Ukraine intends to regulate the procedure for identifying critical infrastructure facilities and the measures for their protection

These are not the first initiatives in Ukraine to regulate the procedure for identification of critical infrastructure facilities.

The legal regulation of the critical infrastructure protection and sustainability system is a long-overdue issue for Ukraine.

In 2018, basic legislation entered into force obliging the Cabinet of Ministers of Ukraine to implement a system of relevant regulatory acts, starting with the formation of a list of critical infrastructure facilities. But none of them have been adopted yet.

Obviously, Ukraine is being in legal regulation vacuum. In this regard, Ukraine is not able to respond systematically, transparently and successfully to challenges in the sphere of critical infrastructure.

Therefore, all existing public initiatives should be considered as the state's logical response to close this gap.

According to preliminary estimates of Asters experts, some current initiatives have a high probability of being accepted by the Cabinet of Ministers of Ukraine (the "CMU") in the near future. Therefore, potential facilities of critical infrastructure should actively engage in the process of public discussions of regulation drafts presented by state bodies. Moreover, some of them should already start planning the implementation measures.

Asters continues to analyze the impact of the initiatives on the business in Ukraine, and actively participates in public discussions of all developed initiatives in the sphere of critical infrastructure along with the business community, state bodies and initiators of the regulatory acts.

Find below a brief overview of recent initiatives on critical infrastructure regulation. 

Legislative base

The Law "On the Main Principles of Maintaining Cybersecurity of Ukraine" (the "Cybersecurity Law") was adopted in 2017 and entered into force in 2018.

The Cybersecurity Law introduced the concept of critical infrastructure and critical information infrastructures, established the legal and regulatory framework for a number of protective measures, and the competence of the governmental authorities in the cybersecurity domain. It lays down the main areas of the state policy as well as the roles of the major responsible stakeholders in cybersecurity. The Cybersecurity Law established a specific regime for operators of critical infrastructures. However, the concept of critical infrastructures is defined very broadly and does not establish criteria for identifying critical infrastructure facilities.

In particular, the Cybersecurity Law prescribes that any company, institution or organization operating or providing services in energy, chemicals, transportation, information technologies, electronic communications, banking and finance, and other industries, may be determined as a critical infrastructure facility.

SSSCIP initiatives

In implementation of the Cybersecurity Law, the State Service of Special Communication and Information Protection of Ukraine (the "SSSCIP") has developed:

Regulations on designation of critical infrastructure facilities:

• draft Regulation of the CMU "On Adoption of Rules of Designation of Critical Infrastructures Facilities";
• draft Regulation of the CMU "On Adoption of Rules of Establishing of Registers of Critical Information Infrastructures, Placing of Critical Information Infrastructures on the State Register of Critical Information Infrastructures, Its Formation and Administration" (the "CI drafts").

The regulations define sectors of critical infrastructure; the list of 'essential services' provided by the critical infrastructure facilities; authorized sectoral state bodies.

The facilities could be categorized within the facilities of critical infrastructure by economic sectors on the basis of the provided 'essential services'.

For example, if a legal entity produces or provides services on distribution of electricity, provides cloud services; produces or processes agricultural and/or food products; provides intelligent transport systems management services, it could be designated as a critical infrastructure facility.

The owner/executive officer of the critical infrastructure facility is responsible for ensuring the cyber protection of communication and technological systems and protection of technological information; informing CERT-UA team on cyber incidents; and organizing and conducting independent cybersecurity audits.

Regulations on cybersecurity audit:

• draft Regulation of the CMU "On Approval of Requirements for Conducting Independent Cybersecurity Audit of Critical Infrastructure Facilities";
• draft Regulation of the CMU "On Approval of Rules for Conducting Independent Cybersecurity Audit of Critical Infrastructure Facilities" (the "Cybersecurity Audit Drafts").

Regulations on security measures and information protection:

• draft law "On Security of Information and Communication and Information Systems"

This draft law provides for many innovations and has caused the greatest number of discussions among all initiatives presented by the SSSCIP. Currently, an updated version of the draft is expected to be published on the national regulator's official web-site based on public discussions with experts and business community.

It is proposed to cancel the complex system of information protection and implement the accreditation procedure for information and communication systems instead; cancel the licensing in the sphere of cryptographic and technical protection of information and establish the register of entities carrying out information protection activities; and introduce a new national regulator on security of information, information and communication systems (most likely, the SSSCIP will be envisaged to assume this capacity).

• the first among the initiatives for implementation of the Cybersecurity Law is the adopted Decree of the CMU No. 518 dated June 19, 2019 "On the Adoption of the General Requirements for Cyber Protection of Critical Infrastructure Facilities."

Other public initiatives in regulation of critical infrastructure facilities

The Ministry of Economic Development, Trade and Agriculture of Ukraine has developed and published on its official web-site for public discussion the draft law "On Protection of Critical Infrastructure."

The draft law establishes the main principles of state policy for critical infrastructure protection; defines the authority of state bodies in the sphere of protection of critical infrastructure; categorization, certification of critical infrastructure facilities, etc.

Also, the draft law provides authority to the SSSCIP for formation and implementation of the state policy for protection of critical technological information and cybersecurity of critical information infrastructure facilities. Moreover, the SSSCIP will exercise state control in this matter and participate in formation of general requirements to the cybersecurity of critical infrastructure facilities, and formation and administration of the register of critical infrastructure information facilities.

For further information, please contact Asters' partner Yuriy Kotliarov.