Cyberattacks targeting global maritime operations surged 103 percent in 2025, rising from 408 reported incidents in 2024 to 828 cases, according to CYTUR's 2026 Maritime Cyber Threat White Paper published in February 2026 - with satellite communication systems emerging as a primary entry point for threat actors targeting ships, ports, and logistics networks. The acceleration has prompted parallel regulatory action across three jurisdictions, confronting shipping operators with overlapping - and at times conflicting - compliance obligations.
Background
The maritime sector's deepening reliance on digital connectivity has materially expanded its cyber risk exposure. Rapid digitalization of ships, particularly the integration of satellite communications with onboard operational technology (OT), has significantly widened the industry's attack surface. As integration points between satellite communications and OT systems multiply, attack patterns once limited to data theft are evolving into destructive forms capable of disrupting navigation or triggering catastrophic physical incidents.
Intermittent satellite links can limit consistent monitoring and response, while legacy equipment and unsupported software remain common due to long asset life cycles (Maritime Cybersecurity 2026: Ship Manager's Guide, Navatom). Compounding the problem, U.S. Coast Guard assessments have found that more than half of organizations with OT network segments held an incorrect understanding of their OT network segmentation.
The geopolitical dimension is equally pronounced. Pro-Palestinian hacktivists have targeted Israeli-linked vessels using Automatic Identification System (AIS) data, Russian groups have targeted European ports supporting Ukraine, and Chinese state actors compromised classification societies that certify the world's fleets.
Details
Satellite-linked systems have proven especially vulnerable. In two separate waves in March and August 2025, communications aboard approximately 180 vessels were paralyzed in an attack on Iranian ships attributed to the Lab Dookhtegan group - exploiting weak credential management and outdated firmware to infiltrate VSAT systems. Rather than targeting individual vessels, attackers increasingly focus on critical choke points such as telecommunications providers and OEM equipment manufacturers. The tactic of disabling an entire fleet by infiltrating a single satellite provider is expected to become more common.
GPS and GNSS manipulation has also escalated sharply. Approximately 1,000 GPS disruption incidents are observed every day, affecting more than 40,000 vessels, according to Cydome's 2026 maritime OT cybersecurity report. In May 2025, the containership MSC Antonia ran ashore near Jeddah due to GPS spoofing. In June 2025, two oil tankers collided in the Gulf, reportedly setting one on fire, with GPS spoofing suspected as a contributing factor.
On the regulatory front, three major frameworks now apply simultaneously. The U.S. Coast Guard's Cybersecurity in the Maritime Transportation System rule took effect July 16, 2025, elevating cybersecurity to the same priority level as physical security for MTSA-regulated entities - including U.S.-flagged vessels, Outer Continental Shelf facilities, and port terminals (Maritime Cyber Incidents & Digital Threats 2025, StaunchTec). The rule addresses current and emerging threats by establishing minimum requirements for risk detection and incident recovery, including development and maintenance of a Cybersecurity Plan and designation of a Cybersecurity Officer. Full cybersecurity plan submission to the Coast Guard is due by July 16, 2027.
At the European level, the EU NIS2 Directive classifies maritime shipping as essential infrastructure and imposes penalties up to EUR 10 million or 2 percent of global annual revenue, whichever is higher. The directive requires stronger risk management practices, stricter incident reporting timelines, and supply chain security assessments. However, as of mid-2025, only a minority of EU Member States had transposed NIS2 into domestic law, with 13 remaining non-compliant as of August 2025. On January 20, 2026, the European Commission published a proposal to amend NIS2, aiming to harmonize technical measures and strengthen cross-border supervision through an expanded role for ENISA.
Internationally, the International Association of Classification Societies (IACS) revised its Unified Requirements UR E26 and UR E27 in 2023; the revised versions apply to ships contracted for construction on or after July 1, 2024. CYTUR defines 2026 as the "first year of practical verification," as compliance shifts from design-stage documentation to operational enforcement during sea trials and classification inspections.
Cross-border incident coordination remains a structural weakness. A Liberian-flagged tanker navigating the high seas might suffer a cyberattack originating from servers in Europe that affects its parent company in Asia - and under current international legal frameworks, determining the appropriate investigative jurisdiction is exceptionally challenging. UNCLOS does not explicitly define or address "maritime cybercrime," creating a fundamental gap in international maritime law. Current enforcement relies on alternative frameworks such as Article 32 of the Budapest Convention.
Regulatory variability and fragmented international cooperation continue to hinder coordinated responses to cross-border threats. Implementation of IMO, IACS, and NIST standards faces practical barriers related to technology heterogeneity, legacy system constraints, and jurisdictional ambiguities.
Outlook
The proposed NIS2 amendments will proceed through the European Parliament and Council, with negotiations expected later in 2026 and a draft 12-month transposition period following entry into force. Regulatory compliance is set to become a critical operational risk factor in 2026 as stringent requirements - including IACS UR E26/E27 - become fully operational. Vessels or equipment manufacturers failing to meet security certifications face loss of sailing credentials or denial of port entry. Security researchers and classification bodies recommend that port authorities, shipping lines, and terminal operators prioritize real-time OT network monitoring, verified IT/OT segmentation, and structured participation in Maritime Security Operations Centers to align with converging international standards before enforcement windows close.
