Global Maritime Regulatory Compliance Review: IACS UR E26 & E27 Implementation Analysis (H2 2025)

1. Executive Summary

The second half of 2025 represents a watershed moment in the maritime industry's transition toward a fully cyber-resilient operational framework. Following the mandatory entry into force of the International Association of Classification Societies (IACS) Unified Requirements (UR) E26 and E27 on July 1, 2024, the subsequent twelve months were characterized by initial friction, interpretive ambiguity, and preparatory calibration. However, the period spanning July 1, 2025, to December 31, 2025, has witnessed a definitive maturation of the compliance landscape. The industry has shifted from theoretical preparation to tangible, certified execution, evidenced by a surge in Type Approvals for critical Operational Technology (OT) and the successful delivery of the first generation of "cyber-notated" vessels.

This report provides an exhaustive analysis of the compliance ecosystem during this critical semester. It synthesizes data from classification society rule updates, manufacturer certifications, shipyard announcements, and major industry events to construct a comprehensive picture of the current state of maritime cyber resilience. The analysis reveals that the "compliance lag"—the temporal gap between regulatory mandates and industrial adoption—is rapidly closing, driven by the aggressive mobilization of the supply chain and the rigorous enforcement of new class rules.

A defining characteristic of H2 2025 has been the convergence of cyber resilience with decarbonization. The data indicates a strong correlation between "green" vessel technologies and cyber certification. A significant proportion of the Approvals in Principle (AiP) granted during this period—particularly those unveiled at Gastech 2025—were for next-generation assets such as ammonia-fueled carriers, electric propulsion container ships, and autonomous systems. This suggests that the industry no longer views cyber resilience as a standalone regulatory hurdle but as an intrinsic, non-negotiable quality of the "smart" and "sustainable" vessel transition.

Furthermore, the latter half of 2025 saw the emergence of distinct regional strategies. Japanese stakeholders, led by ClassNK and major manufacturers like Furuno and Nabtesco, have emphasized hardware certification and rigorous guideline adherence. In contrast, the South Korean shipbuilding cluster, dominated by HD Hyundai and Samsung Heavy Industries (SHI), has focused on integrated system approvals that bundle cyber security with complex alternative fuel technologies. Meanwhile, European entities have pioneered the application of these standards in the specialized offshore wind sector.

This report dissects these developments through a structured analysis of regulatory evolution, supply chain dynamics, shipyard integration strategies, and strategic industry events, offering a detailed roadmap of the maritime sector's digital fortification.

2. Regulatory Evolution and Classification Society Dynamics (H2 2025)

The enforcement mechanism for IACS URs lies with the individual classification societies. In the latter half of 2025, these organizations moved beyond the initial adoption phase to refine their rule sets, offering granular guidance that addresses the practical challenges encountered during the first year of mandatory compliance. This period was marked by a shift from generic interpretations to specific, operationally adaptable frameworks.

2.1 DNV: The "Fleet-in-Service" and Rule Overhaul

DNV, maintaining its position as a dominant force in maritime standardization, executed a comprehensive update to its regulatory framework in July 2025. This update was crucial for integrating cyber resilience into the standard vessel lifecycle management, moving it from a design-phase consideration to a continuous operational requirement.

2.1.1 July 2025 Rule Edition

The July 2025 edition of DNV's Rules for Classification of Ships introduced critical clarifications regarding the Cyber Secure (Essential) notation.¹ This notation, which became mandatory for newbuilds contracted after July 1, 2024, is fully aligned with IACS UR E26 and E27. The 2025 update formalized the transition of this requirement from a "new rule" to a standard operational procedure for shipyards and owners.

One of the most significant structural changes in the 2025 rules was the bifurcation of class notations into "Design" and "In-Operation" categories.² Previously, cyber security notations often conflated technical design features with operational management. The new structure explicitly distinguishes between the physical and technical design of the vessel—covered under the CYBER SECURE design notation—and the operational management systems, covered under the Cyber Security Management System (CSMS) in-operation notation.² This nuance is critical for shipowners, as it acknowledges that a vessel designed with robust cyber resilience can still be operated insecurely if management processes fail. It allows for a more targeted compliance assessment, where a lapse in operational procedure does not necessarily invalidate the vessel's design certification.

2.1.2 Fleet-in-Service Rules (Effective July 2025)

Perhaps the most impactful bureaucratic development was the release of the new Fleet-in-Service rules, which became available via the DNV Veracity portal starting June 14, 2025.² These rules clarify retention schemes for vessels already in operation. While UR E26 is primarily a newbuild standard, the Fleet-in-Service update provides a clear pathway for "In-Operation" notations to be applied to existing fleets. This creates a bridge for owners who wish to harmonize the cyber posture of their legacy tonnage with their newbuilds, ensuring a consistent fleet-wide security standard.

The update also introduced the CO2 RECOND notation in July 2025.³ While primarily a decarbonization notation focused on the reconditioning of carbon dioxide for capture and storage, its introduction parallels the cyber updates. The complex process control systems required for CO2 reconditioning fall squarely under the scope of "Essential Systems" in UR E26, highlighting the increasing interdependence of environmental compliance and cyber resilience.

2.2 ClassNK: The August 2025 Guidelines

ClassNK (Nippon Kaiji Kyokai) adopted a proactive educational approach in H2 2025. In August 2025, the society released updated editions of its guidelines for both E26 and E27, reflecting the "lessons learned" from the first year of mandatory implementation.

2.2.1 Guidelines for Cyber Resilience of Ships (Edition 1.1)

Published in August 2025, Edition 1.1 serves as a detailed commentary on Part X (UR E26) of ClassNK's Rules.⁴ The revision was driven by a need for "more practical examples" and "enhanced explanations," addressing specific areas of confusion that arose during the initial implementation phase.⁴

A primary focus of the updated guidelines is the clarification of the document submission process during the commissioning phase. This phase is a critical bottleneck where the physical verification of cyber defenses—such as network segmentation tests and access control validation—must occur before vessel delivery. The guidelines provide explicit instructions for Systems Integrators (typically the shipyards) on how to document these tests, ensuring that the transition from construction to operation is seamless and compliant.⁴

2.2.2 Guidelines for On-Board Systems (UR E27)

Simultaneously, ClassNK updated its guidance for UR E27 in August 2025.⁵ This document is critical for manufacturers, as it interprets the IEC 62443 standards within the context of ClassNK's approval process. The guidelines place a renewed emphasis on the Secure Development Lifecycle (SDL) requirements.⁵ They mandate that suppliers must provide evidence not just that the final product is secure, but that the process used to build it incorporated security at every stage. This includes requirements for secure coding practices, vulnerability testing during development, and rigorous change management procedures.

2.3 ABS: The "Cyber Resilience (CR)" Expansion

The American Bureau of Shipping (ABS) focused heavily on extending cyber resilience concepts into the offshore and retrofit markets in H2 2025, demonstrating that compliance is not limited to conventional commercial shipping.

2.3.1 The "CR-Ex" Notation

In a landmark development in September 2025, ABS awarded the first CR-Ex (Cyber Resilience-Existing) notation to Jana Marine Services for three self-elevating units: JANA 505, JANA 508, and JANA 509.⁶ This event is significant because it represents the successful migration of E26 principles—originally designed for newbuilds—into the existing fleet. The "Ex" designation explicitly acknowledges that these are not new vessels but have undergone retrofits or procedural upgrades to meet the cyber resilience standards. This signals a growing market appetite for retrofitting cyber compliance, likely driven by charterer requirements in high-value sectors like offshore energy, where asset integrity is paramount.

2.3.2 Wireless Safety Systems Approval

In October 2025, ABS awarded an Approval in Principle (AiP) to Samsung Heavy Industries (SHI) for a novel wireless fire and gas detection system.⁷ Wireless systems have historically been viewed with caution in cyber resilience frameworks due to their susceptibility to jamming and interception. By granting an AiP, ABS has signaled that wireless safety systems can meet E26 requirements if they employ robust countermeasures, such as proprietary encryption protocols and signal monitoring. This approval challenges traditional hard-wired architectures and opens the door for more flexible, cost-effective safety system designs in the future.

2.4 Bureau Veritas (BV) and Korean Register (KR)

Bureau Veritas (BV) and the Korean Register (KR) also made significant strides in H2 2025, focusing on collaborative projects and the integration of cyber standards with green technologies.

2.4.1 BV's Dynamic Testing JDP

In December 2025, BV launched a Joint Development Project (JDP) with Hyundai LNG Shipping and Igloo Corporation.⁸ This project is notable because it moves beyond static certification to testing "security policy, monitoring, and response" in an operational environment using Igloo's SPiDER OT platform. This represents a shift toward dynamic, real-time compliance monitoring, where the vessel's cyber posture is continuously assessed rather than just checked at delivery.

2.4.2 KR's Green-Cyber Nexus

Korean Register's announcements, particularly at Gastech 2025, underscored the deep connection between cyber resilience and alternative fuels. By certifying the cyber resilience of systems like the Ammonia Safety System (Hi-CLEARS) and LNG Boil-Off Gas (BOG) Treatment ⁹, KR is ensuring that the new risks introduced by volatile alternative fuels are managed through secure digital systems.

3. The Supply Chain Revolution: UR E27 Implementation

The second half of 2025 saw a rapid acceleration in the issuance of Type Approvals for onboard systems. Under IACS UR E27, critical systems (Essential Systems) must be certified for cyber resilience. The diversity of systems receiving approval—from navigation and internal communications to propulsion control and remote monitoring—indicates that the supply chain has largely mobilized to meet the new standards. This "compliance surge" suggests that suppliers who failed to secure certification in the first half of the year are now scrambling to catch up, as shipyards enforce strict vendor lists for post-2024 contracts.

3.1 Navigation and Bridge Systems

The bridge remains the most interconnected, and therefore most scrutinized, zone on a vessel. Manufacturers in this domain have been among the first to achieve compliance, driven by the immediate need to integrate these systems into newbuild designs.

• Furuno (July 2025): In July 2025, Furuno announced the completion of its compliance assessment for DNV Security Profile 1.¹¹ This profile is DNV's specific mapping of IACS UR E27 requirements. Furuno's compliance covers a broad suite of equipment, including the FAR-series Radars, ECDIS, and crucially, the HermAce remote monitoring platform.¹²

  • Context: The inclusion of "HermAce" is particularly significant. Remote maintenance platforms act as gateways between the ship's trusted OT network and untrusted shore networks. By certifying the platform itself, Furuno secures the entire remote-access conduit, satisfying a key requirement of UR E26 regarding third-party connectivity.

• NACOS Platinum (December 2025): Wärtsilä/NACOS Marine announced that its NACOS Platinum Integrated Navigation System (INS) received DNV Type Approval in December 2025.¹³

  • Context: This approval explicitly cites compliance with IEC 61162-460 Edition 3, a standard specifically designed for maritime navigation networks. This highlights the "standards interoperability" that manufacturers are leveraging. By adhering to IEC 61162-460, NACOS ensures that its system can be easily integrated into broader shipboard networks while meeting the rigorous segmentation requirements of E27.

• Danelec (July 2025): On July 1, 2025, Danelec received DNV E27 Type Approval for its Onboard Insights solution.¹⁴

  • Context: Danelec had previously secured approvals for its Voyage Data Recorders (VDRs). Onboard Insights is a data collection and analytics platform that aggregates high-frequency data from various ship sensors.

  • Significance: As a system that centralizes data flow from multiple critical systems to the cloud, Onboard Insights represents a high-value target. Its certification is vital for shipowners who need to prove that their performance monitoring tools do not introduce vulnerabilities into the vessel's critical infrastructure.

3.2 Communication and Safety Systems

Internal communication systems, previously considered low-risk, are now recognized as critical safety systems requiring E27 compliance. Their integration into the ship's IP network makes them potential vectors for lateral movement if left unsecured.

• Zenitel (November 2025): In November 2025, Zenitel's EXIGO PAGA (Public Address and General Alarm) system achieved DNV Type Approval (Cyber Secure – Essential).¹⁵

  • Context: PAGA systems are SOLAS-mandated safety equipment. A cyberattack disabling the alarm system during an emergency could have catastrophic consequences. Zenitel's approval confirms that even audio systems are now being hardened with secure boot, encryption, and strict access controls.

  • Restriction: The approval applies only to new deliveries from Zenitel's headquarters in Horten and covers specific hardware and firmware versions. It explicitly excludes existing installations, emphasizing the difficulty and limitations of retrofitting E27 compliance onto legacy hardware.¹⁵

• MarPoint (H2 2025): MarPoint's Evo2 MultiRouter and UNI Vessel Virtualization Server achieved ABS Type Approval under UR E27 standards.¹⁶

  • Context: The Evo2 MultiRouter acts as the central gateway for vessel communications, managing satellite links and crew internet access. Securing this device is paramount for network segregation (UR E26). The UNI server, which hosts virtual machines for various shipboard applications, represents a modern, consolidated IT/OT architecture. Its certification allows shipowners to deploy virtualized applications with the assurance that the hosting environment meets rigorous cyber resilience standards.

3.3 Operational Technology (OT) & Automation

The engine room and power management systems are the core of UR E26/E27 concern due to the risk of physical damage and loss of propulsion.

• Høglund (May 2025 / H2 Impact): Høglund's Integrated Automation System (IAS) received DNV's Cyber Secure (Essential) notation, confirming compliance with Security Profile 1 and IACS UR E27.¹⁷

  • Context: The IAS is the brain of the ship's machinery, controlling engines, power management, and cargo systems. Certification of the IAS is a prerequisite for the entire vessel's E26 compliance.

  • Documentation: The approval requires that each delivery be accompanied by a vessel-specific product certificate (PC), based on an assessment of the specific topology and asset inventory for that ship.¹⁸ This underscores that E27 is not just a "type" approval but requires per-vessel verification of configuration.

• Kongsberg Maritime (May 2025 / Valid to 2030): Kongsberg issued a Statement of Compliance for its LVD-1/LVD-2 Low Voltage Drives.¹⁹

  • Context: These drives control propulsion motors and thrusters. For Dynamic Positioning (DP) vessels, the drive controller is effectively the steering system.

  • Crucial Distinction: The statement explicitly notes: "Regardless of the assessment... an assessment in accordance with UR E26 has to be carried out on a project-specific basis." This highlights a critical friction point in the industry: E27 equipment certification facilitates, but does not automatically grant, E26 vessel compliance. The integration of the certified drive into the ship's specific network architecture must still be verified by the shipyard and class society.

• Nabtesco (Japan): Nabtesco's marine engine remote control system (M-800 series) obtained Type Approval from DNV.²⁰

  • Context: This was the first such approval for a Japanese marine equipment manufacturer. As a dominant supplier of engine controls, Nabtesco's compliance ensures that the interface between the bridge and the main engine—one of the most critical conduits on a ship—is secured against manipulation.

• Bachmann: Bachmann received Bureau Veritas Type Approval for its M200 series controllers.²¹ These industrial controllers are widely used in maritime automation. The certificate attests to compliance with relevant standards, ensuring that the foundational hardware used in various automation systems is secure.

3.4 Cybersecurity Solutions (The "Cyber" Supply Chain)

A new category of "Type Approval" has emerged for software specifically designed to provide cybersecurity monitoring and management.

• Rakuten Maritime (October 2025): Rakuten Maritime's cybersecurity solution was honored with the SAFETY4SEA Cyber Security Award in October 2025.²²

  • Context: The solution had previously received a ClassNK Innovation Endorsement.²⁴

  • Significance: The award recognized its "Secure by Design" strategy and comprehensive compliance with E26/E27. This validates the business model of third-party "Cybersecurity as a Service" providers entering the maritime market. These providers offer the tools (CSMS software, monitoring platforms) that shipowners need to manage their ongoing E26 obligations.

4. Shipyard Integration & Newbuild Delivery: UR E26 in Action

While suppliers focus on E27, the burden of UR E26 falls on the shipyards, acting as Systems Integrators. In H2 2025, major shipyards, particularly in South Korea and Europe, demonstrated their ability to deliver compliant vessels. Gastech 2025, held in Milan from September 9-12, served as a primary stage for these demonstrations.

4.1 HD Hyundai Group: The "Smart Green" Integration

HD Hyundai (comprising HHI, KSOE, and Mipo) utilized Gastech 2025 to showcase a unified strategy that bundles cyber resilience with advanced green technologies. They effectively communicated that a sustainable ship must also be a secure ship.

• 16,000 TEU Electric Propulsion Container Ship (September 2025): HD KSOE and HD HHI received an ABS Approval in Principle (AiP) for this massive electric vessel design.²⁵

  • Integration Challenge: An electric ship functions as a massive battery on water, managed entirely by software. The Battery Management System (BMS) and Power Management System (PMS) are safety-critical OT systems. A cyberattack on these systems could lead to power loss or thermal runaway.

  • Compliance: The ABS AiP implies that the vessel's electrical architecture was reviewed against ABS's cyber standards, ensuring that the complex data flows controlling the electric propulsion are protected by E26-compliant zones and conduits.

• LNG Boil-Off Gas (BOG) Treatment System (September 2025): HD HHI and Donghwa Pneutec received a Korean Register (KR) AiP for a new BOG treatment system.⁹

  • Integration Challenge: BOG systems involve precise pressure and temperature control. Automation failure here can lead to tank overpressure or venting. The automation must be isolated from general IT networks to prevent external manipulation.

  • Compliance: The KR approval under E27 (for the system) allows it to be integrated into E26-compliant LNG carriers, providing a "pre-validated" block for the shipyard to insert into the vessel's larger cyber architecture.

• IoT-Based Smart Accommodation System (September 2025): HD Hyundai Mipo received a KR AiP for this crew welfare system.⁶

  • Integration Challenge: This directly addresses the "Crew Welfare" vector, which E26 brings into scope if connected to the ship's network. Securing IoT devices in crew quarters (smart lights, HVAC control) is notoriously difficult due to the proliferation of consumer-grade hardware.

  • Compliance: The AiP suggests a managed architecture where the crew welfare network is strictly segmented (via VLANs and firewalls) from the vessel's operational backbone, allowing for comfort without compromising safety.

• Ammonia Safety System (Hi-CLEARS) (September 2025): HD HHI and KSOE received KR AiP for this system.¹⁰

  • Integration Challenge: Ammonia is highly toxic. The release mitigation system is a critical life-safety system. It relies on sensors to detect leaks and trigger scrubbers.

  • Compliance: Cyber resilience is essential to prevent false negatives (masking a leak) or false positives (triggering shutdowns unnecessarily). The certification ensures the integrity of the sensor data and the availability of the control logic.

4.2 Samsung Heavy Industries (SHI)

SHI focused on certifying specific safety and maintenance technologies that support the broader smart ship ecosystem.

• Wireless Fire & Gas Detection (October 2025): ABS awarded an AiP to SHI for a novel wireless fire and gas detection system.⁷

  • Innovation: Wireless systems introduce unique risks, such as signal jamming or spoofing (Layer 1/2 attacks), which are generally frowned upon in strict cyber frameworks.

  • Compliance: Obtaining an AiP for a wireless safety system in the post-E26 era is a major technical achievement. It implies that SHI demonstrated robust countermeasures—such as proprietary encryption, frequency hopping, and continuous signal health monitoring—that satisfied ABS's concerns about "Casual or Coincidental Access" (a key E27 requirement).

• Condition-Based Maintenance (November 2025): SHI's condition-based maintenance system received certification (likely from LR or DNV).²⁶

  • Compliance: CBM systems require the continuous export of data from ship machinery to shore-based analytics platforms. This "trusted-to-untrusted" gateway is a focal point of any E26 review. The certification ensures that the data diode or gateway used prevents any reverse flow of malicious traffic from the shore to the ship's engines.

4.3 North Star & VARD: Offshore Wind Resilience

The delivery of the Grampian Kestrel ²⁶ serves as a prime case study for European compliance in the specialized offshore sector.

• The Vessel: Built by VARD for North Star, the Grampian Kestrel is a Commissioning Service Operation Vessel (CSOV).

• Operational Context: CSOVs are highly automated vessels that use Dynamic Positioning (DP) to hold station next to wind turbines. They serve as "floating data centers," connecting physically to turbines and digitally to wind farm control networks.

• Compliance: The vessel achieved Lloyd's Register's (LR) E26 certification. This was not just a box-ticking exercise but a commercial necessity. Wind farm operators (the clients) demand that connecting vessels do not introduce cyber risks into their critical infrastructure. The E26 notation provides this assurance, proving that cyber resilience is now a "license to operate" in the renewable energy supply chain.

5. Strategic Event Analysis: Gastech 2025

Gastech 2025, held in Milan from September 9-12, 2025 ²⁸, emerged as the single most significant event for maritime technology news in the second half of the year. It effectively functioned as a "Cyber Shipping" conference, despite its energy focus.

5.1 The Catalyst for Approvals

The sheer volume of cyber-related announcements at Gastech 2025 (HD Hyundai's multiple AiPs, DNV's awards, KR's green technology certifications) illustrates that the industry was holding back major validations to present them on this global stage. The event served as a forcing function, driving shipyards and class societies to finalize approvals in time for the show.

5.2 Thematic Convergence

The event highlighted the inextricable link between the energy transition and digitalization. Every major cyber announcement was tied to a new fuel or propulsion technology (Electric, Ammonia, LNG). The message from Gastech 2025 was clear: You cannot build the ships of the future with the analog mindset of the past. The complexity of managing alternative fuels requires advanced digital control systems, and those systems require advanced cyber protection.

6. The Intersection of Decarbonization and Cyber Resilience

A critical insight from H2 2025 is the correlation between decarbonization and cyber resilience. The data suggests that UR E26 is effectively becoming a supporting regulation for the IMO's Greenhouse Gas (GHG) strategy.

6.1 Alternative Fuels as Digital Risks

New fuels like ammonia and hydrogen require vastly more complex monitoring and safety automation than traditional heavy fuel oil.

• Ammonia: Requires toxic gas detection, scrubber automation, and precise temperature control.

• Electric Propulsion: Requires millisecond-level management of power loads and battery cell health.

• Wind-Assist: Requires automated control of sails/rotors based on wind data.

All of these are OT systems. Therefore, a "Green" ship is by definition a "Digital" ship, and thus a "Cyber-exposed" ship. The widespread certification of these green technologies under E26/E27 frameworks in H2 2025 confirms that the industry has accepted this reality.

6.2 The "CO2 RECOND" Example

DNV's introduction of the CO2 RECOND notation in July 2025 ³ is a perfect example. While technically a process notation for carbon capture, the systems it covers (compressors, liquefaction plants) are high-consequence OT. Their inclusion in the rule set necessitates their inclusion in the vessel's cyber asset inventory and risk assessment, effectively merging environmental and digital compliance.

7. Retrofit and Fleet-in-Service: The Existing Fleet Challenge

While UR E26 focuses on newbuilds, H2 2025 saw the first serious moves to address the existing fleet.

7.1 The CR-Ex Precedent

ABS's award of the CR-Ex notation to Jana Marine's liftboats ⁷ challenges the notion that E26 is only for new ships. It suggests that for high-value assets operating in critical infrastructure (like offshore oil and gas fields), charterers are beginning to demand cyber resilience standards comparable to newbuilds. This could trigger a wave of "voluntary" retrofits in 2026, as owners of older tonnage seek to remain competitive against newer, cyber-certified rivals.

7.2 Fleet-in-Service Rules

DNV's updated Fleet-in-Service rules ² provide the administrative framework for this transition. By defining clear "In-Operation" notations, DNV has given shipowners a tool to demonstrate the cyber hygiene of their existing fleets, focusing on management systems (CSMS) even if the hardware cannot be fully upgraded to E26 standards.

8. Future Outlook (2026-2030)

Based on the trajectory observed in late 2025, several strategic trends are likely to define the next phase of maritime cyber resilience.

8.1 Port State Control (PSC) Integration

With the major class societies (DNV, ClassNK) having solidified their "In-Operation" rules, the next logical step is regulatory enforcement at the port level. It is anticipated that Port State Control regimes will begin to include Cyber Security Management Systems (CSMS) in their inspection criteria, likely leveraging the new class notations as prima facie evidence of compliance.

8.2 The "System of Systems" Integration Crisis

As more E27-certified equipment arrives at shipyards in 2026, the burden shifts entirely to the integrators. The industry will likely face challenges in getting diverse certified systems (e.g., a Furuno radar, a Wärtsilä engine, and a Zenitel alarm) to communicate securely without breaking the encrypted "handshakes" required by their individual E27 profiles. This will drive a demand for standardized, cross-vendor security protocols.

8.3 The Rise of "Cybersecurity as a Product"

The success of companies like Rakuten Maritime ²³ and Hanwha Systems ²⁹ suggests a booming market for third-party cybersecurity solutions. Shipowners, lacking internal cyber expertise, will increasingly outsource their CSMS management to these specialized providers, effectively buying "compliance as a service."

In conclusion, the second half of 2025 marked the maritime industry's successful pivot from planning to execution. The regulatory frameworks have been stress-tested and refined, the supply chain has mobilized, and the first generation of compliant vessels is entering service. Cyber resilience has ceased to be a theoretical discussion; it is now a fundamental, operational reality of modern shipping.

9. Appendix: Summary of Key Compliance Milestones (H2 2025)

The following table summarizes the significant compliance events, certifications, and rule updates that occurred in the second half of 2025, providing a quick reference to the "news" data points underpinning this analysis.