Frequently Asked
Questions

IACS UR E26 (Unified Requirements E26) is the global mandatory cybersecurity standard for ships, issued by the International Association of Classification Societies (IACS).

It establishes baseline cyber resilience requirements for all vessels over 500 GT and all manned vessels classed by Recognised Organisations, ensuring ships can withstand, recover from, and adapt to cyber threats.

Compliance is verified during classification surveys by your Classification Society (e.g., DNV, KR, Lloyd's Register, Bureau Veritas).

July 1, 2024 — UR E26 became mandatory for all vessels with a keel laid on or after this date.

Vessels already in service are subject to compliance verification during their next annual or renewal classification survey.

• April 2022 — IACS formally adopted UR E26 & E27
• January 2024 — Implementation preparation deadline
• July 2024 — Full mandatory enforcement begins
• 2026+ — Ongoing surveys require demonstrated compliance

UR E26 applies to:

• All vessels over 500 Gross Tonnage (GT)
• All manned vessels classed by IACS member organizations
• Vessels with keel laid on or after July 1, 2024 (new builds)
• Existing vessels at their next scheduled classification survey

High-risk vessel types include tankers, LNG carriers, container ships, cruise vessels, and offshore platforms with complex OT/IT systems.

UR E26 — Ship Level: Addresses the vessel as a whole system. Covers network architecture, personnel training, access control, monitoring, and incident response at the ship level.

UR E27 — System/Equipment Level: Focuses on individual onboard systems and equipment (e.g., ECDIS, AIS, engine management systems). Applies to equipment manufacturers and system integrators.

Both standards work together — E26 sets the ship-level framework while E27 ensures each critical system meets cybersecurity requirements. Full compliance requires addressing both.

UR E26 aligns with the NIST Cybersecurity Framework and mandates compliance across five functional areas:

• Identify — Asset inventory, risk assessment, system boundary definition
• Protect — Access control, network segmentation, crew training, software integrity
• Detect — Continuous monitoring, anomaly detection, audit logging
• Respond — Incident response planning, containment procedures, stakeholder communication
• Recover — Business continuity, system restoration, evidence documentation

Yes. UR E26 explicitly requires logical and physical separation between Operational Technology (OT) networks and Information Technology (IT)/administrative networks.

This includes:

• Firewall segmentation between OT and IT zones
• No direct internet connectivity for critical OT systems
• Data diodes or unidirectional gateways where appropriate
• Documented and auditable network architecture diagrams

Classification societies require demonstrable evidence across multiple domains:

• Cyber Risk Assessment report with risk register
• Network architecture diagrams (OT/IT separation evidence)
• Access control policy documentation
• Crew cybersecurity training records
• Software and firmware inventory
• Incident Response Plan (IRP)
• Audit logs and monitoring reports
• Vulnerability assessment records

Automated evidence generation platforms significantly reduce the burden of documentation preparation for surveys.

E26 compliance is verified at each scheduled classification survey:

• Annual Surveys — Basic compliance check, updated documentation review
• Intermediate Surveys (2.5 years) — Deeper technical assessment
• Renewal Surveys (5 years) — Full compliance verification

Additionally, significant cyber incidents must be reported to your Classification Society and may trigger an unscheduled compliance review.

Implementation timelines vary significantly based on existing infrastructure maturity:

• Vessels with modern, documented systems: 3–6 months
• Vessels with mixed legacy/modern systems: 6–12 months
• Older vessels requiring significant OT modernization: 12–24 months

Key phases include gap assessment, architecture redesign, technology deployment, documentation, crew training, and classification society verification. Starting well ahead of your next survey is strongly recommended.

In most cases, yes — but it depends on the system. The approach varies:

• Modern systems (post-2018): Often require firmware updates and configuration changes only
• Legacy OT systems: May need compensating controls (monitoring, access restrictions, network isolation)
• End-of-life systems: May require replacement if they cannot meet minimum security requirements

A formal gap assessment against E26 requirements is the essential first step to determine the scope and cost of compliance for your specific vessel.

UR E26 mandates cybersecurity awareness training for all crew members who interact with onboard digital systems. Requirements include:

• Role-based training appropriate to crew responsibilities
• Awareness of phishing, social engineering, and physical security threats
• Incident reporting procedures and escalation paths
• Safe use of removable media and personal devices
• Annual refresher training with documented completion records

Training records must be maintained and available for classification survey review.

Failure to demonstrate E26 compliance during a classification survey can result in:

• Conditions of Class — Mandatory remediation within a specified timeframe
• Suspension of Class — Vessel cannot operate commercially until resolved
• Withdrawal of Class — In severe or repeated non-compliance cases

Insurance implications may also arise, as P&I clubs and hull underwriters increasingly require E26 compliance evidence. Early preparation and a structured compliance program significantly reduces survey risk.

Classification surveyors use a combination of documentation review and technical verification:

• Review of cyber risk assessment and risk register
• Network architecture diagram review and physical inspection
• Access control policy and implementation verification
• Crew training record audit
• Monitoring system log review
• Incident response plan tabletop exercise (in some cases)

Automated compliance evidence platforms can generate survey-ready reports that map directly to classification society checklists, dramatically simplifying the survey process.

Yes. UR E26 applies to offshore units including:

• FPSOs (Floating Production Storage and Offloading vessels)
• Semi-submersible drilling rigs
• Jack-up drilling units
• Offshore accommodation vessels over 500 GT

These vessels often have complex OT environments (production systems, dynamic positioning, subsea controls) that require specialized E26 implementation approaches compared to conventional merchant vessels.

TGM (TeraGrid-M) is a purpose-built maritime cybersecurity platform that integrates four core capabilities aligned with E26 requirements:

• SIEM — Security event correlation and compliance logging
• IDS — Network intrusion detection for OT/IT environments
• EDR — Endpoint detection and response for crew workstations and servers
• NMS — Network monitoring and topology visualization

Most importantly, TGM automatically generates E26-compliant audit evidence reports — mapping system logs and events directly to classification society survey requirements.

Yes — automated evidence generation is TGM's core differentiator for E26 compliance.

The platform continuously collects, correlates, and formats compliance evidence across all monitored systems, generating survey-ready reports that include:

• Access control audit trails mapped to E26 requirements
• Network monitoring logs with anomaly detection records
• Incident response documentation and timelines
• System integrity verification reports

This eliminates the weeks of manual documentation preparation typically required before classification surveys.

You can request a TGM platform demonstration through the contact form on this site or directly via our team.

Demonstrations are tailored to your vessel type and compliance requirements, covering:

• Live platform walkthrough with your vessel profile
• E26 compliance gap assessment review
• Sample evidence report generation
• Implementation timeline and deployment options

Contact us at info@ure26.com or use the Get Started form on the main page.