
NBU Tightens Cybersecurity Rules for Nonbank Financial Institutions

by Roman Cheplyk
Monday, December 15, 2025

What the new information security standards change for investors and market operators

The National Bank of Ukraine has introduced updated requirements for information security and cyber protection for providers in the nonbank financial services market, including insurers, credit unions, financial companies, and pawnshops. The regulation entered into force on 13 December 2025, and market participants are expected to align their operations with the new requirements within one year.

For investors, lenders, and strategic buyers, this is not just a compliance update. It is a signal that the regulator is pushing the sector toward more predictable operational resilience and governance, while also raising the near-term cost of doing business for weaker or underinvested players.

What the regulation requires in practice

The new framework focuses on a risk-oriented approach and formal accountability inside each institution. It sets expectations for how cyber risk is identified, controlled, and escalated, and it ties day-to-day technology decisions to governance processes.

  • Cyber and information security risk management: a mandatory process for managing cyber risks and information security risks as part of ongoing operations.
  • Named responsibility: management must appoint a responsible person for implementing information security and cyber protection requirements, or the head performs these functions personally.
  • Internal policies: institutions must develop, approve, and review internal documents on information security at least annually.
  • Staff acknowledgement: users and privileged users must confirm that they have read internal security documents.
  • Technology baseline: use software and hardware in line with applicable Ukrainian legal requirements, including restrictions related to sanctioned products and suppliers.
  • Supported software only: use official software versions with vendor security support and updates.
  • Legacy exceptions with controls: if unsupported software is used, the institution must perform a risk analysis, introduce compensating controls such as monitoring, audit, and backups, and implement an approved migration plan.
  • Time-bound modernization: a transition plan for moving to supported software should be approved at the supervisory board level and implemented within a period not exceeding two years.

Why this matters for market economics

Cybersecurity upgrades are usually unevenly distributed across the nonbank segment. Larger insurers and well-capitalized financial companies often already run structured controls, while smaller players may rely on legacy stacks and informal processes. A one-year alignment window creates a compliance investment cycle that can accelerate consolidation and increase demand for managed security services, compliant infrastructure providers, and audit capabilities.

At the same time, stronger baseline controls can improve customer trust, reduce incident-driven losses, and lower operational volatility. In a market where service continuity and data protection directly affect brand value, this has real financial implications.

Investor checklist for 2026

For investors and acquirers assessing targets in the nonbank segment, the key question is not whether policies exist, but whether governance and execution are real. Practical due diligence can focus on the gap between written rules and operational controls.

  • Clear ownership of cyber risk at management level and a functioning reporting line.
  • Updated policies with evidence of annual review and staff acknowledgement.
  • Software inventory and vendor support status, including a plan for legacy systems.
  • Incident management process, logs, and evidence of monitoring and backups.
  • A budget and timetable that match the one-year alignment requirement.

In short, the new NBU requirements raise the compliance floor for the nonbank financial market. For disciplined operators, it can become a competitive advantage. For underprepared institutions, it is a deadline that will surface hidden operational risk.