diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index 7ab9faac6d..030de47438 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -941,6 +941,13 @@
root:systemd-network with a 0640 file mode.
+
+ Activate=
+
+ Takes a boolean. If enabled, then the security association is activated. Defaults to
+ unset.
+
+
@@ -986,6 +993,12 @@
Accepts the same key in [MACsecTransmitAssociation] section.
+
+ Activate=
+
+ Accepts the same key in [MACsecTransmitAssociation] section.
+
+
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 977c03eeb1..ee1f15909e 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -32,6 +32,12 @@ static void security_association_clear(SecurityAssociation *sa) {
free(sa->key_file);
}
+static void security_association_init(SecurityAssociation *sa) {
+ assert(sa);
+
+ sa->activate = -1;
+}
+
static void macsec_receive_association_free(ReceiveAssociation *c) {
if (!c)
return;
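Review bot: The `-1` written in `security_association_init` is undocumented, so a reader of `sa->activate = -1` cannot tell whether it is an error code or the "not configured" sentinel that later keeps the netlink attribute from being sent. I would put a one-line comment on the assignment: `/* -1: Activate= not set; the attribute is omitted and the kernel default applies */`. The helper also relies on callers having zero-filled the rest of the struct before calling it (both visible call sites use a designated initializer), which deserves a line above the function such as `/* callers zero-initialise sa; only fields whose "unset" value is non-zero are set here */`. The context function `macsec_receive_association_free` continues past the end of the hunk.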
@@ -76,6 +82,8 @@ static int macsec_receive_association_new_static(MACsec *s, const char *filename
.section = TAKE_PTR(n),
};
+ security_association_init(&c->sa);
+
r = ordered_hashmap_ensure_allocated(&s->receive_associations_by_section, &network_config_hash_ops);
if (r < 0)
return r;
@@ -209,6 +217,8 @@ static int macsec_transmit_association_new_static(MACsec *s, const char *filenam
.section = TAKE_PTR(n),
};
+ security_association_init(&a->sa);
+
r = ordered_hashmap_ensure_allocated(&s->transmit_associations_by_section, &network_config_hash_ops);
if (r < 0)
return r;
@@ -295,6 +305,12 @@ static int netdev_macsec_fill_message_sa(NetDev *netdev, SecurityAssociation *a,
return log_netdev_error_errno(netdev, r, "Could not append MACSEC_SA_ATTR_KEY attribute: %m");
}
+ if (a->activate >= 0) {
+ r = sd_netlink_message_append_u8(m, MACSEC_SA_ATTR_ACTIVE, a->activate);
+ if (r < 0)
+ return log_netdev_error_errno(netdev, r, "Could not append MACSEC_SA_ATTR_ACTIVE attribute: %m");
+ }
+
r = sd_netlink_message_close_container(m);
if (r < 0)
return log_netdev_error_errno(netdev, r, "Could not append MACSEC_ATTR_SA_CONFIG attribute: %m");
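Review bot: When `a->activate` is left at its unset value the new block silently omits `MACSEC_SA_ATTR_ACTIVE`, so what "Defaults to unset" means in practice is whatever the kernel does for a freshly added SA without that attribute; as far as I recall the macsec driver leaves such an SA inactive, i.e. installed but carrying no traffic until something activates it, which operators would want to know. I would make that explicit at the `if (a->activate >= 0)` line with `/* Activate= unset: omit the attribute and let the kernel apply its default for a new SA (inactive, if I read the driver correctly — confirm) */`, and if confirmed say so in the man page entry instead of just "Defaults to unset". The enclosing `netdev_macsec_fill_message_sa` starts before and ends after this hunk.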
@@ -849,6 +865,60 @@ int config_parse_macsec_key_id(
return 0;
}
+int config_parse_macsec_sa_activate(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ _cleanup_(macsec_transmit_association_free_or_set_invalidp) TransmitAssociation *a = NULL;
+ _cleanup_(macsec_receive_association_free_or_set_invalidp) ReceiveAssociation *b = NULL;
+ MACsec *s = userdata;
+ int *dest;
+ int r;
+
+ assert(filename);
+ assert(section);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ if (streq(section, "MACsecTransmitAssociation"))
+ r = macsec_transmit_association_new_static(s, filename, section_line, &a);
+ else
+ r = macsec_receive_association_new_static(s, filename, section_line, &b);
+ if (r < 0)
+ return r;
+
+ dest = a ? &a->sa.activate : &b->sa.activate;
+
+ if (isempty(rvalue))
+ r = -1;
+ else {
+ r = parse_boolean(rvalue);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r,
+ "Failed to parse activation mode of %s security association. "
+ "Ignoring assignment: %s",
+ streq(section, "MACsecTransmitAssociation") ? "transmit" : "receive",
+ rvalue);
+ return 0;
+ }
+ }
+
+ *dest = r;
+ TAKE_PTR(a);
+ TAKE_PTR(b);
+
+ return 0;
+}
+
static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
_cleanup_free_ uint8_t *key = NULL;
size_t key_len;
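Review bot: The "Ignoring assignment" wording on the `parse_boolean` failure path looks inaccurate: that path returns before `TAKE_PTR(a)`/`TAKE_PTR(b)`, so the `_cleanup_` handlers `macsec_*_association_free_or_set_invalidp` run on the association, and if they do what their names suggest for a static section, a malformed `Activate=` discards the whole `[MACsec*Association]` section (key included) rather than just this key; the helpers' bodies are outside the hunk, so please confirm. If dropping the section is the intent, which is the safer failure mode for a keyed SA, change the message to say so, e.g. `"Ignoring section: %s"`; if only the assignment should be ignored, move the two `TAKE_PTR` calls before the parse. Two smaller points in the same function: `assert(data)` guards a parameter the body never reads, and the bare `else` treats any non-transmit section as a receive section, so `assert(streq(section, "MACsecReceiveAssociation"));` in that branch would catch a future gperf mis-wiring. `macsec_read_key_file` at the end of the hunk continues outside it.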
diff --git a/src/network/netdev/macsec.h b/src/network/netdev/macsec.h
index 36c90d47ab..167e9ca8eb 100644
--- a/src/network/netdev/macsec.h
+++ b/src/network/netdev/macsec.h
@@ -31,6 +31,7 @@ typedef struct SecurityAssociation {
uint8_t *key;
uint32_t key_len;
char *key_file;
+ int activate;
} SecurityAssociation;
typedef struct TransmitAssociation {
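Review bot: `int activate;` sits among plain value fields with nothing indicating that it is a tri-state, so the next maintainer is likely to treat it as a bool and test it with `if (sa->activate)`, which would misread the unset value as "active". I would document the encoding on the field itself: `int activate; /* -1 = unset (attribute not sent), 0 = inactive, 1 = active */`. The `SecurityAssociation` typedef opens before this hunk.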
@@ -78,3 +79,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_macsec_packet_number);
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_id);
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key);
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_file);
+CONFIG_PARSER_PROTOTYPE(config_parse_macsec_sa_activate);
diff --git a/src/network/netdev/netdev-gperf.gperf b/src/network/netdev/netdev-gperf.gperf
index d06ef23a8b..20d7c143a0 100644
--- a/src/network/netdev/netdev-gperf.gperf
+++ b/src/network/netdev/netdev-gperf.gperf
@@ -141,12 +141,14 @@ MACsecTransmitAssociation.PacketNumber, config_parse_macsec_packet_number, 0,
MACsecTransmitAssociation.KeyId, config_parse_macsec_key_id, 0, 0
MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
MACsecTransmitAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
+MACsecTransmitAssociation.Activate, config_parse_macsec_sa_activate, 0, 0
MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
MACsecReceiveAssociation.KeyId, config_parse_macsec_key_id, 0, 0
MACsecReceiveAssociation.Key, config_parse_macsec_key, 0, 0
MACsecReceiveAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
+MACsecReceiveAssociation.Activate, config_parse_macsec_sa_activate, 0, 0
Tun.OneQueue, config_parse_bool, 0, offsetof(TunTap, one_queue)
Tun.MultiQueue, config_parse_bool, 0, offsetof(TunTap, multi_queue)
Tun.PacketInfo, config_parse_bool, 0, offsetof(TunTap, packet_info)
diff --git a/test/fuzz/fuzz-netdev-parser/directives.netdev b/test/fuzz/fuzz-netdev-parser/directives.netdev
index 344ffdf9b0..f09b92d28e 100644
--- a/test/fuzz/fuzz-netdev-parser/directives.netdev
+++ b/test/fuzz/fuzz-netdev-parser/directives.netdev
@@ -184,6 +184,7 @@ PacketNumber=
KeyId=
Key=
KeyFile=
+Activate=
[MACsecReceiveChannel]
Port=
MACAddress=
@@ -192,3 +193,4 @@ PacketNumber=
KeyId=
Key=
KeyFile=
+Activate=