The U.S. Coast Guard has enacted a new maritime cybersecurity rule, applying it across the Marine Transportation System (MTS) as of July 18. 

According to Industrial Cyber, the rule mandates reporting of cyber incidents, annual cybersecurity training, and submission of a Cybersecurity Plan by 2027. Foreign-flagged vessels should also prepare for heightened Port State Control scrutiny related to cybersecurity under the ISM Code.

The new rule is aimed at U.S.-flagged vessels, outer continental shelf (OCS) facilities, and facilities subject to the Maritime Transportation Security Act of 2002 (MTSA), and was executed in continuation of updates to the Captain of the Port authority that definitively designated cybersecurity vulnerabilities as a potential threat to the security and safety of U.S. ports. 

According to Nicolas Furgé, president of Cyber at Marlink, a cybersecurity and IT firm, these latest cybersecurity rules represent a major shift in how cybersecurity is addressed by U.S.-flagged vessels and U.S. maritime facilities.

The regulation includes a phased implementation schedule. As of the effective date, July 16, 2025, all reportable cyber incidents must be reported to the National Response Center. By Jan. 12, next year, and annually after that, all personnel are required to complete the training outlined in 33 CFR 101.650. By July 16, 2027, owners and operators must designate a Cybersecurity Officer, conduct a Cybersecurity Assessment, and submit a Cybersecurity Plan for approval.

Meeting these new requirements will require investment to perform assessments, documentation and training, said Furgé in a post on MarineLink July 24. However, this must be set against the cost of non-compliance which span denial of port entry, regulatory penalties or increased insurance premiums.

"Cybersecurity readiness is also becoming a factor in vendor evaluations," Furgé warned. "Starting early in planning for compliance may help operators gain a competitive edge in an increasing risk-aware market."