IACS UR E27 Cybersecurity Frequently Asked Questions (FAQs)

Overview

This FAQ is designed to provide general guidance and answers to the most common questions we receive at ABS. It serves as a helpful starting point for understanding our services, processes, and policies.

For questions that are more specific or require detailed support, we encourage clients to contact ABS directly. This ensures you receive guidance tailored to your individual needs.

Inquiries related to cybersecurity exclusions are best handled on a case-by-case basis. We recommend reaching out to us directly for assistance with those matters.

If a computer-based system is completely independent, with no internet connection, no physical interfaces (e.g., USB, CD drive), and no links to external systems, it is not required to comply with UR E26 and UR E27.

Additionally, if the system falls under the categories listed in ABS MVR 4-9-13/5.1, the Exclusion evaluation in ABS MVR 4-9-13/17 may apply.

Yes. The term "human users" includes both crew members and commissioning engineers. This definition covers all individuals who interact with the system, from commissioning through operation, to help ensure safety and usability throughout its lifecycle.

Yes. According to the definition of “System” in UR E27 (Section 1.4), a system is a combination of interacting programmable devices and/or sub-systems organized to achieve one or more specified purposes. Therefore, any third-party equipment within the system’s scope must also demonstrate compliance.

The supplier or manufacturer of that equipment should provide evidence of meeting the required security capabilities.

No, UR E10 and UR E22 are not within the scope of UR E27. However, they are expected to be applied as relevant for classification purposes. Specifically:

  • UR E10 addresses environmental performance of system hardware.
  • UR E22 covers safety and functionality of software and hardware in computer-based systems.

If you're applying for or revalidating a Product Design Assessment (PDA) certificate, it's recommended to combine compliance with UR E10, E22, and E27 to help ensure full alignment with classification requirements.

If the Layer 2 (L2) switch is part of a system that manages communication either within the applicable system or with external systems, then UR E27 approval is required.

However, if the L2 switch is an unmanaged switch, meaning it does not have configuration capabilities or software-based control, then UR E27 approval is not required.

Yes. Please refer to the check sheet and templates provided at the end of the IACS E27 documentation for guidance on required submissions.

Submission of the following documents is required during the supplier-phase approval:

  • Secure development lifecycle documentation (Section 3.1.5)

  • Maintenance and verification plans for the computer-based system (Section 3.1.6)

  • Information supporting the owner’s incident response and recovery plan (Section 3.1.7)

  • Management of change plan (Section 3.1.8)

No. UR E27 does not require the use of a qualified person or a certified testing organization to carry out tests for security capabilities.

UR E27 approval is generally not required under the following conditions:

  • The system is not a computer-based system (CBS).

  • It is a CBS but does not qualify as an applicable OT system.

  • It is a CBS and qualifies as an applicable OT system but is exempted under ABS MVR 4-9-13/17.5 (refer to Chapter 6 of E26).

Yes. A standalone component can receive UR E27 approval. However, the entire configured CBS must also be evaluated and approved under UR E27.

No. A service engineer’s work computer that is used temporarily for maintenance is not considered an “other system” under UR E26 Section 1.3.2.

  • The approved service engineer from the supplier is to implement appropriate cybersecurity measures for their laptop connection.

  • The OT system is not classified as connected to an untrusted network in this scenario.

Yes. If the firewall controls communication within the applicable system or with external systems, it must comply with UR E27.

These systems are typically not submitted to class for review. However, compliance is expected through alternative standards such as:

  • IEC 61162-460

  • IEC 63154

These standards must provide cyber resilience equivalent to or greater than that required by UR E26 and UR E27.

No. ABS does not require submission of actual software code or proprietary functionality.

References to databases and protocols in UR E27 are intended for informational purposes only (e.g., listing the types of software used) and not for a detailed review of their internal workings.

This approach respects intellectual property concerns while still supporting cybersecurity evaluation.
