Cyber Anchor← Back to Home
Compliance Guide

IACS E26/E27 Guide

Plain-English breakdown of IACS UR E26 and E27 maritime cyber resilience requirements

UR E26

Cyber Resilience of Ships

Defines 17 requirements across 5 functional areas (Identify, Protect, Detect, Respond, Recover) based on the NIST Cybersecurity Framework. Shipyards must demonstrate compliance through the Cyber Security Design Description (CSDD).

UR E27

Cyber Resilience of On-Board Systems

Defines requirements for equipment suppliers to provide secure systems, including 41 security capabilities (30 core + 11 for untrusted networks), design documentation, and test procedures.

UR E26Ship Cyber Requirements

4.1.1Vessel Asset Inventory

Maintain complete inventory of all CBS including hardware, software, network interfaces, and data flows.

UR E27Equipment Supplier Requirements

⚡ Auto= Automated by CyberAnchor (26 of 41)
  • #1 Human user identification and authentication (SR 1.1)⚡ Auto
  • #2 Software process and device identification (SR 1.2)⚡ Auto
  • #3 Account management (SR 1.3)⚡ Auto
  • #4 Identifier management (SR 1.4)⚡ Auto
  • #5 Authenticator management (SR 1.5)⚡ Auto
  • #6 Wireless access management (SR 1.6)
  • #7 Strength of password-based authentication (SR 1.7)⚡ Auto
  • #8 PKI certificates (SR 1.8)⚡ Auto
  • #9 Strength of public key-based authentication (SR 1.9)⚡ Auto
  • #10 Authenticator feedback (SR 1.10)⚡ Auto
  • #11 Unsuccessful login attempts (SR 1.11)⚡ Auto
  • #12 System use notification (SR 1.12)⚡ Auto
  • #13 Access via untrusted networks (SR 1.13)
  • #14 Explicit access request approval (SR 2.1)
  • #15 Use control for portable media (SR 2.3)
  • #16 Use control for mobile code (SR 2.4)
  • #17 Session lock (SR 2.5)⚡ Auto
  • #18 Auditable events (SR 2.8)⚡ Auto
  • #19 Audit storage capacity (SR 2.9)⚡ Auto
  • #20 Response to audit processing failures (SR 2.10)⚡ Auto
  • #21 Timestamps (SR 2.11)⚡ Auto
  • #22 Protection of audit information (SR 2.12)⚡ Auto
  • #23 Malicious code protection (SR 3.2)⚡ Auto
  • #24 Security functionality verification (SR 3.3)⚡ Auto
  • #25 Input validation (SR 3.5)⚡ Auto
  • #26 Deterministic output (SR 3.6)⚡ Auto
  • #27 Communication integrity (SR 3.1)⚡ Auto
  • #28 Denial of service protection (SR 7.1)
  • #29 Control system backup (SR 7.3)⚡ Auto
  • #30 Control system recovery and reconstitution (SR 7.4)

Why CyberAnchor Automates Only 26 of 41 Capabilities

E27 defines 41 security capabilities, but not all can be verified through software alone.

  • 26 software-driven: Can be verified through documentation and testing
  • Physical/procedural: E.g., "Alternative power source", hardware screen obscuring
  • Focus: Authentication, Audit Logging, Communication Integrity, Malware Protection

These 26 are the primary focus for surveyors during plan approval.

Ready to Assess Your Compliance?

Use our free Compliance Grader to determine which requirements apply to your vessel and get a personalized compliance roadmap.

Start Free Assessment

Related Resources

Technical Whitepaper
The Digital Bulkhead: Automating IACS UR E26/E27 Compliance
SOC 2 Security Policies
Our security controls, access policies, and compliance framework