The first phase of the US Coast Guard's final rule, Cybersecurity in the Marine Transportation System (90 FR 6298), took effect July 16, 2025, marking a watershed moment for maritime security. As of that date, all reportable cyber incidents must be reported to the National Response Center immediately upon discovery — a significant shift from previous voluntary reporting practices.

Key Implementation Dates

Under the final rule, other important dates include:

• By January 12, 2026, and annually thereafter, all personnel must complete the training specified in 33 CFR 101.650. New personnel hired after the effective date must complete this training within 30 days of gaining system access.
• The final phase requires that owners and operators of covered facilities designate the Cybersecurity Officer, conduct the Cybersecurity Assessment, and submit the Cybersecurity Plan for approval by July 16, 2027.

Core Requirements

Requirements in the final rule include developing and maintaining a Cybersecurity Plan, designating a Cybersecurity Officer (CySO), and taking various measures to maintain cybersecurity within the MTS. The CySO will serve as the primary point of contact for all cybersecurity matters and must possess appropriate expertise to manage cyber risks effectively.

This final rule is effective for all US-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to Maritime Transportation Security Act of 2002.

Enhanced Enforcement Measures

The Coast Guard will intensify Port State Control (PSC) scrutiny on foreign-flagged vessels, examining indicators of poor cybersecurity practices. Vessels failing to demonstrate adequate cybersecurity measures may face deficiencies, detention, or denial of entry to US ports — underscoring the rule's international reach and enforcement teeth.

What Constitutes a Reportable Incident?

Reportable cyber incidents include unauthorized access to systems, malware infections, denial of service attacks, or any event that could potentially impact vessel or facility operations. The immediate reporting requirement ensures rapid response and information sharing across the maritime sector.

Industry Action Items

We recommend industry participants begin evaluating their current capabilities and developing comprehensive compliance strategies. Specifically:

• Assess existing cybersecurity measures against the new requirements
• Identify qualified candidates for the CySO role
• Budget for required training and assessment activities
• Review and update incident response procedures to ensure immediate reporting capability

The July 16, 2025, effective date represents not just a regulatory milestone, but the beginning of a fundamental transformation in maritime cybersecurity posture. Organizations that embrace these requirements proactively will be best positioned to protect their operations and contribute to a more secure marine transportation system.

This final rule is effective on July 16, 2025 for all U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities subject to Maritime Transportation Security Act of 2002 (MTSA).