
Cybersecurity Compliance for Yachts: The 2025-2026 Timeline

Maritime cybersecurity requirements are tightening. From IMO guidelines to IACS standards, here's what yacht operators need to implement and when.

Superyacht Docs 9 min read

Maritime cybersecurity is no longer a “nice to have.” Since January 2021, the IMO has required cyber risk to be addressed within Safety Management Systems under the ISM Code. Yet many superyachts still treat cybersecurity as an IT problem rather than a safety management obligation.

The regulatory landscape is tightening rapidly. IACS Unified Requirements E26 and E27 came into force for new builds in 2024, the US Coast Guard finalises its cyber rule in 2025, and flag states are increasingly checking for evidence of cyber risk management during ISM audits. If your yacht’s SMS does not address cyber risk in a meaningful way, you are exposed — both to actual threats and to audit findings.

Who Needs This?

  • Owners and operators of ISM-certified yachts (500GT and above, or voluntary compliance)
  • Designated Persons Ashore (DPA) responsible for SMS oversight
  • Captains and senior officers managing onboard systems
  • Management companies preparing for ISM audits
  • New build project teams specifying IT/OT systems on yachts under construction

The Regulatory Timeline

Here is how maritime cyber requirements have evolved and where they are heading:

| Date | Requirement | Scope |
| --- | --- | --- |
| June 2017 | IMO MSC.428(98) adopted | Requires cyber risk in SMS by first DOC annual verification after 1 Jan 2021 |
| January 2021 | IMO cyber requirements active | All ISM-certified vessels must address cyber risk in SMS |
| December 2021 | IMO MSC-FAL.1/Circ.3 published | Updated guidelines on maritime cyber risk management |
| January 2024 | IACS UR E26 & E27 in force | Cyber resilience requirements for new build vessels and onboard systems |
| July 2025 | US Coast Guard cyber rule (expected) | Mandatory cyber requirements for vessels in US waters |
| 2026 onward | Increased PSC focus | Cyber compliance expected as CIC topic |

IMO Guidelines: MSC-FAL.1/Circ.3

The IMO’s primary guidance document is MSC-FAL.1/Circ.3, “Guidelines on Maritime Cyber Risk Management.” The current version, issued in 2021, replaced the original 2017 circular and provides a framework aligned with the NIST Cybersecurity Framework.

The guidelines recommend five functional elements:

  1. Identify — Determine systems, assets, data, and capabilities that pose a cyber risk
  2. Protect — Implement safeguards to ensure delivery of critical services
  3. Detect — Define activities to identify cyber events in a timely manner
  4. Respond — Plan activities to take action against detected cyber incidents
  5. Recover — Identify measures to restore capabilities after a cyber incident

Note: MSC-FAL.1/Circ.3 is guidance, not mandatory in itself. However, MSC.428(98) makes it mandatory to address cyber risk in your SMS — and auditors use these guidelines as the benchmark for assessing whether you have done so adequately.

Integrating Cyber Risk into Your SMS

The ISM Code does not mention “cyber” explicitly. What it does require (Section 1.2.2) is that the SMS addresses all identified risks to the ship, its personnel, and the environment, and establishes appropriate safeguards.

Cyber risk falls squarely within this scope. Here is where cyber fits into ISM Code requirements:

| ISM Code Section | Cyber Application |
| --- | --- |
| 1.2.2 — Risk assessment | Include IT and OT systems in your risk assessment |
| 6 — Resources and personnel | Cyber awareness training for crew |
| 7 — Shipboard operations | Procedures for safe use of onboard systems |
| 8 — Emergency preparedness | Cyber incident response procedures |
| 9 — Non-conformities and corrective actions | Process for reporting and addressing cyber incidents |
| 10 — Maintenance | Software updates, patch management, system maintenance |
| 11 — Documentation | Cyber risk documentation, network diagrams, asset inventories |
| 12 — Verification and audit | Include cyber in internal audit scope |

Your SMS should contain, at minimum, a cyber risk assessment, a cyber security policy, procedures for common cyber scenarios, and evidence of crew awareness training.

Common Vulnerabilities on Superyachts

Superyachts present unique cyber risks due to their mix of complex navigation systems, entertainment networks, and guest connectivity demands. The most common vulnerabilities I see:

Bridge and Navigation Systems

  • ECDIS — Electronic Chart Display and Information Systems often run on outdated Windows installations with no patching schedule
  • AIS — Automatic Identification Systems can be spoofed if not properly configured
  • GPS — Vulnerable to jamming and spoofing, particularly in congested waters
  • Radar/ARPA — Increasingly networked and software-dependent
  • Dynamic positioning — Critical system often connected to the ship’s network

Engineering Systems

  • Alarm and monitoring systems — Networked PLC-based systems controlling machinery
  • Power management — Automated load sharing and generator control
  • HVAC and hotel systems — Often on shared networks with operational systems

IT and Guest Systems

  • Guest Wi-Fi — Frequently poorly segregated from operational networks
  • Entertainment systems — AV systems bridging guest and crew networks
  • VSAT and communications — Satellite terminals as network entry points
  • Crew personal devices — Unmanaged devices on crew networks

Critical risk: The most dangerous vulnerability on most yachts is the lack of network segregation between IT (guest, entertainment, internet) and OT (navigation, engineering, safety) systems. A malware infection from a guest device should never be able to reach your ECDIS or machinery monitoring system. If it can, you have a serious problem.

IACS UR E26 and E27

The International Association of Classification Societies published two Unified Requirements that apply to new builds contracted from 1 January 2024:

UR E26 — Cyber Resilience of Ships requires that the vessel is designed, constructed, commissioned, and maintained to be cyber resilient. This includes network architecture design, system hardening, and lifecycle security management.

UR E27 — Cyber Resilience of On-Board Systems and Equipment requires that individual systems and equipment suppliers demonstrate their products meet defined cyber security capabilities, including access control, software integrity, and secure communications.

For existing yachts, UR E26/E27 are not retroactively mandatory. However, they represent the direction of travel and are increasingly used as a reference standard by flag states and classification societies during surveys.

US Coast Guard Cyber Rule

The US Coast Guard has been developing mandatory cybersecurity regulations under 33 CFR and 46 CFR. The proposed rule, expected to be finalised by mid-2025, will require vessels calling at US ports to:

  • Designate a Cybersecurity Officer (similar to the SSO under ISPS)
  • Maintain a Cybersecurity Plan approved by the vessel’s flag state or a recognised organisation
  • Conduct cybersecurity drills and exercises
  • Report cyber incidents to the National Response Center

If your yacht visits US waters — including popular destinations like Florida, New England, and the Caribbean — this rule will apply to you.

Practical Implementation Steps

Here is how to build cyber risk management into your yacht’s SMS:

  1. Conduct an asset inventory. Map every IT and OT system on board. Include hardware, software, firmware versions, and network connections. You cannot protect what you do not know about.

  2. Map your network. Create a network topology diagram showing how systems interconnect. Identify where IT and OT networks meet (or where they should be separated and are not).

  3. Perform a cyber risk assessment. For each system, assess the likelihood and consequence of a cyber incident. Focus on safety-critical systems first: navigation, propulsion, power management, fire detection.

  4. Implement network segregation. Ensure guest Wi-Fi, crew networks, and operational systems are on separate network segments with controlled access between them. Use firewalls and VLANs.

  5. Establish access controls. Implement strong passwords, multi-factor authentication where possible, and role-based access. No shared admin accounts.

  6. Create a patch management procedure. Define how and when software updates are applied to bridge systems, engineering systems, and IT infrastructure. Test updates before deploying to critical systems.

  7. Write cyber incident response procedures. Document what to do if a system is compromised. Include isolation steps, communication protocols, and recovery procedures. Add these to your SMS emergency procedures.

  8. Train the crew. Conduct cyber awareness training for all crew. Cover phishing, removable media risks, password hygiene, and how to report suspected incidents. Record the training in your SMS training matrix.

  9. Include cyber in internal audits. Add cyber risk management to your ISM internal audit checklist. Verify that procedures are being followed and documentation is current.

  10. Review and update annually. Cyber threats evolve. Review your risk assessment, network diagram, and procedures at least annually or after any significant system change.

Common Mistakes and Audit Findings

  • Generic cyber policy with no yacht-specific content. Auditors want to see that your cyber documentation reflects your actual onboard systems, not a copied template with no customisation.
  • No network diagram. If you cannot show how your systems are connected, you cannot demonstrate that you have assessed the risks.
  • No evidence of crew training. A policy nobody has read is worthless. Record training sessions and keep signed acknowledgements.
  • IT and OT on the same network. This is the single most common technical finding. If your ECDIS is on the same subnet as guest Wi-Fi, fix it immediately.
  • No incident response procedure. When asked “what do you do if ransomware hits your bridge systems?”, the crew should have an answer that goes beyond “call the IT company.”
  • Outdated software on bridge systems. ECDIS, radar, and AIS units running unsupported operating systems with no update plan will attract attention from both auditors and classification surveyors.
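As an added example (not code from the original article or from the Superyacht Docs templates), the following Python script turns implementation steps 1 to 4 above (asset inventory, network map, risk assessment, segregation) into something an auditor can be shown, and checks automatically for two of the audit findings just listed: IT and OT on the same network, and outdated software on bridge systems. The vessel, asset names, VLAN numbers, subnets, OS versions, the 180-day patch interval and the 5x5 scoring scale are all constructed assumptions, not a real yacht or a published standard.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Zones follow the article's IT/OT split: OT = navigation, engineering,
# safety; IT = guest, entertainment, crew and internet-facing comms.
OT_ZONES = {"navigation", "engineering", "safety"}
IT_ZONES = {"guest", "entertainment", "crew", "comms"}

PATCH_SLA_DAYS = 180      # assumed SMS policy: critical systems patched at least every 6 months
TODAY = date(2025, 6, 1)  # fixed "audit date" so the example is reproducible


@dataclass
class Asset:
    name: str
    zone: str                     # member of OT_ZONES or IT_ZONES
    vlan: int
    ip: str                       # host address with prefix, e.g. "10.20.0.5/24"
    os: str
    os_supported: bool            # vendor still issues security updates
    last_patched: Optional[date]  # None = no record in the maintenance log
    safety_critical: bool = False

    @property
    def subnet(self):
        return ipaddress.ip_interface(self.ip).network


# Constructed inventory for a fictional yacht; nothing here describes a real vessel.
INVENTORY = [
    Asset("ECDIS-1",   "navigation",    10, "192.168.1.10/24",  "Windows 7",           False, date(2019, 3, 1),  True),
    Asset("Radar-X",   "navigation",    10, "192.168.1.11/24",  "Vendor RTOS 3.4",     True,  date(2025, 1, 15), True),
    Asset("AMS-PLC",   "engineering",   20, "10.20.0.5/24",     "PLC firmware 4.2",    True,  None,              True),
    Asset("Guest-AP",  "guest",         10, "192.168.1.200/24", "AP firmware 8.1",     True,  date(2025, 2, 1)),
    Asset("AV-Server", "entertainment", 30, "10.30.0.8/24",     "Windows Server 2022", True,  date(2025, 3, 10)),
    Asset("Crew-NAS",  "crew",          40, "10.40.0.3/24",     "NAS OS 7",            True,  date(2024, 12, 1)),
]


def segregation_findings(assets):
    """Return (ot_name, it_name, reason) for every OT asset that shares a
    VLAN or an IP subnet with an IT asset, i.e. no segregation between them."""
    findings = []
    ot = [a for a in assets if a.zone in OT_ZONES]
    it = [a for a in assets if a.zone in IT_ZONES]
    for o in ot:
        for i in it:
            shared = []
            if o.vlan == i.vlan:
                shared.append(f"VLAN {o.vlan}")
            if o.subnet == i.subnet:
                shared.append(f"subnet {o.subnet}")
            if shared:
                findings.append((o.name, i.name, " and ".join(shared)))
    return findings


def patch_findings(assets, today=TODAY):
    """Return (name, issue) for unsupported operating systems and for
    safety-critical systems with no patch record or one older than PATCH_SLA_DAYS."""
    findings = []
    for a in assets:
        if not a.os_supported:
            findings.append((a.name, f"unsupported OS: {a.os}"))
        if a.safety_critical:
            if a.last_patched is None:
                findings.append((a.name, "no patch record"))
            elif (today - a.last_patched).days > PATCH_SLA_DAYS:
                findings.append((a.name, f"patch overdue, last update {a.last_patched}"))
    return findings


def risk_register(assets):
    """Simple 5x5 likelihood x consequence register, highest risk first.
    Likelihood rises with an unsupported OS and with exposure to IT networks;
    consequence is 5 for safety-critical systems and 2 otherwise (assumed scale)."""
    exposed = {ot_name for ot_name, _, _ in segregation_findings(assets)}
    rows = []
    for a in assets:
        likelihood = 1 + (2 if not a.os_supported else 0) + (2 if a.name in exposed else 0)
        consequence = 5 if a.safety_critical else 2
        rows.append((a.name, likelihood, consequence, likelihood * consequence))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for o, i, why in segregation_findings(INVENTORY):
        print(f"SEGREGATION  {o} shares {why} with {i}")
    for name, issue in patch_findings(INVENTORY):
        print(f"PATCHING     {name}: {issue}")
    print("\nRisk register (name, likelihood, consequence, score):")
    for row in risk_register(INVENTORY):
        print("  ", row)
```

Run as-is, the constructed inventory produces the two classic findings: ECDIS-1 and Radar-X sit on the same VLAN and subnet as the guest access point, ECDIS-1 runs an unsupported OS with a patch date from 2019, and the engineering PLC has no patch record at all; the register ranks ECDIS-1 first at 25. Replacing INVENTORY with your own asset list (step 1) and re-running after every significant system change (step 10) gives you a dated artefact for the ISM internal audit instead of a one-off spreadsheet.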

How We Can Help

Our SMS Essentials Package includes a cyber risk management section designed specifically for superyachts. It provides a structured cyber risk assessment template, network documentation frameworks, incident response procedures, and crew training records — all integrated into your Safety Management System so that cyber compliance is part of your normal ISM audit cycle rather than a separate exercise.

Frequently Asked Questions

Is cybersecurity mandatory for yachts under 500GT?

The ISM Code applies to vessels of 500GT and above on international voyages. However, many flag states (particularly Red Ensign Group states) require or strongly recommend ISM compliance for commercially operated yachts from 24m. If your yacht voluntarily complies with the ISM Code, cyber risk should be addressed in your SMS regardless of tonnage. Even without ISM, the ISPS Code (applicable from 500GT) now considers cyber threats within its scope.

Do I need a dedicated Cybersecurity Officer on board?

Currently, the IMO guidelines do not mandate a specific Cybersecurity Officer role. Cyber risk management can be assigned to an existing role — typically the Master, ETO, or a senior officer with appropriate training. However, the upcoming US Coast Guard rule will require a designated Cybersecurity Officer for vessels in US waters. Consider assigning the role now to stay ahead of the requirement.

What happens during an ISM audit regarding cyber?

Auditors will typically ask to see your cyber risk assessment, review your SMS for cyber-related procedures, check for crew training records, and may ask crew members about cyber awareness. They may request your network diagram and ask how IT and OT systems are segregated. The depth of scrutiny varies by flag state and auditor, but the trend is clearly toward more thorough cyber examination at every audit cycle.
