Compliance Guide

IACS E26/E27 Guide

Plain-English breakdown of the 41 compliance requirements for maritime cyber resilience

UR E26

Cyber Resilience of Ships

Defines requirements for shipyards and owners to maintain cyber resilience throughout the vessel lifecycle, including asset inventory, security zones, access control, and change management.

UR E27

Cyber Resilience of On-Board Systems

Defines requirements for equipment suppliers to provide secure systems, including 41 security capabilities (30 core + 11 for untrusted networks), design documentation, and test procedures.

UR E26: Ship Cyber Requirements

4.1.1 CBS Inventory

Document all computer-based systems (CBS), including make, model, serial number, software versions, and network interfaces.

4.1.2 Network Topology

Maintain up-to-date network diagrams showing all CBS interconnections.

4.1.3 Classification

Classify systems as Category I, II, or III based on criticality.

UR E27: Equipment Supplier Requirements

⚡ Auto = Automated by CyberAnchor (26 of 41)
  • #1 Human user identification and authentication (SR 1.1) ⚡ Auto
  • #2 Software process and device identification (SR 1.2) ⚡ Auto
  • #3 Account management (SR 1.3) ⚡ Auto
  • #4 Identifier management (SR 1.4) ⚡ Auto
  • #5 Authenticator management (SR 1.5) ⚡ Auto
  • #6 Wireless access management (SR 1.6)
  • #7 Strength of password-based authentication (SR 1.7) ⚡ Auto
  • #8 PKI certificates (SR 1.8) ⚡ Auto
  • #9 Strength of public key-based authentication (SR 1.9) ⚡ Auto
  • #10 Authenticator feedback (SR 1.10) ⚡ Auto
  • #11 Unsuccessful login attempts (SR 1.11) ⚡ Auto
  • #12 System use notification (SR 1.12) ⚡ Auto
  • #13 Access via untrusted networks (SR 1.13)
  • #14 Explicit access request approval (SR 2.1)
  • #15 Use control for portable media (SR 2.3)
  • #16 Use control for mobile code (SR 2.4)
  • #17 Session lock (SR 2.5) ⚡ Auto
  • #18 Auditable events (SR 2.8) ⚡ Auto
  • #19 Audit storage capacity (SR 2.9) ⚡ Auto
  • #20 Response to audit processing failures (SR 2.10) ⚡ Auto
  • #21 Timestamps (SR 2.11) ⚡ Auto
  • #22 Protection of audit information (SR 2.12) ⚡ Auto
  • #23 Malicious code protection (SR 3.2) ⚡ Auto
  • #24 Security functionality verification (SR 3.3) ⚡ Auto
  • #25 Input validation (SR 3.5) ⚡ Auto
  • #26 Deterministic output (SR 3.6) ⚡ Auto
  • #27 Communication integrity (SR 3.1) ⚡ Auto
  • #28 Denial of service protection (SR 7.1)
  • #29 Control system backup (SR 7.3) ⚡ Auto
  • #30 Control system recovery and reconstitution (SR 7.4)

Why CyberAnchor Automates Only 26 of 41 Capabilities

E27 defines 41 security capabilities, but not all can be verified through software alone.

  • 26 software-driven: can be verified through documentation and testing
  • Physical/procedural: e.g., "Alternative power source", hardware screen obscuring
  • Focus: authentication, audit logging, communication integrity, malware protection

These 26 are the primary focus for surveyors during plan approval.
