Legal Environment

The Constitution of Ukraine enshrines the right to privacy through a general ban on interference in personal and family life, except for cases provided for by it. Additionally, the Constitution declares that the protection of information security is one of the most important functions of the state and the affair of the whole Ukrainian nation. 

Ukraine has established a legal framework for both cybersecurity and personal data protection. However, while the cybersecurity law is adapting dynamically to evolving challenges, the personal data protection law remains comparatively static for over a decade. The current personal data protection law is notably outdated, suffering from a weak enforcement mechanism applied by the under-resourced authority. As a result, the role of personal data protection laws in ensuring data security in Ukraine has been diminished. 

The Law of Ukraine “On the Protection of Information in Information and Communication Systems” is the basic law in the area of information security. This law establishes general conditions for processing information in the system depending on the type of information. It defines responsibilities for protecting information in systems, including the obligation of the system owner to report attempts and/or actual unauthorised activities in systems handling specific types of classified information. This law also establishes overall state governing mechanisms in information security, specifying the roles and powers of state bodies. 

The Law of Ukraine “On Basic Principles of Cyber Security of Ukraine” is the fundamental law in the sphere of cybersecurity which defines the main goals and principles of state policy in the field of cybersecurity in Ukraine, as well as the main subjects of the national cybersecurity system and their powers in the specified field. 

The Cybersecurity Strategy of Ukraine defines the priorities, goals and tasks of ensuring the cybersecurity of Ukraine. Complementing this strategy, the Government of Ukraine adopts action plans, detailing a comprehensive suite of specific measures along with their implementation deadlines.

Regulatory acts of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) constitute a significant part of the Ukrainian legislative framework in the sphere of cybersecurity. Its regulatory acts cover a broad spectrum of areas, including information security and cybersecurity, cryptography, digital signatures, security of electronic trust services, protection of state information and classified information, and critical information infrastructures. 

Beyond its regulatory functions, the SSSCIP also contributes to the cybersecurity field by issuing guidelines, scientific and practical commentaries on the existing legislation. 

Cyber protection of critical infrastructure (CI) facilities is governed by specific regulations. Key among these are: 

• the basic requirements for cyber protection of CI facilities, which is mandatory for all operators of CIs;
• the procedure for conducting an independent audit of information security at CI facilities. Such audit is mandatory for CI facilities and is carried out by certified auditors in accordance with the procedure established by the SSSCIP. The frequency of these audits depends on the criticality category of each facility.

Regarding sector-specific legislation, distinct regulatory bodies are responsible for adopting cyber protection measures within their respective domains. The National Bank of Ukraine, for instance, adopts regulations governing cyber protection in financial organisations. Similarly, the Ministry of Energy of Ukraine is tasked with establishing cybersecurity requirements for CIs in fuel and energy sectors. 

The Law of Ukraine “On Personal Data Protection” governs issues related to the protection and processing of personal data. Despite a number of amendments made to this law since its adoption in 2010, it currently does not fully meet the international best standards of personal data protection. 

In addition, the Ukrainian Parliament Commissioner for Human Rights ("the Commissioner"), a competent authority in personal data protection, has enacted a number of regulations addressing data protection issues. However, none of them mandate the reporting of data breach incidents. Instead, they primarily focus on general requirements for documenting violations in personal data processing, notifying senior management about such violations and engaging with the Commissioner on issues of prevention and elimination of such violations.

Specific provisions regarding cybersecurity, data protection and data classification are also contained in other laws such as Laws of Ukraine “On Electronic Communications”, “On Electronic Commerce”, “On Electronic Identification and Electronic Trust Services”, “On Payment Services”, “On Access to Public Information”, “On Information”.

Enforcement and Penalty Environment

Personal data protection

The Commissioner oversees compliance with personal data protection legislation by conducting inspections of personal data controllers and processors. These inspections can be scheduled, unscheduled, on-site and off-site. Upon identifying infringements, the Commissioner has the authority to issue either a directive for rectifying these infringements or a protocol that imposes administrative liability on the offending person.

The Code of Ukraine on Administrative Offenses establishes liability for specific violations of personal data protection, namely:

• failing to notify or delaying notification to the Commissioner about the processing of sensitive personal data, or any modifications thereof, as well as providing incomplete or inaccurate information;
• failing to comply with legal directives (prescriptions) issued by the Commissioner or his appointed officials regarding measures to prevent or rectify violations of the personal data protection legislation;
• failing to comply with the personal data protection procedure established by the relevant legislation, resulting in illegal access to personal data or violation of the data subject’s rights.

The Code imposes administrative liability for non-fulfilment of the Commissioner’s legal directives or those of its representatives.

This liability is imposed in the form of fines ranging from UAH170 to UAH34,000 (approximately EUR4 to EUR817).

While the Criminal Code of Ukraine imposes liability for violation of privacy, including illegal collection, storage, usage, destruction, dissemination of confidential personal information, as well as illicit alterations of such information, the prosecutions under this specific provision for the breaches of personal data are rare in practice.

Cybersecurity/Information Security

The SSSCIP as a principal regulatory authority in cybersecurity employs various oversight mechanisms to ensure compliance with the legal requirements. 

For example, the SSSCIP can conduct both scheduled and unscheduled inspections to verify: (i) compliance with cryptographic and technical protection requirements for particular types of classified information (“state information resources” and “information, the requirement for the protection of which is established by law”); (ii) compliance with licensing conditions by entities offering certain kinds of cryptographic and technical protection services; (iii) compliance with the legal requirements in the field of electronic trust services. 

In instances of non-compliance, particularly concerning electronic trust services law, the SSSCIP is authorised to demand correcting actions. If the required actions are not taken within the specified timeframe, the SSSCIP may propose to the Central Certifying Body the removal of a qualified provider of electronic trust services from the Trust List. The SSSCIP can also initiate court proceedings to enforce the corrective measures.

Additionally, the SSSCIP is empowered to impose fines for the following administrative offences:

• failure to comply with the directives of the SSSCIP or creation of obstacles to the fulfilment of SSSCIP’s duties, punishable by fines ranging from UAH850 to UAH2,550 (approximately EUR21 to EUR63); 
• failure to comply with the requirements of cryptographic and technical protection laws relating to secret information, leading to a real threat of a breach of confidentiality, integrity and availability of this information, punishable by fines ranging from UAH170 to UAH2,550 (approximately EUR4 to EUR63).

Additionally, the Criminal Code of Ukraine features a separate anti-hacking section, which outlines six distinct criminal offences pertaining to cybersecurity and information security. Among these, the most notable offence is the unauthorised interference with the functioning of information and electronic communication systems. Depending on various factors such as severity and the resulting consequences, penalties for this offence can range from UAH17,000 (approximately EUR416) to 15 years of imprisonment. In 2022, amendments were introduced to this section aiming to decriminalise “white hat” activities conducted in accordance with the established rules and procedures.     

Personal data security incidents v cybersecurity incidents

Under the current Ukrainian legislation on personal data protection, there is no specific definition of a "personal data security incident", nor is there a general requirement for reporting such incidents. However, an exception exists in the context of electronic trust services. In these cases, any breach of confidentiality and/or integrity of personal data related to the service users must be reported.

Conversely, the cybersecurity legislation defines a “cybersecurity incident”, which may or may not include a personal data breach, and imposes reporting obligations on certain entities in the event of such incidents. 

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers for more details. 

Key Authorities

The principal regulators and their respective areas of jurisdiction include:

• the SSSCIP along with the State Cyber Protection Center, the CERT-UA and the Center for Active Countering Aggression in Cyberspace; 
• the National Cyber Security Coordination Center, under the National Security and Defence Council of Ukraine (NCSCC);
• the Cyber Police Department of the National Police of Ukraine; 
• the Security Service of Ukraine, including the Cyber Security Situation Center established within its structure; 
• the Ministry of Defense of Ukraine and the General Staff of the Armed Forces of Ukraine; 
• intelligence agencies of Ukraine; 
• the National Bank of Ukraine.

The data protection authority is the Ukrainian Parliament Commissioner for Human Rights.

For a detailed description of their functions and tasks please see 2.2 Regulators to 2.6 Other Relevant Regulators and Agencies.

Administration and Enforcement Process in the Field of Personal Data Protection

The Ukrainian legislation defines the procedure for the Commissioner to oversee compliance with personal data protection legislation. Planned inspections are carried out in accordance with annual or quarterly plans. The grounds for conducting unscheduled inspections are defined by legislation and typically occur in response to substantiated requests from individuals and legal entities, or through the Commissioner's own initiative. 

Administration and Enforcement Process in Cybersecurity

The SSSCIP employs various oversight tools to ensure compliance with the legal requirements. 

For example, the SSSCIP can conduct both scheduled and unscheduled inspections to verify compliance with laws and regulations on cryptographic and technical protection, licensing conditions by entities offering certain kinds of cryptographic and technical protection services, and compliance with the legal requirements in the field of electronic trust services.

For more information please see 1.1 Laws.

Recently some attempts were made to expand the cybersecurity enforcement powers of the SSSCIP.  Draft law No. 8087, currently pending the second reading in the Parliament of Ukraine, suggests granting the SSSCIP the right to conduct scheduled and unscheduled inspections related to cyber protection of critical information infrastructure (CII). It also proposes to include into the SSSCIP the authority to mandate corrective actions for identified violations and responses to cyber threats and incidents for CIs of I and II criticality categories.

In 2022 the procedure for monitoring the security level of CIs was adopted. This procedure establishes a monitoring mechanism for ensuring compliance with the requirements and offering methodological assistance for enhancing protection. Sectoral and functional bodies in the field of CI protection perform this assessment once every three years.

Following the assessment, a security evaluation report is drafted, outlining proposals for improving protection systems and rectifying any violations or deficiencies, with specified deadlines for corrective actions. The CI operator must notify the monitoring entity and the authorised CI protection body about implementation of proposed actions and any measures taken to address identified issues within specified timeframes.

The Budapest Convention on Cybercrime (ETS No.185) entered into force in Ukraine in 2006. Over 16 years, Ukraine has enacted various laws to implement this convention. 

In 2022, Ukraine also signed the Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence, though it is yet to be ratified. 

Furthermore, Ukraine is trying to update its personal data protection legislation to align it with the GDPR and the Convention 108+. In 2017, the Ukrainian government adopted the Plan of Measures for Implementing the EU-Ukraine Association Agreement, which includes measures for enhancing its personal data protection law referring specifically to the GDPR. To this end, draft laws have been introduced to the Ukrainian Parliament. 

However, the timeframe for consideration of these legislative changes remains unclear. Current martial law conditions and other urgent wartime priorities continue to dominate in the Parliament's agenda, potentially delaying advances in data protection reforms.

Cybersecurity policy in Ukraine is based on the principle of public-private collaboration, achieved inter alia through the information exchange about cyber threats and incidents between state bodies, the private sector and citizens. This interaction primarily focuses on protecting CIs against various threats. 

The CERT-UA can receive information about cyber incidents from citizens and provide practical assistance in their prevention, detection and elimination of their consequences.

The NCSCC actively engages with the private sector, primarily through information exchange memoranda.

Key documents have been adopted to facilitate effective information exchange, including general rules for exchanging information about cyber incidents based on ENISA Considerations on the Traffic Light Protocol and the FIRST Standards Definitions and Usage Guidance. These rules determine the method for marking cyber incidents reports to restrict access only to designated parties. They are mandatory for government bodies and recommended for CIs.

The list of categories of cyber incidents is based on the ENISA Reference Incident Classification Taxonomy and the Common Taxonomy for Law Enforcement and The National Network of CSIRTs. The list aims to implement a unified taxonomy as a tool for sharing information about cyber incidents.

The Cybersecurity Strategy of Ukraine requires the development of a system for cybersecurity state indicators. It also anticipates formation of the National Plan to address emergencies in cyberspace and the establishment of a framework for systematic sharing information about cyber attacks, incidents and threat indicators.

The Cyber Security Incident Response Team in the banking system of Ukraine (CSIRT-NBU) provides advisory assistance to the financial sector on cyber protection, incident detection, threat response, and remediation, and develops recommendations for cyber protection. 

The National Bank of Ukraine and the Ukrainian banks exchange information on cyber threats and cyber attacks. This includes operational messages on the Cyber Protection Center portal of the National Bank of Ukraine and official correspondence. CSIRT-NBU shares information about cyber threats and threat indicators through operational messages on MISP-NBU and/or via email.

The Legal System

Ukraine’s legal framework for cybersecurity comprises a mix of horizontal and sector-specific laws and regulations. 

Horizontal laws and regulations provide a general framework, outlining governance principles, roles and responsibilities of public and private stakeholders, and implementation mechanisms. Key examples include the Law of Ukraine “On Basic Principles of Cyber Security of Ukraine”, “On the Protection of Information in Information and Communication Systems”, and “On Personal Data Protection”.

The key examples of sectoral laws are the Law of Ukraine “On Electronic Communication Services” and the Law of Ukraine “On Payment Services”. While these laws generally align with horizontal legislation, they incorporate sector-specific provisions, especially in energy and financial sectors. 

The National Bank of Ukraine maintains a distinct and somewhat autonomous status in cybersecurity as compared to other sectoral regulators, administering a well-developed, adaptable cybersecurity framework.

Enforcement

Enforcement across sectors is uneven. Outside the financial sector, enforcement of horizontal and sector-specific laws is hampered by weak mechanisms usually associated with limited authorities of sectoral agencies, inefficient sanctions, and resource constraints. Common enforcement tools include the Code of Ukraine on Administrative Offences which incorporates a limited range of cybersecurity-related offences and non-deterrent sanctions. Another common tool is the Criminal Code of Ukraine. However, the latter is primarily used for prosecuting hacking-related criminal offences and is generally viewed as ineffective in enforcing compliance with horizontal or sectoral cybersecurity regulatory requirements. 

Critical Infrastructures

Operators of CII, which encompasses both information and operational technologies, must comply with the Basic Requirements for Cyber Protection of CI. 

This includes implementing an information security system, conducting independent audits, and reporting incidents to CERT-UA. 

Additionally, cryptographic products used in CII must comply with the Technical Regulation for Cryptographic Means of Information Protection. 

Furthermore, if CII handles such specific classes of information as “state secrets” and “official information”, operators must employ a security management system with technical and cryptographic means certified in result of state expertise.

For handling so-called “state informational resources’’ and “information, the requirement for the protection of which is established by law”, operator of CII must also use cryptographic products certified in the result of state expertise. 

A number of regulatory acts were developed, including:

• a procedure for the response to various types of events in cyberspace and relevant methodological recommendations;
• a procedure for identifying potential vulnerabilities in information and communication systems.

Special attention has been paid to the detection of cyber attacks and implementation of countermeasures against cyberterrorism and cyber espionage targeting CIIs. To this end, the SSSCIP has developed a standard plan format for protecting CIs based on the projected threat of the national level "cyber attack/cyber incident" along with recommendations for developing these plans. 

Moreover, a mandatory independent audit of information security at CIs has been introduced.

Pending Changes in Personal Data Protection Framework

A new framework for personal data protection is expected in Ukraine. The pertinent draft law is currently pending parliamentary hearings. 

This draft law seeks to bring data protection legislation in line with the GDPR and the modernised Convention 108+.

Pending Changes in Cybersecurity Framework

In 2024 Ukraine plans to focus on several key areas of cybersecurity:

• creation of a system of effective cyber defence and combating cybercrime, which includes the creation of cyber command in the system of the Ministry of Defence, as well as the creation of technological capabilities for automatic detection of cyber attacks in real time and establishing a systematic exchange of information about destructive activities in cyberspace with international partners;
• development of public-private partnership; 
• implementation of a certification system for the products used in the operation and protection of information and communication systems, primarily for CIIs.

In addition, a new cybersecurity framework for CIs, influenced by the EU NIS 2 Directive and best practices in the field, is under active development. Among other things this framework is expected to: 

• update the basic requirements for cyber protection of CIs;
• develop the National Plan for responding to emergencies in cyberspace, outlining response and recovery mechanisms to national-scale cyber attacks on CIIs.

Draft law, currently under consideration in Parliament, aims to strengthen the cyber resilience of state information resources and CIIs. Along with expanding the powers of the SSSCIP, it proposes: (i) implementing the regulatory oversight of certain categories of entities, including suppliers and their subcontractors of CIIs; and (ii) creating a national system for exchanging information about cybersecurity incidents.

For information on which laws apply to data, systems, infrastructure and software, see 1.1 Laws.

The State Service of Special Communications and Information Protection of Ukraine

The SSSCIP is a state authority responsible for the formation and implementation of state policy in cryptographic and technical protection of information, cyber protection, and other related areas. It is also responsible for state policy in the field of cyber protection of CIIs and oversight in these spheres. 

In August 2022 the mission of the SSSCIP was broadened to include active countermeasures against cyber aggression and operation of the Center for Active Countering Aggression in Cyberspace.

The SSSCIP also carries out state control over compliance with the requirements in the fields of electronic trust services.

The SSSCIP was designated as the authorised body for CI protection during martial law and 12 months after its termination. In normal time, legislation calls for the creation of a separate authority responsible for CI protection.

The SSSCIP also operates :

• the State Cyber Protection Center, responsible for operation of vulnerabilities detection system, cyber incidents response, information security audit and cyber protection of CIIs;
• CERT-UA, assisting in preventing, detecting and mitigating the consequences of cyber incidents as well as in solving issues of cyber protection and combating cyber threats. It collects and analyses data on cyber incidents, and interacts within the FIRST Incident Response Team Forum.

The National Cyber Security Coordination Center

Under the National Security and Defence Council of Ukraine, the NCSCC:

• co-ordinates and controls cybersecurity activities of security and defence sector entities;
• analyses the state of cybersecurity (situational awareness);
• participates in the improvement of the regulatory and legal cybersecurity framework.

The National Police of Ukraine

The National Police of Ukraine, through the separate Cyber Police Department, carries out measures to prevent, detect, stop and investigate cybercrimes.

The Security Service of Ukraine

The Security Service of Ukraine is responsible for:

• preventing, detecting, terminating and disclosing criminal offences against peace and security in cyberspace;
• combating cyberterrorism and cyber espionage;
• secretly checking the readiness of CIs for possible cyber attacks;
• investigation of cyber incidents and cyber attacks on specific types of classified information;
• responding to cyber incidents in the sphere of state security.

The Cyber Security Situation Center is established within the structure of SSU. On the basis of this centre there operates the system of security information and event management (SIEM), which monitors events in real time and allows analysis of the state of information security.

The Ministry of Defence of Ukraine

Itdevelops and approves a cyber protection plan in the sphere of its competence based on the specifics of data and systems handled by the Ministry of Defence of Ukraine, and military formations of the Armed Forces of Ukraine (provided that such systems do not interact with other systems and are not used for the provision of electronic public services).

In addition, the Ministry of Defence of Ukraine conducts military co-operation with NATO, carries out international co-operation in the field of cyber defence and determines, within its competence, the specifics of information security requirements for suppliers (their subcontractors) of defence goods, works and services.

The Cybersecurity Strategy of Ukraine requires the creation of MIL.CERT-UA in the interests of the Ministry of Defence of Ukraine and the Armed Forces, as well as for co-operation with the European military CERT network.

Intelligence agencies of Ukraine carry out intelligence activities regarding threats to Ukraine’s national security in cyberspace.

Currently, the SSSCIP is the authority performing a leading role in the field of cybersecurity in Ukraine and co-ordinating cyber protection activities of other entities. For more information see 2.2 Regulators.

Data Protection Authority

Since 2014, the Ukrainian Parliament Commissioner for Human Rights ("the Commissioner") has been the data protection authority supervising compliance with the legislation on personal data protection.

For more information see 2.2 Regulators.

The Financial Sector

The National Bank of Ukraine (NBU) determines and supervises requirements for cyber protection and information security applicable to: 

• banks;
• other financial organisations whose activities are regulated and supervised by the NBU (such as insurers, credit unions, financial companies);
• operators and/or participants of payment systems;
• technological operators of payment services.

The NBU is tasked with assessing the state of cyber protection and conducting information security audit at CIs in the banking sector.

In addition, in 2017 the NBU established a Cyber Protection Center to enhance the effectiveness of the cybersecurity system in both banking and non-banking financial sectors. 

Additionally, since 2018 the CSIRT-NBU has been operational as part of the Cyber Protection Center of the NBU.

The Energy Sector

The Ministry of Energy of Ukraine regulates cybersecurity protection in the fuel and energy sector by establishing specific requirements for CIIs.

The Military Sector

The Ministry of Defence of Ukraine adopts a cyber protection plan within its competencies and performs other functions described in 2.2 Regulators.

The Ministry of Digital Transformation of Ukraine plays a significant role in shaping national policy in digital domain, including cybersecurity. 

In recent years, the Ministry has undertaken several initiatives in cybersecurity, including the launch of training programs for cybersecurity specialists, the conclusion of memorandums of co-operation with a number of international organisations and companies (the European Cyber Security Organisation (ECSO), Cyberfame GmbH and others).

Ukraine allows the application of various standards and international best practices in information security depending on the particular context.

For systems handling less sensitive types of classified information (such as “state information resources” and “information, the protection of which is required by law”), the law permits the use of information security management systems implemented in accordance with the national standards. Ukrainian national standards adopt many ISO standards, including the ISO 27xxx series. 

Critical Infrastructures

The SSSCIP has also issued several Methodological Guidelines relating to cybersecurity of CIIs. 

Based on the NIST Cybersecurity Framework, these guidelines include the list of the national and international standards like ISO 27001, COBIT 5, NIST-SP 800-53. 

Financial services

The National Bank of Ukraine regulations in cybersecurity are primarily based on such international standards as the ISO 27xxx series. 

The Payment Card Industry Data Security Standards (PCI DSS) is also extensively applied in Ukraine’s payment industry. 

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices. 

Public Sector

Ukrainian information security law requires the implementation of the so-called Comprehensive Information Security System (CISS) in systems handling special types of classified information such as “state secrets”, “official information”, and “state registers the creation of which is required by law”. 

The CISS is generally created in line with specific “normative documents”, adopted by the regulator, describing specific goals, technical and organisational measures. 

In particular, the CISS requires the establishment of security policy, threats and threat actors models, an information security unit, and a training plan. The selection of specific security controls depends on the type of system, class of information and the design of the CISS.

For systems handling less sensitive types of classified information (such as “state information resources” and “information, the protection of which is required by law”), the law permits the use of information security management systems implemented in accordance with the national standards, including ISO 27xxx series. In the latter case, requirements of a specific standard will apply.   

Critical Infrastructure

Under the Law of Ukraine “On Critical Infrastructure” operators of CIIs are required to implement a plan of measures for protecting and ensuring resilience of CI, which should include overall risk management measures, cybersecurity, physical security, response and recovery measures. 

Operators of CIIs are also required to comply with the Basic Requirements for Cyber Protection of CIs, which mandates implementing an information security system, conducting independent audits, and reporting incidents to CERT-UA. 

Operators of CII must conduct risk assessment and implement appropriate technical and organisational measures. 

Specifically, operators of CII have to: (1) create a unit or appoint an officer responsible for information security; (2) adopt information security risk management policy, including risk assessment methodology; (3) incorporate the principles of least privilege and separation of duties; (4) enforce policies for the minimum strength of passwords, and similar authenticators, and employ, as a rule, multi-factor authentication; (5) establish business contingency policy, including data back-up; (6) implement cyber incident response management policy, including incident taxonomy and procedure for incident reporting to CERT-UA; (7) provide basic cybersecurity awareness and training to employees; (8) use security information and event management or other tools to continuously monitor and log events of malicious and suspicious activity; (9) perform at least annually penetration testing to identify opportunities to improve the security posture of its systems; (10) not to use hardware and software components originated from a country under sanctions imposed by Ukrainian law; (11) place information technology components in third-party data centres provided that they are located in Ukraine and their owner is a Ukrainian resident; (12) place components of industrial control systems only in the operator’s own data centres; (13) implement policy for updates (patches) and system configuration.       

Energy Sector

The Ministry of Energy has adopted sectoral cybersecurity regulation, which is based on the NIST Cybersecurity Framework. 

Among other requirements, this cybersecurity regulation mandates operators of CIs in the energy sector to develop and implement a supply chain risks management plan, an incident response plan (cyber incident response, and business continuity), an incidents recovery plan, and a vulnerability management plan.

Financial Sector

The National Bank of Ukraine’s information security regulation establishes minimum requirements relating to information security and cybersecurity measures. 

Generally, the regulations require banks to establish information security management system in accordance with the national ISO 27001 standard, considering specific requirements.   

Among other requirements, banks must: (1) form or designate a collective management body responsible for implementation and maintenance of an information security management system and define its roles and responsibilities; (2) appoint a CISO from the executive-level managers; (3) create an information security unit; (4) develop an information security strategy aligned with the bank’s general strategy objectives; (5) develop business continuity and incident response plans; (6) implement policy for using cryptographic products, including cryptographic keys management, use of particular cryptographic algorithms, protocols and standards; (7) perform periodic penetration testing; (8) use Open Web Application Security Project (OWASP) standards for web application development. 

Ukraine’s Cybersecurity Strategy emphasises the development of international relationships in the cybersecurity domain, particularly with the EU, USA, NATO and NATO member countries.   

Following Russia’s full-scale invasion, Ukraine has received an unprecedented level of international support, establishing multifaceted co-operation in cybersecurity at strategic and operational levels, involving both public and private organisations. 

In late 2023, Ukraine, Canada, Denmark, Estonia, France, Germany, the Netherlands, Poland, Sweden, the UK and the USA announced the launch of a new tool for co-operation in the field of cybersecurity - the Tallinn Mechanism. 

The purpose of this mechanism is to co-ordinate and deliver cyber capacity building assistance to Ukraine across short, medium and long-term lines of effort, focusing on assistance, recovery, and resilience in both military and civilian areas.

In 2023 the SSSCIP signed the Working Arrangement with the ENISA. The arrangement encompasses main areas of co-operation: cyber awareness and capacity building, best practice and information exchange, specifically related to legislation alignment with a focus on telecommunications and energy sectors.

In 2022 the US CISA and the Ukrainian SSSCIP signed a Memorandum of Cooperation. This memorandum focuses on information exchanges and best practices on cyber incidents, technical exchanges on CI security, and joint cybersecurity training and exercises.

In 2023 Ukraine officially joined the NATO Cooperative Cyber Defence Centre of Excellence, a NATO-accredited cybersecurity centre and think tank that specialises in interdisciplinary applied research, analysis, information exchange, and cyber defence training and exercises.

Throughout 2022-2023, numerous co-operation arrangements were established with a broad network of private businesses operating in such areas as cloud technologies, threat intelligence, cyber capacity building, cyber defence, and training and exercises.

General Requirements

The Law of Ukraine “On Personal Data Protection” mandates controllers, processors and third parties to safeguard personal data from accidental loss or destruction, and illegal processing, including unlawful destruction or access.

State and local authorities, as well as controllers and processors handling personal data posing a significant risk to data subjects’ rights and freedoms, are required to establish either a data protection unit or appoint a data protection officer. In these cases, controllers and processors must notify the Commissioner as the competent authority in personal data protection. 

Specific Requirements

Controllers and processors must implement technical and organisational data protection measures throughout the entire data processing cycle. Controllers and processors select such measures based on the requirements of data protection and information security laws. 

Organisational measures include: (i) establishing an employee data access procedure; (ii) setting up a procedure for recording personal data processing operations and access to them; (iii) implementing a response plan in case of unauthorised access to personal data, damage to technical equipment, or other emergencies; (iv) conducting regular training for employees who work with personal data.

Controllers and processors are required to maintain a list of employees with access to personal data and determine the level of that access based on their job requirements, adhering to the “need to know” principle.

They must also keep a detailed record of all personal data processing activities, including date, time and source of collection of personal data, modifying, access, transfer, copy of personal data, date and time of deletion or destruction of personal data, along with an employee involved in, and purpose and grounds for these actions.

Technical measures, while not specified, should, among other measures, prevent an unauthorised access to personal data and processing systems. 

Special Cases

As mentioned above, while implementing data protection measures, controllers and processors must consider the requirements of information security laws.

In line with that, the implementation of a CISS is required for handling specially classified information like “state secrets”, “official information”, and “state registers the creation of which is required by law”. 

For less sensitive types of classified information the information security law permits the use of information security management systems implemented in accordance with standards like ISO 27xxx series. 

Therefore, if personal data fall under the classifications above, security measures must comply with either the CISS’s normative framework or a relative standard. 

Reporting

Ukrainian legislation does not explicitly require reporting data security breaches or losses to state authorities or data subjects. 

However, the data protection unit or an officer (if designated under the law) must: (i) inform the head of the controller or processor about violations of the personal data protection to initiate corrective measures; (ii) document facts of such violations; (iii) interact with the Commissioner to prevent and rectify breaches of data protection law; (iv) ensure the realisation of data subjects’ rights.

Before Russia’s 2022 full-scale invasion, Ukrainian cloud law imposed data localisation requirements on the public sector, prohibiting the storage and processing of data in cloud infrastructures located outside Ukraine. 

In response to the invasion, Ukraine amended its laws to permit the migration of most public sector workload into cloud infrastructures abroad. This change is applicable for the duration of martial law plus six months after its conclusion. 

Despite this temporary relaxation of restrictions, the Law of Ukraine “On Cloud Services” still contains this data localisation requirement. 

A similar regulatory environment exists in the banking sector. Under normal circumstances, the NBU requires Ukrainian banks to process and store information related to banking operations on servers and equipment physically located within Ukraine. 

Following a full-scale invasion by Russia, the NBU temporarily relaxed these restrictions, as a result of which Ukrainian banks can process and store information on banking operations, client personal data, and banking secrets using cloud resources located in EEU countries, the US, the UK and Canada. 

However, as with the public sector, this allowance is temporary, enacted only for the period of martial law plus two years after its conclusion.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices. 

The Basic Requirements for Cyber Protection of CI stipulate that when it is impossible to physically isolate the CII from external networks or systems, an operator of CII must install network security devices with the minimum set of functionalities, one of which is protection against denial-of-service attacks. 

A similar requirement is established in cybersecurity regulations applicable to the banking sector. Banks are required to implement security measures specifically designed to protect against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks at the external perimeter of their networks.

Internet of Things

The Basic Requirements for Cyber Protection of CI stipulate that for transmitting data between components outside the controlled territory of CI or between CII and other (external) information and communication systems, a secured connection must be used. This is to ensure the confidentiality and integrity of this data.

CII is permitted to connect to global data transmission networks, such as the internet, only through service providers that have secured access nodes to those networks with established CISS. Contracts between CII operators and service providers must obligate the latter to comply with these requirements.

Furthermore, industrial control systems may only connect to global data transmission networks, including the Internet, under specific conditions: if the technological process necessitates such connection and all security measures outlined in the Basic Requirements are implemented. 

Supply Chain Security

The Basic Requirements for Cyber Protection of CI require operators of CIs to develop and implement an information security policy that incorporates security requirements for dealing with suppliers.

Operators of CI must also use software and hardware components for their CII that are still supported by the manufacturer. 

Additionally, the Basic Requirements prohibit the use of software and hardware components originating from any country subject to sanctions as per Law of Ukraine "On Sanctions". This prohibition extends to products developed or manufactured by entities which include residents of such a country that have a significant portion of their authorised capital owned by that foreign state, or are controlled by entities from the sanctioned country.

There are no specific requirements applicable to ransomware attacks or extortion.

However, the Basic Requirements for Cyber Protection of CI establish general requirements, such as:        

• periodic creation of back-up copies of information resources for their prompt recovery in case of damage or destruction;
• redundancy and duplication of software and hardware components critical for the functioning of the CII and the business/operational processes of the CI.

Ukrainian legislation provides the following definitions:

• a cybersecurity incident is defined as an event or series of adverse events, either unintentional (natural, technical, technological, or due human or non-human error) or indicative of a cyber attack that threatens the security of electronic communications systems or process control systems, and may disrupt their normal  operation, block their work, or enable unauthorised control of system resources, thereby endangering the security of electronic information resources; 
• a cyber attack is defined as deliberate actions in cyberspace using electronic communications (including information and communication technologies, software, firmware, other technical and technological means and equipment) as aimed at compromising the confidentiality, integrity, availability of electronic information resources, obtaining unauthorised access to such resources, disrupting secure, stable, reliable and normal operation of communication or technological systems or using the communication system, its resources and means of electronic communications to commit cyber attacks.

For state information resources and information, the requirement for the protection of which is established by law, any attempts or actual unauthorised actions are subject to mandatory reporting. Unauthorised actions in the system are defined as those contravening the legally established procedure for access to this information.

Additionally, in the context of electronic trust and electronic identification services, any breaches of confidentiality and/or integrity of information that affect the provision of relevant services or involve personal data of service users must be reported.

Information about a cybersecurity incidentincludes, in particular, targeted objects, conditions under which they were attacked, cyberattacks that were successfully detected, neutralised and prevented, and cyber protection measures, including cyber threat indicators that were used.

In cases of unauthorised actions in relation to state information resources, the SSSCIP has established a standard format for an electronic report. This report includes time and date of detection, a description of unauthorised actions (in particular, methods and means employed, versions and types of software, details of software hardware vulnerabilities exploited, attack sources and its targets, server log files, any other important information).

Incidents reporting obligations encompass the following systems: (i) systems operated by government authorities and other public bodies; (ii) systems that process classified information such as “state informational resources” and “information, the protection of which is required by law”; and (iii) CIIs, defined as a communication or technological system within CI, a cyber attack on which could directly impact the sustainable functioning of such infrastructure. 

In Ukraine, medical devices are governed by Technical Regulation on Medical Devices (MDR), Technical Regulation on Medical Devices for In-Vitro Diagnostics, and Technical Regulation on Implantable Medical Devices.

Aligned with the former EU directives on medical devices, these Ukrainian technical regulations do not incorporate the specific cybersecurity requirements outlined in the new Regulation 2017/745. 

However, Ukrainian technical regulations include other provisions that may have security-related implications for manufacturers of medical devices. 

For instance, the MDR requires that devices incorporating software, or software being considered as devices in themselves, must be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, verification and validation. 

The primary approach to security verification and validation is testing. This includes methods like security feature testing, vulnerability scanning and penetration testing. 

Additionally, the MDR requires that devices with electronic programmable systems must be designed to ensure repeatability, reliability, and effectiveness of these systems in line with their intended use. In the event of a single fault condition, appropriate measures must be adopted to eliminate or reduce resultant risks. 

These requirements indirectly address operational and information security concerns. In effect, they necessitate safeguards against the workflow corruption or unintended outcomes, and ensure the integrity, availability and confidentiality of data, processes, and systems.

The Basic Requirements for Cyber Protection of CI applies also to SCADA. 

In particular, Basic Requirements stipulates that CII (which by definition includes SCADA) is permitted to connect to global data transmission networks, such as the internet, only through service providers that have secured access nodes to those networks with established CISS. Contracts between CII operators and service providers must obligate the latter to comply with these requirements.

Furthermore, Basic Requirements mandate placing components of industrial control systems only in operator’s own data centres.

Ukrainian legislation does not provide for specific requirements related to IoT. Therefore, general provisions of legislation on data protection and cybersecurity apply.

There are no requirements for secure software development.

The banking cybersecurity regulation only mandates using Open Web Application Security Project (OWASP) standards for web application development.

Mandatory Reporting Requirements

Critical infrastructure facilities

The operator of the CI is responsible for prompt notification of CERT-UA and, if applicable, the sectoral CERT, and  the Cyber Security Situation Centre of the Security Service of Ukraine (or the regional body of the SSU) on cyber incidents and attacks related to their CII.

Owners of systems processing special classes of information

Owners of information and communication systems notify the SSSCIP about attempts or actual unauthorised actions in systems handling “state information resources” or “information with limited access, the requirement for the protection of which is established by law”.

Banks

Banks inform the Cyber Protection Centre of the NBU of cyber attacks and incidents and provide relevant information upon the request of the CSIRT-NBU.

Providers of electronic services

Providers of electronic identification and trust services are obliged to:

• notify the SSSCIP and, if applicable, the Commissioner (as the data protection authority) about violations of confidentiality and integrity of information impacting service provisions or involving personal data of users. This must be done within 24 hours of becoming aware of such a violation;
• notify service users within two hours of becoming aware of such a violation.

The SSSCIP informs the public if it receives information about such violations from service providers or based on inspection results.

In addition, national legislation establishes a declarative obligation for a broad range of entities, including state and local governments, their officials, organisations regardless of ownership, and individuals about their assistance in ensuring cybersecurity, by reporting known information about cyber threats, cyber attacks and any related circumstances that could help in the prevention, detection and eradication of such threats, as well as in combating cybercrimes, cyber attacks and minimising their consequences.

Under current Ukrainian legislation, there are no defined “risk of harm” thresholds for notification obligations. Mandatory reporting encompasses all cyber incidents and cyber attacks targeting CIs. This also includes any attempts or actual unauthorised activities within systems handling state information resources or information, the requirement for the protection of which is established by law. 

However, specific obligations are in place for providers of electronic trust services. These providers are required to report incidents only if there is a breach of confidentiality and/or integrity of information that impacts the provision of their services or involves personal data of service users.

Interception/Surveillance: General Requirements

Operators of electronic communications networks are required to grant access to their networks to authorised state authorities for lawful interception/surveillance. This access is granted only in cases and according to procedures established by law. The Criminal Procedure Code of Ukraine is the primary law that outlines the procedural requirements that law enforcement bodies must meet to conduct such interception/surveillance activities.

Scanning: State Information Resources

The State Centre for Cyber Protection (SCCP) of SSSCIP is authorised to scan information and communication systems, or their components, which handle state information resources accessible via the internet. The aim is to detect vulnerabilities that could compromise confidentiality, integrity and availability of the information or the functionality of these systems.

The SCCP performs scanning pursuant to the established procedure on the assessment of security state of information state resources in information and communication systems.

Scanning can be initiated either: (i) upon written request from state or local authorities, military formations, or state-owned entities; or (ii) automatically, based on a predetermined list of scanning objects, formulated during the planning of security assessments in state and local authorities, military formations, private and public entities.

The SCCP compiles a report outlining the findings and recommendations. This report is then submitted to the operator of the respective information or communication system. Within one month of receiving the report, the operator must inform the SSSCIP in writing about measures taken to address the recommendations. 

Sectoral Requirements

Financial sector

The National Bank of Ukraine’s cybersecurity regulations mandates banks to:

• develop and implement an email usage policy, containing information transmission restrictions, categories of permissible email content, and limitations on the use of third-party email services unrelated to duties performed by bank’s personnel;     
• install tools for scanning all incoming and outgoing email messages, including attachments, for malicious code.   

The CSIRT-NBU is authorised to monitor information space and the internet to identify vulnerabilities, potential compromises of protected assets, and data leaks related to banks. 

Energy Sector

The Ministry of Energy of Ukraine’s cybersecurity regulation mandates operators of CI in energy sector to:

• continuously monitor the access of personnel, processes, and devices to information and communication systems, including CIIs;   
• monitor personnel activity to detect potential cybersecurity events. Personnel activity monitoring should be integrated into incident management system;
• constantly monitor for unauthorised personnel, connections, devices, and software. 

Please see ‘Legal environment’ in 1.1 Laws.

In addition to the comments at 5.8 Regarding Triggers on the required sharing of cybersecurity information, the Ukraine is actively developing a framework for the authorised exchange of information about cyber attacks, cyber incidents and cyber threats indicators. This initiative aims to encompass all key stakeholders in cyber security, primarily state bodies and CI operators. The technological platform of the NCSCC will facilitate this exchange. Efforts are also being made to standardise the formats for this information exchange, ensuring uniformity and efficiency in communication among these stakeholders.

Ukrainian legislation currently neither specifies nor imposes any restrictions on the mechanisms for sharing cybersecurity-related information among private sector entities.

Opportunities for voluntary information sharing are primarily facilitated through the activities of CERT-UA. CERT-UA plays a crucial role in processing the received information and providing practical assistance.

Please see ‘Enforcement’ in 1.6 System Characteristics for more details.

A notable incident was the cyber attack on Kyivstar, Ukraine’s largest mobile network operator.

On 12 December 2023 the Kyivstar cybersecurity team detected suspicious activities within its system. 

In response, Kyivstar shut down its entire network. This left subscribers nationwide without mobile communication and home internet services. The attack also disrupted systems associated with the operator’s network and services, such as ATMs and payment terminals of several Ukrainian banks.

Within three days, Kyivstar managed to restore most of its services, and by 21 December announced the full restoration of all its basic services.   

The company’s CEO described the incident as “the largest cyber attack on telecom infrastructure in the world.” Reportedly, the attackers targeted Kyivstar’s core network, destroying 40% of its infrastructure. The attack led to extensive server and data damage, and the complete destruction of the subscribers’ database. However, Kyivstar assured that no personal data leakage occurred. 

The loss of revenue due to compensation to customers through waived services monthly fees was estimated at about UAH3.6 billion (approximately USD95 million). 

The Security Service of Ukraine initiated investigations under eight criminal offences: (1) unauthorised interference with information and communication systems; (2) development for unlawful use, distribution or sale of malicious software or hardware, their distribution or sale; (3) encroachment on Ukraine’s territorial integrity; (4) high treason; (5) sabotage; (6) planning, preparation, initiation and conduct of aggressive war; (7) violation of laws and customs of war; (8) establishing, managing a criminal community or criminal organisation.

These allegations seem to suggest that, additional to typical hacking offences, the cyber attack on Kyivstar may involve violation of the International Humanitarian Law, such as, for example, the prohibition of attacking civilian objects, prohibition of terror attacks, indiscriminate use of means and methods of warfare. 

Responsibility for the attack was claimed by a group called Solntsepek, allegedly linked to the Sandworm group associated with the Russian intelligence services. 

It is believed that hackers gained access to Kyivstar’s systems through a compromised employee account.

The criminal cases and further details of the attack are still under investigation.

Please see 1.1 Laws (with regard to 'Enforcement and penalty environment')and 1.3 Administration and Enforcement Process.

There is no applicable information in this jurisdiction.

The procedural framework in Ukraine offers certain modalities for “collective lawsuits”. However, it does not implement principles of protection of collective interests and collective compensation, as seen in the class action suits in the US or the collective redress system in the EU such as those outlined in the EU Directive 2020/1828. 

Please see 3.3 Legal Requirements and Specific Required Security Practices. 

In the context of the Ukrainian cybersecurity legal requirements, the due diligence should focus on issues related to CIs, information security and personal data protection.

For example, if the potential target is a CI, it must comply with the general and sectoral laws and regulations. As discussed above, under the Law of Ukraine “On Critical Infrastructure” operators of CII are required to develop and implement a plan of measures for protecting and ensuring the resilience of CI, which should include overall risk management measures, information protection, cybersecurity, physical security, response and recovery measures. 

Operators of CII are also required to comply with the Basic Requirements for Cyber Protection of CI, which mandates implementing an information security system, conducting independent audits, and reporting incidents to CERT-UA. 

Under current non-cybersecurity-specific Ukrainian legislation there are no specific requirements for organisations to publicly disclose cybersecurity-related information. 

However, the Law of Ukraine "On Electronic Identification and Electronic Trust Services" authorises the SSSCIP to inform the public in the event of receiving information about violations. 

Ukraine is adopting a pragmatic, bottom-up approach to the regulation of artificial intelligence. 

Specifically, the Conception on the Development of AI in Ukraine calls for the integration of AI into the national cybersecurity system. This integration is expected to provide necessary tools for analysing and classifying various threats and developing effective response strategies. 

Various state authorities are involved in this endeavour, including the National Police of Ukraine, the SSSCIP, the Security Service of Ukraine, the National Security and Defence Council, and the Ministry of Digital Transformation.     

In October 2023 the Ukrainian National Center for Cybersecurity Coordination and IP3 Corporation, a leading energy security developer, declared the establishment of the Collective Defense AI Fusion Center (CDAIC) in Ukraine. 

The CDAIC is envisioned as a secure collaboration platform for real-time sharing of threat intelligence that aims to address the mutual cybersecurity concerns of Ukraine and its allies. Its goal is to establish an AI-based, networked defence system for the future of the proactive protection of Ukraine and its allies. The network will provide early warnings about various types of attacks and malware, particularly those associated with Russia and other similar adversaries.