
LEGAL ALERT: Ukraine Enacts New Cybersecurity Law

23 May 2025

On 20 April 2025, a new cybersecurity law entered into force in Ukraine. The law introduces substantial institutional, procedural, and compliance-related changes to the Ukrainian cybersecurity regulatory framework, with potential implications for foreign providers of cloud services, IT solutions, and critical infrastructure technologies engaging with public bodies or critical sectors in Ukraine. The law also aims to align Ukrainian legislation with the NIS 2 Directive.

1. Security Authorization for Information Systems

Previously, public sector systems handling secret or official information were required to implement a so-called Comprehensive Information Security System (CISS) certified by the State Service for Special Communication and Information Protection (SSSCIP).

The CISS framework was widely regarded as outdated and not adequately suited to address modern threats and align with the best cybersecurity practices.

The new law modernizes this approach by replacing CISS with a “security authorization” framework. A security authorization, in essence, is a formal decision made by a public entity confirming that a system will operate in compliance with legislative requirements, national standards, and regulatory documents in technical, cryptographic, and cyber protection spheres.

Under the new framework, security measures should be implemented and maintained throughout the system's lifecycle based on the defined security profiles: basic, target, and sectoral. The basic security profile is defined by the SSSCIP, the sectoral profile is set jointly by the sectoral regulator and the SSSCIP, while the target profile is developed by the specific public entity after the system's risk assessment and based on the basic or sectoral security profile.

Unlike the previous certification of CISS by the SSSCIP, the new regime allows the owner or administrator of a system to prepare a declaration of the system's security authorization.

This marks a shift in responsibility towards system owners and reflects a more decentralized, risk-based approach.

2. Information Security Certification

As an alternative to security authorization for systems not processing state secrets, the law permits conformity certification with information security standards. Certification must be issued by a conformity assessment body accredited by Ukraine's national accreditation body or a foreign national accreditation body recognized in Ukraine through membership in international or regional accreditation organizations with mutual recognition agreements.

3. Conformity Assessment Requirements for Products

The law prohibits the use of software and network (communication) equipment included in a publicly available list of banned products for systems processing state information resources, including state secrets and official information, or supporting critical information infrastructure.

In addition, technical and cryptographic protection tools used in public sector systems must undergo security evaluation. For systems requiring security authorization or conformity certification, such tools must either be certified by the SSSCIP (for systems handling classified data) or possess a recognized document of conformity from an accredited assessment body (for non-classified systems).

4. SSSCIP Oversight

The SSSCIP remains the key cybersecurity regulator with an expanded mandate under the new law.

Its responsibilities include policy development, standard-setting, control and supervision, threat analysis, incident response coordination (including CERT-UA), defining and approving basic and sectoral security profiles, and maintaining a repository of cyber incidents.

5. Sector-Specific Cybersecurity Governance

The National Bank of Ukraine sets cybersecurity requirements for financial and payment systems under its jurisdiction.

The Ministry of Defence and the Security Service of Ukraine are responsible for defining security profiles for military and national security systems.

6. Enhanced Protection for Critical Infrastructure

The security authorization and alternative certification compliance framework also applies to public sector-owned critical information infrastructure systems.

Additionally, owners and operators of such systems must report significant security incidents, ensure secure backup of state data, and verify that no system components are located in occupied territories or aggressor states.

7. Supply Chain Security Requirements

The law introduces new requirements for suppliers of goods, works, or services that support state information systems or critical information infrastructure.

Specifically, suppliers must implement security measures proportionate to the risk posed by their goods, works, or services.

The SSSCIP is tasked with defining criteria for the criticality of such goods, works, and services, establishing procedures for risk assessment by owners/managers of relevant systems, determining corresponding security measures, and outlining the process for suppliers to demonstrate compliance with these security requirements.

8. National System for Cyber Incident Response

The law establishes a multi-tiered national system for responding to cyber incidents, attacks, and threats, with defined roles for the SSSCIP, CERT-UA, and sectoral/regional response teams. This system should enhance coordination and rapid response capabilities.

9. Implications and Further Developments

The new law has significant implications for both public entities and private sector stakeholders, particularly those involved with critical information infrastructure.

While this primarily affects Ukrainian entities, foreign vendors of cybersecurity products need to ensure their offerings obtain the necessary certification if they are to be deployed in Ukrainian public-sector networks or critical information infrastructures operated by public sector entities.

While the law sets the general framework, many of its provisions require further implementation through secondary legislation. More than 30 implementing acts are expected to be adopted under the new law. These acts will further shape the practical compliance landscape in Ukraine and may necessitate adjustments in compliance strategies by relevant stakeholders.

For further information, please contact Asters Partner Yuriy Kotliarov and Counsel Sergiy Tsyba.