Getting the Deal Through: Cybersecurity 2019. Ukraine
Authors: Julia Semeniy, Yuriy Kotliarov, Sergiy Glushchenko, Sergiy Tsyba
Source: Getting the Deal Through: Cybersecurity 2019

1. Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

The main statutes and regulations that promote cybersecurity are as follows:

  • the Law on the Main Principles of Maintaining Cybersecurity of Ukraine (the Cybersecurity Law);
  • the Law on Protection of Information in Information and Telecommunication Systems;
  • the Budapest Convention on Cybercrime;
  • Decree of the Cabinet of Ministers of Ukraine on Approval of the Concept of Establishment of a State System for Critical Infrastructure Protection;
  • Resolution of the Ukrainian National Security and Defence Council on the National Security Strategy of Ukraine, approved by Presidential Decree (the National Security Strategy); and
  • Resolution of the Ukrainian National Security and Defence Council on the Cybersecurity Strategy of Ukraine, approved by Presidential Decree.

The Cybersecurity Law establishes the regulatory framework for a number of measures in the cybersecurity domain. It lays down the main directions of state policy in the area as well as the roles of the major responsible stakeholders. The Cybersecurity Law introduces the concepts of critical infrastructure (CI) and critical information infrastructures, mandating stringent security requirements for organisations running the CI. Overall, the Law is a high-level set of rules that defines the competence of the governmental authorities and delegates to them the right to regulate many other issues in the cybersecurity domain.

The National Security Strategy is a document that states the priorities of the national security policy. Its main goal is to create conditions necessary to ensure safe cyberspace and its use in the interests of individuals, society and government. This effectively paved the way for passing the dedicated law that comprehensively addresses a broad range of issues in the cybersecurity area: the Cybersecurity Law.

At the end of 2017, the government approved the Concept of Establishment of a State System for Critical Infrastructure Protection in Ukraine. The Concept identifies the main directions, mechanisms and timetables for implementation of legal measures aimed at protecting critical infrastructure.

A draft law ‘On critical infrastructure and its protection’ has been developed. Its goal is to increase the critical infrastructure protection capability and to help reduce vulnerabilities concerning critical infrastructures.

2. Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

The Cybersecurity Law envisages stringent rules for CI. This is a new concept that is defined rather broadly and may potentially catch any company that is essential for the maintenance of vital civil services, the disruption or destruction of which would have a significant impact on national security. In particular, the Cybersecurity Law names the following industries: chemicals, energy, utilities, transport, information technologies, electronic communications, banking and finance, healthcare, food production and agriculture.

Most of these sectors have no specific cybersecurity regulations at the moment, and these should be developed by the government. The banking sector still ranks first in promoting cybersecurity.

The Cybersecurity Law designates the National Bank of Ukraine (NBU) as one of the subjects responsible for providing cybersecurity, authorised to develop and implement preventive, organisational, educational and other measures in cybersecurity and cyber defence.

The NBU adopted the Decree on Approval of the Measures to Ensure Information Security in the Banking System of Ukraine (Decree No. 95). Decree No. 95 provides, for the first time, for mandatory regulation by the NBU of information security and cyber defence issues in Ukraine’s banking system. It also provides for the appointment of a chief information security officer in banks with the authority to take relevant managerial decisions, and defines the principles of information security management based on the new national standards of Ukraine on information security and the principles of information security and cyber defence.

The NBU intends, for the first time, to resolve the issue of ensuring the proper level of cyber defence and information security in the area of money transfer.

At the end of September 2018, the NBU proposed a draft of the Decree on Approval of the Regulations on Cybersecurity and Information Security in Payment Systems and Settlement Systems for public discussion.

Specifically, the draft Decree stipulates:

  • requirements in regard to building information and cybersecurity systems;
  • procedures for detecting cyber attacks; and
  • requirements in regard to organisational and technical measures to ensure protection of information and cybersecurity by the respective market players, etc.

3. Has your jurisdiction adopted any international standards related to cybersecurity?
