These are not the first initiatives in Ukraine to regulate the procedure for identification of critical infrastructure facilities.
The legal regulation of the critical infrastructure protection and sustainability system is a long-overdue issue for Ukraine.
In 2018, basic legislation entered into force obliging the Cabinet of Ministers of Ukraine to implement a system of relevant regulatory acts, starting with the formation of a list of critical infrastructure facilities. But none of them have been adopted yet.
Obviously, Ukraine is being in legal regulation vacuum. In this regard, Ukraine is not able to respond systematically, transparently and successfully to challenges in the sphere of critical infrastructure.
Therefore, all existing public initiatives should be considered as the state's logical response to close this gap.
According to preliminary estimates of Asters experts, some current initiatives have a high probability of being accepted by the Cabinet of Ministers of Ukraine (the "CMU") in the near future. Therefore, potential facilities of critical infrastructure should actively engage in the process of public discussions of regulation drafts presented by state bodies. Moreover, some of them should already start planning the implementation measures.
Asters continues to analyze the impact of the initiatives on the business in Ukraine, and actively participates in public discussions of all developed initiatives in the sphere of critical infrastructure along with the business community, state bodies and initiators of the regulatory acts.
Find below a brief overview of recent initiatives on critical infrastructure regulation.
The Law "On the Main Principles of Maintaining Cybersecurity of Ukraine" (the "Cybersecurity Law") was adopted in 2017 and entered into force in 2018.
The Cybersecurity Law introduced the concept of critical infrastructure and critical information infrastructures, established the legal and regulatory framework for a number of protective measures, and the competence of the governmental authorities in the cybersecurity domain. It lays down the main areas of the state policy as well as the roles of the major responsible stakeholders in cybersecurity. The Cybersecurity Law established a specific regime for operators of critical infrastructures. However, the concept of critical infrastructures is defined very broadly and does not establish criteria for identifying critical infrastructure facilities.
In particular, the Cybersecurity Law prescribes that any company, institution or organization operating or providing services in energy, chemicals, transportation, information technologies, electronic communications, banking and finance, and other industries, may be determined as a critical infrastructure facility.
In implementation of the Cybersecurity Law, the State Service of Special Communication and Information Protection of Ukraine (the "SSSCIP") has developed:
Regulations on designation of critical infrastructure facilities:
The regulations define sectors of critical infrastructure; the list of 'essential services' provided by the critical infrastructure facilities; authorized sectoral state bodies.
The facilities could be categorized within the facilities of critical infrastructure by economic sectors on the basis of the provided 'essential services'.
For example, if a legal entity produces or provides services on distribution of electricity, provides cloud services; produces or processes agricultural and/or food products; provides intelligent transport systems management services, it could be designated as a critical infrastructure facility.
The owner/executive officer of the critical infrastructure facility is responsible for ensuring the cyber protection of communication and technological systems and protection of technological information; informing CERT-UA team on cyber incidents; and organizing and conducting independent cybersecurity audits.
Regulations on cybersecurity audit:
Regulations on security measures and information protection:
This draft law provides for many innovations and has caused the greatest number of discussions among all initiatives presented by the SSSCIP. Currently, an updated version of the draft is expected to be published on the national regulator's official web-site based on public discussions with experts and business community.
It is proposed to cancel the complex system of information protection and implement the accreditation procedure for information and communication systems instead; cancel the licensing in the sphere of cryptographic and technical protection of information and establish the register of entities carrying out information protection activities; and introduce a new national regulator on security of information, information and communication systems (most likely, the SSSCIP will be envisaged to assume this capacity).
Other public initiatives in regulation of critical infrastructure facilities
The Ministry of Economic Development, Trade and Agriculture of Ukraine has developed and published on its official web-site for public discussion the draft law "On Protection of Critical Infrastructure."
The draft law establishes the main principles of state policy for critical infrastructure protection; defines the authority of state bodies in the sphere of protection of critical infrastructure; categorization, certification of critical infrastructure facilities, etc.
Also, the draft law provides authority to the SSSCIP for formation and implementation of the state policy for protection of critical technological information and cybersecurity of critical information infrastructure facilities. Moreover, the SSSCIP will exercise state control in this matter and participate in formation of general requirements to the cybersecurity of critical infrastructure facilities, and formation and administration of the register of critical infrastructure information facilities.
For further information, please contact Asters' partner Yuriy Kotliarov.