EU Cyber Resilience Act Guide for Maritime Navigation & Vessel Systems Vendors
Important — Class I or Class II depending on safety-critical function
Vendors of electronic chart display systems (ECDIS), AIS transponders, vessel management systems, and integrated bridge systems sold to EU-flagged vessels or EU ports are subject to the CRA as manufacturers of products with digital elements. Maritime systems face dual regulatory pressure from both the CRA and IMO MSC-FAL.1/Circ.3 cyber risk management guidelines, and vendors must reconcile these frameworks. The integration of navigation systems with satellite communications and shore-side networks significantly expands the attack surface that must be addressed under Annex I.
CRA Scope and Classification for Maritime Systems
Maritime navigation and vessel management products sold to EU operators — including ECDIS systems, AIS Class A and B transponders, integrated bridge systems (IBS), voyage data recorders (VDR), engine management and monitoring systems, and port management information systems — are products with digital elements under Article 3(1) of the CRA. Classification requires function-specific analysis: ECDIS and navigation systems directly affecting vessel collision avoidance and safe navigation are strong candidates for Class II Important Products under Annex III. Engine monitoring systems and cargo management platforms with no direct safety-critical output may qualify as Class I. Vendors must document the classification rationale, taking into account whether the product is part of a safety management system under SOLAS requirements. The CRA applies irrespective of whether the product also satisfies IMO or flag-state type approval requirements.
Technical Security Obligations for Vessel-Deployed Systems
Maritime systems present unique security engineering challenges: they must operate reliably in isolated environments with limited connectivity, while increasingly being accessed remotely by shore-side technical teams. Annex I obligations for maritime vendors include: ensuring that remote access functionality — whether via satellite, cellular, or VSAT — is authenticated and encrypted with no unauthenticated bypass; eliminating default credentials on all management interfaces; providing firmware update mechanisms that function in both connected and air-gapped vessel environments; implementing tamper-evident audit logging that survives power interruptions; and documenting all external interfaces including NMEA 0183/2000 ports, USB interfaces, and network connections to other vessel systems. The SBOM requirement must cover navigation chart software components, database engines, and any real-time operating system components embedded in navigation hardware.
CVD Policy Under Article 13 for Maritime Vendors
Article 13 requires a published coordinated vulnerability disclosure policy. Maritime system vendors have historically operated in a sector with limited security researcher engagement, but this is changing rapidly as the sector's digital connectivity increases. Vendors should establish CVD policies that accommodate: reports from maritime security researchers and classification society cyber teams; interaction with the European Maritime Safety Agency (EMSA) and national maritime CSIRTs; and the operational reality that vessel operators may not be able to apply patches immediately due to voyage schedules and flag-state approval requirements. The CVD policy must specify how vendors communicate vulnerability information and available mitigations to vessel operators when immediate patching is not feasible. A machine-readable security.txt file at the vendor domain is the standard discovery mechanism for researchers.
Article 14 Incident Reporting in Maritime Context
Article 14 requires maritime system vendors to notify the relevant national CSIRT within 24 hours of becoming aware of active exploitation of a vulnerability in a deployed product. For navigation systems, active exploitation could compromise vessel positioning data, enable unauthorised route modifications, or disrupt communications — scenarios with direct safety implications. Vendors must maintain incident response procedures capable of meeting the 24-hour notification window, including out-of-hours escalation paths. When a vulnerability affects vessels at sea, vendors should also establish direct communication channels with vessel operators and ship managers, separate from the regulatory notification process. EMSA and relevant maritime CSIRTs should be included in the vendor's notification contact registry. Incidents involving actual maritime safety consequences must also be reported through existing flag-state and port-state control channels, creating parallel reporting obligations.
Conformity Assessment and Interaction with Maritime Type Approval
Maritime navigation systems often require type approval from flag-state authorities or classification societies under SOLAS and IMO performance standards. The CRA conformity assessment is a separate and additional requirement — CE marking under the CRA does not replace maritime type approval, nor does type approval substitute for CRA conformity. Class II maritime products require notified body assessment. Vendors should investigate whether any notified body offers joint or coordinated assessment services that align with classification society cyber requirements (e.g. IACS UR E26 and E27), which could reduce duplicated audit burden. Class I products may use self-declaration, but must compile full technical documentation including the maritime-specific threat model, SBOM, and security testing evidence. The declaration of conformity must be maintained throughout the product support period.
CVD Portal handles your CRA Article 13 obligations automatically.
Public CVD submission portal, 48-hour acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for Maritime Navigation & Vessel Systems Vendors.
Frequently asked
Our ECDIS systems are type-approved under IEC 61174. Does this satisfy CRA conformity requirements?
No. IEC 61174 type approval addresses navigation performance standards, not the cybersecurity requirements of the CRA. The CRA requires a separate conformity assessment focused on security-by-design, vulnerability management, CVD policy, and SBOM obligations under Annex I. The European Commission is working with standards bodies to develop harmonised standards for maritime systems, but until these are published and referenced in the Official Journal, manufacturers must use existing security standards — such as IEC 62443 — to demonstrate compliance. Both type approval and CRA CE marking will be required for EU market access.
Vessels can be at sea for months without connectivity. How do we meet the firmware update obligations of Annex I?
Annex I requires that security updates be made available without undue delay — it does not require immediate installation by the operator. Your obligation as a manufacturer is to issue and publish security updates promptly when vulnerabilities are identified. For vessel operators who cannot apply updates immediately, you must provide documented interim mitigations and configuration guidance. Your CVD policy and security advisory processes should clearly communicate update availability, severity, and interim workarounds. Delivery mechanisms for offline update packages — USB media, port-of-call update procedures — should be documented and tested.
Do AIS transponders fall under the CRA, and are they Class I or Class II?
AIS transponders are products with digital elements and fall within CRA scope. Classification depends on the product type: Class A AIS transponders used for mandatory vessel tracking and collision avoidance are likely Class II given their safety-critical role in maritime traffic management. Class B transponders used by non-SOLAS vessels for optional tracking may qualify as Class I. Vendors should document their classification analysis, taking into account the product's role in vessel safety management systems and whether failure or compromise could affect maritime traffic safety. The classification affects whether self-declaration or notified body assessment is required.
Key CRA articles for Maritime Navigation & Vessel Systems Vendors
Need a CVD policy template for Maritime Navigation & Vessel Systems Vendors?
Download a free CRA-compliant vulnerability disclosure policy and deploy it in minutes.