2025 Maritime Cybersecurity Regulations: A Simplified Breakdown

Cybersecurity in the maritime industry isn’t just a technical challenge; it’s a critical component of global shipping operations. With increasing threats targeting ships, ports, and digital systems, understanding and complying with cybersecurity regulations is no longer optional. Whether you’re navigating IMO guidelines or country-specific rules, this guide simplifies the complex web of global requirements to help shipowners safeguard their fleets and operations.
Section Breakdown
Global: Universal Cybersecurity Standards
Regional: Cybersecurity Regulations broken down by Region
Flag State: Cybersecurity Regulations by Flag State
Checklist: ShipUniverse 15 Point Maritime Cybersecurity Checklist
** Regulations and requirements may change over time. Always verify details with the relevant authorities before making decisions or implementing compliance measures. Please email your feedback, suggestions, corrections, and ideas for enhancements to editor at shipuniverse.com **
Global Overview: Understanding IMO and Universal Cybersecurity Standards
As maritime operations become increasingly reliant on digital systems, cybersecurity has evolved into a critical focus for the industry. To ensure vessels and their operations are protected from cyber threats, international organizations like the IMO have established comprehensive guidelines and regulations. This section explores the key universal standards shaping maritime cybersecurity and provides shipowners with actionable insights to maintain compliance and safeguard their fleets.
IMO Resolution MSC.428(98)
International Safety Management (ISM) Code Integration
BIMCO Guidelines on Cyber Security Onboard Ships

1️⃣ IMO Resolution MSC.428(98): Cyber risk inside the SMS (since 2017)
Scope & obligation
Companies must address cyber risk within the Safety Management System (SMS) under the ISM Code. Compliance was required no later than the first annual verification of the company’s DOC after 1 January 2021.
Who is in scope
Ships subject to SOLAS/ISM (e.g., passenger ships and cargo ships ≥500 GT; MODUs on international voyages).
What changed in 2025
The IMO updated its supporting guidance to MSC-FAL.1/Circ.3/Rev.3 (4 Apr 2025), keeping recommendations high-level but clarifying “functional elements” and stressing continuous improvement across IT and OT. Keep your SMS aligned to Rev.3.
Operational focus (map to SMS evidence)
Risk identification for IT and OT; protective controls; detection/monitoring; response/communication; recovery/backup/restore and lessons learned. Auditors will look for practical procedures and drill records, not just policies.
Non-compliance & commercial risk
Gaps can be flagged in ISM verifications or Port State Control; downstream effects include schedule disruption and charterparty friction if a cyber event halts operations. (The resolution itself ties cyber risk to safe operation under ISM.)
Example
Malware impacts ECDIS and engine monitoring during a passage. If the SMS lacks tested response/restore steps, you face delayed sailings and findings at the next verification. (Align your drill logs to Rev.3’s respond/recover elements.)
2️⃣ ISM Code implementation: Treat cyber like any other safety risk
How it fits
The ISM Code wasn’t rewritten; rather, MSC.428(98) requires companies to apply the ISM framework to cyber risks and show this in the SMS and DOC audits. In practice: risk assessment, procedures, training, drills, and continual improvement—same cycle you use for physical hazards.
Evidence to maintain
System inventories (including OT), access control and vendor-access procedures, backup/restore tests, training records, and tabletop/technical drill reports tied to corrective actions. (These align to Rev.3’s functional elements.)
3️⃣ Industry Guidelines (BIMCO/ICS/INTERTANKO, etc.): Practical playbook
Latest version
The Industry Guidelines on Cyber Security Onboard Ships (Version 5, 14 Nov 2024) remain the de facto operational handbook used alongside IMO guidance. They add threat-operator insights and emphasize keeping assessments current as networks and vendors change.
What they cover
Threat identification (phishing, ransomware, unauthorized access), vulnerability assessment (obsolete software, weak configs, limited training), protective/detective controls (segmentation, AV/EDR, logging), contingency/communications, and recovery/restore with secured backups.
Why to use them
They translate IMO expectations into checklists and procedures you can embed in the SMS and ship/shore routines, improving audit readiness and incident response quality.
Regional Cybersecurity Regulations: Key Requirements by Region
As cybersecurity becomes a critical component of maritime operations, compliance with regional regulations is essential for shipowners to maintain operational security and avoid penalties. Each region implements its own framework and guidelines, tailored to address specific threats and challenges in their waters and ports. Understanding these regional differences helps shipowners align their operations with legal requirements and industry best practices. Below is an overview of the key regions and their unique cybersecurity regulations, starting with the European Union.
European Union (EU) / United States (US) / Asia-Pacific / Middle East / Africa / South America / Australia and Oceania

1️⃣ European Union 🇪🇺
The NIS2 Directive replaces the original NIS and brings maritime into scope as essential or important entities within the transport sector. In scope typically includes water transport companies, managing bodies of ports and port facilities, and vessel traffic services. Member states had to transpose by 17 Oct 2024, with application from 18 Oct 2024.
Key requirements
- Risk management measures across IT and OT, including governance, incident handling, business continuity and disaster recovery, supply chain security, testing and auditing, and basic practices such as access control and vulnerability management.
- Incident reporting cadence: early warning within 24 hours, incident notification within 72 hours, and a final report within one month. Keep evidence of detection, assessment, and remediation steps.
- Supplier controls and accountability at management level. Entities must be identifiable at national level and subject to supervision and audits.
Penalties for non-compliance
Maximum fines can reach the higher of €10 million or 2 percent of worldwide annual turnover for essential entities, and €7 million or 1.4 percent for important entities. Supervisory authorities can issue binding instructions and conduct inspections.
Practical tips for shipowners
- Conduct regular risk assessments for shipboard and shore systems that touch EU ports and services. Map critical OT and vendor access, and document controls.
- Strengthen incident response so the team can meet the 24, 72, and one month reporting deadlines with prewritten notifications and a clear decision tree.
- Align with port and national transposition specifics where you trade, and keep supplier due diligence and contract clauses ready for audits.
2️⃣ United States 🇺🇸
Maritime cybersecurity sits under the Maritime Transportation Security Act and is enforced by the US Coast Guard. A final rule published on 17 Jan 2025, effective 16 Jul 2025, sets minimum cybersecurity requirements for vessels and MTSA facilities. Cyber must be integrated into security planning and inspections, and certain incidents must be reported to the National Response Center without delay.
Key requirements
- Cyber integrated into security plans
Vessels and facilities must address cyber risk within existing security plans or in a designated Cybersecurity Plan that aligns with MTSA.
- Designated roles and governance
A Cybersecurity Officer is required with clear responsibilities for ship and shore coordination, vendor access oversight, and exercises.
- Training, drills, and exercises
Regular crew and shoreside training, plus documented cyber drills or exercises that test detection, reporting, containment, and recovery.
- Incident reporting
Significant cyber incidents that impact the safe operation or security of a vessel or facility must be reported to the National Response Center without delay. Coordinate with the local Captain of the Port as directed by your Sector.
- Phased implementation
Core obligations begin in 2025 with additional plan content and submission milestones phasing in through 2026 and 2027. Keep an eye on Sector guidance and inspection expectations.
Penalties for non-compliance
- Civil penalties and operational controls for MTSA deficiencies that include inadequate cybersecurity.
- Possible detention or departure delays for security plan gaps related to cyber.
- Commercial impacts such as higher insurance scrutiny and contract friction after a reportable incident.
Practical tips for shipowners
- Integrate cyber into VSPs
Update Vessel Security Plans to list critical IT and OT assets, vendor and remote access controls, backup and restore steps, and an incident reporting SOP.
- Rehearse the reporting clock
Run a tabletop that walks through recognizing a significant incident, calling the National Response Center, and notifying the Captain of the Port as required.
- Use the NIST profile for structure
Map controls to identify, protect, detect, respond, and recover so you can show clear evidence during inspections.
- Tighten vendor access
MFA for remote vendors, time-boxed credentials, change logs for PLC and navigation changes, and immediate revocation on contract end.
- Keep proof ready
Training records, drill and exercise write-ups, and backup restore test results that are easy to show during inspections or Port State Control.
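The vendor-access controls in the tips above (MFA for remote vendors, time-boxed credentials, a change log for PLC and navigation changes, and immediate revocation on contract end) can be enforced by a small ledger rather than left to memory. The Python below is an added illustration, not code from ShipUniverse, the Coast Guard, or any vendor; the vendor names, system labels, timestamps, and the eight-hour maximum session window are all constructed assumptions. It shows how a change recorded outside an active, MFA-verified grant surfaces as unauthorized in the evidence an inspector would ask for.

```python
"""Time-boxed vendor remote-access ledger (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessGrant:
    vendor: str
    system: str                 # e.g. "ECDIS" or "ER-PLC-1" (constructed labels)
    mfa_verified: bool
    starts: datetime
    expires: datetime
    contract_end: datetime
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Usable only inside its window, before contract end, MFA-verified, not revoked."""
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return (self.mfa_verified
                and self.starts <= now < self.expires
                and now < self.contract_end)


@dataclass
class ChangeRecord:
    when: datetime
    vendor: str
    system: str
    description: str
    authorized: bool


class VendorAccessLedger:
    # Assumption: a vendor session is never issued for longer than one shift.
    MAX_WINDOW = timedelta(hours=8)

    def __init__(self) -> None:
        self.grants: list[AccessGrant] = []
        self.changes: list[ChangeRecord] = []

    def issue(self, vendor: str, system: str, mfa_verified: bool,
              now: datetime, hours: float, contract_end: datetime) -> AccessGrant:
        """Issue a time-boxed grant; the requested window is capped at MAX_WINDOW."""
        window = min(timedelta(hours=hours), self.MAX_WINDOW)
        grant = AccessGrant(vendor, system, mfa_verified, now, now + window, contract_end)
        self.grants.append(grant)
        return grant

    def record_change(self, vendor: str, system: str,
                      description: str, now: datetime) -> ChangeRecord:
        """Log every PLC/navigation change; it is authorized only if an active
        grant for that vendor and system exists at that moment."""
        authorized = any(g.vendor == vendor and g.system == system and g.is_active(now)
                         for g in self.grants)
        rec = ChangeRecord(now, vendor, system, description, authorized)
        self.changes.append(rec)
        return rec

    def revoke_vendor(self, vendor: str, now: datetime) -> int:
        """Immediately revoke every open grant for a vendor (e.g. at contract end)."""
        count = 0
        for g in self.grants:
            if g.vendor == vendor and g.revoked_at is None:
                g.revoked_at = now
                count += 1
        return count

    def inspection_report(self, now: datetime) -> dict:
        """The two numbers an inspector asks for: open sessions and unexplained changes."""
        return {
            "active_grants": sum(g.is_active(now) for g in self.grants),
            "unauthorized_changes": [c.description for c in self.changes if not c.authorized],
        }


def demo() -> dict:
    """Constructed timeline: one compliant vendor session, one non-MFA vendor, one
    out-of-window change, and an early contract termination."""
    t0 = datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc)
    contract_end = t0 + timedelta(days=30)
    ledger = VendorAccessLedger()
    ledger.issue("NavVendor", "ECDIS", True, t0, 4, contract_end)       # MFA, 4-hour window
    ledger.issue("PlcVendor", "ER-PLC-1", False, t0, 4, contract_end)   # no MFA: never active
    ledger.record_change("NavVendor", "ECDIS", "chart cell update", t0 + timedelta(hours=1))
    ledger.record_change("NavVendor", "ECDIS", "route file edit", t0 + timedelta(hours=5))
    ledger.record_change("PlcVendor", "ER-PLC-1", "setpoint change", t0 + timedelta(hours=1))
    ledger.revoke_vendor("PlcVendor", t0 + timedelta(hours=2))          # contract ended early
    return ledger.inspection_report(t0 + timedelta(hours=2))


if __name__ == "__main__":
    print(demo())
```

In the constructed timeline the report shows one active grant (the MFA-verified ECDIS session) and two unauthorized changes: the route file edit made after the four-hour window closed, and the PLC setpoint change made by a vendor whose grant was never MFA-verified. Those two entries are exactly the records that should feed the corrective-action log kept for the next ISM verification.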
3️⃣ Asia-Pacific
APAC is a patchwork of national regimes. For shipping, the most operationally relevant touchpoints are Singapore’s port-state requirements and incident reporting, China’s data transfer and localization rules that affect ship-to-port and vendor data, and Japan’s class-driven newbuild cyber resilience rules.
Singapore 🇸🇬
Key requirements and landscape
- MPA operates national maritime cyber monitoring and assurance capabilities. In 2025 it announced the Maritime Cyber Assurance and Operations Centre and commissioned the MariOT shipboard OT testbed to support training and solution testing. Treat this ecosystem as your counterpart for port interactions and drills.
- Security and marine incident reporting applies to Singapore-registered ships. Use MPA’s prescribed incident forms and contacts when a security-related event occurs.
Accuracy note
There is no blanket, statutory rule that every crew member on all Singapore-flagged vessels must complete a specific MPA-mandated cyber awareness course. Training is strongly encouraged and often required by company SMS, but not universally mandated by law across all crews. Align company training with MPA circulars and your SMS.
Practical tips
Map your Singapore port calls to an incident playbook that includes MPA notification steps, keep OT backup and restore evidence handy for inspections, and use the MariOT-style scenarios as a model for drills.
China 🇨🇳
Key requirements and landscape
- Cross-border data rules were eased in March 2024 for routine trade and transport data that do not contain personal or important data, reducing when security assessments are needed.
- A certification pathway for certain personal data exports takes effect on 1 January 2026. Operators should check whether ship-to-port, vendor, or crew data fall into categories that require certification or security assessment before transmitting outside China.
Practical tips
Inventory data flows tied to Chinese port calls, segregate “important data” and personal data, and pre-position a lawful transfer mechanism for 2026. Keep vendor contracts and remote access logs aligned to these rules.
Japan 🇯🇵
Key requirements and landscape
- Class societies in Japan implement IACS UR E26 and E27 for ships contracted on or after 1 July 2024. E26 addresses ship-level cyber resilience and E27 addresses onboard systems and equipment. Newbuild specs and vendor equipment should evidence compliance.
Practical tips
For newbuilds or major retrofits in Japan, require suppliers to demonstrate UR E26/E27 conformity, include cyber test and acceptance criteria in contracts, and store artifacts in your SMS for audits.
Penalties and exposure across APAC
- Singapore: sanctions can include administrative actions tied to reporting and port-facility requirements. Keep evidence of timely reporting.
- China: non-compliance with cross-border transfer rules can lead to investigations, fines, or operational constraints. Track the 2026 certification start.
- Japan: non-conformity with class rules can affect newbuild approval and delivery. Verify class acceptance early.
Owner playbook
Train crews per your SMS, run OT-realistic drills, and keep a single APAC incident checklist covering MPA reporting steps, China data transfer decisions, and UR E26/E27 evidence for Japan. This keeps port calls smooth and documentation audit-ready.
4️⃣ Middle East
Major hubs like the UAE and Saudi Arabia are formalizing cyber controls for critical infrastructure and ports. Regional practice aligns with IMO and ISPS expectations, with national rules that cover governance, incident response, and protection of operational technology.
Key requirements by country
United Arab Emirates 🇦🇪
Smart port programs and national standards set expectations for cyber governance, risk management, and resilience across critical infrastructure. The UAE Information Assurance Standard was refreshed in 2025 under the Cyber Security Council, and authorities maintain national cyber readiness and incident guidance. For port interactions, operators should be prepared to notify the port and relevant national contacts when cyber events affect operations.
Saudi Arabia 🇸🇦
The National Cybersecurity Authority updated its Essential Cybersecurity Controls to ECC-2:2024 and maintains Operational Technology Cybersecurity Controls for ICS and port-adjacent facilities. Organizations can be subject to supervision, audits, and compliance checks against these baselines. Port and terminal operators, oil and bulk facilities, and connected service providers should map their systems to ECC-2 and OTCC and keep evidence of implementation.
Penalties for non-compliance
Authorities can impose administrative measures, inspections, or directives. Under Saudi ECC-2, entities are expected to implement minimum controls and can face regulatory action for gaps. In the UAE, national standards and port requirements can be enforced through permitting, access, or operational constraints.
Practical tips for shipowners
- Strengthen defenses for smart ports
Before calls at Jebel Ali, Khalifa, Dammam, or Ras Tanura, verify segmentation between shipboard networks and shore connections, restrict vendor remote access, and test restore procedures for OT systems. Keep change logs and remote-access records handy for checks.
- Align with national baselines
For Saudi calls, map policies and technical controls to ECC-2 and OTCC and maintain self-assessment or audit artifacts. For UAE calls, align your SMS and vendor clauses to the refreshed Information Assurance Standard and national cyber guidance.
- Clarify incident notification paths
Build a one-page notification playbook per port that lists who you call at the terminal and which national contacts apply when a cyber event impacts safe operation or causes delays. Rehearse this during drills so watch officers can meet timing expectations.
5️⃣ Africa
Africa’s maritime cybersecurity posture is building through international cooperation and national programs. The African Union’s 2050 AIM Strategy promotes common information sharing and risk management for maritime safety and security, while IMO-supported initiatives and the Djibouti Code of Conduct with the Jeddah Amendment strengthen regional coordination and capacity building around maritime crime and security readiness.
Key developments
- IMO capacity building
Recent IMO workshops and roadmaps in East Africa have focused on national coordination centers, information sharing, and operational cooperation aligned to the Djibouti Code of Conduct framework. Expect continued drills, playbooks, and contact-point formalization.
- Regional initiatives
The Djibouti Code of Conduct, expanded by the Jeddah Amendment, now addresses a wider set of maritime crimes and promotes cooperation, information exchange, and joint capacity building for states around the western Indian Ocean and Gulf of Aden.
Country snapshots
- South Africa 🇿🇦
The 2021 ransomware incident at Transnet exposed vulnerabilities across port and freight systems and drove ongoing resilience planning and investment focus for port infrastructure and digital services. Preparation now emphasizes governance, incident response, and hardening of cargo and gate systems.
- Nigeria 🇳🇬
Port-security compliance efforts continue to stress inter-agency coordination, baseline controls for facilities, and readiness for cyber incidents that could disrupt oil export terminals and logistics chains. Guidance and legal frameworks highlight organizational responsibilities and sector oversight.
- Kenya 🇰🇪
Work under the Djibouti Code of Conduct includes national roadmap development for maritime information sharing and operational coordination, reinforcing procedures for reporting and response.
Penalties and exposure
Authorities and port operators can impose access limits, added inspections, or operational constraints for security deficiencies. Cyber incidents that disrupt cargo or port IT may trigger detentions, delay costs, and follow-on insurance or contractual scrutiny. Regional cooperation frameworks also enable increased supervision and directed corrective actions.
Practical tips for shipowners
Track national updates
Monitor evolving requirements and guidance in key hubs such as South Africa and Nigeria, and keep evidence of incident detection, reporting, and recovery plans ready for inspections.
Engage regional programs
Participate in exercises and information-sharing channels associated with the Djibouti Code of Conduct and national centers where you trade. Align ship procedures with those drills and contact lists.
Secure ship-to-port connections
Use encryption, strict vendor access, and change logs for EDI and gate interfaces, cargo systems, and any remote OT links used during calls at African ports. Keep restore steps tested and documented.
6️⃣ South America
South American jurisdictions are tightening cybersecurity around ports and logistics while aligning shipboard expectations to IMO MSC.428(98) through SMS evidence. Brazil advanced a national strategy in 2025, Chile stood up a dedicated cybersecurity agency under its framework law, and Argentina approved a federal plan that raises preparedness and coordination.
Key developments
- Adoption of IMO-aligned practices
Flag and port-state oversight increasingly expect cyber risk to appear in SMS procedures, drills, and restore evidence for IT and OT systems. Class guidance mirrors this expectation.
- Port security focus
The Port of Santos issued 2025 tenders for network security licensing and digital services and reported rising IT modernization spend, signaling stricter controls at Latin America’s largest port.
Country snapshots
- Brazil 🇧🇷
A new National Cybersecurity Strategy (E-Ciber) was established by decree in August 2025, building on a 2023 national policy and moving toward a formal legal framework that would create a national authority. Expect increasing scrutiny on critical-infrastructure operators and port-system interfaces.
- Chile 🇨🇱
The 2024 Cybersecurity Framework Law created the National Cybersecurity Agency and imposes obligations on operators of essential services, including incident reporting and resilience requirements. The law became fully enforceable in 2025 with registration and supervisory mechanics ramping up.
- Argentina 🇦🇷
A 2025 Federal Plan for the Prevention of Cybercrime and Strategic Management of Cybersecurity strengthened national coordination and preparedness, with expectations on operators that support trade and logistics to align procedures and reporting.
Penalties and exposure
Non-compliance can trigger administrative actions by national authorities or port operators, added inspections, and schedule impacts. Contracts and insurance reviews often follow significant cyber incidents that disrupt cargo or port IT.
Practical tips for shipowners
Monitor national updates
Watch Brazil’s E-Ciber implementation and proposed legal framework, Chile’s agency procedures, and Argentina’s federal plan deliverables, then reflect changes in your SMS and vendor clauses.
Ensure IMO/SMS alignment
Maintain asset and network inventories, vendor access rules, backup/restore tests, and drill records that align with IMO expectations and class guidance.
Coordinate with ports early
For Santos, Buenos Aires, Valparaíso and other major calls, confirm any port cyber notifications, access-control prerequisites, and remote-access practices before arrival. Track 2025–2026 upgrades that may change interface requirements.
7️⃣ Australia and Oceania
Australia is tightening national cyber rules for critical infrastructure while AMSA continues to expect cyber risk management in ship Safety Management Systems. New Zealand emphasizes coordinated incident response through its national security agencies. Pacific partners are building regional capacity through operational networks.
Key developments
- Australia 🇦🇺
• National cyber strategy for 2023–2030 with an action plan that places ports and transport in critical focus.
• Mandatory cyber-incident reporting for critical infrastructure assets: report significant impact incidents within 12 hours and other relevant impact incidents within 72 hours to the national center.
• Domestic commercial vessels: revised SMS requirements took effect on 1 June 2025. Operators should keep cyber controls inside the SMS consistent with IMO/ISM practice and AMSA guidance.
- New Zealand 🇳🇿
• National Cyber Security Centre provides incident response pathways and annual threat reporting to guide preparedness across sectors, including transport and ports operating under ISPS. Coordinate incident reporting via national channels alongside port-facility security processes.
- Pacific partnerships
• The Pacific Cyber Security Operational Network (PaCSON) connects Pacific Island governments for operational cooperation, information sharing, and regional exercises that affect port and maritime readiness. Expect ongoing regional workshops and joint drills.
Penalties and exposure
Failure to meet national requirements can trigger inspections, directives, or administrative actions. In Australia, critical-infrastructure entities face statutory reporting obligations with follow-up written reports after verbal notification. Non-compliance or disruptive cyber events may also drive operational delays, added scrutiny at inspection, and commercial impacts.
Practical tips for shipowners
- Comply with AMSA expectations
Keep cyber inside the ship SMS: asset and network inventories, vendor and remote-access controls, backup and restore tests, drills, and clear incident communications. Be ready to show evidence during Port State Control.
- Meet critical-infrastructure clocks when applicable
For Australian critical-port interactions, rehearse the 12-hour and 72-hour reporting pathways and document who calls, what is reported, and how follow-ups are filed. Align governance to national guidance so shore teams can act without delay.
- Coordinate in New Zealand
Pre-plan incident triage and reporting through New Zealand’s national channels and ensure ISPS port-facility contacts are built into the ship’s notification sheet.
- Leverage regional programs
When calling Pacific Island ports, watch for PaCSON-aligned exercises or templates and include them in drills so ship and shore follow the same playbook.
Cybersecurity Regulations by Flag State
Understanding the cybersecurity requirements of different flag states is critical for shipowners aiming to maintain compliance and avoid costly penalties. Each flag state applies its own approach to integrating IMO standards, with additional national regulations tailored to specific maritime needs. This table breaks down key cybersecurity regulations, implementation deadlines, and enforcement practices across major flag states, helping shipowners navigate the complexities of global compliance.
15 Point Maritime Cyber Security Checklist
