Requirement to report cyber incidents

This circular provides guidance on the reporting of incidents and attacks on digital infrastructure and capacities threatening safety at sea. The guidance is applicable in connection with the Regulations of 27 June 2008 No. 744 on the obligation to notify and report marine accidents and other incidents at sea.

Our society is facing an increasing number of cyber incidents, which increases the probability of direct attacks on digital infrastructure on ships. Cyber incidents are likely to affect safety at sea. Indirect cyber incidents are also likely to affect digital systems which ships rely on to maintain a safe operation.

In this context, incidents which are related to or attacks on digital infrastructure means intentional or unintentional attacks using malware affecting digital infrastructure such as information systems (IT) or operational systems (OT) on board ships, and have, or are likely to have, a negative effect on the operation or safety of a ship, persons on board or the cargo.

Requirement to report incidents or attacks on digital infrastructure

Norwegian ships, mobile offshore units and fishing vessels have a duty to report cyber incidents and attacks on digital infrastructure.

Furthermore, they have a duty to report incidents that do not necessarily directly attack or threaten the ship's physical integrity but where the objective is to cause loss by penetrating the ship's digital infrastructure.

Legal basis

The Ministry of Trade, Industry and Fisheries has laid down the Regulations on the obligation to notify and report marine accidents and other incidents at sea under the Ship Safety and Security Act section 47 fourth paragraph. Section 47 third paragraph of the Ship Safety and Security Act imposes a duty on companies to submit reports on other matters which are in the interest of the Norwegian Maritime Authority.

With the increased number of threats and incidents related to cyber attacks, as well as the introduction of digital safety as part of the safety management for ships and companies, the NMA finds it necessary to keep records of cyber incidents to be able to implement necessary measures. Sabotage and piracy have been specifically mentioned as reportable. Cyber attacks may largely be compared to or regarded as a form of sabotage or piracy even if they take place digitally, not physically.

Therefore, it is the opinion of the NMA that the duty to notify and report in section 47 of the Ship Safety and Security Act also applies to cyber incidents, and we request that cyber incidents are reported to the NMA.

Report form

A form for the reporting of cyber incidents is found on the NMA's website under the headline "Report an accident or incident".

Requirement to report cyber incidents

Requirement to report incidents or attacks on digital infrastructure

Legal basis

Report form

Legislation