The Swedish Cybersecurity Act Enters into Force

The Cybersecurity Act and Shipping – What Does It Mean for Shipowners and Operators?

When the new Cybersecurity Act enters into force on 15 January 2026, both the requirements and the responsibility will be tightened. Cybersecurity will become a matter for executive management and the board – not just an IT issue. For shipowners and operators, this means that organisation, ways of working and IT environments must be reviewed, both onboard and ashore.

A Growing Threat Landscape in Shipping

In recent years, the shipping industry has seen a clear increase in cyber incidents, IT disruptions and targeted attacks. At the same time, dependence on digital systems for operations, navigation, cargo handling and communications has grown significantly. Today, an IT incident can have direct consequences for safety, operations and business continuity.

Cybersecurity: The Wake-Up Call for Management and Boards

The Cybersecurity Act is a response to a tougher threat landscape and increased demands for control and structure in how IT environments are managed. Among other things, it requires:

  • A systematic approach to risks and security measures
  • Established processes for incident management and reporting
  • Clear governance, roles and follow-up
  • Control over suppliers and external IT dependencies

In the past, cyber and IT security were often seen as the responsibility of the IT department. Today, the situation is different. The formal responsibility always lies with company management and the board – and that responsibility cannot be delegated. At the same time, the day-to-day management of the IT environment plays a crucial role in how well the organisation is actually prepared for incidents and threats.

What Does This Mean in Practice for Shipowners and Managers?

For most shipping companies, compliance with the Cybersecurity Act is not primarily a technical exercise. It is a management task that affects how the organisation is governed and operated.

In practice, this means that management and boards need to ensure that:

  • Cyber risks are identified, assessed and handled as part of overall business risk management
  • Responsibilities, mandates and escalation paths are clearly defined
  • Incident management is not only documented, but tested and exercised
  • Dependencies on IT suppliers and partners are understood and actively managed
  • Cybersecurity is followed up at management level – not only in the IT department

This also means being able to demonstrate, to authorities and auditors, that cybersecurity is managed in a structured and systematic way.

What Is Actually New?

Many of the technical security measures are not new. What is new is the level of formality, accountability and follow-up.

The Cybersecurity Act strengthens:

  • Requirements for management involvement and oversight
  • Documentation, traceability and proof of governance
  • Incident reporting and response capabilities
  • Control over critical suppliers and outsourced IT services

In short: it is no longer enough to “work with security”. Companies must be able to prove that they govern, manage and follow up cybersecurity in a structured way.

What Happens If You Are Not Prepared?

A serious IT or cyber incident today can lead to:

  • Operational stoppages and delayed or cancelled voyages
  • Safety risks for crew, vessels and cargo
  • Contractual and financial consequences
  • Regulatory scrutiny and reputational damage

With the new legislation, it can also lead to direct consequences for the company’s management and governance.

This is why cybersecurity must now be treated as a business-critical and operational issue – not just a technical one.

The Onboard IT Environment – A Central Part of the Whole

Working with the right IT partner does not remove responsibility – but it can significantly reduce complexity. For many shipping companies, the vessels are the most complex part of the IT environment – with many systems, high requirements for reliability, and often several external parties involved. At Soya IT Marine Solutions, we work daily with the operation, management and development of onboard IT environments. Our way of working meets the requirements of the NIS2 Directive and the new Cybersecurity Act. This means that our customers already have onboard IT environments that are managed according to the same principles that the new legislation now requires.

With the Right Partner, Part of the Work Is Already in Place

“Responsibility can never be outsourced, but the choice of IT partner has a major impact on the transition. For our customers, large parts of the IT environment are already managed in line with NIS2 and Cybersecurity Act requirements, allowing more focus on governance, organisation and ways of working ashore,” says Oskar Schager, Key Account Manager at Soya IT Marine Solutions.

The Cybersecurity Act is a step in a long-term development towards more robust and controlled digital operations in shipping. At Soya IT Marine Solutions, we see this as a confirmation of the direction we have been taking for a long time.

A Simple Self-Check

If you cannot clearly answer these questions, you likely have work to do:

  • Do we have clear cyber risk ownership at management level?
  • Do we know which systems and suppliers are business-critical?
  • Are incidents handled in a structured and tested way?
  • Can we demonstrate governance, not just technical measures?

Let’s Start the Conversation

If you want to build a more resilient and secure fleet, let’s start the conversation. Contact us today to see how we can help safeguard your operations.
