
IACS UR E26 & E27: Cybersecurity Regulations for Superyachts

Matt

Cyber security for newbuild and refit yachts is quietly moving from “best practice” to “basic safety.” For crew, especially those involved in builds or yard periods, that has some very practical consequences.

1. Cyber is now part of “designing a safe yacht”

Regulators and class bodies expect cyber risk to be managed in the same structured way as fire, stability or machinery:

  • The network must be designed with clear “zones” (e.g. navigation, propulsion, safety, hotel IT, crew Wi‑Fi) and controlled connections (“conduits”) between them.
  • There has to be an asset inventory of all computer‑based safety‑relevant systems: ECDIS, DP, autopilot, engine control, power management, steering, fire detection, radio, internal comms, etc.
  • The design must show how critical systems are protected from non‑critical ones (for example, crew internet or guest Wi‑Fi should not be able to directly affect navigation or propulsion).

For crew: expect more questions about “which zone is this system in?” and “what else shares that network?”
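A design review can check the zone and conduit drawing mechanically. The sketch below is an added example, not part of the original article or of any class rule text: it flags conduits that let a non-critical zone reach a critical one, and goes one step beyond the "directly" wording above by also following chains of conduits. The `dmz` zone, the conduit list and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed design data: zone names follow the article's examples; the
# "dmz" zone and every conduit below are hypothetical.
CRITICAL = {"navigation", "propulsion", "safety"}
ZONES = CRITICAL | {"hotel_it", "crew_wifi", "guest_wifi", "dmz"}

# (source, destination): source may initiate traffic towards destination.
CONDUITS = [
    ("navigation", "dmz"),       # nav data published outwards only
    ("hotel_it", "dmz"),
    ("crew_wifi", "hotel_it"),
    ("guest_wifi", "hotel_it"),
    ("dmz", "propulsion"),       # design error: path into a critical zone
]

def direct_violations(conduits, critical):
    """Conduits where a non-critical zone can initiate into a critical one."""
    return [(s, d) for s, d in conduits if s not in critical and d in critical]

def reachable_critical(start, conduits, critical):
    """Critical zones reachable from `start` by chaining conduits (BFS)."""
    graph = {}
    for s, d in conduits:
        graph.setdefault(s, set()).add(d)
    seen, queue, hits = {start}, deque([start]), set()
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                if nxt in critical:
                    hits.add(nxt)
    return hits

def audit(zones, conduits, critical):
    """Map each non-critical zone to the critical zones it can reach."""
    report = {}
    for zone in sorted(zones - critical):
        hits = reachable_critical(zone, conduits, critical)
        if hits:
            report[zone] = sorted(hits)
    return report

if __name__ == "__main__":
    print("direct:", direct_violations(CONDUITS, CRITICAL))
    for zone, hits in audit(ZONES, CONDUITS, CRITICAL).items():
        print(f"{zone} can reach {hits}")
```

In the sample data only one conduit is wrong, yet crew and guest Wi‑Fi both end up with a path to propulsion, which is the kind of finding a per-conduit review misses.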

2. Every safety‑relevant system is being re‑labelled from a cyber point of view

Shipyards and suppliers now have to classify each system roughly as:

  • Out of scope: Not part of safety for ship control and not connected to those networks (e.g. some hotel systems).
  • Negligible risk: Very simple, no network, no USBs, often physically locked down (e.g. a purely mechanical system or a fixed‑firmware device in a sealed cabinet).
  • In scope: Any system that is computer‑based and connected – especially if it can affect propulsion, steering, power, navigation, fire, or emergency response.

Remote access systems are always treated as in scope because they provide a path from shore onto the yacht.

For crew: if you’re responsible for a system, you’ll increasingly be asked:

  • Does it have network or USB access?
  • Who can log in, from where, and with what credentials?
  • What happens if it misbehaves or is unavailable?

3. Remote access is no longer a casual convenience

Historically, many AV/IT and OT suppliers had always‑on remote access so they could “jump in and fix it.” Under the new mindset:

  • Remote access should go through controlled gateways, with logs and permissions.
  • There should be a permit‑to‑work style process: who requested access, for what, when, and when it’s switched off again.
  • Permanent “back doors” into navigation, propulsion, or power systems are being phased out or heavily restricted.

For crew: you’ll likely be expected to:

  • Know which vendors have remote access to which systems.
  • Be able to enable/disable access on demand and record it.
  • Push back if a supplier wants always‑on access without controls.
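The permit‑to‑work idea becomes auditable once gateway session logs are compared against the permit register. The following is an added example, not from the original article: the record layouts, permit IDs, vendor names and system names are all constructed, and a real remote access gateway will export its logs in its own format.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed permit register: who may access which system, and when.
PERMITS = [
    {"id": "PTW-001", "vendor": "av-vendor", "system": "hotel_av",
     "start": "2026-03-02 09:00", "end": "2026-03-02 11:00"},
    {"id": "PTW-002", "vendor": "engine-oem", "system": "engine_control",
     "start": "2026-03-03 14:00", "end": "2026-03-03 15:00"},
]

# Constructed gateway log: (vendor, system, start, end); end None = still open.
SESSIONS = [
    ("av-vendor", "hotel_av", "2026-03-02 09:10", "2026-03-02 10:40"),
    ("engine-oem", "engine_control", "2026-03-03 14:05", "2026-03-03 17:30"),
    ("engine-oem", "power_management", "2026-03-03 14:20", "2026-03-03 14:30"),
    ("av-vendor", "hotel_av", "2026-03-05 22:00", None),
]

def ts(text):
    return datetime.strptime(text, FMT)

def audit_sessions(sessions, permits):
    """Return (vendor, system, start, reasons) for sessions that break the process."""
    findings = []
    for vendor, system, start, end in sessions:
        # A permit covers a session if vendor and system match and the
        # session started inside the approved window.
        covering = [p for p in permits
                    if p["vendor"] == vendor and p["system"] == system
                    and ts(p["start"]) <= ts(start) <= ts(p["end"])]
        reasons = []
        if not covering:
            reasons.append("no permit")
        if end is None:
            reasons.append("still open")
        elif covering and ts(end) > max(ts(p["end"]) for p in covering):
            reasons.append("overran permit")
        if reasons:
            findings.append((vendor, system, start, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_sessions(SESSIONS, PERMITS):
        print(finding)
```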

4. Onboard cyber testing becomes a normal part of sea trials

As delivery approaches, there will be formal tests, witnessed by the class or surveyors, to demonstrate that the cyber design actually works. These typically include:

  • Network segregation tests:
    • Confirm that a compromise in one zone (e.g. crew internet) cannot directly affect safety‑critical zones.
    • Verify firewalls and VLANs behave as designed.
  • Access control checks:
    • User accounts and roles are set correctly (no generic “admin/admin”).
    • Password policies and MFA (where appropriate) are in place, and accounts are removed when crew members depart.
  • Remote access and USB procedures:
    • Demonstrate how remote sessions are controlled and logged.
    • Show how USBs are handled (blocked, scanned on a dedicated station, or both).
  • Backup and recovery drills:
    • Evidence that critical systems are backed up.
    • A realistic demonstration of how the yacht would recover key functions after a major cyber incident (e.g. corrupted navigation PC, infected automation station).

For crew: think of this like a fire drill for your IT/OT systems. You may be involved in:

  • Running the tests
  • Providing evidence (screenshots, logs, procedures)
  • Fixing gaps found during the trial

5. Timelines are tight - 2026-27 will be busy

There is a big wave of newbuilds all coming through with similar contractual dates. That means:

  • Classification societies and suppliers will be extremely busy checking drawings, issuing approvals, and supporting tests.
  • Projects that leave cyber to the last minute could face delays, re‑work and cost overruns if systems aren’t ready or documentation is incomplete.
  • Yachts nearing delivery may discover that missing cyber paperwork or failed tests can hold up class notation and handover.

For crew: if you’re on a build or heavy refit, getting cyber right early protects your own timelines too – fewer last‑minute crises and fewer “why didn’t anyone tell us?” moments.

6. What this means day‑to‑day for superyacht crew

You don’t have to be a cyber engineer, but you will be expected to:

  • Treat cyber controls as part of safety management, not just “IT stuff.”
  • Understand, at a high level, which systems are critical, which networks they’re on, and who can touch them.
  • Follow and enforce remote access, password, and USB policies, even when it’s inconvenient.
  • Help keep asset inventories and documentation up to date when systems change or new equipment is fitted.
  • Participate in training and drills around cyber incidents, just as you do for fire, man overboard, or abandon ship.

If you’re a Captain, Chief Engineer, ETO/AVIT, or head of department, this is where you can really add value: by making sure cyber requirements are built into everyday operations, not bolted on at the end.

 
