Summary
On April 20, 2025, Ukraine introduced a new cybersecurity law that overhauls its previous regulatory framework, aiming to enhance cybersecurity measures and align with European standards, specifically the NIS 2 Directive. The law introduces significant changes for public entities and foreign vendors interacting with Ukraine’s critical infrastructure.
Key Points
- The law introduces a new “security authorization” framework, replacing the outdated Comprehensive Information Security System (CISS).
- Public entities must now prepare declarations of security authorisations, shifting more responsibility to system owners.
- Certification for systems not handling state secrets is permitted, provided it is from recognised assessment bodies.
- Hardware and software used in public sector systems must avoid banned products and undergo security evaluations.
- The State Service for Special Communication and Information Protection (SSSCIP) retains key oversight responsibilities and expands its mandate.
- Enhanced cybersecurity requirements apply to critical infrastructure, with mandatory reporting of significant incidents.
- The law establishes a national cyber incident response system to strengthen coordination among different agencies.
- Foreign vendors must ensure their cybersecurity products are properly certified for use in Ukraine’s public sector.
- 30+ secondary legislative acts will be required to fully implement the provisions of this law.
Why should I read this?
If you’re involved in tech or cybersecurity, this legislation is critical to understand—especially if you’re dealing with Ukrainian public sector projects. It’s a major step in modernising their approach, setting the stage for how cyber threats will be managed going forward. We’ve sifted through the details so you can get the gist without the hassle of reading a legal document!