In response to the large-scale cyber-attacks of recent years, the European Union is introducing a comprehensive reform of its cybersecurity rules. Ukraine, with its unique practical experience in countering hybrid threats, is becoming a reliable partner for the EU in shaping the new system of digital resilience.
The European regulatory package in the field of cyber protection includes three fundamental acts:
- NIS2 (the revised Network and Information Security Directive) — makes company management bodies personally accountable for approving and overseeing cyber-risk management measures, requires them to undergo training, and obliges them to provide regular training for staff;
- DORA (Digital Operational Resilience Act) — unifies ICT risk management requirements for financial entities and governs their relationship with ICT third-party service providers, including contractual terms and oversight;
- Cyber Solidarity Act — creates a joint EU ‘Cyber Shield’, a network of national and cross-border security operations centres intended to detect and respond rapidly to large-scale incidents.
Furthermore, the Cyber Resilience Act (CRA) mandates a ‘secure-by-design’ approach for all products with digital elements, from hardware devices to software. Manufacturers must establish a transparent update policy, maintain a Software Bill of Materials (SBOM), operate a coordinated vulnerability disclosure (CVD) process, and ensure timely remediation of vulnerabilities, including reporting of actively exploited vulnerabilities.
Ukraine is actively harmonising its legislation with European standards. In 2025, key regulatory acts were adopted that strengthened the national cyber protection system:
- The Law of Ukraine on the Protection of Information and Cybersecurity of State Information Resources;
- Cabinet of Ministers of Ukraine Resolution No. 367 on security risk management at Category I critical infrastructure facilities;
- Cabinet of Ministers of Ukraine Resolution No. 712, which introduced security profiles—basic, sectoral, and targeted—to standardise policies and agreements in the field of cyber protection.
Moreover, by joining ENISA (the EU Agency for Cybersecurity) and the NATO CCDCOE (Cooperative Cyber Defence Centre of Excellence), Ukraine is now able to take part in international exercises and best-practice sharing, a further step in its integration into the European digital sphere.
Companies Should Take the Following Steps:
- Approve a cyber-risk policy and train management on the principles of NIS2, DORA, and CRA. This meets NIS2’s requirements for the management body’s role, mitigates the risk of sanctions, and prepares the company for compliance checks by European partners and auditors.
- Update incident response procedures to the NIS2 24/72/30 reporting timeline: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. This keeps the company aligned with EU requirements, shortens mean time to detect and to recover (MTTD/MTTR), and provides ready-made notification templates for clients and regulators, which directly affects trust and SLAs (Service Level Agreements).
- Revise contracts with EU clients (security clauses / DORA clauses). The goal is contractual compatibility: a register of the ICT services provided, audit and testing rights, sub-outsourcing rules, and incident notification protocols. This is a condition for entering and remaining in the EU market and for avoiding penalties or contract termination.
- Conduct a CRA gap analysis (secure-by-design, SBOM, CVD, update policy). This is vital to meet the application deadlines (11 September 2026 for the vulnerability and incident reporting obligations, 11 December 2027 for the remaining obligations), avoid market access barriers for products entering the EU, and reduce the cost of last-minute changes.
- Unify internal policies and public-sector / CI (critical infrastructure) contracts according to the security profiles (CMU Resolution No. 712) and the risk management requirements (CMU Resolution No. 367). This ensures compliance with Ukrainian rules for critical infrastructure and keeps requirements for contractors consistent across the entire supply chain.
Ukraine possesses not only the legislative framework but also genuine, real-world experience. Attacks on the energy system (BlackEnergy, 2015), the financial sector (NotPetya, 2017), and government resources (since 2022) have placed Ukrainian specialists among the world’s best in matters of cyber resilience.
“The harmonisation of Ukrainian legislation with European acts is not a formality but a step towards building a resilient digital space. Ukraine is not only adapting to EU norms but also sharing its own experience, which is already helping to strengthen Europe’s cyber defence,” states Martha Kindrys, Director of the IT Industry Development and Advocacy Center, IT Ukraine Association.
A unified European cyber-defence front is taking shape, with Ukraine positioned as a vital contributor. While the shift to NIS2 compliance is a long-term undertaking, it should ultimately produce a secure digital ecosystem in which business, state entities, and society function as a cohesive whole.