The Ministry of Infrastructure and Transport, through the General Command of the Port Authority Corps – Coast Guard and the NIS Authority – Transport Sector, announced the publication of the new Circular No. 177/2025 entitled “Maritime Cyber Risk. Updating security measures for domestic vessels, the ISM (Company ISM) and port facility operators”, which will enter fully into force from 1 November 2026.
The document introduces an advanced, modern and binding framework of cybersecurity measures intended to strengthen the resilience of the maritime-port sector, in light of the growing digitalisation of on-board systems, port infrastructures and operational procedures.
The new rules, consistent with the IMO guidelines and with the most recent international guidelines on the subject, integrate the standards contained in the main technical references of the sector and harmonise with the European framework defined by Directive 2022/2555 – NIS2 and the related Legislative Decree 138/2024, which include ports, maritime administrations and critical operators among the essential players in national cybersecurity.
Announcing the publication of the circular, dated 16 December 2025, the General Command of the Port Authority Corps recalled that the widespread adoption of on-board systems such as ECDIS, AIS, GMDSS, connected OT systems, ship-port interfaces and remote access channels has increased the efficiency of the industry, but at the same time has expanded the attack surface exposed to increasingly sophisticated cyber threats. Computer Based Systems (CBS), which include both IT and OT systems, are in fact a backbone of maritime and port operations and, precisely for this reason, represent a potential target of attacks capable of compromising the safety of navigation, business continuity and the protection of the marine environment. In this scenario, the new circular defines obligations and recommendations for shipping companies, ship masters, port facility operators and the state authorities involved, requiring the adoption of a structured approach to the management of cyber risk, the full integration of cyber measures into the Safety Management System (SMS) and ship security plans, the updating of internal procedures, the adoption of appropriate and proportionate technical and organisational measures, and the formalisation of prevention, detection, response and recovery processes in the event of an incident.
The measure also introduces staff training requirements, making qualification necessary for crews, Company Security Officers, Port Facility Security Officers and IT/OT technicians, in order to ensure up-to-date preparation with respect to attack techniques and response requirements. Particular attention is paid to the management of critical systems – including propulsion, steering, power generation, charging systems, internal and external communications systems, access monitoring systems, dedicated port infrastructure networks and VTS services – which must be periodic, documented and based on the principles of risk.
The circular also extends the focus to technologies, with explicit references to autonomous systems and integrated ship-shore services used in MASS operations, recognising their growing diffusion and the need to address the new related vulnerabilities. The management of cyber incidents is also reinforced through coordination with the notification obligations provided for by Decree 138/2024, which require entities falling within the NIS2 perimeter to report significant incidents to CSIRT Italia, thus making incident notification a key element of the national response strategy.


