Cyber Law in Ukraine

Ukraine has been significantly impacted by cyber warfare, particularly since the 2014 conflict and even more so since the full-scale invasion in 2022. This has spurred a rapid evolution of its cyber law and cybersecurity framework, often with strong international support and a focus on alignment with EU standards.

Here's an overview of cyber law in Ukraine:

1. Cybersecurity Framework:

Ukraine has actively developed a comprehensive cybersecurity framework, especially given the ongoing threats it faces.

Law of Ukraine "On the Basic Principles of Cybersecurity of Ukraine" (No. 2163-VIII, 2017): This is a cornerstone law that defines the legal and organizational basis for ensuring cybersecurity, including:

Defining key terms (cybersecurity, cyber threat, cyber incident, cyber attack, cyber protection, cyber defense, etc.).

Establishing the main objectives, directions, and principles of state cybersecurity policy.

Defining the powers of state bodies, enterprises, institutions, and organizations in the field of cybersecurity.

Regulating coordination among cybersecurity actors to efficiently respond to cyber threats.

Providing a basis for international cooperation in cybersecurity.

National Security and Defense Council (NSDC): The NSDC plays a crucial role in shaping cybersecurity policy and strategies. The Cybersecurity Strategy of Ukraine is approved by presidential decree based on NSDC decisions and outlines strategic priorities for developing safe, sustainable, and reliable cyberspace, securing government information resources and critical infrastructure, and building cybersecurity capacities.

State Service of Special Communications and Information Protection of Ukraine (SSSCIP / Derzhspetszviazok): This is a key agency responsible for national cybersecurity, including operational management, incident response (through CERT-UA), and protecting critical information infrastructure.

Computer Emergency Response Team of Ukraine (CERT-UA): Operates under the SSSCIP and is responsible for detecting, preventing, and responding to cyber incidents and cyber attacks.

Critical Infrastructure Protection: Significant attention is paid to protecting critical information infrastructure facilities, with specific resolutions and procedures in place.

2. Cybercrime Laws:

Ukraine has specific legislation addressing cybercrime, primarily incorporated into its Criminal Code.

Criminal Code of Ukraine (Section XVI, Art. 361-363-1): These articles criminalize a range of computer-related offenses, including:

Illegal access: Unauthorized interference with the operation of electronic computing machines (computers), automated systems, computer networks, or telecommunication networks.

Creation and Distribution of Malicious Software: Development or distribution of malicious software (viruses, etc.).

Data Interference and Damage: Unauthorized alteration, destruction, or blocking of information.

Computer Fraud: Fraud committed using information technologies.

Misuse of Devices: Creating or distributing special technical means for obtaining unauthorized access to information.

Illegal Interception: Unauthorized interception of computer data.

Criminal Procedure Code: Contains provisions related to the investigation of cybercrimes, including procedures for obtaining digital evidence, search and seizure of data, and real-time collection of traffic and content data.

Budapest Convention: Ukraine ratified the Council of Europe Convention on Cybercrime (Budapest Convention) in 2006. This commits Ukraine to harmonizing its cybercrime laws with international standards and facilitates international cooperation in combating cybercrime.

3. Data Protection and Privacy:

Ukraine has a dedicated data protection law, though efforts are ongoing to align it even more closely with EU standards.

Law of Ukraine "On Personal Data Protection" (No. 2297-VI, 2010): This is the main law governing personal data protection. Key aspects include:

Broad Definition of Personal Data: "Any information related to an individual who is identified or may be identified."

Consent: Generally requires the data subject's consent for processing, which must be informed and voluntary.

Data Subject Rights: Including rights to access, rectification, objection to processing, and knowledge of where their data is processed.

Obligations of Data Controllers: Requirements for lawful processing, data security, and notification.

Special Categories of Data: Strict rules for processing sensitive data (e.g., racial origin, political views, health data).

Data Transfer Abroad: Specific conditions apply to international transfers of personal data.

Ukrainian Parliament Commissioner for Human Rights (Ombudsman): This body is responsible for overseeing compliance with the data protection law.

GDPR Alignment (Ongoing): Ukraine is actively working on legislative initiatives (e.g., Draft Law No. 8153 on Personal Data Protection, which was adopted as a basis in 2024 and is expected to replace the current law) to further align its data protection framework with the EU's General Data Protection Regulation (GDPR) and the modernized Convention 108+. This includes introducing new principles (data minimization, accountability), updated consent concepts, data protection impact assessments (DPIAs), and increased administrative fines.

National Commission for Personal Data Protection and Access to Public Information (Proposed): Draft laws propose establishing an independent authority responsible for both policymaking and enforcement in data privacy and access to public information, similar to EU data protection authorities.

4. Electronic Trust Services and E-commerce:

Law of Ukraine "On Electronic Identification and Electronic Trust Services" (No. 2155-VIII, 2017): This law is crucial for the digitalization of various processes. It regulates:

Electronic Identification (eID) and Electronic Trust Services: Defines principles for providing and recognizing electronic trust services, including electronic signatures, electronic seals, and electronic time stamps.

Types of Electronic Signatures: Recognizes different levels, with Qualified Electronic Signatures (QES) having the same legal effect as handwritten signatures and a presumption of enforceability.

Mutual Recognition: Facilitates the mutual recognition of Ukrainian and foreign public key certificates and electronic signatures.

Ministry of Digital Transformation: Plays a key role in forming and implementing state policy in these areas.

Law of Ukraine "On Electronic Documents and Electronic Document Workflow" (No. 851-IV): This law establishes the legal force of electronic documents and regulates their workflow. It states that the legal force of an electronic document cannot be denied solely because it is in electronic form.

E-commerce Law: While not a single comprehensive code, e-commerce aspects are regulated by the Civil Code, Consumer Protection Law, and specific provisions in other acts that address online transactions, consumer rights, and electronic contracts.

Impact of War:

The ongoing full-scale invasion has intensified Ukraine's focus on cyber defense and resilience. It has also led to:

Rapid adaptation: The legal framework has had to adapt quickly to new threats and the need for greater cybersecurity cooperation.

International cooperation: Enhanced collaboration with international partners (EU, NATO, individual countries) on cybersecurity, intelligence sharing, and capacity building.

Digitalization acceleration: The war has paradoxically accelerated Ukraine's digitalization efforts (e.g., Diia app for digital documents and services), making robust cyber law even more critical.

Ukraine's cyber law is a dynamic field, constantly evolving to meet the challenges of digital transformation and the severe cyber threats it faces. Its ambition to align with EU standards is a significant driving force behind these legal developments.
