Cyber Regulatory Landscape and Industry Responses in the Shipbuilding and Maritime Sector – Part 8: UR E26 is ship-level, while SCARP is fleet-level.

Why SCARP Is an Owner’s Responsibility, Not a Newbuilding Document

Whenever UR E26 comes up on site, there’s a reaction I hear all the time:

“Isn’t that just something the yard prepares during newbuilding to satisfy Class?”

That’s not entirely wrong.
But it’s only half the story.

If you look at International Association of Classification Societies (IACS) UR E26 purely as a documentation requirement,
you miss the most important question for owners:

“Who is responsible for this ship — and this fleet — for the next 20 years, and how?”

This post reframes UR E26 from a shipowner responsibility perspective.


1️⃣ What question does UR E26 really ask?

UR E26 is actually very straightforward.
It asks only one thing:

“Does this ship have cyber resilience?”

That’s why UR E26 requires the following six Deliverables:

| No | UR E26 Deliverable | Nature |
|----|--------------------|--------|
| 01 | Ship Asset Inventory | Technical document |
| 02 | Zones & Conduit Diagram | Network architecture |
| 03 | CSDD | Design description |
| 04 | Risk Assessment for Exclusion | Technical risk assessment |
| 05 | Compensating Countermeasures | Technical / operational mitigation |
| 06 | Cyber Resilience Test Procedure | Test & verification |

At this point, the character of UR E26 is obvious:

  • It applies to one ship

  • Documents are mainly produced by the yard and system vendors

  • Class approval targets the ship and its systems

In short, UR E26 is a strictly ship-level requirement.


2️⃣ But the owner’s question is different

From an owner’s point of view, the real question is this:

“Not just this ship — how do I safely operate the entire fleet?”

At that moment, UR E26 stops being an answer.
It becomes input material.

And the thing that actually answers the owner’s question is SCARP.


3️⃣ SCARP is NOT a UR E26 Deliverable

This is where confusion happens most often.

SCARP (Ship Cybersecurity Asset & Risk Plan)
is not one of the UR E26 deliverables.

SCARP is linked to:

  • International Maritime Organization (IMO) MSC-FAL.1/Circ.3 (Cyber Risk Management)

  • The ISM Code

In other words, SCARP is:

👉 a company-level operational and management document,
👉 clearly under the shipowner’s responsibility.

Put simply:

  • UR E26: Is this ship cyber-safe?

  • SCARP: Is the owner managing cyber risk properly?


4️⃣ UR E26 documents are inputs to SCARP

Here’s the key point:

UR E26 and SCARP are not substitutes. They are connected.

The documents produced under UR E26 become technical evidence inside SCARP.

For example:

  • Asset Inventory → basis for fleet cyber asset management

  • Zones & Conduit → technical foundation for network and access control policies

  • CSDD → explanation of why certain protections were designed

  • Test Procedure → ship-level basis for drills, training, and verification

That’s why this equation holds true:

UR E26 Deliverables = the technical evidence that supports SCARP


5️⃣ SCARP is not a newbuilding document

This is where the mindset must change.

SCARP is not a newbuilding deliverable.
Its true identity is a Fleet-wide Cyber Operating Model.

If UR E26 proves:

“Was this ship built safely?”

then SCARP defines:

“How will this fleet be operated safely for the next 20 years?”

That’s why SCARP must provide fleet-wide standards, such as:

  • Minimising cyber security gaps between ships

  • Fleet standardisation

  • Annual audit readiness

  • Cyber monitoring criteria

  • Incident response scenarios

  • Management of Change (MOC) rules

👉 In short, SCARP is an operating model used throughout the vessel’s life.


6️⃣ SCARP quality depends on integration, not paperwork

When SCARP fails in real projects, the reason is almost always the same:

There is no integrator.

SCARP must combine:

  • Dozens of E27 vendor documents

  • Network architecture

  • Operational procedures

Integration, in turn, depends on three conditions, and none of them can be skipped.

① Owner Policy

Without a clear owner-defined risk appetite and operating philosophy,
SCARP becomes nothing more than a document bundle.

② CRSI (Cyber Resilience System Integrator)

Without a CRSI:

  • Zones don’t align

  • Risk criteria conflict

  • The same findings repeat at every audit

③ “Integratability” of E27 documents

Individual quality matters less than whether documents can fit together.

The conclusion is simple:

SCARP quality is determined by structure, not writing skills.


7️⃣ SCARP is ultimately about cost

This isn’t theory — it’s operational reality.

When SCARP is done properly:

  • Lower incident response costs

  • Reduced annual audit effort

  • Faster and clearer MOC handling

  • Lower maintenance and patching costs

When SCARP is weak:

  • Document inconsistency

  • Poor risk assessment

  • Zone & conduit confusion

  • Delayed Class approval

  • Escalating operational costs

  • The same findings every year

That’s why owners eventually learn this equation:

High-quality SCARP = cost reduction
Low-quality SCARP = cost explosion


Final thoughts

UR E26 asks:

“Is this ship cyber-safe?”

SCARP asks:

“How will the owner take responsibility for that safety — and for how long?”

If you only see UR E26 as paperwork, you’re seeing half the picture.
Seen through SCARP, UR E26 finally becomes what it should be:
