and Port Facility Security Code (ISPS Code).

Perhaps one of the most useful elements of the Guidelines is that they highlight the standards expected by management companies for the proper implementation of cyber risk management. Part of this is emphasising that reference should also be made to the most recent international and industry best practices. These include, but are not limited to:

  • Guidelines on Cyber Security on board Ships issued by ICS, IUMI, BIMCO, OCIMF, INTERTANKO, INTERCARGO, InterManager, WSC and SYBAss.

  • Consolidated IACS Recommendation on cyber resilience (Rec. 166).

  • IAPH Cyber Security Guidelines for Ports and Port Facilities.

  • IAPH Cyber Resilience Guidelines for Emerging Technologies in the maritime supply chain.

  • ISO/IEC 27001 standard on information technology, jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Committee (IEC).

  • US National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework).

UK

In July 2023, the UK Government’s Department of Transport published a Cyber Security Code of Practice for Ships (COP), a detailed 75-page document that provided an updated version of the previous Code of Practice issued in 2017. The revised COP acknowledged that since the last COP was issued, the threat landscape had changed; for example, there had been a significant increase in the incidence of ransomware attacks on the maritime industry. The majority of these appeared to have been related to IT security and perpetrated through supply chains.

The COP is intended to assist organisations in maintaining Cyber Security Plans (CSPs) and Cyber Security Assessments (CSAs) alongside their Ship Security Plans (SSPs) and Ship Security Assessments (SSAs), which are mandated by the ISPS Code.

Among other things, the COP lists a Cyber Security Top 10 for Shipping to encourage wider adoption of good cyber security practices. The COP suggests that adopting the Top 10 will reduce the likelihood of successful cyber-attacks and their impact. The Top 10 are:

  1. Know your data.

  2. Understand your risks.

  3. Manage your assets.

  4. Manage identity and access.

  5. Know your supply chain.

  6. Train your users.

  7. Manage your vulnerabilities.

  8. Build your resilience.

  9. Monitor your systems.

  10. Manage cyber incidents.

The Shipping Top 10 are based on the UK National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security, together with other government guidance, as customised for the maritime sector.

EU

The Network and Information Systems Directive 2 (Directive 2022/2555, also known as NIS2) establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU and calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement. Among the sectors covered are transport, energy, finance and digital infrastructure.

NIS2 provides for enhanced obligations, including in respect of cybersecurity, governance and incident management. It has also established:

  • A network of Computer Security Incident Response Teams (CSIRTs);

  • The European cyber crisis liaison organisation network (EU-CyCLONe);

  • The NIS Cooperation Group, which publishes non-binding guidelines and recommendations to support the implementation of NIS2.

NIS2 replaced NIS1 (Directive 2016/1148) and repealed NIS1 as of 17 October 2024. The corresponding Implementing Regulation (EU) 2024/2690 of 17 October 2024 sets out the rules specifying the obligations laid down in certain Articles of NIS2, including technical and methodological requirements of cybersecurity risk management measures.

Under the transposition period set out in NIS2, Member States were to have implemented NIS2 into national law by 18 October 2024. However, it was reported towards the end of 2024 that only four of the 27 Member States had duly implemented NIS2 into domestic law and that, consequently, the European Commission had launched infringement procedures against the remaining 23 Member States. The non-compliant Member States were given two months from 28 November 2024 to duly complete the transposition and provide the Commission with a satisfactory response.

As at August 2025, 13 Member States remained non-compliant. The European Commission has threatened legal action and/or the imposition of significant financial penalties against those States if non-compliance continues, although a number of the offending States already have draft implementing legislation that is going through the necessary legislative process.

In the meantime, on 26 June 2025, the EU Agency for Cybersecurity (ENISA) published guidance setting out security measures that Regulated Organisations should put in place to comply with NIS2. The detailed Guidance (almost 200 pages long) is non-binding but is designed to help those entities that fall within the scope of NIS2 to comply with their regulatory obligations and existing international standards.

IACS

To assist the shipping industry in dealing with the cyber threat, the International Association of Classification Societies (IACS) has revised its two unified requirements (URs) on cybersecurity, UR E26 and UR E27, in September 2023 and November 2023 respectively. The original versions were published in April 2022. The revised versions supersede the earlier documents and apply to ships contracted for construction on or after 1 July 2024, but can act as useful non-mandatory guidance to all IACS member ships.

UR E26 addresses cyber resilience of onboard systems and equipment. UR E27 deals with cyber resilience of ships. They aim to minimise the frequency and impact of cyber incidents at sea and offer a practical risk-based approach.

ICS/BIMCO

In October 2024, the ICS and BIMCO, together with Witherbys, published the sixth edition of a Cyber Security Workbook for Onboard Ship Use.

This is a practical workbook on identifying cyber risks and how to respond in case of a cyber-attack. It is intended to support the shipowner, master and the crew with cyber security management. It contains detailed checklists to support the day-to-day management of onboard cyber security and facilitates collaboration between ships, onshore IT departments and equipment manufacturers.

Comment

It is widely reported that successful cyber-attacks are becoming more commonplace, be that from ransom demands or terrorist interference (in particular AIS and GPS disruption). What will be interesting to see is whether a trend develops in how successful such attacks are between well managed cyber-secure vessels as compared to other vessels.

It is certainly a concern for owners/insurers and if a handle on such attacks cannot be gained, it will also be interesting to see what more can be done in 2025/2026 in terms of regulatory compliance and updated industry guidance and recommendations.

You can find more information on cybersecurity regulations in the maritime sector here.
