Cybersecurity regulation in Ukraine (2026)
Ukraine has a comprehensive national cybersecurity regime anchored in the 2017 foundational law and a sweeping April 2025 reform (Law No. 4336-IX) that explicitly aligns the framework with the EU NIS2 Directive. The 2025 law replaces the outdated certification-based Comprehensive Information Security System model with a lifecycle risk-based approach and mandates designated cybersecurity officers across government bodies and critical information infrastructure (CII) operators. Incident reporting to CERT-UA is mandatory for CII operators, and a multi-tiered National Cyber Incident Response System has been formally established.
Key points
Law No. 2163-VIII established the legal and organisational basis for national cybersecurity, defined competences for SSSCIP, CERT-UA, and the National Security and Defence Council, and imposed mandatory notification of significant cyber incidents by owners of critical information infrastructure objects.
Passed by parliament on 27 March 2025 and signed by President Zelenskyy on 17 April 2025 (in force 20 April 2025), Law 4336-IX introduces risk-based security profiles, requires dedicated cybersecurity officers in all ministries and CII sectors, and creates a Cyber Incident Information Exchange System.
Law 4336-IX explicitly implements the EU NIS2 Directive (2022/2555), replacing the legacy SSSCIP-certified Comprehensive Information Security System (CISS) regime with owner-led declarations of security authorisation and continuous lifecycle oversight, bringing Ukraine's obligations in line with EU candidate-country expectations.
Operators of CII objects must report significant cyber incidents to CERT-UA, which maintains the State Register of Cyber Incidents and coordinates response together with SSSCIP and sectoral/regional teams; the 2025 law formalises a crisis-response protocol for large-scale or nation-state attacks.
Law No. 1882-IX 'On Critical Infrastructure' defines 16 critical-infrastructure sectors and sets baseline cybersecurity obligations on their operators, complementing the cybersecurity-specific legislation and underpinning the designation of CII objects subject to mandatory incident reporting.
SSSCIP is the primary national cybersecurity supervisory and policy authority. Under the 2025 reform it defines criticality criteria, establishes risk-assessment procedures for system owners, and validates supplier compliance, replacing its prior role as certifier of CISS implementations.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.