On January 17, 2025, the MTSA Cybersecurity Final Rule was published in the Federal Register establishing baseline cybersecurity measures for Maritime Transportation Security Act (MTSA) facilities. However, with the issuance of President Trump’s Executive Order (EO) “Regulatory Freeze Pending Review,” questions have arisen about the Rule’s timeline and implementation.
Specifically, Section (3) of the EO encourages federal agencies to delay the effective date of published rules for 60 days to review potential questions of fact, law, or policy. For the MTSA Cybersecurity Final Rule, the 60-day delay would extend to March 20, 2025, without affecting its current July 16, 2025, effective date. During this review period, agencies can open a comment period to evaluate issues and potentially propose further delays if needed.
In the case of the MTSA Cybersecurity Rule, there appear to be no substantial questions of fact, law, or policy:
- Fact: Cybersecurity is a recognized security risk for the maritime sector.
- Law: The U.S. Coast Guard has longstanding authority to regulate under the MTSA.
- Policy: There is no new policy. Existing policy under Navigation and Vessel Inspection Circular remains in place.
Despite this, some stakeholders suggest the Rule may not go far enough. For instance, the exemption for foreign-flagged vessels has drawn scrutiny. It’s also worth noting that regulatory freezes are not new. The Biden Administration issued a similar “freeze” in 2021, with language nearly identical to the Trump Administration’s 2025 order. For now, the MTSA Cybersecurity Final Rule remains on track.