This new law, effective immediately upon publication, establishes a robust legal framework for safeguarding Ukraine’s state information assets against cyber threats.
1. National Cyber Incident Response System
-
Defined Roles & Responsibilities:
-
Establishes clear mandates for Ukrainian Computer Emergency Response Teams (CERTs), Security Operations Centers (SOCs), and other key entities.
-
Specifies service functions and inter-agency cooperation protocols across a multi‑level response network.
-
-
Service Functioning Principles:
-
Introduces standardized procedures for detecting, reporting, and mitigating cyber incidents.
-
Ensures rapid coordination between government agencies, private sector partners, and critical infrastructure operators.
-
2. Crisis‑Mode Cybersecurity Operations
-
Crisis Response Activation:
-
Outlines triggers for elevating to crisis status during large‑scale attacks.
-
Defines streamlined decision‑making channels and emergency response measures.
-
-
Risk Management Lifecycle:
-
Mandates continuous risk assessment throughout the full lifecycle of information systems.
-
Requires the adoption and maintenance of security profiles aligned with international best practices.
-
3. Information Sharing & Transparency
-
Incident Notification Obligations:
-
Enforces timely disclosure of cyber incidents to authorized stakeholders, while restricting technical attack details that could aid adversaries.
-
Balances transparency with operational security—only the nature and technical characteristics of attacks may be classified, not the fact of an incident itself.
-
-
Protected Information Exchange:
-
Establishes secure channels for sharing threat intelligence among state bodies and critical infrastructure operators.
-
Implements confidentiality measures to protect sensitive data without hiding breaches from the public record.
-
4. Auditing & Cyber Defense Assessment
-
Independent Cyber Audits:
-
Introduces regular, non‑intrusive audits of state information systems to evaluate cyber defense maturity.
-
Reduces excessive state control by delegating audit tasks to qualified third‑party experts.
-
-
Continuous Improvement:
-
Requires agencies to publish audit findings and remediation plans, driving ongoing enhancement of cybersecurity posture.
-
5. Dedicated Cybersecurity Personnel
-
New Full‑Time Positions:
-
Creates mandatory roles for Chief Information Security Officers (CISOs) and cybersecurity specialists within all state bodies.
-
Extends staffing requirements to operators of Critical Information Infrastructure (CII)—including energy, transportation, finance, and healthcare sectors.
-
Addressing Previous Concerns
-
Clarified Transparency:
-
Early drafts proposed blanket classification of cyberattack information.
-
Final version limits classification to detailed technical parameters, ensuring the public is informed of incidents while safeguarding sensitive forensic data.
-
-
Enhanced Disclosure Requirements:
-
Lawmaker Oleksandr Fedienko confirms that the act strengthens disclosure duties, not obscures them, by mandating routine publication of incident summaries.
-
Why It Matters
-
Strengthening National Resilience:
-
Builds on lessons from the December 2024 and January 2025 Russian cyberattacks, which temporarily disrupted state registers.
-
Ensures faster recovery and better defense against future large‑scale cyber offensives.
-
-
Aligning with EU Standards:
-
Brings Ukraine’s cybersecurity framework closer to the EU’s Network and Information Security (NIS 2) directive.
-
Paves the way for deeper collaboration and mutual recognition of cyber incident response protocols.
-
Looking Ahead:
With the new cyber protection law in force, Ukrainian state agencies and critical infrastructure operators must swiftly adapt their policies, staffing, and technology investments. Over the coming months, implementing regulations and training programs will translate these legal provisions in
