Skip to content
World Watch/Ukraine/Cybersecurity

Cybersecurity ยท Ukraine

Cybersecurity law & regulation in Ukraine (2026)

Comprehensive lawLaw of Ukraine No. 2163-VIII 'On the Basic Principles of Ensuring Cyber Security of Ukraine' (2017), substantially reformed by Law No. 4336-IX (in force 20 April 2025); supervised by the State Service of Special Communications and Information Protection (SSSCIP) with CERT-UA as the national incident response authorityCountry index 74 ยท B+

Ukraine shaded by its cybersecurity status

Cybersecurity in Ukraine: comprehensive law, anchored by Law of Ukraine No. 2163-VIII 'On the Basic Principles of Ensuring Cyber Security of Ukraine' (2017), substantially reformed by Law No. 4336-IX (in force 20 April 2025); supervised by the State Service of Special Communications and Information Protection (SSSCIP) with CERT-UA as the national incident response authority.

Ukraine has a comprehensive national cybersecurity regime anchored in the 2017 foundational law and a sweeping April 2025 reform (Law No. 4336-IX) that explicitly aligns the framework with the EU NIS2 Directive. The 2025 law replaces the outdated certification-based Comprehensive Information Security System model with a lifecycle risk-based approach and mandates designated cybersecurity officers across government bodies and critical information infrastructure (CII) operators. Incident reporting to CERT-UA is mandatory for CII operators, and a multi-tiered National Cyber Incident Response System has been formally established.

Key points

Foundational 2017 cybersecurity law

Law No. 2163-VIII established the legal and organisational basis for national cybersecurity, defined competences for SSSCIP, CERT-UA, and the National Security and Defence Council, and imposed mandatory notification of significant cyber incidents by owners of critical information infrastructure objects.

2025 comprehensive reform, Law 4336-IX

Passed by parliament on 27 March 2025 and signed by President Zelenskyy on 17 April 2025 (in force 20 April 2025), Law 4336-IX introduces risk-based security profiles, requires dedicated cybersecurity officers in all ministries and CII sectors, and creates a Cyber Incident Information Exchange System.

NIS2 alignment

Law 4336-IX explicitly implements EU NIS2 Directive (2022/2555), replacing the legacy SSSCIP-certified CISS regime with owner-led declarations of security authorisation and continuous lifecycle oversight, bringing Ukraine's obligations in line with EU candidate-country expectations.

Incident reporting and CERT-UA

Operators of CII objects must report significant cyber incidents to CERT-UA, which maintains the State Register of Cyber Incidents and coordinates response together with SSSCIP and sectoral/regional teams; the 2025 law formalises a crisis-response protocol for large-scale or nation-state attacks.

Critical infrastructure law

Law No. 1882-IX 'On Critical Infrastructure' defines 16 critical-infrastructure sectors and sets baseline cybersecurity obligations on their operators, complementing the cybersecurity-specific legislation and underpinning the designation of CII objects subject to mandatory incident reporting.

Supervisory authority, SSSCIP

SSSCIP is the primary national cybersecurity supervisory and policy authority. Under the 2025 reform it defines criticality criteria, establishes risk-assessment procedures for system owners, and validates supplier compliance, replacing its prior role as certifier of CISS implementations.

Ukraine - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’