Maritime Cybersecurity 2026: From Compliance Checkbox to Operational Imperative
Inmarsat's NexusWave achieves ClassNK Type Approval — as the industry confronts a 103% surge in attacks and a generational shift in how cyber resilience is defined
A Landmark Certification in a Stormy Threat Environment
Inmarsat Maritime's NexusWave — its fully managed, bonded multi-network connectivity service — has become one of the first integrated onboard ICT systems to receive Cyber Security Type Approval from ClassNK, one of the world's leading ship classification societies. The award follows a rigorous assessment of NexusWave's complete onboard architecture against IACS Unified Requirement UR E27 (Rev.1), the international standard governing the cyber resilience of shipboard systems and equipment.
UR E27 applies to onboard systems and equipment, and together with UR E26 — which applies to ships as a whole — aims to establish minimum requirements for the cyber resilience of newly built vessels.
What makes the NexusWave certification particularly notable is the scope of ClassNK's evaluation. Rather than assessing individual components in isolation, ClassNK verified the system within the context of NexusWave's onboard ICT architecture — including onboard network equipment, relevant orchestration processes, and managed service edge infrastructure components. By assessing the system as an integrated onboard ICT architecture, the certification supports system-level cyber resilience in line with the intent of UR E27.
This systems-level approach reflects a broader philosophical shift in maritime cybersecurity: the recognition that a vessel's digital attack surface cannot be understood — or defended — one component at a time.
Why Now: The Numbers Behind the Urgency
The timing of this certification is no coincidence. Maritime cyber incidents in 2025 surged by 103% compared to 2024, emerging as a critical threat to maritime safety. DDoS attacks, ransomware, and malware infections account for most of these incidents, with their growth rate more than doubling over the past year.
This isn't simply more of the same threat at greater volume. The nature of attacks is shifting. AI-driven sabotage is expected to enter a new phase in 2026 defined by agent-based autonomous attacks. The 2025 case involving the China-linked group GTG-1002 demonstrated that AI agents can perform up to 90% of the attack lifecycle — from vulnerability analysis to data exfiltration — without human intervention. This development lowers the barrier to entry, enabling less-skilled actors to conduct highly sophisticated, nation-state-level attacks at scale.
Against this backdrop, the incident data from 2024 and 2025 proves that maritime cybersecurity is no longer an "option" but a matter directly linked to a vessel's "right to operate."
The IACS Regulatory Framework: UR E26 and UR E27 Explained
The twin pillars of the new maritime cybersecurity regulatory landscape are IACS Unified Requirements E26 and E27, which entered into force in July 2024 for vessels contracted for new construction.
UR E26 treats the vessel as one integrated, cyber-resilient system across four lifecycle phases: design and construction (asset inventory, security zone diagrams, cyber design description); commissioning (executing a cyber-resilience test procedure on all security controls); operation (maintaining a Ship Cyber Security and Resilience Programme); and maintenance (ensuring all software updates to critical systems follow controlled change management).
UR E27 aims to support manufacturers and OEMs of onboard operational systems and equipment in evaluating and improving their cyber resilience. It offers comprehensive instructions relating to security philosophy, documentation, system requirements, secure development lifecycle requirements, and plan approval.
Together, the two URs create an interlocking compliance architecture: E26 ensures the ship is designed as a secure system; E27 ensures each piece of equipment within that system meets a defined security baseline before it is ever installed onboard.
CYTUR defines 2026 as the "first year of practical verification," as cybersecurity compliance under UR E26 and UR E27 shifts from design-stage documentation to operational enforcement. Vessels contracted after July 2024 are now approaching delivery, meaning compliance will be tested during sea trials and classification inspections — not assessed solely on technical drawings. Failure to meet these cybersecurity standards during sea trials may render ship delivery impossible.
What NexusWave's Approval Means in Practice
NexusWave is Inmarsat Maritime's flagship multi-network bonded connectivity service, aggregating VSAT, LEO, and terrestrial LTE signals into a single managed pipe. Its approval under UR E27 carries significance beyond a single product milestone — it signals that managed connectivity services, not just standalone hardware, are entering the formal certification ecosystem.
The assessment covered not just onboard hardware but the full stack: network equipment, orchestration processes, and the managed service edge infrastructure that connects ship to shore. This matters because, as past incidents have demonstrated, connectivity services are a primary attack vector. The DNV ShipManager ransomware attack in January 2023 affected approximately 1,000 vessels across 70 customers globally. The attack targeted DNV's cloud-based fleet management software, forcing complete shutdown of IT servers connected to vessel operations — exposing UR E26's failure to address dependencies on shore-based software providers and SaaS platforms critical to vessel operations.
NexusWave's certification, by encompassing managed service edge infrastructure alongside onboard components, represents an attempt to close exactly this kind of gap — bridging the ship-to-shore boundary that has historically been a blind spot in maritime cyber assurance.
The Deeper Challenge: Legacy Fleets and the OT/IT Integration Problem
While new-build regulations are tightening, the majority of the world's operating fleet was contracted before July 2024 and falls outside the mandatory scope of UR E26 and E27. The IACS E26 and E27 cyber requirements are mandatory for new ships contracted for construction, and recommended for existing fleets.
This creates a two-speed maritime cybersecurity environment: a growing cohort of new, cyber-resilient vessels operating alongside thousands of older ships protected only by IMO MSC.428(98)'s requirement to incorporate cyber risk management into Safety Management Systems — a standard widely acknowledged as less prescriptive and harder to enforce uniformly.
The challenge is compounded by the structural complexity of modern vessels. Ships increasingly integrate legacy Operational Technology (OT) — propulsion controls, navigation systems, cargo management — with modern IT networks and connectivity services. These systems were designed in different eras, with different assumptions about security. Higher-speed and lower-latency connectivity through LEO services, while operationally valuable, also makes vessels more attractive targets for malicious attacks. More bandwidth means more attack surface.
Industry Fragmentation: The Systemic Obstacle
Even where the will exists to improve, coordination remains elusive. Industry associations and classification societies need to develop prescriptive technical requirements for UR E26/E27 implementation while creating cybersecurity notation programs beyond minimum requirements. Industry-wide cybersecurity information sharing initiatives, common standards development, and mutual support mechanisms for incident response would provide collective defense capabilities.
The absence of such coordination is a documented weakness. Incident intelligence remains siloed between shipowners, flag states, port authorities, and service providers. Attack patterns observed in one fleet rarely reach others in time to prevent replication. Maritime Security Operations Centres (MSOCs) are emerging, but coverage remains uneven across geographies and vessel types.
The Road Ahead: From Type Approval to Operational Culture
Certification is a necessary condition for maritime cyber resilience — but not a sufficient one. While implementation of UR E26/E27 will provide full visibility of a vessel's computer assets and network infrastructure, the URs have limitations: they leave room for a more in-depth risk-assessment process and for organisations to give additional attention to cybersecurity policy and associated procedures.
In other words, standards define the floor, not the ceiling. A vessel that meets every requirement of UR E27 can still be compromised if its crew lacks training to detect anomalies, if its incident response plan hasn't been tested under realistic conditions, or if its shore-based operations centre lacks the monitoring capability to detect intrusions in real time.
Maritime organisations must move from reactive defense to a proactive security posture driven by Maritime Cyber Threat Intelligence. Real-time monitoring of GPS spoofing, ransomware campaigns, and VSAT vulnerabilities, combined with intelligence sharing through Maritime Security Operations Centres, enables preventative action such as preemptive patching and heightened surveillance in high-risk waters. A lifecycle-based threat modelling framework, applied from vessel design to decommissioning, is essential to identify vulnerabilities across IT and OT systems.
The NexusWave UR E27 approval is a meaningful step in the right direction — and a benchmark the wider industry will increasingly be measured against. But with cyberattacks more than doubling in a single year and AI-powered adversaries arriving on the horizon, the industry has no margin for treating certification as an end point.
The sea is a harder place to patch than a data centre. Security must be built in from the start — and continuously verified thereafter.