DG Shipping Maritime Cybersecurity Requirements

National maritime administrations translate the IMO cyber risk management requirement into flag state and inspection expectations. The Directorate General of Shipping is one such administration. Here is how flag state cyber expectations work, what an administration looks for, and how owners prepare.

Published 26 June 2026 | 9 min read | Codesecure Maritime Cyber Team | Maritime

Key Takeaways

  • National administrations enforce IMO cyber rules. The IMO sets the requirement; the flag state (such as DG Shipping) verifies it at the company and vessel level.
  • The legal basis is MSC.428(98) integrated into the ISM Code, so cyber is verified through existing Document of Compliance and Safety Management Certificate audits.
  • BIMCO alignment is the practical benchmark. Administrations broadly accept BIMCO-aligned implementation as evidence of meeting the IMO expectation.
  • Expect both flag state and port state attention. The administration audits its own flag; Port State Control may also probe cyber during inspections of visiting vessels.
  • Preparation is the same regardless of administration: integrate cyber into the SMS, build the evidence pack, train the crew, and rehearse the audit.

How Flag State Cyber Enforcement Works

The International Maritime Organization sets requirements, but it does not inspect ships. Enforcement is delegated to the flag state administration, the national authority of the country whose flag a vessel flies. The Directorate General of Shipping (DG Shipping) is the maritime administration for vessels under its flag, and like every other administration it is responsible for ensuring that companies and vessels under its authority meet the applicable IMO instruments, including the cyber risk management requirement.

For cyber specifically, the administration's role is to verify that a company has integrated cyber risk management into its Safety Management System as required by IMO Resolution MSC.428(98). The administration, or a Recognised Organisation acting on its behalf (typically a classification society authorised to conduct ISM audits), checks this during the audits that lead to and maintain the company's Document of Compliance and each vessel's Safety Management Certificate.

This delegated, audit-based model is why flag state cyber requirements are not a separate rulebook with their own inspectors. They are the IMO requirement, verified through the administration's existing ISM machinery. The practical effect for an owner is that the cyber question arrives inside a familiar process, the ISM audit, conducted by familiar parties, the administration or its Recognised Organisation.

What an Administration Looks For

Whether the audit is conducted directly by the administration or by a Recognised Organisation, the cyber examination follows a recognisable pattern that mirrors the five functions of MSC-FAL.1/Circ.3. The auditor wants to see that cyber risk is genuinely integrated into the SMS and lived on board, not merely documented in a binder.

  • SMS integration: cyber procedures embedded in the existing SMS sections, not a detached standalone policy
  • Risk assessment: a documented per-vessel-class cyber risk assessment identifying threats, vulnerabilities, impact and residual risk
  • Crew competence: the master, chief officer and chief engineer able to describe the cyber procedures in their own words, evidencing real training
  • Records: training logs, an incident and drill log with recent entries, a vendor register, and management-of-change records
  • Operational controls: clear, consistent USB and removable-media handling, controlled vendor remote access, and basic network segregation
  • Response readiness: a cyber incident response plan with defined vessel-to-shore communication and recent drill evidence

Flag State Versus Port State Attention

Owners should distinguish two kinds of scrutiny. Flag state attention comes from the administration whose flag the vessel flies, through the ISM audit cycle, and is the primary route by which cyber compliance is verified. Port State Control (PSC) attention comes from the authority of a port the vessel visits, regardless of flag, through inspections under regional PSC regimes.

Historically PSC focused on physical, structural and operational safety. Cyber has been entering PSC consciousness gradually: inspectors increasingly ask cyber-adjacent questions, look for the existence of cyber procedures within the SMS, and check that the crew is aware of them. A vessel that is well prepared for its flag state cyber audit is generally well prepared for cyber questions during a PSC inspection too, because the underlying evidence (SMS integration, training records, drill logs) is the same.

The practical implication is that cyber readiness is not something an owner can scope to a single jurisdiction. A vessel trades into many ports under many PSC regimes, and the cyber posture travels with it. Building a robust, BIMCO-aligned, IMO-compliant programme satisfies the flag state and equips the master to answer port state cyber questions with confidence wherever the vessel calls.

How Owners Prepare for a Flag State Cyber Audit

Preparation for a flag state cyber audit is essentially the IMO cyber implementation done well, with particular attention to the evidence and crew-competence elements that auditors sample. The work is the same regardless of which administration holds the flag, because all administrations are verifying the same underlying IMO requirement.

The preparation sequence is:

  • a gap assessment against the five MSC-FAL.1/Circ.3 functions
  • integration of cyber procedures into the existing SMS rather than a separate manual
  • deployment of the achievable technical controls (network segregation between bridge OT, engine OT, vessel IT and crew networks, USB and removable-media controls, controlled vendor access, account hygiene)
  • per-vessel risk assessments
  • crew training tailored to the roles the auditor will interview
  • a documented incident response plan with at least one rehearsed tabletop
  • a coherent evidence pack reviewed annually and accessible both ashore and on board

The most common reasons owners stumble at a flag state cyber audit are not technical. They are the master who cannot describe the cyber procedures from memory because training was paper-only, the dormant programme with no drill entries in the last year, inconsistent USB handling between bridge and engine room, and an asset inventory that is missing or stale. Each of these is closable in weeks if addressed before the audit. Codesecure supports owners through the full cycle, running the gap assessment, helping integrate cyber into the SMS, delivering role-specific crew training, conducting a vessel walkthrough, and standing alongside the Designated Person Ashore during the audit itself.

Beyond Compliance: Why It Matters Commercially

Meeting the flag state cyber requirement is the floor, not the ceiling. The same evidence pack that satisfies an administration increasingly does double and triple duty in commercial contexts. Charterers issue cyber questionnaires as a condition of fixture. P&I clubs and hull underwriters factor cyber posture into risk assessment at renewal. Major ports and terminals ask cyber-adjacent questions as part of pre-arrival inquiries. A clean, well-documented cyber programme is becoming a commercial asset, not merely a regulatory obligation.

Conversely, a weak cyber posture creates friction beyond the audit room. A charter can stall on an unanswered security questionnaire, an insurer can price in uncertainty, and a port can add scrutiny that slows turnaround. The owners who treat cyber as an integrated part of how the fleet is managed, rather than a once-a-year audit scramble, find the marginal cost of staying ready is low and the commercial dividend is real.

Codesecure helps shipowners and managers build cyber programmes that satisfy the flag state administration and serve these wider commercial demands at the same time, from gap assessment and SMS integration through crew training, vessel and shore penetration testing, and the evidence packs that charterers, clubs and ports increasingly expect. ISO/IEC 27001:2022 certified delivery with named consultants, across India, Singapore, UAE, Malaysia and the wider region.

Frequently Asked Questions

What is the role of a maritime administration like DG Shipping in cyber security?

A maritime administration is the flag state authority that verifies IMO requirements for vessels under its flag. For cyber, its role is to confirm that companies have integrated cyber risk management into their Safety Management System as required by IMO Resolution MSC.428(98), checked during the ISM audits that lead to and maintain the Document of Compliance and Safety Management Certificate, often through a Recognised Organisation.

Does DG Shipping have its own separate cyber security standard?

Maritime administrations generally do not create a separate cyber standard. They verify the IMO requirement under MSC.428(98) and MSC-FAL.1/Circ.3, integrated into the ISM Code. In practice administrations broadly accept BIMCO Guidelines on Cyber Security Onboard Ships as the reference interpretation, so a BIMCO-aligned SMS is the most reliable way to meet the expectation.

What happens if a vessel fails a flag state cyber audit?

Inadequate cyber risk management in the SMS is treated as an ISM non-conformity. A minor non-conformity attracts a corrective action requirement with a deadline; an unresolved or serious one can escalate to a major non-conformity, which in extreme cases threatens the Document of Compliance and the affected Safety Management Certificate. Administrations have generally taken a constructive, improvement-focused approach since the requirement took effect.

Is cyber checked by Port State Control as well as the flag state?

Increasingly, yes. The flag state verifies cyber through the ISM audit cycle, which is the primary route. Port State Control inspectors are progressively asking cyber-adjacent questions and checking that cyber procedures exist within the SMS and that the crew is aware of them. A vessel well prepared for its flag state cyber audit is generally well prepared for cyber questions during a PSC inspection.

How does an owner prepare for a flag state cyber audit?

Through proper IMO cyber implementation: a gap assessment against the five MSC-FAL.1/Circ.3 functions, integration of cyber procedures into the existing SMS, achievable technical controls (segregation, USB controls, vendor access control, account hygiene), per-vessel risk assessments, role-specific crew training, a rehearsed incident response plan, and a coherent evidence pack reviewed annually and accessible ashore and on board.

Can Codesecure help us prepare for a flag state cyber audit?

Yes. Codesecure runs the gap assessment, helps integrate cyber into the SMS, delivers role-specific crew training, conducts a vessel cyber walkthrough, and can stand alongside the Designated Person Ashore during the audit. The same evidence also supports charterer questionnaires, P&I reviews and port inquiries. ISO/IEC 27001:2022 certified delivery with named consultants holding OSCP, CEH, CISSP and IEC 62443 experience.

Codesecure Maritime Cyber Team

OSCP / IEC 62443 / Maritime OT Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers maritime cyber risk assessments, IMO 2021 SMS integration support, BIMCO gap assessments, vessel and port OT penetration testing, and ship-to-shore SIEM design. Named consultants with OSCP, CEH, CISSP and IEC 62443 experience and hands-on bridge-system knowledge. Engagements delivered across India, Singapore, UAE, Malaysia and the wider region.
