Summary
On 20 April 2025, Ukraine implemented a new cybersecurity law aiming to modernise its regulatory framework. The legislation brings significant changes affecting public bodies, foreign cloud service providers, and critical infrastructure sectors within Ukraine. It aligns local laws with the NIS 2 Directive, enabling better cybersecurity practices across various sectors.
Key Points
- The new law replaces the outdated Comprehensive Information Security System (CISS) with a security authorisation framework.
- It introduces a more decentralised, risk-based approach, placing greater responsibility on system owners for compliance.
- Certification options are provided for systems not handling state secrets.
- Regulatory oversight remains with the State Service for Special Communication and Information Protection (SSSCIP), which now has an expanded role.
- New requirements are established for critical infrastructure and suppliers to ensure robust cybersecurity measures are in place.
- The legislation also sets up a national cyber incident response system with defined roles for various cybersecurity entities.
- With over 30 implementing acts expected, stakeholders may need to adjust their compliance strategies.
Why should I read this?
If you’re in the cybersecurity field or do business with Ukrainian public entities, this article is essential reading. The new law could significantly impact compliance and operational strategies, including for foreign vendors. Staying informed can help you navigate these changes and seize potential opportunities in a rapidly evolving regulatory landscape.