The new EU Cybersecurity Directive (NIS2) strengthens cyber resilience across critical infrastructure and requires operators to maintain an up-to-date risk management model. Regulation is a powerful catalyst for investment, with 66% of maritime sector respondents in DNV Cyber’s Maritime Cyber Priority 2024/2025 survey citing it as the primary driver.
Still, regulation should be viewed as the beginning of a broader cybersecurity journey, not the end. While NIS2 drives new cybersecurity investments in the maritime sector, these investments can create a false sense of security: single vessels are explicitly excluded from its scope, and the focus is placed on the coordination and management of the entire fleet.
The real challenge lies in whether organizations can develop effective strategies to identify and mitigate cyber risks. Traditionally, cyber and IT in the maritime sector have been seen as back-office functions rather than strategic enablers. There are risks to be aware of, especially around supply chains and operational technology (OT).
Cybersecurity of the supply chain and connected vessels
With over 42,000 ships now connected via satellite, the ‘air gap’ that once protected maritime infrastructure is gone. Ship managers frequently struggle to detect cyberattacks, often relying on the crew’s alertness rather than on automated systems that can detect cyber threats in IT and OT networks.
Maritime companies of all sizes face heightened risks due to outdated systems and increased exposure to supply chain vulnerabilities.
Highly connected vessels, where OT, navigation, and engine systems are integrated, are especially vulnerable to cyber threats, as an attack can impair multiple systems at once if the segregation of these systems is not well managed. Brand-new vessels benefit from built-in cybersecurity by design, but even ships only a year old may not have implemented a baseline cybersecurity design. Older ships are less exposed to risks due to limited connectivity, but retrofitting new systems can introduce fresh vulnerabilities.
In recent years, serious threats have stemmed from supply chain breaches rather than direct attacks on the maritime organizations themselves. Maritime organizations need to be engaged in exchanging information and best practices, which means sharing details of critical incidents, attacks and near-misses. Sharing knowledge and skills will help to close these gaps. This calls for greater transparency throughout the industry.
Turning risk assessments into a competitive advantage
Demonstrating a commitment to exceed regulatory standards can build trust with stakeholders, including customers, partners, and regulatory bodies. This helps organizations keep pace with evolving threats and technologies that often outstrip the speed of regulatory updates – and can also offer a competitive advantage.
Conducting cyber risk assessments of organizations and vessels helps safeguard critical processes and maintain operational continuity even in the face of disruptions. Cyber risk assessments can identify further vulnerabilities and help in prioritizing measures to secure the weakest points in cyber defence.
Beyond compliance and building future resilience
Now that the NIS2 Directive has come into effect, early adopters may be ready to invest in cybersecurity beyond compliance. However, many shipowners and system vendors are still likely to follow the lead of the regulators. Looking ahead, further regulation seems inevitable, potentially in the form of goal-based requirements aimed at protecting the maritime industry and its vessels. Over time, these could become mandatory through enforcement by the International Maritime Organization (IMO) or the EU.
This regulatory momentum is already visible. Since July last year, the International Association of Classification Societies (IACS) has enforced mandatory cybersecurity rules for newbuilds and their deployed systems. As a result, manufacturers will need to demonstrate secure life-cycle processes and robust supply chains for both hardware and software. Even shipyards will need to build competence to securely integrate systems across entire vessels and execute secure retrofit projects for their customers.
Yet, as the industry moves toward more stringent requirements, a major challenge remains: talent. The Maritime Cyber Priority 2024/2025 Report reveals that the top concern across the sector is access to skills and expertise that can meet evolving demands.
One way to address this challenge is for maritime organizations to subscribe to smart services that provide updates on current threat trends while monitoring compliance and driving continuous improvement. Collaboration is also essential for driving progress and building resilience across the maritime industry, as mastering everything alone is becoming increasingly challenging.
Text: Svante Einarsson, DNV Cyber, Head of Cybersecurity Advisory EMEA, APAC & Maritime