State and Business Unite Against Cyber Threats: What Does the New Draft Law on Public-Private Partnership in Cybersecurity Entail?

Draft Law No. 14150, “On Public-Private Interaction in Cybersecurity,” has been registered in the Verkhovna Rada of Ukraine (Parliament). The development of the draft law was preceded by in-depth research into cybersecurity issues and a series of consultations with representatives of the state sector—SSSCIP (State Service of Special Communications and Information Protection), the Ministry of Defence, the SBU (Security Service of Ukraine), the NBU (National Bank of Ukraine), and the National Police—as well as private entities, including the ITU Member company Asters, the European Business Association (EBA), and the American Chamber of Commerce in Ukraine (AmCham).

 

The Draft Law defines the principles, directions, and legal forms of public-private interaction in cybersecurity, the life cycle of public-private interaction projects, the definition of tasks and powers of state participants, and also outlines the mechanisms for involving business in the implementation of joint projects, guarantees of private participants’ rights, and requirements for information protection.

 

The Draft Law was developed, in particular, by the Technology, Electronic Communications, and Cybersecurity practice team of the law firm Asters, comprising Partner Yuriy Kotliarov, Counsel Serhiy Tsyba, and Lawyer Viktoriia Kurylina.

 

Yuriy Kotliarov, who has seen this initiative develop from its authorship in 2025 to its consideration in the Verkhovna Rada as a Draft Law, notes that although the question of creating a legal basis for public-private interaction in the cybersecurity sector had been discussed in Ukraine by various stakeholders for several years, the process proved to be quite challenging.

 

The main difficulty, prior to structuring and drafting the law, was to isolate these specific relationships (since not every interaction should be regulated here), get to the core of the issues within these specific relationships, find simple solutions, and avoid complicating the existing cooperation that has intensified since the start of the full-scale war.

 

The results of the initial research and a series of collective and individual interviews demonstrated the main trend: the initiative received support for its development from both private and state stakeholders. Everyone equally supported the importance of creating a legal framework and the significance of these relationships.

 

The state sector primarily focused on the issues of restrictions and powers, which prevented them from utilising the full range of interaction forms, even when initiatives came from the private sector. The private sector focused on issues of predictability within the state sector, the transparency of their actions, matters of information protection, and guarantees. These results served as the baseline data for further work.

 

The adoption of this document is expected to be an important step towards creating a transparent, predictable partnership model between the state and business, which will allow for raising the level of cyber defence of Ukraine’s critical infrastructure and strengthening its technological sovereignty.

 

The Draft Law clearly specifies that it does not duplicate other legislative acts—such as laws on public or defence procurement, or norms regulating charitable or volunteer activities. At the same time, such processes may be part of public-private interaction projects if this contributes to the implementation of joint initiatives within the framework of the law.

 

Public-private interaction in the field of cybersecurity provides for the joint implementation of projects between state bodies and business to strengthen the protection of Ukraine’s digital space. The main directions of cooperation include:

• Information Exchange on cyberattacks, threats, and incidents;
• Monitoring and Response to cyber incidents, and restoration of critical infrastructure operation;
• Vulnerability Detection with the possibility of rewards for their disclosure (bug bounties);
• Development of standards, protocols, and recommendations for cyber defence;
• Education and Professional Development (upskilling) of cybersecurity specialists;
• Development of innovation and research, and the creation of response and analytics centres;
• Formation of state policy and stimulation of the national market for cyber products and services.

 

We draw attention to the fact that the guarantees of private participants’ rights within the framework of public-private partnership provide for full protection against unlawful interference by government bodies in the economic activities of investors. In the event of violations or inaction on the part of the state partner, the private party has the right to claim damages (compensation for losses). Furthermore, information received from a private participant cannot be used for control or sanctioning purposes, except in cases expressly defined by law or those containing signs of a criminal offence.