TECHNICAL AND REGULATORY NEWS No.

17/2022 – TECHNICAL

IACS UNIFIED REQUIREMENTS FOR

CYBER SECURITY MANDATORY FROM
1 JANUARY 2024
Relevant for ship owners and managers, design offices, shipyards and suppliers. June 2022

The International Association of Classification Societies (IACS) has recently published new Unified
Requirements for cyber security: E26 and E27. These will be be mandatory for classed ships and
offshore installations contracted for construction on or after 1 January 2024. Find out more about
the Unified Requirements in this statutory news.

The new IACS Unified Requirements (URs) are based on

recognized international standards for the cyber security of
industrial automation and control systems, such as IEC 62443.
In brief, the new IACS URs cover the following main topics:

• Scope of applicability, including OT systems for important

vessel functions
• Identification and protection against cyber threats
• Detection of incidents
• Means to respond and recover
• Hardening and security capabilities of systems and
components

The URs will be mandatory for classed ships and offshore

installations contracted for construction on or after
1 January 2024. Consequently, the DNV class notation
Cyber secure(Essential) will be mandatory from this date.

The technical security requirements of the IACS URs E26 and

E27 are fully aligned with DNV’s class notations for cyber
Recommendations
security and are covered by the current edition of the DNV
Until the new URs are in force, DNV encourages product
class notation Cyber secure(Essential).
suppliers, shipyards, and ship owners to implement cyber
security into control systems, ship design and relevant
For customers who would like, on a voluntary basis, to imple-
management systems on board. Special attention is recom-
ment the new IACS cyber security requirements before
mended for product suppliers of systems within the scope
1 January 2024, the following items outline how to achieve
of the URs, as these systems may need further development
this in line with the current DNV rules:
and design changes to comply with the URs.
• Systems type approval (TA) in accordance with the cur-
References
rent edition of DNV rules for the class notation Cyber
• IACS news on new requirements on cyber security
secure(Essential) / security profile 1 will meet the IACS URs
• IACS UR E (electrical and electronic installations)
E26 and E27. The TA process will be amended with the
• DNV cyber secure class notation
audit of the relevant additional development activities in
• DNV cyber security approval of components and systems
accordance with IACS UR E27 section 5.
• Ships and offshore installations assigned the class notation
Cyber secure(Essential, +) as per the current edition of DNV
rules, will meet the IACS URs E26 and E27. The additional Contact
CONTACT
qualifier (+) is needed to extend the scope of systems in For customers:
accordance with the scope of applicability in IACS UR E26. DATE – Direct Access to Technical Experts via My Services on Veracity.
Otherwise:
DNV will arrange a webinar on the upcoming IACS URs for Use our office locator to find the nearest office.
cyber security on 23 August 2022. The invitation will follow in
mid-August.

DNV AS, Veritasveien 1, 1363 Høvik, Norway, Phone: +47 67 57 99 00, www.dnv.com/maritime DNV GL Disclaimer of Liability Page 1/1