E27 Page 1 of 20 IACS Req. 2022/Rev.1 2023 E27 (cont) Cyber resilience of on-board systems and equipment 1. General 1.1 Introduction Technological evolution of vessels, ports, container terminals, etc. and increased reliance upon Operational Technology (OT) and Information Technology (IT) has created an increased possibility of cyber -attacks to affect business, personnel data, human saf ety, the safety of the ship, and also possibly threaten the marine environment. Safeguarding shipping from current and emerging threats must involve a range of controls that are continually evolving which would require incorporating security features in the equipment and systems at design and manufacturing stage. It is therefore necessary to establish a common set of minimum requirements to deliver systems and equipment that can be described as cyber resilient. This document specifies unified requirements for cyber resilience of on- board systems and equipment. 1.2 Limitations This UR does not cover environmental performance for the system hardware and the functionality of the software. In addition to this UR, following URs shall be applied: - UR E10 for environmental performance for the system hardware - UR E22 for safety of equipment for the functionality of the software Note: 1. The Unified Requirement published in April 2022 was withdrawn before coming into force on 1 January 2024 2. Rev.1 to this UR is to be uniformly implemented by IACS Societies on ships contracted for construction on or after 1 July 2024 and may be used for other ships as non- mandatory guidance. 3. The “contracted for construction” date means the date on which the contract to build the vessel is signed between the prospective owner and the shipbuilder. For further details regarding the date of “contract for construction”, refer to IACS Procedural Requirement (PR) No. 29. E27 (Apr 2022 Withdrawn) (Rev.1 Sep 2023) E27 Page 2 of 20 IACS Req. 2022/Rev.1 2023 E27 (cont) 1.3 Scope of applicability The requirements specified in this UR are applicable to computer based systems specified in UR E 26 for the following types of vessels: Mandatory requirements for a) Passenger ships (including passenger high- speed craft) engaged in international voyages b) Cargo ships of 500 GT and upwards engaged in international voyages c) High speed craft of 500 GT and upwards engaged in international voyage d) Mobile offshore drilling units of 500 GT and upwards e) Self-propelled mobile offshore units engaged in construction (ie wind turbine installation maintenance and repair, crane units, drilling tenders, accommodation, etc) Non-mandatory guidance to a) Ships of war and troopships b) Cargo ships less than 500 gross tonnage c) Vessels not propelled by mechanical means d) Wooden ships of primitive build e) Passenger yachts (passengers not more than 12). f) Pleasure yachts not engaged in trade g) Fishing vessels h) Site specific offshore installations (i.e. FPSOs, FSUs, etc) For navigation and radiocommunication systems , the application of IEC 61162- 460 or other equivalent standards in lieu of the required security capabilities in UR E27 section 4 may be accepted by the Society, on the condition that requirements in IACS UR E26 are complied with. 1.3.1 Information and Communication Technology (ICT) Attention is made to additional IACS documents on Computer Based Systems and Cyber Resilience as follows: IACS UR E22 “Computer based systems ” includes requirements for design, construction, commissioning and maintenance of computer -based systems where they depend on software for the proper achievement of their functions. The requirements in E22 focus