Soft-Law Guidelines for Maritime Security Compliance, by Marex

No. 7 UCOS

By MarEx

By Simon O. Williams, BA, LLM

Despite global regulation grounded in the international Law of the Sea (specifically, UNCLOS) and a myriad of coastal, port and flag state policies, major institutional gaps remain in the regulation of private maritime security. From a governance perspective, many argue that there is a dire need for new approaches and instruments to enhance regulation, increase harmonization of rules, set standards and ensure compliance. Experts cite that the best way to catalyze such change is by developing a soft-law framework.

What Is Soft Law?

Voluntary certification schemes and codes of conduct, known as soft law, are non-legally binding instruments; often used when there is uncertainty or ineffective hard law. Parties to soft law may behave in ways they negotiate and voluntarily agree to. In this case, their actions reflect the industry attempting to preempt government or international regulation to make standardization less painful and set trends in order to shape the future hard legal requirements in their sector.

Soft-law market responses to the maritime security industry boom, such as the emergence of industry-led regulations, codes of conduct and certification schemes, add order, oversight and accountability to this industry, closing the governance gaps left open in hard-law frameworks. Their introduction stems from a widespread commercial perspective that it is better to create industry controls, even self-imposed ones, now than to launch new government regulations later that will bring the industry to a screeching halt.

To close regulatory gaps and to develop some level of oversight and legitimacy, multiple voluntary industry-wide codes of conduct, certification schemes and guidelines have cropped up. Actions have been taken through consortiums of public and private partners interested in setting standards and improving best practices in this often considered unwieldy industry. The maritime security industry has proactively created such standards and best management practices for itself, preempting government involvement. These soft-law standards have even helped shape government and international regulatory policies toward the use of privately contracted armed security personnel (PCASP).

Advantages of Soft Law

What are the advantages of soft-law? It is low-cost, involves fewer meetings, fewer procedures, less bureaucracy, and is an excellent way to provide guidelines, develop interests and build momentum to evaluate program effectiveness before rolling out a hard-law package. The disadvantage of soft law is that it does not require compliance by states or parties who do not want to change, which ironically are often the targets of the instrument.

Even if the industry has historically not been a major supporter of armed guards, all elements that reluctantly accepted the role of PCASP sought a code of practice for the use of force and a clear oversight structure for the provision of security. The industry has established “self-regulating” doctrines beyond the limited hard-law frameworks

This means that corporate management sets or adopts international industry standards for their organization to follow. Historically, if the private military contractor industry in Afghanistan and Iraq is any guide, there is a ’race to the bottom’ as providers respond to competitive pricing in an unregulated environment. But industry standards have emerged to provide a minimum threshold for quality services.

The reporting of incidents that are resolved without damage to the ship or injury to the crew is also effectively disincentivized since the reporting company may open themselves to lengthy investigation and review of certification and training. To further complicate matters, confidentiality agreements banning incidents from being reported to outside agencies are sometimes incorporated as a part of the maritime security company’s contract with the shipping company.

IMO Circulars

“Universal and uniform” is the spirit of International Maritime Organization (IMO) regulation because vessels travel through all maritime zones under the jurisdiction of multiple countries, have crew from various countries, and therefore need to be held to relatively uniform standards.

The IMO is the United Nations agency for maritime affairs. It seeks to develop coordination and policy guidance among different policy areas and various uses of the sea. Among other issues ranging from vessel source pollution to arctic shipping safety, the Maritime Safety Committee (MSC) of the IMO drafts resolutions and recommended guidelines for the employment of armed guards aboard ships.

The IMO is considered the setter of Generally Accepted International Rules and Standards (GAIRS). Even if a state is not a party to specific IMO conventions, but a member of the IMO, then the UNCLOS policy of enforcing GAIRS applies because GAIRS come from not only treaties and laws, but also resolutions of the IMO, which has near universal membership and as such are often considered customary international law. According to a 2012 statement from the office of the EU High Representative for Foreign Affairs, Catherine Ashton: “the legal basis of arming cargo vessels needed to be looked into”…. Her spokeswoman added that the EU “would like the use of armed guards regulated within IMO.”

While IMO has not, at the time of writing, issued any binding treaty or convention regarding the use of armed guards aboard merchant ships, the Organization has released certain guideline documents in the form of IMO Circulars, which can be considered soft law (or even customary international law) advising flag states (MSC.1/Circ.1406), port and coastal states (MSC.1/Circ.1408), shipowners, shipmasters, and ship operators (MSC.1/Circ.1405), and even private maritime security companies (MSC.1/Circ.1443) on best practices and reaffirming their oversight responsibilities in international law.

The IMO, however, has stated that its guidelines do not address Rules of Engagement (RoE) for vessel protection details (VPDs) as this is a military concept outside the organization’s authority.

The organization also makes specific reference to the International Code of Conduct for Private Security Providers and the Montreux Document as reference points for PCASP guidance. Although neither of these texts focus explicitly on PCASP activity in the maritime domain as they were designed with terrestrial operations in mind, they act as a solid affirmation that the principles of good conduct, compliance and accountability should apply to the maritime domain as well, and especially the rule of law and human rights law.

The MSC of the IMO has urged port and coastal states to clarify their laws regarding embarkation, disembarkation and carriage of PCASP, their weapons, ammunition and other security-related equipment along with flag states to decide whether or not they will allow PCASP aboard their vessels, and if so under what conditions.

In addition, the IMO has released the syllabus for a model course for maritime security officers. Although this is not a piece of legislation, it is noteworthy as it has had a positive effect on the industry. PCASP are completing this instruction from maritime training providers offering it as qualifying standard, often in conjunction with Flag State approval, thereby increasing PCASP benchmark competency and uniform training to respond to attacks against commercial vessels. Although this training is not compulsory by law, ship-owners, insurers, and PMSCs actively seek personnel who have completed this training and/or other standards.

The IMO guidance makes also some tactical recommendations. It approves the use of passive and non-lethal defensive measures, supporting implementation of dual-use products inter alia; water hoses, nets, long range acoustic devices, razor and electric wire in the fight against piracy. On use of firearms, IMO is not as supportive, indicating hazards of firearms discharge including dangers of flammable cargo and conflict of port state rules banning their use.


Perhaps the soft-law agreement with the widest membership, The International Code of Conduct (ICoC) for private security service providers, has been signed by 708 security companies,  states, and other groups, identifying a set of principles and process for security providers to support rule of law and human rights.

Parties, however, incur no binding legal obligations and simply acknowledge that the principles of the Code of Conduct should be reflected in their operations. Although an accountability and oversight measure is being discussed for the ICoC, it may be difficult to enforce the provisions of the Code in a complex maritime environment, as opposed to on land, where jurisdiction and political boundaries are more straight forward.

ICoC seeks to populate the absence of universal, uniform standards for performance protocols and requirements of security contractors, thus enhancing the likelihood that PCASP will respond uniformly to attacks, in this case attempts of piracy and armed robbery against their clients’ vessels.

This code of conduct, like most others, is not legally binding. It simply indicates that there are international best practice standards to govern behavior, especially in this sector, and seeks to codify them into a document for providers and procurers of security services to voluntarily pledge adherence to.

Montreux Document

The Montreux Document on Pertinent International Legal Obligations and Good Practices for States related to Operations of Private Military and Security Companies during Armed Conflict grew out of international concern over the ungoverned, or at least unwieldy, activities of PCASP supporting land operations, mostly for the U.S. government in Iraq.

The Montreux Document highlights seventy-three guidelines, reaffirming international law, specifically international human rights law and international humanitarian law. It is signed by fifty states plus the EU, OSCE, and NATO. It encourages states and organizations to enact legislation requiring the vetting of private security companies and to impose penalties including criminal prosecution for violations of law.

Although also non-binding, the Montreux Document can be considered a code of practice, signed by states and organizations, alike, to abide by already existing international law, highlighted in the document, pledging to ensure that their operations do not take place in a legal vacuum, devoid from accountability, no matter far away from home they may be. This certainly can be, and has been, applied to the maritime context as well. Moreover, just as the nationality principle applies to vessels anywhere they are in the world via flag state jurisdiction, the Montreux Document introduces other applications for the nationality principle in the private security context. It titles three new groups of states. “Contracting States” which are states that directly hire private security services. “Territorial States” being states on whose territory private security activities take place, which can arguably include maritime territories and ports. And “Home States,” which are the states of nationality of the private security company or individual PCASP. As a result of these distinctions, further concurrent, or overlapping jurisdiction can apply to the individuals and firms in question, beyond simply the flag, coastal, and port state trifecta presented in the UNCLOS framework.

ISO/PAS 28007

While the Montreux Document and the ICoC are great stepping stones to guide the industry and advise on the best practices to be taken by crew and PCASP, they do not provide a benchmark standard for compliance activities in the maritime context. 

Industry leaders and organizations sought to develop a superior standard for private maritime security companies to meet and be held accountable to. After much deliberation in the main maritime security forums of the IMO’s MSC, BIMCO, the Security Association for the Maritime Industry (SAMI) and the Security in Complex Environments Group (SCEG), it was decided that the International Organization for Standardization (ISO) would release a pilot certification program, titled ISO/PAS 28007, as the standard. 

ISO/PAS 28007 has emerged as the gold standard of compliance and best practices for private maritime security companies to follow and be certified to, indicating they are working at the highest possible standard. The ISO, which standardizes many quality assurance systems, especially in the maritime sector, volunteered to design and produce the standard. It is hoped that ISO/PAS 28007 will be considered by major Flag States as a foundation to incorporate into their oversight regulations and standards for PMSCs operating on their flagged vessels. The standard has developed in two parts, as described below.

1.    ISO PAS 28007: Part 1 – Guidelines for Private Maritime security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract)

Part 1 is a list of best practice recommendations, to which private maritime security companies should strive to follow, and subsequently achieve ISO certification to, attesting to their industry leadership, legal compliance, and good conduct. Being certified to this standard provides a clear frame reference to ship-owners and other possible clients, that the certified PMSC in question can be relied on and trusted to conduct operations in line with the highest industry standards and recommended best practices.

According to the managing director of an industry leading PMSC, it is “inevitable […] that there will be significant variances in the quality, integrity and professionalism of the services being offered. Services can range […] from a highly professional, vetted, regulated and trained company, to an opportunistic start-up that chooses not to comply with any existing standard and offers low cost maritime security to hard-pressed ship-owners. ISO 280007 represents real progress and potential.”

ISO/PAS 28007 sets a standard for private maritime security operations, and creates a common understanding amongst service providers, procurers, and all state authorities of the role PCASP play in maritime security. The certification to ISO/PAS 28007 is the only accepted international certification scheme that can allow any interested party to quickly and confidently ascertain the legitimacy, competence, and compliance of a PMSC.

2.    Part 2 – Guidelines for Private Maritime security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships- International Model Set of Maritime Rules for the Use of Force (RUF)- AKA- ‘The 100 Series Rules’

On top of the issues of oversight and accountability, PCASP lack any standardized policy for the use of force. Military service personnel follow strict Rules of Engagement (RoE); command directives on circumstances under which forces will enter into and continue combat against opposing forces.  In the military context, these are generally consistent with international law and state practice, proportionate to the opposing forces and their use of force. In the private sector, specifically private maritime security industry, military guidelines are not applicable to civilian personnel, and the international laws governing threat response, such as the Geneva Conventions, do not apply.

As a result, an industry effort emerged to clarify rules for self-defense at sea by private parties, shipowners, crews, ship masters, and PCASP, where a standardized, legal use of force policy did not earlier exist. To provide such order, an optional industry-wide guideline emerged, which if followed, can mitigate the possibility that lethal force is used inappropriately and disproportionately. This guideline, dubbed the “100 Series Rules” has been developed as a civilian Rules for the Use of Force (RUF) version of military Rules of Engagement (RoE) to be appended to the ISO/PAS 28007 guidelines. 

The 100 Series Rules provide an international model set of RUF to which PCASP can be professionally trained to follow and their actions measured and evaluated by competent authorities in the event of a use of force incident. According to the chief author of the 100 Series Rules, “The point of this document is not one of imposition upon entities, but one of choice against which one can make an informed decision when reviewing and comparing RUF. At its core is the basic principle of the individual right of self-defence; itself a universal concept.”

Together, Parts 1 and 2 of ISO/PAS 28007 along with other soft-law frameworks reaffirm international law and obligations, painting a holistic best practice standard to which the private maritime security industry can be held to, balancing operational necessities with legal compliance. – MarEx 

Simon O. Williams, BA, LLM is Director of Tactique Ltd, a Washington DC-based consultancy on maritime security and environmental affairs. This is the sixth and final article in a series on maritime security operations and the Law of the Sea for MarEx.

(This article is a summary of maritime security developments. It is provided for general information purposes only, is not legal advice and does not constitute the offering of legal consultation services. It should not be used as a primary legal resource.The opinions expressed herein are those of the author and not necessarily those of The Maritime Executive.)

The opinions expressed herein are the author’s and not necessarily those of The Maritime Executive.