Maritime cyber doesn't have one regulator — it has dozens. IMO, IACS, every class society's notation, oil-major vetting, dry-bulk vetting, port-state cyber, EU NIS 2, plus the underlying technical standards (NIST CSF, IEC 62443, ISO/IEC 27001, CIS Controls). Navis Arca maps live agent telemetry to all of them — pre-mapped to the headline frameworks, aligned to the rest, exportable for any audience that asks.
Every fleet we work with faces these four — usually in the same year, sometimes the same week. Navis Arca answers all four with the same live evidence base, exportable as a polished PDF in two clicks. Per-class-society notations, port-state regimes, vetting bodies and underlying standards are covered in the matrix below.
Cyber Resilience of Ships & Onboard Systems
The International Association of Classification Societies' Unified Requirements for cyber resilience of new-build ships (UR E26) and the systems aboard them (UR E27). Mandatory for vessels contracted on or after 1 July 2024 across IACS member societies — DNV, ABS, Lloyd's Register, Bureau Veritas, ClassNK, RINA, KR and others.
Maritime Security & Cyber Risk Management
OCIMF's Tanker Management & Self-Assessment, third edition. Element 13 is the cyber-risk element scored against by oil-major vetting inspectors before a tanker is chartered. Stage-1 and Stage-2 questions cover policy, training, technical controls and audit — the same areas Navis Arca generates evidence for automatically.
Cyber Security Onboard Ships
The fifth edition of the industry-wide guidelines published by BIMCO together with ICS, INTERTANKO, INTERCARGO, OCIMF and other maritime associations. Practical, operationally grounded, and directly referenced by class societies — Navis Arca implements the technical controls the guidance calls for.
Maritime Cyber Risk Management in SMS
The International Maritime Organization's resolution requiring cyber risk to be addressed within a vessel's Safety Management System under the ISM Code. In effect since the first annual DOC verification after 1 January 2021. Navis Arca produces the operational evidence flag-state and port-state inspectors look for.
Every framework below is reachable from the same agent telemetry that powers the headline four. We use three coverage tiers so you know exactly what arrives turnkey, what's ready on request, and what's a documented alignment.
Beyond the IACS unified requirements, each society publishes its own optional notation. Navis Arca produces evidence that maps to the technical control elements of each.
The questions vetting inspectors ask before your tonnage is accepted on a charter — answered with evidence, not assertions.
Where Navis Arca produces the operational evidence inspectors expect during boarding, audit, or regulatory verification.
Every maritime framework above leans on these underlying technical standards. Navis Arca's controls implement them directly so the same evidence satisfies multiple frameworks at once.
The cyber clauses your hull, cargo and P&I underwriters increasingly require evidence of — to bind cover, to defend a claim, or to negotiate premium.
The international baseline that sits behind every flag-state cyber expectation under the ISM Code.
Tier definitions — Live · pre-mapped: turnkey export of an inspection-ready PDF in two clicks. Coverage-ready: evidence base is in place; a framework-formatted report is produced on request during onboarding. Aligned: Navis Arca controls map cleanly to the framework; we work with your team and inspector to produce the format the audience expects. Trademarks belong to their respective owners and are referenced for factual descriptive purposes only.
Every control in every framework is wired to the agent telemetry that proves it is operating. When an inspector arrives, the proof is already collected — no scramble, no spreadsheet, no screenshots taken at midnight.
Agent posts posture, scan results, audit events and policy state to the platform continuously.
Each framework's controls are pre-mapped to telemetry signals — no manual mapping work for your team.
Per-vessel and fleet-wide scores update as posture changes. Gaps are visible before an inspector points them out.
Pick a framework, pick a vessel (or fleet), download a polished, signed coverage report ready for the surveyor.
A quick read of the questions class-society and charterer auditors most commonly bring to a Navis Arca-protected fleet — and where the answer lives.
Each enrolled endpoint reports OS, hostname, role, last-seen timestamp and software inventory — visible per vessel and exportable as the asset register IACS UR E27 expects. No spreadsheet to maintain by hand.
Continuous vulnerability assessment matches installed software against authoritative CVE feeds (NVD and vendor advisories). Each finding is shown with severity, the affected device, and the vendor-published remediation. The detection date and the date you closed it are both retained.
Per-host CIS benchmark report — 600+ checks, scored, with the corrective action against each failed check. Score is tracked over time so you can show trend, not just snapshot.
USB events are recorded per device, per vessel, with timestamp and operator (if applicable). The cryptographically chained audit trail makes the record defensible — no one can quietly remove an event after the fact.
Role-based access with mandatory MFA, session controls, and a per-action audit log. Operator activity is queryable per vessel and per timeframe.
Walk through a live coverage report against IACS UR E26 / E27, TMSA 3, BIMCO V5 and IMO MSC-FAL — using a real fleet of demo vessels.