Frequently asked questions

Everything you need to know about maritime OT cyber compliance, IACS UR E26/E27, and how Tagsia works.

About Tagsia

What is Tagsia and who is it for?

Tagsia is a maritime OT cybersecurity compliance platform built specifically for ETOs, Chief Engineers, Technical Superintendents, and DPAs working with IACS UR E26 and E27 requirements. It provides playbooks, assessment tools, vault forms, and threat intelligence — all grounded in the actual text of the standards rather than generic IT security advice. Every piece of content is written from the engine room up, not adapted from corporate IT frameworks.

Is Tagsia free to use?

Yes — all playbooks, tools, and vault forms are free to registered users during the current content phase. Registration takes under a minute and requires only an email address. There is no credit card required and no time limit. Tools including the CBS Risk Assessor, CyRA assessment tool, and E26 compliance search are all available free to registered users.

How is Tagsia different from generic cybersecurity resources?

Most cybersecurity resources are written for IT environments and adapted for maritime as an afterthought. Tagsia is written specifically for maritime OT — the playbooks reference actual E26 and E27 section numbers, the tools are built around CSDD workflows and CBS categorisation, and the threat intelligence covers maritime-specific attack vectors. Every regulatory reference in the content can be verified against the actual standard text.

Can I use Tagsia content as evidence in a Class audit?

Tagsia provides templates, guides, and frameworks — the evidence value comes from how you implement and document them on your vessel. A completed vault form (TAG-OT-SEP-01, TAG-OT-LOG-03, etc.) with vessel-specific entries, dates, and signatures is legitimate ISM evidence. The playbooks tell you what to do — the completed forms are what you show a Class surveyor. Tagsia is a documentation and knowledge tool, not a certification body.

IACS UR E26 — Cyber Resilience of Ships

Which vessels does IACS UR E26 apply to?

IACS UR E26 Rev.1 applies to vessels contracted for construction on or after 1 July 2024. The trigger is the contract date — not the keel-laying date or delivery date. Vessels contracted before 1 July 2024 are not formally required to comply with E26, although some Class societies are applying E26 voluntarily to pre-July 2024 newbuilds. Existing in-service vessels are not subject to E26 — they fall under IMO MSC-FAL.1/Circ.3 and MSC.428(98) instead.

What is the CSDD and who produces it?

The Cyber Security Design Description (CSDD) is the primary technical document submitted to Class for E26 approval. It defines the vessel’s security zones, conduit architecture, CBS register with criticality categories, exclusion register, and safe state specifications. During newbuild construction the shipyard as main integrator is responsible for producing the CSDD. At delivery, responsibility for maintaining the CSDD transfers to the shipowner — any subsequent changes must go through the MoC process and be submitted to Class.

What are the three CBS criticality categories?

E26 §4.1 defines three categories based on the consequence of failure — not on how sophisticated the system is or whether it has a backup. Category III covers systems whose failure could result in loss of propulsion, steering, navigation, power generation, or safety functions — the highest consequence systems require the most stringent controls. Category II covers systems that support vessel operations but whose failure would not immediately endanger the vessel. Category I covers administrative and non-operational systems. The category drives the security controls required, the safe state obligations, and the backup requirements for each system.

What is a safe state and why does it matter?

Under E26 §4.4.4, every Cat II and Cat III CBS must have a defined safe state — a known, documented condition the system enters when it loses integrity or is shut down. The safe state must be defined by the vendor in the E27 documentation and verified by the shipyard at commissioning. This matters because a system that fails to an undefined state — rather than a documented safe one — creates unpredictable safety risks. A well-defined safe state means the ETO knows exactly what the system will do during a cyber incident and can plan the response accordingly.

What is the Minimal Risk Condition (MRC)?

The Minimal Risk Condition is a vessel-level safe state declared by the Master when multiple CBS have lost integrity and the vessel cannot safely continue its current operation using digital systems. The MRC is not declared by the ETO — only the Master has authority to declare it. Once declared, the vessel operates using local manual controls and physical fallback systems until digital systems are restored. E26 §4.4.4 requires that the MRC procedure is documented in the SCSRP and that the crew is trained to execute it.

IACS UR E27 — Cyber Resilience of Equipment

Does E27 apply to my equipment if the vessel is not a newbuild?

E27 formally applies to equipment installed on vessels contracted for construction on or after 1 July 2024. If your equipment is being fitted to an existing vessel as a retrofit, E27 is not a mandatory requirement. However, Class societies increasingly recommend E27-compliant equipment for retrofits, and some shipowners are beginning to require E27 compliance in procurement specifications regardless of vessel age. Obtaining E27 approval proactively is increasingly a commercial differentiator for equipment suppliers.

If I use third-party components in my system, are they my responsibility under E27?

Yes. E27 defines a CBS as a combination of interacting programmable devices and sub-systems. Any third-party equipment within your system boundary is within your scope of E27 responsibility. Your suppliers must either obtain their own E27 Class approval for their components, or you must include them in your system-level E27 approval submission and demonstrate that the integrated system meets all required capabilities. You cannot exclude a non-compliant component from your submission.

What is the difference between E26 and E27 responsibility?

E27 defines what the equipment vendor must deliver — a CBS that meets 30 base security capabilities, with a Type Approval Certificate, documented safe state, SBOM, and minimum restart time. E26 defines what the shipyard during construction and the shipowner during operations must do — integrate vendor CBS into a compliant zone and conduit architecture, produce the CSDD, and maintain ongoing compliance. A fully E27-compliant CBS can still generate a Class finding under E26 if it is incorrectly integrated by the shipyard.

Do I need a qualified third-party tester to certify E27 compliance?

No. E27 does not require a qualified third-party tester or certified testing organisation. The supplier performs a self-assessment against the 30 base capabilities (41 if the CBS connects to untrusted networks) and provides the documentation to Class. The Class society reviews the submission and may conduct its own verification. The supplier is responsible for the accuracy of the self-assessment — an inaccurate submission is a liability risk regardless of whether a third party was involved.

IMO requirements — MSC-FAL.1/Circ.3 & MSC.428(98)

Is MSC-FAL.1/Circ.3 mandatory or just guidance?

The circular itself is technically a set of advisory guidelines. However, Resolution MSC.428(98) — which the circular implements — is mandatory. The resolution requires ISM-certified companies to incorporate cyber risk management into their SMS by the first annual DOC verification after 1 January 2021. Port State Control officers use the circular as the benchmark for what that means in practice. The six functional elements in Rev.3 (Govern, Identify, Protect, Detect, Respond, Recover) are the effective standard against which compliance is assessed.

What changed in MSC-FAL.1/Circ.3 Rev.3 (April 2025)?

Rev.3 was approved by MSC 108 (May 2024) and FAL 49 (March 2025), with the final circular dated 4 April 2025. The key changes include: addition of Govern as a sixth functional element covering organisational accountability and senior management responsibility; updated supply chain security requirements; strengthened crew training requirements including cybersecurity familiarisation for all crew on engagement; and references to IACS UR E26 and E27 added to the list of additional standards. If your SMS cyber annex was written before April 2025, review it against Rev.3.

Does the IMO requirement apply to all vessels?

MSC.428(98) applies to all vessels subject to the ISM Code — which covers most commercial vessels of 500GT and above on international voyages, passenger vessels, and high-speed craft. Non-SOLAS vessels are not subject to the IMO requirement, though flag state rules may apply. IACS UR E26 applies only to newbuilds contracted on or after 1 July 2024 — it does not retroactively apply to existing vessels.

Can Port State Control detain a vessel for cyber non-compliance?

Yes. PSC officers operating under Paris MOU and Tokyo MOU can issue deficiencies for failure to address cyber risk in the SMS, which falls under ISM Code §8 compliance. Paris MOU and Tokyo MOU have both flagged cyber SMS gaps as grounds for inspection findings. A serious deficiency — such as no documented cyber risk management at all — can result in detention. The ISM Code is the enforcement mechanism, not E26 or the circular directly.

Class notations

Is a cyber class notation mandatory for my vessel?

For vessels contracted for construction on or after 1 July 2024, the E26-aligned notation of your Class society is effectively mandatory — it is the mechanism through which Class verifies E26 compliance. For existing vessels contracted before July 2024, the notation is voluntary. However, IMO MSC-FAL.1/Circ.3 has applied to all ISM vessels since January 2021 and still applies regardless of build date.

Are notations from different Class societies equivalent?

At the E26 compliance level, yes. All IACS member societies implement UR E26 and E27 as a unified requirement — the technical baseline is identical. DNV Cyber Secure Essential, LR Cyber Resilience, BV CYBER RESILIENT, ABS Cyber Resilience (CR), and ClassNK Part X all require the same CSDD, zone and conduit architecture, and CBS security capability verification. What differs is the tier naming, the audit procedure, and the depth of published guidance available.

How long does it take to obtain a cyber class notation?

For newbuilds, the notation is obtained at vessel delivery as part of the overall Class certification process — the timeline is determined by the construction programme. For existing vessels seeking a voluntary notation, a vessel with no cyber programme in place typically takes 6–12 months to prepare documentation, implement technical controls, and pass the initial survey. A vessel with an existing IMO-compliant SMS cyber annex may complete the process in 3–6 months.

Does a cyber class notation satisfy the IMO MSC-FAL.1/Circ.3 requirement?

Yes — any tier of any Class cyber notation provides evidence of cyber risk management that satisfies the IMO MSC.428(98) SMS requirement. A vessel with a cyber Class notation has, by definition, an SMS-documented cyber risk management programme that has been independently verified. The notation is stronger evidence of compliance than a self-assessed SMS entry, and is unlikely to be challenged by PSC officers.

Existing vessels

Does IACS UR E26 apply to my existing vessel?

No — IACS UR E26 applies only to vessels contracted for construction on or after 1 July 2024. Your existing vessel is subject to IMO MSC.428(98) which requires cyber risk management to be addressed in your SMS. This has been enforceable since January 2021. If your SMS does not address cyber risk in any form, your vessel is non-compliant with IMO requirements right now, regardless of build year.

Which Tagsia playbooks should I start with for an existing vessel?

For an existing vessel starting from scratch, focus on these five first: (1) Asset Inventory & Mapping — you cannot protect what you cannot see; (2) System Criticality Mapping — identify which systems matter most; (3) Network Segmentation (retrofits) — the highest-impact technical control; (4) OT Password Policy & RBAC — often the easiest quick win; (5) Incident Severity Matrix — so the crew knows how to respond.

Does my vessel need a Class survey for cyber security?

Not necessarily. A Class cyber notation for an existing vessel is voluntary — it is something you can choose to obtain. What is mandatory is satisfying the IMO MSC.428(98) requirement through your ISM SMS. A Class notation provides external verification that your programme meets the standard, which is stronger evidence at a PSC inspection than a self-assessed SMS entry. It also provides a structured implementation framework that most companies find useful even if they do not pursue the notation itself.

Tools & vault forms

What is the CBS Risk Assessor?

The CBS Risk Assessor is an AI-powered tool that analyses your vessel’s network topology description and produces a risk assessment aligned to IACS UR E26 requirements. You describe your CBS architecture in plain language — the tool identifies risks, suggests CBS categories, and flags gaps in your current configuration. It uses the AI analysis capability (Llama 3.1) running on Tagsia’s local Ollama server. The analysis is free for registered users with a daily rate limit during the current content phase.

What is CyRA?

CyRA (Cyber Resilience Assessment) is a self-assessment tool that guides you through the five NIST phases aligned to E26 requirements. It runs entirely in your browser using localStorage — no data is sent to any server. You complete the assessment against your vessel’s current state, and CyRA generates a gap analysis showing which E26 requirements are met, partially met, or missing. Results can be exported as JSON or CSV for your records.

What are the vault forms and can I use them as official documents?

The vault forms are fillable templates for maritime OT security operations — service entry permits, access logs, audit records, MoC forms, and more. They are designed to be completed with vessel-specific information, dated, and signed by the ETO and Master. A properly completed vault form is a legitimate ISM evidence document. Tagsia provides the template — the evidential value comes from how you complete and maintain it on your vessel.

Is my data safe when using Tagsia tools?

CyRA and the assessment tools store data in your browser’s localStorage — nothing is transmitted to Tagsia’s servers. The CBS Risk Assessor sends your text description to the AI analysis endpoint for processing but does not store vessel-identifying information. The E26 compliance search tool runs on Tagsia’s local Ollama server and does not log query content. No Tagsia tool requires you to enter vessel names, IMO numbers, or any identifying information.

Still have a question?

If your question is not covered here, use the contact page to get in touch. Regulatory questions about E26/E27 application to specific vessel types or project scenarios are welcome.
