NCSI FULFILMENT PERCENTAGE
Version 29 Nov 2023 Choose a version
STRATEGIC CYBERSECURITY INDICATORS
-
1. CYBERSECURITY POLICY 15/15 100%1515 100%
-
1.1. High-level cybersecurity leadership 333
Requirements
CriteriaThe country has appointed governmental leadership responsible for cybersecurity at the national level.
Accepted referencesLegal act, national strategy, official statutes or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
State Special Communications Service of Ukraine/ State Service for Special Communications and Information Protection of Ukraine (SSSCIP), see Law of Ukraine about the main principles of ensuring cybersecurity of Ukraine, Article 8 (2) number 1, link above.
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/3475-15#Text
Law of Ukraine about the State Service of Special Communications and Information Protection of Ukraine
-
1.2. Cybersecurity policy development 333
Requirements
CriteriaThere is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/242/2016#n9
National Coordination Center for Cyber Security, see Regulation on the National Cyber Security Coordination Center, link above.
"9) development and submission of proposals to the National Security and Defense Council of Ukraine, its Chairman in accordance with the established procedure, regarding:
a) determination of the national interests of Ukraine in the field of cyber security, priority directions, conceptual approaches to the formation and implementation of state policy regarding the safe functioning of cyberspace, its use in the interests of the individual, society and the state;
(…)
11) working out issues related to determining the ways, mechanisms and methods of solving problematic issues that arise during the implementation of state policy in the field of cyber security;"
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/856-2019-%D0%BF#n12
Ministry of Digital Transformation, Regulation on the Ministry of Digital Transformation of Ukraine, link above, see number 14
-
1.3. Cybersecurity policy coordination 333
Requirements
CriteriaThe country has a regular official format for cybersecurity policy coordination at the national level.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/242/2016#n9
National Coordination Center for Cyber Security, see Regulation on the National Cyber Security Coordination Center, link above
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2469-19#Text
The Law of Ukraine about the National Security of Ukraine, link above, see Article 31 (2) – National Coordination Center for Cyber Security
-
1.4. National cybersecurity strategy 333
Requirements
CriteriaThe central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
Accepted referencesValid official document
Evidence
Evidence presented in a foreign language
https://www.president.gov.ua/documents/4472021-40013
Cyber Security Strategy of Ukraine approved by Presidential Decree of Ukraine No. 447/2021 dated August 26, 2021
-
1.5. National cybersecurity strategy action plan 333
Requirements
CriteriaThe central government has established an action plan to implement the national cybersecurity strategy.
Accepted referencesCurrent official document, legal act, or official statement
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/n0087525-21#Text
Cybersecurity Strategy of Ukraine (2021 - 2025) Implementation Plan, approved by the President of Ukraine, from February 1, 2022, No. 37/2022
-
-
2. GLOBAL CYBERSECURITY CONTRIBUTION 4/6 67%46 67%
-
2.1. Cyber diplomacy engagements 333
Requirements
CriteriaThe government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)
Accepted referencesOfficial website of the organisation or cooperation format, official statement or contribution
Evidence
https://thegfce.org/member-and-partner/ukraine/
GFCE
https://ccdcoe.org/news/2023/the-nato-ccdcoe-welcomes-new-members-iceland-ireland-japan-and-ukraine/
NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) — as a contributing participant.
OSCE
- OSCE – Permanent Council Decision No. 1106, Initial set of OSCE Confidence–Building Measures to reduce the risks of conflict stemming from the use of information and communication technologies
- Permanent Council Decision No. 1202 – OSCE confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies.
Background information:
-
2.2. Commitment to international law in cyberspace 111
Requirements
CriteriaThe country has an official position on the application of international law, including human rights, in the context of cyber operations.
Accepted referencesOfficial document or statement, international indexes
Evidence
Evidence presented in a foreign language
https://www.president.gov.ua/documents/4472021-40013
See Cyber Security Strategy of Ukraine approved by Presidential Decree of Ukraine No. 447/2021 dated August 26, 2021, see 7. Directions of foreign policy activity of Ukraine in the field of cyber security:
"(…)
Ukraine will continue to actively participate in the international dialogue on responsible behaviour of states in cyberspace based on compliance with the principles of international law, the UN Charter, as well as norms, rules and principles of responsible state behaviour. This will require greater coordination and consolidation of interested parties at international forums, in which Ukraine will be not only a participant, but also an initiator and organizer.Ukraine will maximally support the multi-stakeholder (multilateral) model of Internet management, promoting international, regional and national discussions on this issue, involving representatives of the private sector, scientific and educational circles, civil society institutions in this process. Attempts by individual authoritarian states to sovereignize the Internet contradict the long-term interests of Ukraine and its model of socio-economic development.
Ukraine will promote further compliance with international law and standards in the field of human rights, encourage the use of best practices, and intensify its efforts to prevent abuse of new technologies. To this end, Ukraine will intensify its participation and partnership in international standardization and certification processes in the field of cyber security, expand its representation in international, regional and other standardization bodies, organizations engaged in the development of standards and certification in this field (…)."
Examples where Ukraine has aligned itself with EU statements.
-
EU Statement – UN Open-Ended Working Group on ICTs: Regular Institutional Dialogue (2023)
-
EU Statement – UN Open-Ended Working Group on ICT: International Law (2023)
-
EU Statement – United Nations Open-Ended Working Group on ICT: General exchange of views (2021)
-
EU Statement – United Nations Open-Ended Working Group on ICT: International Law (2021)
-
-
2.3. Contribution to international capacity building in cybersecurity 002
Requirements
CriteriaThe country has led or supported cybersecurity capacity building for another country in the past three years.
Accepted referencesOfficial website or project document
Evidence
-
-
3. EDUCATION AND PROFESSIONAL DEVELOPMENT 6/10 60%610 60%
-
3.1. Cyber safety competencies in primary education 002
Requirements
CriteriaPrimary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
-
3.2. Cyber safety competencies in secondary education 002
Requirements
CriteriaSecondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
-
3.3. Undergraduate cybersecurity education 222
Requirements
CriteriaAt least one undergraduate education programme is available in the country to train students in cybersecurity.
Accepted referencesAccredited study programme
Evidence
Evidence presented in a foreign language
- Bachelor of Cyber Security, Kyiv National University of Economics
- Bachelor. 125 Cyber Security and Information Protection, Kharkiv National University of Radio Electronics
- Bachelor’s Degree in Cyber Security at Ternopil Ivan Puluj National Technical University Cybersecurity
- Bachelor’s in cyber security and information protection, National Technical University “Kharkiv Polytechnic Institute
- Bachelor of Cyber Security Kharkiv Semyon Kuznets National University of Economics (S. Kuznets National University of Economics
- National Technical University of Ukraine "Ihor Sikorsky Kyiv Polytechnic Institute”
- Bachelor’s degree in Cybersecurity at Entrant of Karazinsky University
Evidence presented in a foreign language
https://vstup.osvita.ua/spec/1-40-2/0-0-2390-0-0-0/
An overview of various cybersecurity-related bachelor's degree's can be get with the link above.
-
3.4. Graduate cybersecurity education 333
Requirements
CriteriaAt least one cybersecurity education programme is available in the country at the graduate level.
Accepted referencesAccredited study programme
Evidence
Evidence presented in a foreign language
- SET University – Master of Cyber Defense
- Master. 125 Cyber Security and Information Protection, Kharkiv National University of Radio Electronics
- Master Cyber Security at Ternopil Ivan Puluj National Technical University Cybersecurity
- Master’s degree in cyber security and information protection, National Technical University “Kharkiv Polytechnic Institute”
- National Technical University of Ukraine "Ihor Sikorsky Kyiv Polytechnic Institute”
- Master’s degree in security of information and communication systems at Entrant of Karazinsky University
Evidence presented in a foreign language
https://vstup.osvita.ua/spec/2-0-2/0-0-2390-0-0-0/
An overview of various cybersecurity-related master's degree's can be get with the link above.
-
3.5. Association of cybersecurity professionals 111
Requirements
CriteriaA professional association of cybersecurity specialists, managers, or auditors exists in the country.
Accepted referencesOfficial website
Evidence
https://engage.isaca.org/kyivchapter/home
ISACA Kyiv Chapter
Evidence presented in a foreign language
Cybersecurity Scientific Association of Ukraine
-
-
4. CYBERSECURITY RESEARCH AND DEVELOPMENT 4/4 100%44 100%
-
4.1. Cybersecurity research and development programmes 222
Requirements
CriteriaA cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
Accepted referencesOfficial programme or official website
Evidence
Evidence presented in a foreign language
https://cyberlab.nau.edu.ua/#about_us
Research Laboratory of Cyber Threats Counteraction in Aviation
-
4.2. Cybersecurity doctoral studies 222
Requirements
CriteriaAn officially recognised PhD programme exists accommodating research in cybersecurity.
Accepted referencesOfficial programme or official website
Evidence
Evidence presented in a foreign language
- Cyber Security and Information Protection – Kharkiv National University of Radio Electronics
- PhD in cyber security and information protection, National Technical University “Kharkiv Polytechnic Institute”
- National Aerospace University "Kharkiv Aviation Institute"
- National Aviation University – Faculty of cyber security and software engineering
- National Technical University of Ukraine "Ihor Sikorsky Kyiv Polytechnic Institute
-
PREVENTIVE CYBERSECURITY INDICATORS
-
5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE 9/12 75%912 75%
-
5.1. Identification of critical information infrastructure 333
Requirements
CriteriaThere is a framework or a mechanism to identify operators of critical information infrastructure.
Accepted referencesLegal or administrative act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/943-2020-%D0%BF#n16
Resolution dated October 9, 2020, No. 943 on some issues of objects of critical information infrastructure see “Procedure for forming a list of critical information infrastructure objects“
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
Definition of “Critical Information Infrastructure Object” can read in Article 1 (19) of Law of Ukraine About the Main Principles of Ensuring Cyber Security of Ukraine
Evidence presented in a foreign language
- Order 01/15/2021 No. 23 on the approval of Methodological recommendations on the categorization of critical infrastructure objects, see I. General Provisions, 6. The Methodology
- Law of Ukraine about Critical Infrastructure, Article 9
-
5.2. Cybersecurity requirements for operators of critical information infrastructure 333
Requirements
CriteriaOperators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal act, or mandatory cybersecurity framework or standard
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/1882-20#Text
Law of Ukraine about Critical Infrastructure, Article 21. Number 1. (1), (2), (9), (14); Article 22 (6)
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/518-2019-%D0%BF#Text
Resolution dated June 19, 2019 No. 518 on the approval of General requirements for cyber protection of critical infrastructure objects
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
Law of Ukraine About the Basic Principles of Providing Cyber Security of Ukraine, see Article 6.3.
-
5.3. Cybersecurity requirements for public sector organisations 003
Requirements
CriteriaPublic sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal or administrative act, mandatory cybersecurity framework or standard
Evidence
-
5.4. Competent supervisory authority 333
Requirements
CriteriaA competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/1882-20#Text
Law of Ukraine about Critical Infrastructure, Articles 17 & 23
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/821-2022-%D0%BF#n8
Procedure for monitoring the security level of critical infrastructure facilities
"4. Monitoring is carried out by conducting once every three years an assessment of the state of security of critical infrastructure objects (hereinafter - assessment of the state of security) by sectoral and functional bodies in the field of critical infrastructure protection (hereinafter - monitoring subjects) in accordance with their powers, defined The Law of Ukraine "On Critical Infrastructure"."
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
Law of Ukraine about the main principles of ensuring cybersecurity of Ukraine – Article 8 (2) number 1
"The State Service for Special Communications and Information Protection of Ukraine ensures (…) critical information infrastructure objects, carries out state control in these areas (…) ensures the implementation of information security audits at critical infrastructure facilities, establishes requirements for information security auditors, determines the procedure for their attestation (re-attestation); coordinates, organizes and conducts vulnerability audits of communication and technological systems of critical infrastructure objects"
See also the Law of Ukraine about the National Security of Ukraine:
- Article 19 (3) – Security Service of Ukraine ;
- Article 22 (1) – State Service of Special Communications and Information Protection of Ukraine
-
-
6. CYBERSECURITY OF DIGITAL ENABLERS 10/12 83%1012 83%
-
6.1. Secure electronic identification 222
Requirements
CriteriaA national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
Accepted referencesLegal act, nationally recognised identification scheme, or official website
Evidence
Evidence presented in a foreign language
I.D.GOV.UA – Integrated Electronic Identification System – A universal platform for e-identification and authentication of users
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/546-2019-%D0%BF#Text
Regulation on the Integrated System of Electronic Identification, approved by the resolution of the Cabinet of Ministers of Ukraine of June 19, 2019 No. 546
Diia – Government Services Online
-
6.2. Electronic signature 222
Requirements
CriteriaA nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/852-15#Text
Law of Ukraine on Electronic Digital Signature
-
6.3. Trust services 222
Requirements
CriteriaTrust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2155-19#Text
Law of Ukraine about Electronic Trust Services
-
6.4. Supervisory authority for trust services 222
Requirements
CriteriaAn independent authority has been designated and given the power to supervise trust services and trust service providers.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2155-19#Text
Law of Ukraine about Electronic Trust Services, Article 33
-
6.5. Cybersecurity requirements for cloud services 222
Requirements
CriteriaRequirements are established for the secure use of cloud services in government and/or public sector organisations.
Accepted referencesLegal or administrative act, cybersecurity framework or standard
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2075-20#Text
The Law of Ukraine About Cloud Services
"Article 1. Scope of the Law
This Law defines the legal relations that arise in the provision of cloud services and establishes the specifics of the use of cloud services by state authorities (…)Article 8. Requirements for the provider of cloud services and/or data center services
(…)
The provider of cloud services and/or data center services must:
to provide the state body designated for the formation and implementation of the state policy in the field of cyber protection with the information necessary to assess the security of the electronic communication network, electronic communication service and information systems, including the documented security policy;
eliminate any non-compliance with the requirements approved by the communications services regulator. (…)Article 10. Provision of cloud services and/or data center services
(…)
3. The essential terms of the contract for the provision of cloud services and/or data center services for public users and objects of critical information infrastructure are:
(…)
the procedure for protecting data (including personal data) when providing services, including the procedure for protection against unauthorized actions (internal and external threats, cyber security incidents, cyber attacks), and the procedure for notifying the user about this;
requirements for immediate notification of a cyber security incident that has a significant impact on the provision of cloud services and/or data center services;
(…)Article 11. Peculiarities of using cloud services and/or data processing center services by public users of cloud services
(…)
3. The provision of cloud services and/or data center services to public users of cloud services is carried out in compliance with the requirements of the legislation on personal data protection, information protection and cyber security.Article 14. Protection of information when providing cloud services and/or data center services
(…)
2. At the request of the user of cloud services and/or in accordance with the procedure defined by the contract, the provider of cloud services and/or data center services provides information on the protection of information in the cloud computing system against internal and external threats, cyber attacks." -
6.6. Supply chain cybersecurity 002
Requirements
CriteriaRequirements are established to identify and manage cybersecurity risks through the ICT supply chain.
Accepted referencesLegal act or official website
Evidence
-
-
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING 9/12 75%912 75%
-
7.1. Cyber threat analysis 333
Requirements
CriteriaA government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
Accepted referencesLegal act, statute, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/242/2016#Text
National Cyber Security Coordination Center, see Regulation on the National Cyber Security Coordination Center Article 3 (2)
-
7.2. Public cyber threat reports 333
Requirements
CriteriaPublic cyber threat reports and notifications are issued at least once a year.
Accepted referencesOfficial website, official social media channel, or public report
Evidence
State Cyber Defense Center, State Service for Special Communications and Information Protection of Ukraine, Russia’s Cyber Tactics: Lessons Learned in 2022
Evidence presented in a foreign language
Cyber Digest – Overview of Developments in the Field of Cyber Security, December 2022 published by the National Cyber Security Coordination Center & prepared with the support of the USAID Project “Cybersecurity of Critically Important Infrastructure of Ukraine”
-
7.3. Public cybersecurity awareness resources 333
Requirements
CriteriaPublic authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
Accepted referencesOfficial website, public advisories
Evidence
Evidence presented in a foreign language
- Cyber Police of Ukraine website → “Recommendations” or “No more ransom”: https://cyberpolice.gov.ua/articles/
- CERT-UA → Recommendations: https://cert.gov.ua/recommendations
- Governmental Portal – Tips for safe online behaviour and a new training course: https://www.kmu.gov.ua/news/misiats-kiberbezpeky-porady-pro-bezpechnu-povedinku-v-merezhi-ta-novyi-navchalnyi-kurs
- Ministry of Education and Sciences of Ukraine: https://mon.gov.ua/ua/news/yak-ubezpechiti-sebe-v-kiberprostori-pid-chas-onlajn-navchannya-poradi-derzhspeczvyazku & https://mon.gov.ua/ua/tag/kiberbezpeka
- Special Website of the State Intelligence Service: https://cip.gov.ua/ua/news/kibermisyac-v-ukrayini & https://cybermonth.cip.gov.ua/
- “Diia” education portal. Portal with online courses: basic digital literacy, for teachers and for parents. “Online Safety of Children.” : https://osvita.diia.gov.ua/
- State Cyber Defence Centre – State Special Communications Service of Ukraine: https://scpc.gov.ua/uk/recommendations/129
- Overview of different initiatives, tips, guides etc. can be found on the webpage of the Kropyvnytskyi City: https://kr-rada.gov.ua/informatsiyna-bezpeka-ta-kiberbezpeka/
-
7.4. Cybersecurity awareness raising coordination 003
Requirements
CriteriaThere is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
Accepted referencesLegal act, official document, or official website
Evidence
-
-
8. PROTECTION OF PERSONAL DATA 4/4 100%44 100%
-
8.1. Personal data protection legislation 222
Requirements
CriteriaThere is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/en/2297-17#top
Law of Ukraine – On Protection of Personal Data
-
8.2. Personal data protection authority 222
Requirements
CriteriaAn independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
Ukrainian Parliament's Commissioner for Human Rights (Ombudsman)
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/776/97-%D0%B2%D1%80#Text
Law of Ukraine – About the Commissioner for Human Rights of the Verkhovna Rada of Ukraine
-
RESPONSIVE CYBERSECURITY INDICATORS
-
9. CYBER INCIDENT RESPONSE 9/14 64%914 64%
-
9.1. National incident response capacity 333
Requirements
CriteriaThere is a CERT designated with nationwide responsibilities for cyber incident detection and response.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
CERT-UA
Evidence presented in a foreign language
See also Operational Center for Responding to Cyber Incidents, State Cyber Defense Center – Service for Special Communications and Information Protection of Ukraine'
-
9.2. Incident reporting obligations 333
Requirements
CriteriaOperators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/z0603-08#Text
Order (10.06.2008 No. 94) of the Administration of the State Service for Special Communications and Information Protection of Ukraine: On the approval of the Procedure for coordinating the activities of state authorities, local self-government bodies, military formations, enterprises, institutions and organizations regardless of the forms of ownership on issues of prevention, detection and elimination of the consequences of unauthorized actions regarding state information resources in information, electronic communication and information and communication systems
Evidence presented in a foreign language
https://cert.gov.ua/recommendation/4256181
General Rules for Exchanging Information about Cyber Incidents
See I. General provisions number 2:
"2. The rules are mandatory for use by the main subjects of the national cyber security system, other state bodies, in particular sectoral bodies in the field of critical infrastructure protection, as well as recommended for critical infrastructure objects when reporting cyber incidents."
-
9.3. Cyber incident reporting tool 002
Requirements
CriteriaA publicly available official resource is provided for notifying competent authorities about cyber incidents.
Accepted referencesOfficial website
Evidence
-
9.4. Single point of contact for international cooperation 003
Requirements
CriteriaThe government has designated a single point of contact for international cybersecurity cooperation.
Accepted referencesLegal act or official website
Evidence
-
9.5. Participation in international incident response cooperation 333
Requirements
CriteriaThe national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
Accepted referencesOfficial website or official document
Evidence
https://www.first.org/members/teams/cert-ua
CERT-UA – FIRST
https://www.trusted-introducer.org/directory/teams/cert-ua.html
CERT-UA – TF-CSIRT Trusted Introducer
-
-
10. CYBER CRISIS MANAGEMENT 5/9 56%59 56%
-
10.1. Cyber crisis management plan 002
Requirements
CriteriaThe government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act or official website
Evidence
-
10.2. National cyber crisis management exercises 333
Requirements
CriteriaRegular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
Accepted referencesExercise document, official website, or press release
Evidence
Evidence presented in a foreign language
Regional Command and Staff Exercises 2023 on cyber security held in the Poltava region focusing on scenarios against state bodies. Participants: Technical specialists, employees of administrations and local authorities, representatives of the regional military administration, the State Special Forces, the National Police, the SBU, representatives of critical infrastructure enterprises, including oil & gas sector, agricultural sector, and mechanical engineering.
https://www.fiiapp.org/en/noticias/european-union-ensures-cyber-security-in-ukraine/
Cybersecurity Exercise “CIREX.CYBER.Ransomware” 2023
-
10.3. Participation in international cyber crisis exercises 222
Requirements
CriteriaThe country participates in an international cyber crisis management exercise at least every other year.
Accepted referencesExercise document/website or press release
Evidence
https://www.coe.int/en/web/cybercrime/-/cybereast-fourth-regional-cyber-cooperation-exercise
Fourth Regional Cyber Cooperation Exercise 2022
-
10.4. Operational crisis reserve 002
Requirements
CriteriaA mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
Accepted referencesLegal act or official website
Evidence
-
-
11. FIGHT AGAINST CYBERCRIME 16/16 100%1616 100%
-
11.1. Cybercrime offences in national law 333
Requirements
CriteriaCybercrime offences are defined in national legislation.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2341-14/page15#Text
Criminal Code, see for example Chapter XVI (Criminal Offenses in the Sphere of Use of Electronic Computing Machines (Computers), Systems and Computer Networks and Electronic Communication Networks, Articles 361-363
https://www.coe.int/en/web/octopus/-/ukraine
For more detailed overview, see CoE’s country page on Ukraine → Substantive Law
-
11.2. Procedural law provisions 333
Requirements
CriteriaLegislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/4651-17#Text
Code of Criminal Procedure of Ukraine
https://www.coe.int/en/web/octopus/-/ukraine
For more detailed overview, see CoE’s country page on Ukraine → Procedural Law
-
11.3. Ratification of or accession to the Convention on Cybercrime 222
Requirements
CriteriaThe country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
Accepted referencesLegal act on Convention ratification or accession, website of the CoE Treaty Office
Evidence
https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=185
Entry into force 01/07/2006
-
11.4. Cybercrime investigation capacity 333
Requirements
CriteriaLaw enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
Accepted referencesLegal act or official website
Evidence
-
11.5. Digital forensics capacity 222
Requirements
CriteriaLaw enforcement has a specialised function and capacity for digital forensics.
Accepted referencesLegal act, statute, official document, or official website
Evidence
Evidence presented in a foreign language
Website of the Sate Research Expert Forensic Center of the Ministry of Internal Affairs of Ukraine. Overview of types and subtypes of forensic examinations can be seen here.
In order to collect and analyze electronic evidence, the Cyber Police Department engages experts of the Forensic Science Centre of the Ministry of Interior. The experts take part in collecting, seizure, storage, analysis, examination and expert evaluation of digital evidence. Other agencies and units can invite experts of the Centre where it is necessary to collect and analyse digital evidence within investigative proceedings conducted by such other agencies / units. Cited source can be found on the country page of Ukraine, CoE.
-
11.6. 24/7 contact point for international cybercrime 333
Requirements
CriteriaThe government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
Accepted referencesOfficial website, legal act or statute
Evidence
https://rm.coe.int/0900001680abad5e
Cyberpolice Department of the National Police of Ukraine under the Ministry of Internal Affairs
Evidence presented in a foreign language
For additional information see also Ukraine’s country page on CoE → International Cooperation → 24/7 points of contact and police cooperation
-
-
12. MILITARY CYBER DEFENCE 6/6 100%66 100%
-
12.1. Military cyber defence capacity 222
Requirements
CriteriaArmed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
Accepted referencesLegal act, statute, other official document or official website
Evidence
Evidence presented in a foreign language
https://mil.in.ua/uk/news/v-zsu-formuyut-dva-novi-komanduvannya/
Command of the Communications and Cyber Security Troops of the Armed Forces of Ukraine (Командування військ зв’язку та кібернетичної безпеки Збройних Сил України - Komanduvannya vijsk zvyazku ta kibernetychnoyi bezpeky Zbroynykh Syl Ukrayiny)
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/z0785-16#Text
Law on the Approval of the Lists of Military Administration Bodies in which civil service positions are provided, Order 05/20/2016 No. 270, see list of military administration bodies whose jurisdiction extends to the entire territory of Ukraine, number 16.
Evidence presented in a foreign language
- White Book 2021 – Defence Policy of Ukraine, see page 99 “Figure 2. Structure of the Armed Forces of Ukraine Command and Control Authorities as of the end of 2021”, page 101 “Figure 5. Communications and Cyber Security Forces Command of the Armed Forces Structure and Composition“
- "Communications and cyber security forces are special forces designed to plan and ensure the deployment, deployment, operation of communications and information systems, combat control and warning systems, their expansion in peacetime, a special period, in the conditions of a state of emergency and war with the aim of solving the tasks of ensuring the management of the troops (forces) of the Armed Forces of Ukraine, as well as implementing measures for the functioning of the national cyber security system and repelling military aggression in cyberspace (cyber defense)." Cited source can be accessed here.
- MoD, see also Main Directorate of Communications and Cyber Security (J6)
- Facebook presence of the Command
- Doctrine of Communications and Cybersecurity of the Armed Forces of Ukraine (VKP 6-00(01).01), approved GK ZSU 09.12.2021, which can be accessed here or here. Page 3: "(…) The Doctrine takes into account the views of the leadership of the Armed Forces of Ukraine on what modern communications and cyber security forces should be in order to counter challenges and threats, achieve interoperability and cooperation with NATO member countries, experience in the training and use of communications and cyber security forces in the course of anti-terrorist operations and operations of joint forces on the territory of Donetsk and Luhansk regions. (…)". See page 9 for Tasks and Responsibilities; Military Command of the Communications Cyber Security Forces (starting at page 12); Specific Military Units (starting at page 23)
-
12.2. Military cyber doctrine 222
Requirements
CriteriaThe tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
Accepted referencesLegal act, official doctrine, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/1932-12#Text
Articles 3, 4 & 9 of the Law about the Defense of Ukraine, link above.
"Article 3: (…) Preparation of the state for defense in peacetime includes:
(…)
implementation of cyber defense measures (active cyber defense) to protect the sovereignty of the state and ensure its defense capability, prevent armed conflict and repel armed aggression;
(…)Article 4. Repelling armed aggression against Ukraine
(…)
State authorities and military administration bodies, without waiting for the declaration of a state of war, take measures to repel aggression. On the basis of the relevant decision of the President of Ukraine, the Armed Forces of Ukraine, together with other military formations, begin military operations, including conducting special operations (intelligence, informational and psychological, etc.) in cyberspace.Article 9 Powers of the Cabinet of Ministers of Ukraine in the field of defense
Cabinet of Ministers of Ukraine:
(…)
supervises the implementation of laws in the field of defense, carries out other measures to ensure the defense capability of Ukraine in accordance with the laws, coordinates and controls their implementation and bears, within the limits of its authority, responsibility for ensuring the defense of Ukraine."
Evidence presented in a foreign language
https://www.rnbo.gov.ua/ua/Ukazy/5005.html
Decree of the President of Ukraine — On the decision of the National Security and Defense Council of Ukraine dated August 20, 2021 "On the Strategic Defense Bulletin of Ukraine"
"In accordance with Article 107 of the Constitution of Ukraine and the fourth clause of the first part of Article 13 of the Law of Ukraine "On the National Security of Ukraine", it is hereby decreed: (…)
3.8. Combat military units and units of the defense forces will be combat-capable, mobile and able to quickly advance to threatening directions, concentrate efforts in the necessary place at the specified time, act unpredictably and innovatively, taking into account the overall military advantage of the enemy. The introduction of a network-centric approach, which, on the basis of a single protected information environment, will combine the simultaneous and synchronized use of modern control systems, information exchange (intelligence), means of destruction and non-lethal influence (radio-electronic, information influence, actions in cyberspace, etc.), will increase the capabilities of the combined forces under the time of their application.
The creation of deterrence potential will be based, in particular, on the capabilities of operational-tactical missile systems, multifunctional all-weather manned and unmanned aircraft systems, medium-range anti-aircraft missile systems, forces and means of active influence in cyberspace and through cyberspace. (…)
The creation of a cyber defense system will be focused on the acquisition of the necessary capabilities by the subjects of preparation and implementation of cyber defense measures, the creation and development of forces, means and tools of combat in cyberspace and through cyberspace, which will ensure the creation of the necessary potential of the defense forces to repel military aggression in cyberspace.
In order to counteract the forces and means of the enemy, the efforts of radio-electronic warfare and warfare in cyberspace are combined.
Remote non-contact influence on the enemy will become the main way to achieve the goals of the battle and operation.
The use of high-precision weapons becomes a prerogative, robotic systems will be actively implemented.
3.9. The Armed Forces of Ukraine and other components of the defense forces will gradually be equipped with high-tech samples of weapons and military (special) equipment, which will ensure the implementation of deterrence potential, protection of troops (forces), objects, information protection and cyber protection of information infrastructure in the entire spectrum.3.14. (…) The development of the operational, combat and special capabilities of the defense forces will be aimed at achieving by the Armed Forces of Ukraine, the forces and means of other components of the defense forces, the ability to perform tasks as intended, which will ensure deterrence, stability and repulsion of armed aggression against Ukraine, countering hybrid threats, and will focus on: (…) capabilities for conducting confrontation in the information space and cyberspace as a component of the information space;"
See also Task 5.6. Achieving the capabilities to fight in cyberspace, creating a cyber defense system.
Evidence presented in a foreign language
https://www.president.gov.ua/documents/472017-21374
DECREE OF THE PRESIDENT OF UKRAINE No. 47/2017 on the decision of the National Security and Defense Council of Ukraine dated December 29, 2016 "On the Information Security Doctrine of Ukraine"
-
12.3. Military cyber defence exercises 222
Requirements
CriteriaArmed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
Accepted referencesOfficial website or official document
Evidence
Defence Cyber Marvel 2 2023. See also "UK testing complex cyber threats on CR14's Cyber Range"
Critical Infrastructure Resilience Exercises (CIREX) 2023 – command and staff exercise
-
Information Disclaimer
The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.
What can I do to improve my country's data in NCSI?
Become a data contributor Update a specific indicator with evidence data