Cybersecurity and Data Protection in Wartime Ukraine

Ukraine’s legal framework for cybersecurity has not evolved in an abstract form – but rather it was forged in the immediacy of wartime necessity. The Law of Ukraine On the Basic Principles of Ensuring Cybersecurity, the Law On Personal Data Protection, and sector-specific acts, particularly for financial institutions, form the statutory backbone. Yet, practice extends beyond texts.

Financial institutions operate under intense scrutiny: They must comply with the National Bank of Ukraine’s (NBU) Resolution No. 95, which outlines stringent cybersecurity requirements, and they must also navigate the operational realities of near-daily cyberattacks. The NBU also imposes mandatory implementation of internal cybersecurity policies, internal audit of ISMS (Information Security Management Systems), and periodic penetration testing – all of which have direct legal implications.

In practice, this has created points of friction. Many financial entities struggle with legal uncertainty over data localization requirements, ambiguity in breach notification standards, and lack of harmonisation between Ukrainian regulations and GDPR. These uncertainties increase litigation risk and complicate cross-border data operations.

More broadly, a key legal weakness is the absence of an enforceable national cybersecurity policy with unified risk classification and threat response protocols across sectors. This leads to variable interpretation in court, particularly regarding the scope of liability for breaches – whether resulting from gross negligence, force majeure, or systemic failure. Legal advisors often turn to the Ukrainian Chamber of Commerce and Industry (TPP) without judicial consistency to obtain force majeure certificates, including cyber-related incidents. However, current practice shows that invoking cyberattacks as force majeure remains controversial, and the burden of proof is high.

The lack of authoritative jurisprudence in Ukrainian courts on cyber liability contrasts with trends abroad. For example, in the U.S. case in Capital One Consumer Data Security Breach Litigation, the court examined attorney-client privilege in post-breach investigations, offering valuable guidance on the intersection of legal and technical response. Ukraine lacks such precedent, creating additional uncertainty for general counsels.

Protecting IP and Know-How under Persistent Threat

While customer data remains a primary concern, the last two years have seen a sharp rise in cyber operations targeting intellectual property, proprietary algorithms, and defence-oriented R&D. These assets, frequently stored in decentralised environments and shared across borders with partners, are vulnerable not only due to their technical sensitivity but because of gaps in legal protection frameworks.

A telling case involved a Ukrainian engineering firm co-developing control software for unmanned systems. After detecting anomalies in access logs – later linked to a state-sponsored actor – the company faced a crucial question: how do you attribute digital theft and defend your position in court or in investor negotiations? The legal strategy was twofold: first, we worked with the internal team to reconstruct contractual confidentiality mechanisms, ensuring traceability and enforceability. Second, we coordinated with technical experts to structure digital evidence in line with forensic admissibility standards.

This convergence of legal and technical disciplines defines effective IP cybersecurity today. Contracts, NDAs, trade secret registers, and patent portfolios are living instruments that must be activated in response to threats. Legal teams must help leadership anticipate which assets will, if compromised, trigger contractual penalties, regulatory intervention, or reputational damage.

Recent comparative research from the European Union Agency for Cybersecurity (ENISA) emphasises the growing demand for hybrid legal-technical governance models, particularly in sectors dealing with high-value data flows and cross-jurisdictional IP commercialisation. Ukraine’s wartime experience provides a real-world sandbox for testing and refining these models. From this experience, I strongly advocate the introduction of a unified national Cyber Governance Act – a comprehensive legal framework that would consolidate sectoral requirements, standardise breach response obligations, and promote legally enforceable public-private information sharing mechanisms.

Legal Functions Embedded in Cybersecurity Operations

Perhaps the most transformative shift is the internal repositioning of legal departments – from compliance monitors to strategic operators. Inside Ukrainian companies implementing innovative management models, legal professionals are now integrated into cybersecurity task forces, participate in tabletop simulations and co-lead incident response.

This is not merely symbolic – it reflects a more profound shift in how companies perceive legal risk, reputational exposure, and operational continuity as part of their core cybersecurity strategy. It ensures that decisions made during or immediately after an incident – about disclosures, access restrictions, and service continuity – are grounded in enforceable policy. It was during a distributed denial-of-service (DDoS) campaign against a regional telecom provider, that legal staff drafted real-time notifications to service regulators and structured liability buffers through emergency contractual addenda. It worked with PR teams to avoid misstatements that could exacerbate civil exposure.

A key success factor is the availability of legal tools tailored to digital resilience. These include breach notification frameworks which comply with domestic law and GDPR Article 33, automated risk scoring models for contract termination clauses, and integration of legal review into software development life cycles (SDLC) – especially for fintech, health tech, and military tech start-ups.

Ukrainian companies are beginning to treat legal foresight not as a cost but as a resilience asset. In my experience advising Ukrainian and international enterprises, the most significant returns come from pre-emptively embedding a legal strategy into every digital infrastructure layer. One of the most effective innovations we’ve implemented is a “Legal Cyber Training Ground” – a cross-functional hub where legal, compliance, and infosec teams collaborate on threat modelling, breach simulations, and proactive regulatory engagement. Internationally, this mirrors trends that are now being seen in Australia and the EU, where legal requirements for cybersecurity are becoming prescriptive (e.g., the EU NIS2 Directive). As Ukraine moves toward EU membership, its companies and legal advisors are being stress-tested ahead of harmonisation. 

References

1. European Parliament and Council. Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union, 27 April 2016.
2. Law of Ukraine. On Personal Data Protection. No. 2297-VI, 1 June 2010.
3. Law of Ukraine. On the Basic Principles of Ensuring Cybersecurity of Ukraine. No. 2163-VIII, 5 October 2017.
4. National Security and Defense Council of Ukraine. The Cybersecurity Strategy of Ukraine was approved in
5. National Bank of Ukraine. Resolution No. 95 On Cybersecurity in the Banking Sector, 28 September 2020.
6. European Union Agency for Cybersecurity (ENISA). Cybersecurity and Data Protection Interplay, 2023.
7. S. District Court, Eastern District of Virginia. In re Capital One Consumer Data Security Breach Litigation, 2020.
8. Ukrainian Chamber of Commerce and Industry. Official Guidance on Certification of Force Majeure Circumstances, 2022.