Home Resources IACS UR E26 & E27

IACS UR E26 & E27, explained.

The two unified requirements that made cyber resilience a class-society matter for new-builds — what they mean, who they apply to, and what a surveyor expects to see.

Guide · 8 min read · Last reviewed 27 April 2026

What are UR E26 and UR E27?

The International Association of Classification Societies (IACS) publishes Unified Requirements (URs) that its member societies — including DNV, ABS, Lloyd's Register, Bureau Veritas, ClassNK, RINA and Korean Register — adopt into their own rules. Two of them put cyber resilience squarely into the class survey:

  • UR E26 — Cyber resilience of ships. Addresses the vessel as a whole: how the ship's networks and connected systems are designed, integrated and operated so the vessel remains safe and functional during a cyber incident.
  • UR E27 — Cyber resilience of on-board systems and equipment. Addresses the individual systems and equipment — and their suppliers — so that the components integrated into the vessel meet defined cyber requirements.

Read together, E26 is the ship-level picture and E27 is the system-level detail beneath it.

Who is in scope, and from when?

UR E26 and E27 apply to vessels contracted for construction on or after 1 July 2024. That makes them a new-build matter first and foremost: if the construction contract is dated on or after that date, the requirements apply through design, integration and delivery, and are verified by the vessel's classification society.

Existing tonnage contracted before that date is not directly compelled by E26/E27 — but the controls they describe are increasingly expected anyway. Charterers, P&I clubs and port-state regimes are converging on the same baseline, so many operators apply equivalent controls across their existing fleet voluntarily, both to satisfy vetting and to avoid running two different standards across one fleet.

What do they actually require?

The requirements are built around the now-familiar cyber lifecycle — identify, protect, detect, respond and recover — translated into ship terms. In practice, satisfying them means being able to demonstrate things like:

  • Asset inventory. A maintained inventory of computer-based systems and their connections — you cannot protect what you have not catalogued.
  • Network protection & segregation. Evidence that critical systems are appropriately segregated and protected from less-trusted networks.
  • Access control. Controlled, accountable access to systems — including multi-factor authentication and least-privilege where applicable.
  • Malware & vulnerability management. Protection against malicious code and a process for identifying and remediating vulnerabilities.
  • Detection & logging. The ability to detect anomalous activity and retain logs that show what happened.
  • Recovery. Backups and recovery procedures so the vessel can return to a known-good state.

For UR E27 specifically, much of the burden sits with system suppliers, who must show their equipment meets the requirements before it is integrated — but the operator still has to evidence that the integrated whole is maintained in service.

What evidence satisfies a surveyor?

The recurring theme at survey is operational evidence, not paperwork written the week before. A surveyor wants to see that the controls are actually running and that there is a defensible record: the current asset inventory, patch and vulnerability status, access and authentication configuration, the audit log, and the recovery arrangements — per vessel, current, and exportable.

The gap most operators hit is not capability but continuity of proof: the controls may exist, but assembling current, per-vessel evidence on demand — across a fleet, over VSAT, before a survey window closes — is where the scramble happens.

How Navis Arca helps

This is the problem Navis Arca was built for. The same agent that runs the active controls on every vessel endpoint also produces the live evidence behind them, pre-mapped to UR E26 and E27, exportable as a coverage PDF in two clicks — no spreadsheet maintained by hand, no screenshots taken at midnight. See the full compliance matrix for how the mapping works, or the platform overview for the controls themselves.

Key takeaways
  • UR E26 is ship-level cyber resilience; UR E27 is system-level.
  • Both apply to vessels contracted on or after 1 July 2024, verified by class.
  • Existing tonnage isn't compelled, but the same baseline is expected via vetting and port state.
  • Surveyors want current, per-vessel operational evidence — the hard part is producing it on demand.

This guide is general information for fleet operators and does not constitute compliance or legal advice. Always confirm requirements with your classification society.

See a live UR E26/E27 coverage report.

30 minutes on a demo fleet — the evidence a surveyor would take away, generated live.

Book a walkthrough →