NCSI FULFILMENT PERCENTAGE
Version 29 Nov 2023
STRATEGIC CYBERSECURITY INDICATORS
-
1. CYBERSECURITY POLICY 15/15 100%1515 100%
-
1.1. High-level cybersecurity leadership 333
Requirements
CriteriaThe country has appointed governmental leadership responsible for cybersecurity at the national level.
Accepted referencesLegal act, national strategy, official statutes or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
State Special Communications Service of Ukraine/ State Service for Special Communications and Information Protection of Ukraine (SSSCIP), see Law of Ukraine about the main principles of ensuring cybersecurity of Ukraine, Article 8 (2) number 1, link above.
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/3475-15#Text
Law of Ukraine about the State Service of Special Communications and Information Protection of Ukraine
• What is measured: This indicator identifies whether responsibility for cybersecurity has been formally assigned at the highest governmental or political level. Ideally, this should be assigned permanently through legislation or national strategy to a position or institution exercising the country’s executive power with a governmental mandate, such as the cabinet, a government minister, or a ministry.
• Importance: Without clearly identified political leadership at the highest level, cybersecurity does not get represented in political decision-making. A lack of representation in turn leads to a lack of government ownership, accountability, and appropriate resources.
• Evidence: Legal act or policy document assigning high-level political responsibility for cybersecurity.
-
1.2. Cybersecurity policy development 333
Requirements
CriteriaThere is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/242/2016#n9
National Coordination Center for Cyber Security, see Regulation on the National Cyber Security Coordination Center, link above.
"9) development and submission of proposals to the National Security and Defense Council of Ukraine, its Chairman in accordance with the established procedure, regarding:
a) determination of the national interests of Ukraine in the field of cyber security, priority directions, conceptual approaches to the formation and implementation of state policy regarding the safe functioning of cyberspace, its use in the interests of the individual, society and the state;
(…)
11) working out issues related to determining the ways, mechanisms and methods of solving problematic issues that arise during the implementation of state policy in the field of cyber security;"
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/856-2019-%D0%BF#n12
Ministry of Digital Transformation, Regulation on the Ministry of Digital Transformation of Ukraine, link above, see number 14
• What is measured: This indicator measures the presence of a specifically designated and empowered entity within the central government that holds national-level responsibility for leading and directing cybersecurity policy development. The same entity may lead national cybersecurity strategy development and oversee its implementation and periodic review. The indicator does not consider institutions whose mandate is limited to cybersecurity legislation or policy within a limited domain (e.g. a single ministry), without a lead role and mandate among stakeholders.
• Importance: While cybersecurity policymaking is not an exclusive competence and a broad range of stakeholders should be involved in the process, a permanent body that is equipped and responsible for leading and overseeing cybersecurity policy development should be tasked with ensuring the coherence and sustainability of the national approach. Among others, such a body can ensure the effective implementation and sustainability of the national cybersecurity strategy.
• Evidence: A dedicated government entity or unit, with terms of reference established by a legal act or national strategy.
-
1.3. Cybersecurity policy coordination 333
Requirements
CriteriaThe country has a regular official format for cybersecurity policy coordination at the national level.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/242/2016#n9
National Coordination Center for Cyber Security, see Regulation on the National Cyber Security Coordination Center, link above
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2469-19#Text
The Law of Ukraine about the National Security of Ukraine, link above, see Article 31 (2) – National Coordination Center for Cyber Security
• What is measured: This indicator checks for the presence of an official mechanism that regularly engages relevant intragovernmental, public, and private actors in cybersecurity policy coordination and cooperation. Such mechanisms may take various forms, such as permanent committees, councils, or working groups.
• Importance: Cybersecurity policy development and implementation involve multiple stakeholders, each responsible for their own area of governance and activities but working toward common goals over an extended period of time. Thus, there is a constant need for up-to-date inter-agency/whole- of-society communication, organisation, and coordination of efforts. Such coordination and cooperation formats should include stakeholders from the public and private sectors as well as civil society.
• Evidence: A legal act endowing the coordination body or format with the relevant responsibility. Secondary sources such as official websites where such responsibility is cited may also be considered.
-
1.4. National cybersecurity strategy 333
Requirements
CriteriaThe central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
Accepted referencesValid official document
Evidence
Evidence presented in a foreign language
https://www.president.gov.ua/documents/4472021-40013
Cyber Security Strategy of Ukraine approved by Presidential Decree of Ukraine No. 447/2021 dated August 26, 2021
• What is measured: This indicator tracks the existence of a high-level national strategic document that outlines the country’s agenda, objectives, and priorities with regard to improving the nation’s cybersecurity, resilience, and related interests. A national cybersecurity strategy typically addresses topics such as clarifying the roles and responsibilities of various government institutions and other actors with regard to cybersecurity, protecting the country’s critical information infrastructure and other important assets, prevention and management of cyber incidents, cybersecurity awareness raising and education, fighting cybercrime, and national and international cooperation. It considers various tools and mechanisms for strengthening cybersecurity: technological and organisational measures, risk management, legislation, and capacity building. The ‘Guide to Developing a National Cybersecurity Strategy” provides a comprehensive overview of what constitutes successful cybersecurity strategies around the globe.
• Importance: A national cybersecurity strategy, formally adopted at the highest level, signifies a country’s willingness to treat cybersecurity as a national priority. More specifically, a national cybersecurity strategy communicates a commitment to intentionally and systematically developing a country’s cybersecurity by identifying the priorities and objectives of various stakeholders and aligning them.
• Evidence: A high-level official document containing the country’s cybersecurity objectives and priorities as described above, regardless of its title (strategy, policy, policy framework). The cybersecurity strategy may be a structural part of another national strategy (e.g. a Cyberspace Strategy or Digital Agenda, National Security Strategy, or other) if the necessary substantive elements are present. It must be currently valid and publicly available in order to be accepted.
-
1.5. National cybersecurity strategy action plan 333
Requirements
CriteriaThe central government has established an action plan to implement the national cybersecurity strategy.
Accepted referencesCurrent official document, legal act, or official statement
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/n0087525-21#Text
Cybersecurity Strategy of Ukraine (2021 - 2025) Implementation Plan, approved by the President of Ukraine, from February 1, 2022, No. 37/2022
• What is measured: This indicator tracks the existence of an action plan (also known as an implementation plan or implementation matrix) to ensure the implementation of the national cybersecurity strategy. The plan should contain concrete steps on how to achieve the desired goals, including specific tasks, entities responsible for the execution of these tasks, and relevant timelines. The action plan should also set forth the financial and other resources necessary to implement the strategy. Preferably, the strategy should define performance indicators or metrics against which implementation progress may be tracked, and a clearly defined accountability mechanism, such as regular implementation reviews.
• Importance: An action plan translates the national cybersecurity strategy priorities and objectives into concrete initiatives to be implemented, allocates the human and financial resources necessary for implementation, and establishes timeframes and metrics. An action plan thereby establishes a clear and actionable outline for the effective implementation of the strategy.
• Evidence: The action plan must be currently valid and be no more than five years old to be accepted. Secondary evidence, such as an official statement, minutes of a government session, or press release, can be accepted if the action plan is not a publicly releasable document. For action plans integrated into the cybersecurity strategy, the same criteria apply.
-
-
2. GLOBAL CYBERSECURITY CONTRIBUTION 4/6 67%46 67%
-
2.1. Cyber diplomacy engagements 333
Requirements
CriteriaThe government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)
Accepted referencesOfficial website of the organisation or cooperation format, official statement or contribution
Evidence
https://thegfce.org/member-and-partner/ukraine/
GFCE
https://ccdcoe.org/news/2023/the-nato-ccdcoe-welcomes-new-members-iceland-ireland-japan-and-ukraine/
NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) — as a contributing participant.
OSCE
- OSCE – Permanent Council Decision No. 1106, Initial set of OSCE Confidence–Building Measures to reduce the risks of conflict stemming from the use of information and communication technologies
- Permanent Council Decision No. 1202 – OSCE confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies.
Background information:
• What is measured: This indicator assesses the commitment of the country to engage in dialogue on international cybersecurity and stability in regional and international fora. This may include bilateral or multilateral platforms and multistakeholder cooperation formats, and involve topics such as the development and furtherance of cyber norms and CBMs, international law, capacity building, or fighting cybercrime. Some relevant examples include participating in discussions at the United Nations Open-Ended Working Group (OEWG) and the Ad Hoc Committee on Cybercrime and submitting statements or contributions; contributing to the Organisation for Security and Co-operation in Europe’s (OSCE) efforts on CBMs; contributing to the cybersecurity efforts of organisations such as the African Union, the Association of Southeast Asian Nations (ASEAN), the Organisation of American States (OAS), or to the Shanghai Cooperation Organisation’s efforts on cooperation in the field of ensuring international information security, and to other such initiatives; membership in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the Global Forum of Cyber Expertise (GFCE), the Paris Call, and similar groups or initiatives. The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under NCSI capacity areas 9-12.
• Importance: Whereas national security remains the competence of governments, it is generally acknowledged that international cooperation is vital for reaching and maintaining a high level of security of information and communication technologies (ICTs) with the aim of enhancing international security and stability.
• Evidence: Formalised engagement in cybersecurity¬-oriented organisations or fora and/or in an international organisation with a specific unit or format dedicated to cybersecurity, and/or other established cyber-specific formats. Mere membership in an international organisation that deals with cybersecurity among an array of other topics is not sufficient.
-
2.2. Commitment to international law in cyberspace 111
Requirements
CriteriaThe country has an official position on the application of international law, including human rights, in the context of cyber operations.
Accepted referencesOfficial document or statement, international indexes
Evidence
Evidence presented in a foreign language
https://www.president.gov.ua/documents/4472021-40013
See Cyber Security Strategy of Ukraine approved by Presidential Decree of Ukraine No. 447/2021 dated August 26, 2021, see 7. Directions of foreign policy activity of Ukraine in the field of cyber security:
"(…)
Ukraine will continue to actively participate in the international dialogue on responsible behaviour of states in cyberspace based on compliance with the principles of international law, the UN Charter, as well as norms, rules and principles of responsible state behaviour. This will require greater coordination and consolidation of interested parties at international forums, in which Ukraine will be not only a participant, but also an initiator and organizer.Ukraine will maximally support the multi-stakeholder (multilateral) model of Internet management, promoting international, regional and national discussions on this issue, involving representatives of the private sector, scientific and educational circles, civil society institutions in this process. Attempts by individual authoritarian states to sovereignize the Internet contradict the long-term interests of Ukraine and its model of socio-economic development.
Ukraine will promote further compliance with international law and standards in the field of human rights, encourage the use of best practices, and intensify its efforts to prevent abuse of new technologies. To this end, Ukraine will intensify its participation and partnership in international standardization and certification processes in the field of cyber security, expand its representation in international, regional and other standardization bodies, organizations engaged in the development of standards and certification in this field (…)."
Examples where Ukraine has aligned itself with EU statements.
-
EU Statement – UN Open-Ended Working Group on ICTs: Regular Institutional Dialogue (2023)
-
EU Statement – UN Open-Ended Working Group on ICT: International Law (2023)
-
EU Statement – United Nations Open-Ended Working Group on ICT: General exchange of views (2021)
-
EU Statement – United Nations Open-Ended Working Group on ICT: International Law (2021)
• What is measured: This indicator assesses the commitment of the country to uphold the rules-based international order in cyberspace. The indicator takes into account the country’s official statements in the context of international law and cyber operations as well as joining relevant multilateral treaties. Importantly, the country should demonstrate commitment to its international obligations, including human rights obligations, in the online environment.
• Importance: International law forms the foundation for stability and predictability among states in cyberspace as it reflects common views of acceptable state behaviour. The UN GGE as well as OEWG have affirmed that international law, in particular the Charter of the United Nations, is applicable and essential to maintaining peace, security, and stability in the ICT environment. In particular, the UN Universal Declaration on Human Rights guides states to protect human rights and fundamental freedoms online as well as offline.
• Evidence: Documented official statements made on behalf of the state. Examples of such commitment are sharing the country’s views on the interpretation of international law in the context of the UN GGE or OEWG processes, and officially publishing a domestic interpretation or statements made in response to breaches of international obligations. Publications by reputable international human rights observers (e.g. Freedom House).
-
-
2.3. Contribution to international capacity building in cybersecurity 002
Requirements
CriteriaThe country has led or supported cybersecurity capacity building for another country in the past three years.
Accepted referencesOfficial website or project document
Evidence
• What is measured: This indicator assesses the readiness of the country to finance, organise, or otherwise contribute to capacity building project(s) targeted at specific countries or a group of countries. Capacity building may address issues in both the public and the private sector, and focus on technical, organisational, policy, strategic and/or legal matters. The support may, for example, involve direct funding or organising/co-organising capacity building projects or events.
• Importance: A secure and stable cyberspace relies on each country’s ability to prevent and mitigate the impact of malicious cyber incidents. Such abilities depend on a wide array of capabilities in the technical, strategic, policy, and legal domains. Capacity building activities address the development of national institutions, policies, skills, and human resources. Importantly, CBMs support countries’ adherence to international law as well as to the implementation of cyber norms.
• Evidence: The activity must have the financial and/or organisational contribution of the country and evidence of the event(s) or programme(s) must be publicly available.
-
-
3. EDUCATION AND PROFESSIONAL DEVELOPMENT 6/10 60%610 60%
-
3.1. Cyber safety competencies in primary education 002
Requirements
CriteriaPrimary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
• What is measured: Primary education should set the ground rules for safe, responsible, and ethical online behaviour. This can be established through national curricula that introduce cyber/computer safety and cyber/computer hygiene at the primary education levels. The scope of this indicator includes cybersecurity competencies in the public education system, that is, the most accessible form of primary education available in the country.
• Importance: Through early training on secure online behaviour and ways to safeguard the ICT devices that children use, the younger generation can grow up to become safe and responsible online users and be better prepared to face the challenges of cyberspace. Especially because children are exposed to ICT early on through the inclusion of computer skills, programming, robotics, etc. in general education, it is important that such training also involve security skills.
• Evidence: The evidence must demonstrate an established practice, such as specific or integrated curricula intended for long-term use. Sporadic events such as one-time guest lectures do not qualify.
-
3.2. Cyber safety competencies in secondary education 002
Requirements
CriteriaSecondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
• What is measured: Like the previous indicator, this one considers the inclusion of cybersecurity skills in national general education curricula, but the focus here is on secondary-level education. The relevant curricula should address cyber/computer safety and cyber/computer hygiene as a part of the secondary education available in the public education system, that is, the most accessible form of secondary education available in the country.
• Importance: As students become more exposed to the online environment and grow into more experienced users, their cybersecurity knowledge and practical skills should grow appropriately.
• Evidence: The evidence must demonstrate an established practice, such as specific or integrated curricula at the secondary education level. Sporadic events such as one-time guest lectures do not qualify.
-
3.3. Undergraduate cybersecurity education 222
Requirements
CriteriaAt least one undergraduate education programme is available in the country to train students in cybersecurity.
Accepted referencesAccredited study programme
Evidence
Evidence presented in a foreign language
- Bachelor of Cyber Security, Kyiv National University of Economics
- Bachelor. 125 Cyber Security and Information Protection, Kharkiv National University of Radio Electronics
- Bachelor’s Degree in Cyber Security at Ternopil Ivan Puluj National Technical University Cybersecurity
- Bachelor’s in cyber security and information protection, National Technical University “Kharkiv Polytechnic Institute
- Bachelor of Cyber Security Kharkiv Semyon Kuznets National University of Economics (S. Kuznets National University of Economics
- National Technical University of Ukraine "Ihor Sikorsky Kyiv Polytechnic Institute”
- Bachelor’s degree in Cybersecurity at Entrant of Karazinsky University
Evidence presented in a foreign language
https://vstup.osvita.ua/spec/1-40-2/0-0-2390-0-0-0/
An overview of various cybersecurity-related bachelor's degree's can be get with the link above.
• What is measured: The indicator measures the availability of undergraduate cybersecurity or equivalent (ICT security, electronic information security) education at the national level – that is, a bachelor’s degree, vocational training, or equivalent. It acknowledges both distinct cybersecurity programmes and the integration of cybersecurity into undergraduate ICT education.
• Importance: A cybersecurity programme at the undergraduate level should provide the knowledge and skills necessary to build safer ICT systems, as well as teach how to defend against and manage cyberattacks and incidents. Theoretical knowledge should be supported by practical studies, such as labs or practice lessons.
• Evidence: Both national curricula focused on cyber/computer security, and curricula with distinct cybersecurity modules count as evidence. Curricula with a single cybersecurity course will not be accepted as evidence.
-
3.4. Graduate cybersecurity education 333
Requirements
CriteriaAt least one cybersecurity education programme is available in the country at the graduate level.
Accepted referencesAccredited study programme
Evidence
Evidence presented in a foreign language
- SET University – Master of Cyber Defense
- Master. 125 Cyber Security and Information Protection, Kharkiv National University of Radio Electronics
- Master Cyber Security at Ternopil Ivan Puluj National Technical University Cybersecurity
- Master’s degree in cyber security and information protection, National Technical University “Kharkiv Polytechnic Institute”
- National Technical University of Ukraine "Ihor Sikorsky Kyiv Polytechnic Institute”
- Master’s degree in security of information and communication systems at Entrant of Karazinsky University
Evidence presented in a foreign language
https://vstup.osvita.ua/spec/2-0-2/0-0-2390-0-0-0/
An overview of various cybersecurity-related master's degree's can be get with the link above.
• What is measured: The indicator measures the availability of graduate cybersecurity or equivalent (ICT security, electronic information security) education in the country – that is, a master’s degree or equivalent. It acknowledges both distinct cybersecurity programmes and the integration of cybersecurity into graduate ICT education.
• Importance: A graduate (master’s-level) cybersecurity programme trains students in subjects such as computer security, cybersecurity governance and risk management, networking and infrastructure, and information security analysis and monitoring from the individual system-level perspective or that of large, mission-critical networks. Such cybersecurity graduate programmes are typically designed for students with a technical background (computer science, mathematics, or others), but they can also be cybersecurity programmes designed for students with an undergraduate degree in a non-technical discipline.
• Evidence: Both national curricula focused on cyber/computer security, and curricula with distinct cybersecurity modules count as evidence. Curricula with a single cybersecurity course will not be accepted as evidence.
-
3.5. Association of cybersecurity professionals 111
Requirements
CriteriaA professional association of cybersecurity specialists, managers, or auditors exists in the country.
Accepted referencesOfficial website
Evidence
https://engage.isaca.org/kyivchapter/home
ISACA Kyiv Chapter
Evidence presented in a foreign language
Cybersecurity Scientific Association of Ukraine
• What is measured: An established and functioning association of professionals in cybersecurity, (electronic) information security, or the equivalent. For example, associations that promote international cybersecurity expert certifications (e.g. CISSP), such as ISACA country chapters or organisations of cybersecurity auditors, are recognised here. Their membership may include cybersecurity specialists, managers, and others. The index does not consider organisations that limit membership based on criteria other than professional qualification. In addition to specialist members, the organisation may have corporate members.
• Importance: As digital technologies advance, cyber threats and risks are constantly evolving, and cybersecurity professionals need to keep their knowledge and skills up to date. Professional associations for information security officers, IT auditors, and others are a widespread and valuable form of exchanging experience and best practices. The associations organise events for their members and for the general public and manage information exchange channels for members. There are also training and collaboration opportunities available via such associations that make membership a worthwhile investment for professionals who need to stay current with the developments in the field.
• Evidence: Website of the professional association that demonstrates the existence and activities of that association. Information published by a government authority that confirms these elements can also be considered.
-
-
4. CYBERSECURITY RESEARCH AND DEVELOPMENT 4/4 100%44 100%
-
4.1. Cybersecurity research and development programmes 222
Requirements
CriteriaA cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
Accepted referencesOfficial programme or official website
Evidence
Evidence presented in a foreign language
https://cyberlab.nau.edu.ua/#about_us
Research Laboratory of Cyber Threats Counteraction in Aviation
• What is measured: The indicator measures government engagement in cybersecurity research and development, demonstrated through formal recognition and/or public funding and support for a relevant research programme. The criterion is inclusive of both government and industry programmes, but in order to be considered for the purposes of national capacity, the involvement of formal governmental support is required, whether through a (co-)funding commitment, research grants, or cooperation agreement.
• Importance: Established research and development programmes can ensure that scientific knowledge results in actual prototypes, patents, products, and solutions. In particular, cooperation arrangements between the government, academia, and industry can ensure that the country’s strategic cybersecurity priorities are reflected in its research agenda, so that the country’s needs are sustainably met.
• Evidence: Official documents or other official references indicating fundamental or applied research and development programmes with a demonstrable government contribution.
-
4.2. Cybersecurity doctoral studies 222
Requirements
CriteriaAn officially recognised PhD programme exists accommodating research in cybersecurity.
Accepted referencesOfficial programme or official website
Evidence
Evidence presented in a foreign language
- Cyber Security and Information Protection – Kharkiv National University of Radio Electronics
- PhD in cyber security and information protection, National Technical University “Kharkiv Polytechnic Institute”
- National Aerospace University "Kharkiv Aviation Institute"
- National Aviation University – Faculty of cyber security and software engineering
- National Technical University of Ukraine "Ihor Sikorsky Kyiv Polytechnic Institute
• What is measured: The indicator recognises the availability of PhD study programmes that allow students to develop substantive knowledge in cybersecurity, and design, and conduct original, specialised research in cybersecurity. Research topics may range from technical matters (for example cryptography, computer and network security, or digital forensics) to relevant social sciences issues (for example strategic or behavioural issues). The PhD programme does not necessarily have to be limited to cybersecurity, broader ICT doctoral programmes are accepted if they produce cybersecurity graduates.
• Importance: A PhD programme provides a structured and sustained setting to develop talent and innovate beyond preparing the workforce for existing market needs. PhD students are trained in research methods and gain a deeper understanding of cybersecurity issues.
• Evidence: Officially accredited or otherwise officially recognised PhD programme that is focused on cybersecurity or produces cybersecurity degrees.
-
PREVENTIVE CYBERSECURITY INDICATORS
-
5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE 9/12 75%912 75%
-
5.1. Identification of critical information infrastructure 333
Requirements
CriteriaThere is a framework or a mechanism to identify operators of critical information infrastructure.
Accepted referencesLegal or administrative act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/943-2020-%D0%BF#n16
Resolution dated October 9, 2020, No. 943 on some issues of objects of critical information infrastructure see “Procedure for forming a list of critical information infrastructure objects“
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
Definition of “Critical Information Infrastructure Object” can read in Article 1 (19) of Law of Ukraine About the Main Principles of Ensuring Cyber Security of Ukraine
Evidence presented in a foreign language
- Order 01/15/2021 No. 23 on the approval of Methodological recommendations on the categorization of critical infrastructure objects, see I. General Provisions, 6. The Methodology
- Law of Ukraine about Critical Infrastructure, Article 9
• What is measured: This indicator measures the presence of a legally established framework or mechanism to identify the information infrastructure component of CI or essential services. This objective may be addressed within the scope of defining critical sectors, infrastructure or services, or through a standalone mechanism for identifying CII. National legislation that is limited to contingency planning and disaster recovery without evident application to cybersecurity is not counted under this indicator.
• Importance: Certain sectors and services are commonly recognised to be essential to the normal functioning of society, the economy, and the state. These typically include energy production and supply, communications, financial services, healthcare, utilities, and others. A solid national framework for managing cyber risks to such critical sectors or services is built on the premise that such sectors/services/operators should first be identified, and then the information infrastructure components within them upon which service provision critically depends should be addressed. While not all information infrastructure within such critical sectors/infrastructure/services are necessarily critical to the continuity of the sector/infrastructure/service, certain assets are such that their loss or compromise could have a major detrimental impact on the availability or integrity of the actual CI or essential service. Therefore, governments must have an established methodical framework to address such risks.
• Evidence: The indicator recognises both legislation that foresees a CI identification process, or the designation of such infrastructure by an administrative act. In either case, it is required that such designation have cybersecurity implications for the infrastructure operator.
-
5.2. Cybersecurity requirements for operators of critical information infrastructure 333
Requirements
CriteriaOperators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal act, or mandatory cybersecurity framework or standard
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/1882-20#Text
Law of Ukraine about Critical Infrastructure, Article 21. Number 1. (1), (2), (9), (14); Article 22 (6)
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/518-2019-%D0%BF#Text
Resolution dated June 19, 2019 No. 518 on the approval of General requirements for cyber protection of critical infrastructure objects
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
Law of Ukraine About the Basic Principles of Providing Cyber Security of Ukraine, see Article 6.3.
• What is measured: The indicator tracks whether operators that are critical/essential are required to take preventive and reactive measures to manage cybersecurity risks to their network and information systems. This could include an obligation to assess cyber risks and implement appropriate technical and organisational measures, according to international standards such as the ISO 27000 family, U.S. NIST framework, or other recognised regional or sectoral standards or best practices. It could also include an obligation to comply with nationally established cybersecurity requirements or standards. On the reactive side, incident notification and response requirements should be established; however, the mere existence of responsive requirements does not satisfy the criteria for this indicator. The criteria need not be applied to micro and small enterprises.
• Importance: The implementation of cybersecurity requirements for CII safeguards the continuity or undisrupted operation of CI and critical services that are essential for the normal functioning of the state and society. Making these requirements mandatory ensures that they are implemented consistently and that operators are accountable for the implementation.
• Evidence: Legislation or regulatory measures that foresee a mandatory cybersecurity standard for CII operators, or obligations to operators to assess and manage cyber risks. The regulation may be established in a standalone act or be explicitly addressed in a legal act imposing security and continuity requirements upon CI owners or operators.
-
5.3. Cybersecurity requirements for public sector organisations 003
Requirements
CriteriaPublic sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal or administrative act, mandatory cybersecurity framework or standard
Evidence
• What is measured: The indicator assesses the mandatory implementation of cybersecurity (or ICT security/information security) measures in the public sector. Such requirements may be defined directly in legislation, or they may refer to a national or widely recognised international cybersecurity standard. The obligation should at a minimum include mandatory cybersecurity measures applicable to the information infrastructure used in executing state functions and tasks (that is, legislative, administrative, and judicial powers), but may further include certification of products and services for procurement by state, municipal, local, and government authorities. The existence of mandatory cybersecurity measures for the public sector remains a distinct indicator due to the frequent practice of not including the government in the scope of CII/essential service operators. If the government falls under the same CII/essential service requirements, separate regulation is not required.
• Importance: When it comes to ensuring the state’s cybersecurity, it is of key importance that the state’s organs and entities adhere to a set of basic security requirements stemming from information security solutions, at least at the level required by a domestic legal act. The basis for ensuring information security at public sector institutions is adherence to national or widely recognised cyber/information security requirements and standards.
• Evidence: Legal or administrative act laying down cybersecurity requirements for public sector organisations, or a legal or administrative act explicitly including public sector services under the national cybersecurity requirements for CII, where these exist.
-
5.4. Competent supervisory authority 333
Requirements
CriteriaA competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/1882-20#Text
Law of Ukraine about Critical Infrastructure, Articles 17 & 23
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/821-2022-%D0%BF#n8
Procedure for monitoring the security level of critical infrastructure facilities
"4. Monitoring is carried out by conducting once every three years an assessment of the state of security of critical infrastructure objects (hereinafter - assessment of the state of security) by sectoral and functional bodies in the field of critical infrastructure protection (hereinafter - monitoring subjects) in accordance with their powers, defined The Law of Ukraine "On Critical Infrastructure"."
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2163-19#Text
Law of Ukraine about the main principles of ensuring cybersecurity of Ukraine – Article 8 (2) number 1
"The State Service for Special Communications and Information Protection of Ukraine ensures (…) critical information infrastructure objects, carries out state control in these areas (…) ensures the implementation of information security audits at critical infrastructure facilities, establishes requirements for information security auditors, determines the procedure for their attestation (re-attestation); coordinates, organizes and conducts vulnerability audits of communication and technological systems of critical infrastructure objects"
See also the Law of Ukraine about the National Security of Ukraine:
- Article 19 (3) – Security Service of Ukraine ;
- Article 22 (1) – State Service of Special Communications and Information Protection of Ukraine
• What is measured: The indicator tracks whether a cybersecurity regulator/competent authority has been esblished with a relevant mandate and enforcement powers. Its constituency may include operators of esstaential services/CI, public sector organisations, or a broader range of actors. In any case, a cybersecurity supervising system to monitor essential services should be established, and critical (information) infrastructure operators should regularly provide evidence of the effective implementation of cybersecurity measures. The supervisory competence should be concentrated in the cybersecurity authority and not be decentralized among sectoral authorities performing supervision in their respective sectors.
• Importance: Cyber threats are universal and do not differ significantly between different essential sectors and services. In addition, the cross-sectoral impact of cyber threats, as well as the cross-sectoral dependencies of CII are more pronounced and potentially time-critical than in traditional critical sectors. A national supervisory system to oversee the implementation of cybersecurity measures is more mature if the respective competence is concentrated in a single supervisory authority and not dispersed between sectoral regulators.
• Evidence: The indicator does not require a distinct cybersecurity regulatory body per se but the presence of supervisory powers over the implementation of cybersecurity measures. Regular supervision means that supervisory activities, including audits or similar assessments, are conducted at least once every three years.
-
-
6. CYBERSECURITY OF DIGITAL ENABLERS 10/12 83%1012 83%
-
6.1. Secure electronic identification 222
Requirements
CriteriaA national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
Accepted referencesLegal act, nationally recognised identification scheme, or official website
Evidence
Evidence presented in a foreign language
I.D.GOV.UA – Integrated Electronic Identification System – A universal platform for e-identification and authentication of users
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/546-2019-%D0%BF#Text
Regulation on the Integrated System of Electronic Identification, approved by the resolution of the Cabinet of Ministers of Ukraine of June 19, 2019 No. 546
Diia – Government Services Online
• What is measured: A nationally recognised solution that allows for the secure and reliable identification of individuals in online transactions. Such a solution must, at the minimum, be available for interaction with public sector organisations with the possibility to be adopted in the private sector. The index does not take into account eIDs that do not cover the majority of the population or are, by design, only limited to certain sectors or services.
• Importance: In legal transactions, it is important to securely identify the parties. Traditionally, this is done by relying on identity documents issued by the government. In online transactions, equivalent assurances can be provided through a secure digital identity, that is, a certificate that can be definitely associated with a specific person. The best method to uniquely identify a natural or legal person is by a nationally recognised unique, population-wide identifier. Such an identifier may be created during the population registration process, or another identifier (such as a social security number or a taxpayer account identifier) may be extended to the whole population. From an interoperability perspective, it is important that eID uses the same identifier that is used in identity documents. For eID to have legally binding significance, its issuance must be regulated by law, assuring equivalent protection to what is assured for passports or other identity documents. The protection of cryptographic keys or other security features must be guaranteed by law. The availability of secure eID also reduces the likelihood of crimes related to online identity theft.
• Evidence: The evidence must establish the legal recognition and availability of a national (nationwide) eID solution. A legal act, nationally recognised identification scheme, or official website demonstrating the required elements is suitable evidence.
-
6.2. Electronic signature 222
Requirements
CriteriaA nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/852-15#Text
Law of Ukraine on Electronic Digital Signature
• What is measured: A software or service to issue secure electronic signatures, which are generated using a digital certificate and cryptographically bound to the document through public key infrastructure (PKI), are publicly available and legally accepted by the country without their use being limited to specific sectors or purposes. The use of up-to-date secure cryptography is required to accept the signature as legally binding.
• Importance: Like with a signature on paper, it must be possible to verify individuals’ declarations of intent in cyberspace to trust and consider them valid. For this, the concerned procedure must be regulated by law and the electronic signature must be given protection and legal consequences equivalent to those given to paper signatures. For the subsequent verification of the validity of the electronic signature of the signed document, it must be possible to verify at the time of signing the validity of the certificate used for signing. For the claimed signing time to be reliable, it is important to have a trustworthy time service that issues the timestamp attached to the document with the signature. The requirements for the trust service (such as certificate validity check and time stamping) must be provided by law.
• Evidence: The evidence must establish the legal recognition and availability of electronic signatures. A legal act or official website demonstrating the required elements would be suitable.
-
6.3. Trust services 222
Requirements
CriteriaTrust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2155-19#Text
Law of Ukraine about Electronic Trust Services
• What is measured: Regulations lay down minimal security and liability obligations (including, but not limited to, accepted cryptographical parameters) for trust service providers and their services, as well as the process and conditions for supervision and liability. Established requirements should be applicable to the trust services that are provided on the market (e.g. digital certificates, timestamps, private key management service, or others), at least where these are used in the public sector and public sector services.
• Importance: Trust services are based on cryptography. The evolution of hacking technologies may mean that algorithms become weak over time and need to be replaced. Where the provision and use of trust services are widespread in society, the renewal of technical systems related to algorithms affects a very large number of parties. Therefore, to maintain the reliability of trust services, organisational and technical requirements must be established in national legislation to determine which cryptographical algorithms and cybersecurity mechanisms are allowed.
• Evidence: The evidence must establish the legal regulation and recognition for trust services provided in the country. A legal act or official website demonstrating the required elements would be suitable.
-
6.4. Supervisory authority for trust services 222
Requirements
CriteriaAn independent authority has been designated and given the power to supervise trust services and trust service providers.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2155-19#Text
Law of Ukraine about Electronic Trust Services, Article 33
• What is measured: The state must have a designated authority that oversees the reliability of trust services throughout its lifecycle. This includes authorisation to launch a service into the market and supervision over compliance with existing requirements throughout the period of operation. Regulations must either set requirements for trust service providers or assign this mandate to a competent institution or authority. This may be a supervisory body, a technical regulatory authority, or a similar institution. The powers of the supervisory body must stem from and be specified in a legal act.
• Importance: A duly authorised supervisory authority is a necessary guarantor for the reliability of trust services throughout their lifecycle. The role of the supervisory authority is to oversee that both the organisation providing the trust service and the services themselves comply with existing requirements.
• Evidence: The evidence must establish the presence of a legal act that defines a supervisory authority together with its tasks and supervisory mandate.
-
6.5. Cybersecurity requirements for cloud services 222
Requirements
CriteriaRequirements are established for the secure use of cloud services in government and/or public sector organisations.
Accepted referencesLegal or administrative act, cybersecurity framework or standard
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2075-20#Text
The Law of Ukraine About Cloud Services
"Article 1. Scope of the Law
This Law defines the legal relations that arise in the provision of cloud services and establishes the specifics of the use of cloud services by state authorities (…)Article 8. Requirements for the provider of cloud services and/or data center services
(…)
The provider of cloud services and/or data center services must:
to provide the state body designated for the formation and implementation of the state policy in the field of cyber protection with the information necessary to assess the security of the electronic communication network, electronic communication service and information systems, including the documented security policy;
eliminate any non-compliance with the requirements approved by the communications services regulator. (…)Article 10. Provision of cloud services and/or data center services
(…)
3. The essential terms of the contract for the provision of cloud services and/or data center services for public users and objects of critical information infrastructure are:
(…)
the procedure for protecting data (including personal data) when providing services, including the procedure for protection against unauthorized actions (internal and external threats, cyber security incidents, cyber attacks), and the procedure for notifying the user about this;
requirements for immediate notification of a cyber security incident that has a significant impact on the provision of cloud services and/or data center services;
(…)Article 11. Peculiarities of using cloud services and/or data processing center services by public users of cloud services
(…)
3. The provision of cloud services and/or data center services to public users of cloud services is carried out in compliance with the requirements of the legislation on personal data protection, information protection and cyber security.Article 14. Protection of information when providing cloud services and/or data center services
(…)
2. At the request of the user of cloud services and/or in accordance with the procedure defined by the contract, the provider of cloud services and/or data center services provides information on the protection of information in the cloud computing system against internal and external threats, cyber attacks."• What is measured: This indicator tracks the emerging trend of establishing secure use requirements or principles for the use of cloud services. Such security requirements should, at the minimum, extend to the use of cloud services in the government sector.
• Importance: The use of cloud computing for collaboration is growing in prevalence among both governments and businesses. To ensure the confidentiality, integrity, and availability of data and applications stored on the cloud, security measures must be implemented to protect them from cyber threats.
• Evidence: A legal act, government guideline, or similar that defines cybersecurity requirements or principles, applicable as mandatory at least for governmental institutions.
-
6.6. Supply chain cybersecurity 002
Requirements
CriteriaRequirements are established to identify and manage cybersecurity risks through the ICT supply chain.
Accepted referencesLegal act or official website
Evidence
• What is measured: This is a new indicator of the NCSI, appraising whether controls and processes are enforced to manage potential cyber risks to the supply chain. ‘Supply chain’ involves the whole cycle of design, development, production, deployment, and support for products, services, or processes. These could involve, for example, regular supply chain audits, risk assessments and management, and/or specific requirements for suppliers based on their risk profiles. Supply chain attacks are malicious activities at any location in the supply chain (technology development, engineering and manufacturing development, production and deployment, and operation and support). The relevant security mechanisms should be established at least for operators of essential services and/or public sector organisations, and preferably also for their third-party providers and vendors.
• Importance: In order to ensure the continuity of essential services and infrastructure, it is important that the technology comes from a reliable manufacturer and that risk management processes and measures are in place to ensure that the technology used to provide the essential service is not manipulated by a potentially malicious actor.
• Evidence: The criterion accepts national-level and sector-based standardisation and certification schemes, as well as other cyber/information security measures. It is deliberately designed to be broad, to allow the recognition of all countries that have addressed this issue in law.
-
-
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING 9/12 75%912 75%
-
7.1. Cyber threat analysis 333
Requirements
CriteriaA government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
Accepted referencesLegal act, statute, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/242/2016#Text
National Cyber Security Coordination Center, see Regulation on the National Cyber Security Coordination Center Article 3 (2)
• What is measured: This indicator assesses the capacity and practice of conducting national-level cyber threat and trend assessments. The assessments may, for example, be compiled by an established government entity or unit (such as a department or an agency) or an interagency joint task force. Whether a centralised or distributed approach is followed, the inputs of various sources should be consolidated into a national-level threat picture, and the outcome should assess the cyber threat and cybersecurity status at the national level, covering all sectors.
• Importance: National cyber threat assessments and reports enable consistent characterisation of cyber threats and risks and allow the identification of trends and changes in the activities of malicious actors, new vulnerabilities, or key technological developments impacting national resilience. Information about cyber incidents, threats, and vulnerabilities is analysed and aggregated to provide timely and actionable information to government planning and decision-making entities.
• Evidence: An established unit that has been assigned the task of analysing cyber threat information, or a legal or administrative act assigning the relevant responsibility to an existing body.
-
7.2. Public cyber threat reports 333
Requirements
CriteriaPublic cyber threat reports and notifications are issued at least once a year.
Accepted referencesOfficial website, official social media channel, or public report
Evidence
State Cyber Defense Center, State Service for Special Communications and Information Protection of Ukraine, Russia’s Cyber Tactics: Lessons Learned in 2022
Evidence presented in a foreign language
Cyber Digest – Overview of Developments in the Field of Cyber Security, December 2022 published by the National Cyber Security Coordination Center & prepared with the support of the USAID Project “Cybersecurity of Critically Important Infrastructure of Ukraine”
• What is measured: This indicator tracks the practice of sharing cyber threat awareness, including both timely cyber threat notification and forward-looking insights, anticipating how changes in the cyber landscape may affect public and private institutions.
• Importance: No single organisation can defend against cyber threats on its own; it is vital that the public and private sectors work together to be aware of and understand the challenges they face. To support public threat awareness, the government should regularly publish public cyber threat reports or notices. The purpose is to inform the public about significant cyber incidents, major threats and/or vulnerabilities, and to give insight into trends. Such reports and notices may also alert the public to current cyberattack campaigns or systemic vulnerabilities. By sharing timely information, the government can motivate organisations to work together to prevent cyber incidents and achieve safer cyberspace.
• Evidence: Regular public threat notifications and reports, social media posts, and so on by, for example, the national computer security incident response team (CSIRT) or computer emergency response team (CERT), or another relevant authority count as evidence. To be recognised in the NCSI, such reports should be issued at least once a year.
-
7.3. Public cybersecurity awareness resources 333
Requirements
CriteriaPublic authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
Accepted referencesOfficial website, public advisories
Evidence
Evidence presented in a foreign language
- Cyber Police of Ukraine website → “Recommendations” or “No more ransom”: https://cyberpolice.gov.ua/articles/
- CERT-UA → Recommendations: https://cert.gov.ua/recommendations
- Governmental Portal – Tips for safe online behaviour and a new training course: https://www.kmu.gov.ua/news/misiats-kiberbezpeky-porady-pro-bezpechnu-povedinku-v-merezhi-ta-novyi-navchalnyi-kurs
- Ministry of Education and Sciences of Ukraine: https://mon.gov.ua/ua/news/yak-ubezpechiti-sebe-v-kiberprostori-pid-chas-onlajn-navchannya-poradi-derzhspeczvyazku & https://mon.gov.ua/ua/tag/kiberbezpeka
- Special Website of the State Intelligence Service: https://cip.gov.ua/ua/news/kibermisyac-v-ukrayini & https://cybermonth.cip.gov.ua/
- “Diia” education portal. Portal with online courses: basic digital literacy, for teachers and for parents. “Online Safety of Children.” : https://osvita.diia.gov.ua/
- State Cyber Defence Centre – State Special Communications Service of Ukraine: https://scpc.gov.ua/uk/recommendations/129
- Overview of different initiatives, tips, guides etc. can be found on the webpage of the Kropyvnytskyi City: https://kr-rada.gov.ua/informatsiyna-bezpeka-ta-kiberbezpeka/
• What is measured: This indicator recognises the ready availability of public cybersecurity awareness resources such as cybersecurity guidance and advisories. These could be public awareness raising campaigns promoting cyber hygiene or dedicated websites with information, guidelines, and tips on how to keep data and assets safe online. They could be targeted at the general public or also address specific target groups such as cybersecurity professionals and small or medium enterprises.
• Importance: Cybersecurity ultimately depends on the skills of each user and asset owner to act responsibly in the online environment. The purpose of public cybersecurity resources, therefore, is to empower individuals, businesses, and civil society actors to improve their cybersecurity and protect their assets online.
• Evidence: A dedicated public website or readily available public cyber hygiene resources.
-
7.4. Cybersecurity awareness raising coordination 003
Requirements
CriteriaThere is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
Accepted referencesLegal act, official document, or official website
Evidence
• What is measured: This indicator appraises a systematic approach to cybersecurity awareness through a clear allocation of cybersecurity awareness coordination tasks: providing direction, coordinating actions, and monitoring the implementation of cybersecurity awareness activities.
• Importance: A clearly assigned coordination and oversight role for cybersecurity awareness activities facilitates more effective and efficient awareness raising. In addition to providing direction, coordinating actions, and monitoring the implementation of awareness activities, the lead agency can identify the stakeholders to be involved in the development and implementation of the awareness activities, clarify the roles of different stakeholders, address gaps or duplications, and manage expectations throughout the process. Whether a centralised or a more distributed model is used, all parties involved should have a clear understanding of their respective roles and responsibilities so that accountability and progress can be ensured.
• Evidence: A legal act, statute, or other official document outlining the responsibilities and accountability for coordinating cybersecurity awareness.
-
-
8. PROTECTION OF PERSONAL DATA 4/4 100%44 100%
-
8.1. Personal data protection legislation 222
Requirements
CriteriaThere is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/en/2297-17#top
Law of Ukraine – On Protection of Personal Data
• What is measured: The presence of a national law that sets out the principles of data processing, the rights of the individual (data subject) with regard to their data, and the obligations and liability of data controllers and processors. The applicability of the data protection law to the digital/online environment must either be stated explicitly or established through its inclusive nature that allows individuals the protection of their data processed online.
• Importance: The right to privacy is a fundamental human right that countries must protect and promote, regardless of the platform or medium where the data is processed, and regardless of who – state authorities or commercial service providers – is processing the personal data. Security assurances, including a legal basis for data processing, should be defined in legislation that provides the conditions and procedures for processing personal data as well as the liability for violations.
• Evidence: Personal data protection legislation that applies to data processing by both government and private sector actors in the digital/online environment.
-
8.2. Personal data protection authority 222
Requirements
CriteriaAn independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
Ukrainian Parliament's Commissioner for Human Rights (Ombudsman)
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/776/97-%D0%B2%D1%80#Text
Law of Ukraine – About the Commissioner for Human Rights of the Verkhovna Rada of Ukraine
• What is measured: The country should appoint and equip a public supervisory authority to make sure that its data protection laws are applied and enforced consistently when it comes to online data processing.
• Importance: An independent authority overseeing data processors’ compliance with personal data protection requirements is an essential component of individuals’ rights to privacy and data protection. National legislation should provide a legal basis for the supervisory authority and define its role, duties, and supervisory powers.
• Evidence: A data protection authority with oversight and enforcement powers allocated by law. The mandate must apply to oversight over data processing by both government and private sector actors in the digital/online environment.
-
RESPONSIVE CYBERSECURITY INDICATORS
-
9. CYBER INCIDENT RESPONSE 9/14 64%914 64%
-
9.1. National incident response capacity 333
Requirements
CriteriaThere is a CERT designated with nationwide responsibilities for cyber incident detection and response.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
CERT-UA
Evidence presented in a foreign language
See also Operational Center for Responding to Cyber Incidents, State Cyber Defense Center – Service for Special Communications and Information Protection of Ukraine'
• What is measured: The indicator tracks the presence of a national CSIRT/CERT/CIRT in the country. In line with the Carnegie Mellon University definition, the NCSI acknowledges as national CSIRTs those CERTs that are designated by a country or economy to have specific responsibilities regarding the cyber protection of the country or economy. Such national CSIRTs can be located inside or outside the government but must be specifically recognised by the government as having nationwide powers and responsibility. The IETF Request for Comments 2350 specifies what is expected of CSIRTs. A CSIRT should clearly define its constituency and publish information about its services and communication channels. Services provided by a CSIRT can be divided into two broad categories: real-time activities directly related to their main task of incident response and proactive activities in support of the incident response task. The basic tasks of a CSIRT include monitoring cyber incidents at the national level, providing early warnings, alerts, announcements and information to relevant stakeholders about risks and incidents, responding to incidents, and participating in the CSIRT networks.
• Importance: A well-functioning national CSIRT is central to the national-level capacity to prevent, detect, respond to and mitigate cyber incidents and manage cyber risks. CSIRTs should have sufficient technical and organisational capabilities to carry out these tasks and should be able to participate in international cooperation networks. National CSIRTs act as focal points and coordinate incident response at the national and international levels. Many CSIRTs also help protect their country’s government networks and CII.
• Evidence: A legal act designating the role of a national CSIRT, official governmental website or official website of the national CSIRT, or website of a recognised international CSIRT forum such as the Forum of Incident Response and Security Teams (FIRST) or the Task Force on Computer Security Incident Response Teams (TF-CSIRT).
-
9.2. Incident reporting obligations 333
Requirements
CriteriaOperators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
Accepted referencesLegal act or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/z0603-08#Text
Order (10.06.2008 No. 94) of the Administration of the State Service for Special Communications and Information Protection of Ukraine: On the approval of the Procedure for coordinating the activities of state authorities, local self-government bodies, military formations, enterprises, institutions and organizations regardless of the forms of ownership on issues of prevention, detection and elimination of the consequences of unauthorized actions regarding state information resources in information, electronic communication and information and communication systems
Evidence presented in a foreign language
https://cert.gov.ua/recommendation/4256181
General Rules for Exchanging Information about Cyber Incidents
See I. General provisions number 2:
"2. The rules are mandatory for use by the main subjects of the national cyber security system, other state bodies, in particular sectoral bodies in the field of critical infrastructure protection, as well as recommended for critical infrastructure objects when reporting cyber incidents."
• What is measured: The indicator assesses whether a legal obligation exists to require certain critical sectors and organisations to notify the relevant government authority about significant cyber incidents. The obligation may extend to operators of CI/CII, digital service providers, essential services, government institutions, and other relevant actors. Such notifications are usually addressed to the national CSIRT or a national cybersecurity authority.
• Importance: Mandatory incident notification serves both responsive and preventive aims. It allows the national CSIRT to know when, where, and how to respond most effectively. It also enables the CSIRT to fulfil its threat awareness and analysis responsibilities, and provide alerts or preventive and mitigation guidance to potentially affected parties. To facilitate timely and informative incident reporting, the national CSIRT or another relevant authority could publish official criteria, guidelines, and tools. The law should also define confidentiality assurances to the notifying and affected parties, as appropriate.
• Evidence: Legislation that foresees mandatory reporting of significant cyber incidents, applicable at least for CII operators and/or government entities.
-
9.3. Cyber incident reporting tool 002
Requirements
CriteriaA publicly available official resource is provided for notifying competent authorities about cyber incidents.
Accepted referencesOfficial website
Evidence
• What is measured: The indicator tracks the practice of providing a widely accessible way to notify the national CSIRT, law enforcement, or other competent body about cyber incidents. The use of the tool does not need to be limited to mandatory incident reporting by operators of CII and government authorities.
• Importance: The ready, round-the-clock availability of an online incident reporting tool facilitates timely and informative incident reporting to the national CSIRT. It is important to ensure the confidentiality and integrity of information submitted over this channel and to communicate such assurances clearly when information is submitted. The authorities should follow up on any submissions as required.
• Evidence: An official website with incident reporting functionality.
-
9.4. Single point of contact for international cooperation 003
Requirements
CriteriaThe government has designated a single point of contact for international cybersecurity cooperation.
Accepted referencesLegal act or official website
Evidence
• What is measured: The country should have a designated national single point of contact (SPOC) to be available for liaising with international counterparts on issues related to cyber incident management and vulnerability information sharing. The SPOC coordinates with other affected countries in the event of a cross-border cyber incident. The role may be assigned to an existing authority, such as the national CSIRT.
• Importance: SPOCs simplify coordination and communication when dealing with cross-border threats and incidents, especially where several countries and multiple national authorities are involved in threat mitigation or incident resolution. For example, the SPOC may consult and cooperate with the relevant national law enforcement and data protection authorities where appropriate and in accordance with national law. Any relevant national authority or the CSIRT can entrust the SPOC to forward incident information to other national SPOCs. To carry out their tasks effectively, the SPOCs should have adequate technical, financial, and human resources.
• Evidence: A legal act or official website establishing an entity as the national SPOC for cyber incident coordination.
-
9.5. Participation in international incident response cooperation 333
Requirements
CriteriaThe national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
Accepted referencesOfficial website or official document
Evidence
https://www.first.org/members/teams/cert-ua
CERT-UA – FIRST
https://www.trusted-introducer.org/directory/teams/cert-ua.html
CERT-UA – TF-CSIRT Trusted Introducer
• What is measured: This indicator assesses the country’s membership and participation in international cooperation formats focusing on handling security vulnerabilities and cyber incident responses. The relevant organisations include FIRST, TF-CSIRT, AfricaCERT, CSIRTAmericas, OIC-CERT, or other regional CSIRT organisations operating at the global level and in other regions.
• Importance: Membership in international and regional incident response organisations allows the national CSIRT to respond to security incidents more rapidly and effectively, cooperate and coordinate with other global and regional members on incident prevention, and facilitate information-sharing. These organisations may also offer additional services and resources to their members.
• Evidence: Website or other documents by the relevant CSIRT umbrella organisations confirming the membership of the country’s national CSIRT.
-
-
10. CYBER CRISIS MANAGEMENT 5/9 56%59 56%
-
10.1. Cyber crisis management plan 002
Requirements
CriteriaThe government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act or official website
Evidence
• What is measured: The indicator measures the existence of a national-level crisis plan for handling large-scale cyberattacks, incidents, or significant threats. This plan may be a separate cyber crisis-specific document, or cyber aspects may be integrated into a more comprehensive crisis plan. In either case, the plan should consider the specifics of cyber incidents and assign key roles regarding the crisis management authority, parties involved, and their responsibilities.
• Importance: Cyber crises differ from traditional crisis scenarios in that they can be expected to affect several sectors either directly or through secondary spill-over effects. A cyber crisis also requires the involvement and coordination of specific capabilities from a range of parties: technical knowledge and skills to analyse the threat vectors and methods involved; situational awareness, cyber intelligence, and analysis capabilities; support to restore affected assets; international coordination network; and public and international communication.
• Evidence: A formally adopted crisis plan addressing national-scale events. Organisational crisis plans or crisis plans limited to a specific sector generally do not suffice. Where the plan or parts of it are classified, public evidence must at least confirm the existence of a valid crisis plan.
-
10.2. National cyber crisis management exercises 333
Requirements
CriteriaRegular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
Accepted referencesExercise document, official website, or press release
Evidence
Evidence presented in a foreign language
Regional Command and Staff Exercises 2023 on cyber security held in the Poltava region focusing on scenarios against state bodies. Participants: Technical specialists, employees of administrations and local authorities, representatives of the regional military administration, the State Special Forces, the National Police, the SBU, representatives of critical infrastructure enterprises, including oil & gas sector, agricultural sector, and mechanical engineering.
https://www.fiiapp.org/en/noticias/european-union-ensures-cyber-security-in-ukraine/
Cybersecurity Exercise “CIREX.CYBER.Ransomware” 2023
• What is measured: The indicator checks for the practice of regular interagency crisis management exercises in which response to a large-scale cyber incident is practiced. Such exercises may be wholly concentrated on cybersecurity, or they may be comprehensive exercises that involve cyber components in their training scenarios. Cyber crisis exercises may be held in various forms and at different levels. Exercises can test strategic decision-making, operational processes, or both. A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting. This type of exercise is also used to assess plans, policies, and procedures. Exercises can also practice technical and operational aspects in a hands-on environment, with participants practicing incident mitigation techniques and cooperation.
• Importance: Cyber exercises improve readiness to respond to and contain ongoing crises. These exercises also help reduce the likelihood that a cyber incident will escalate into a full-blown national crisis. In order to ensure that crisis plans are realistic and that those charged with various crisis management roles are up to the task, regular joint exercises should be held to test and improve cyber crisis plans and processes, and to practice cooperation with other parties. Cyber crisis exercises should engage the country’s political leadership, CI/CII/essential service providers, and organisations that have cybersecurity responsibilities. Ideally, such exercises also involve private sector actors such as CII operators.
• Evidence: An official document or confirmation verifying an interagency cyber crisis management exercise or a national-level crisis management exercise with a cyber component in the past two years.
-
10.3. Participation in international cyber crisis exercises 222
Requirements
CriteriaThe country participates in an international cyber crisis management exercise at least every other year.
Accepted referencesExercise document/website or press release
Evidence
https://www.coe.int/en/web/cybercrime/-/cybereast-fourth-regional-cyber-cooperation-exercise
Fourth Regional Cyber Cooperation Exercise 2022
• What is measured: In an international cyber crisis management exercise, relevant government authorities from more than one country are jointly involved in preparation and execution. The purpose of international crisis exercises is to test and train cross-border cooperation. As with the previous indicator, such exercises may be wholly focused on cybersecurity or have a cyber component integrated into a broader training scenario. The exercise may be a bilateral or multilateral event or conducted in the framework of a regional or international organisation. Exercises delivered by one country or international organisation to another country with the aim of only testing the national processes within that country are not considered in the scope of this indicator.
• Importance: International exercises are important learning tools for countries for practicing compatibility of crisis management procedures and cross-border cooperation. They are a useful tool from which countries with little or no crisis experience can draw knowledge and gain lessons and insights from those who have undergone such events. As cyber threats are growing more complex and severe, participating in international cyber crisis exercises serves as a means for building better, more rapid responses.
• Evidence: An official document or confirmation verifying participation in the planning and/or execution of an international (bilateral, multilateral, or regional) cyber crisis management exercise or a crisis management exercise with a cyber component in the past two years.
-
10.4. Operational crisis reserve 002
Requirements
CriteriaA mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
Accepted referencesLegal act or official website
Evidence
• What is measured: Operational reserves or quick reaction forces may be arranged in different ways: as a special (volunteer) unit, emergency response network, government reserve, or arrangements for assistance from the private sector. The fundamental matter is that the engagements must be formalised.
• Importance: A large-scale incident tests any country’s routine resources, and assistance beyond its own capacities can significantly help resolve a crisis. The option to count on the operational support of a crisis reserve of cybersecurity professionals gives the country additional volume, network, and skills when dealing with a cyber crisis. To ensure that the activities of such a reserve during a crisis are lawful and effective, its tasks and the procedure for calling on its assistance must be established beforehand.
• Evidence: A legal act or official website demonstrating the existence of a formal basis to engage reserve support.
-
-
11. FIGHT AGAINST CYBERCRIME 16/16 100%1616 100%
-
11.1. Cybercrime offences in national law 333
Requirements
CriteriaCybercrime offences are defined in national legislation.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/2341-14/page15#Text
Criminal Code, see for example Chapter XVI (Criminal Offenses in the Sphere of Use of Electronic Computing Machines (Computers), Systems and Computer Networks and Electronic Communication Networks, Articles 361-363
https://www.coe.int/en/web/octopus/-/ukraine
For more detailed overview, see CoE’s country page on Ukraine → Substantive Law
• What is measured: The indicator tracks whether the following cybercrime offences are criminalised in national law: intentional access without right to a computer system (by infringing security measures) (illegal access); intentional interception by using technical means of non-public transmission of computer data without right (illegal interception); intentional damaging, deletion, deterioration, alteration or suppression of computer data without right (data interference); intentional serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data (system interference); and intentional commission of specific acts of a preparatory nature involving certain devices or accessing data to be used to commit the cybercrime offences referred to above (misuse of devices). The NCSI addresses cybercrime offences or cyber-enabled offences targeting computer systems and data. Other computer-related or cyber-dependent offences are beyond the scope of the NCSI.
• Importance: A legal basis to prevent and fight against cybercrime is a fundamental part of the national cybersecurity framework, needed to ensure an effective criminal justice response. As a point of reference, the NCSI relies on the Budapest Convention on Cybercrime, which is currently the only legally binding international instrument on cybercrime, has a global effect, and is also considered a standard for capacity building.
• Evidence: Official legislative act, whether it is a distinct cybercrime act or provisions in a comprehensive penal code.
-
11.2. Procedural law provisions 333
Requirements
CriteriaLegislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
Accepted referencesLegal act
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/4651-17#Text
Code of Criminal Procedure of Ukraine
https://www.coe.int/en/web/octopus/-/ukraine
For more detailed overview, see CoE’s country page on Ukraine → Procedural Law
• What is measured: National procedural law that, at the minimum, addresses investigative and prosecutorial powers and measures related to cybercrime, and the collection and handling of electronic evidence for investigating and prosecuting crimes. Such provisions should comprise the criminal justice measures needed for cybercrime investigation, including measures to preserve or secure computer data (preservation order); produce or obtain computer data (production order); seize, secure, search, or access computer systems, computer data, and storage media, as well as to issue orders to obtain necessary information (search and seizure); and collect traffic data, intercept content, and compel service providers to collect and record data transmitted by means of a computer system in real time (real-time interception).
• Importance: While substantive law provisions criminalize acts regarded as cybercrime, procedural law measures are needed to start a criminal investigation and to collect or obtain computer data that can be used as electronic evidence in criminal proceedings. Without proper powers and measures to obtain and use electronic evidence, it is not possible to investigate cybercrime, identify potential suspects, and bring them to justice. Effective and successful cybercrime investigations are a prerequisite to providing restitution to the victims, either in the form of compensation for damages suffered or recovery of property.
• Evidence: The relevant procedural provisions may be contained in a separate (cybercrime) act or clearly integrated into a comprehensive code of criminal procedure. Generic clauses are not acceptable unless they also cover computer systems and computer data.
-
11.3. Ratification of or accession to the Convention on Cybercrime 222
Requirements
CriteriaThe country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
Accepted referencesLegal act on Convention ratification or accession, website of the CoE Treaty Office
Evidence
https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=185
Entry into force 01/07/2006
• What is measured: Ratification of or accession to the CoE Convention on Cybercrime (the Budapest Convention).
• Importance: The Budapest Convention is currently the only legally binding international instrument on cybercrime. It addresses criminal offences committed against computer systems as well as computer-related offences, child pornography, and infringements of copyright and related rights. In addition to substantive law, the Convention also provides for procedural law measures to address computer data or electronic evidence, and a legal basis for international cooperation. It also contains a series of procedural powers, including to search computer systems and intercept computer data. The main objective of the Convention is to pursue a common criminal policy aimed at protecting society against cybercrime, especially by adopting the appropriate legislation and fostering international cooperation. The Budapest Convention is open for accession to all countries. As of September 2022, there were 67 members, with twelve more in the accession process, representing all continents. The signing and ratification of the Convention, or, in the case of non-member states, acceding to the Convention, provides further legal basis and mechanisms for international cooperation among state parties, including the use of the 24/7 point-of-contact network. Therefore, participation in the Convention notably strengthens a country’s possibilities to fight cybercrime. Other regional cybercrime conventions (e.g. African Union, Arab League) lack equivalent mechanisms and are therefore not tracked by the NCSI.
• Evidence: National legal act on the ratification or accession to the Convention or official data published by the CoE Treaty Office counts as evidence.
-
11.4. Cybercrime investigation capacity 333
Requirements
CriteriaLaw enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
Accepted referencesLegal act or official website
Evidence
• What is measured: The purpose of this indicator is to assess the organisational capacity of the country to enforce cybercrime laws. Units with clear competencies and jurisdiction over cybercrime investigations, such as a Cybercrime or High-Tech Crime Unit, are considered to meet the criteria. The presence of a central specialised unit does not preclude additional local or regional units or officers.
• Importance: Cybercrime investigations as well as criminal investigations involving electronic evidence require specialised skills and knowledge. Cybercrime investigations and the analysis of objects containing electronic evidence also require specific analytical training and knowledge of digital forensics. Officers working in such units should have received specialised training that enables them to conduct investigations and use measures to obtain computer data. Specialised units also need to have the necessary powers to use more intrusive procedural measures such as search and seizure, and, in particular, real-time interception of communications (computer data) that might not be available to all units.
• Evidence: Official recognition of a specialised cybercrime unit; a legal act, bylaw, or statute of the unit. Evidence of specialised cybercrime investigative staff serving within a broader unit (e.g. High-Tech or technology crime) is also accepted.
-
11.5. Digital forensics capacity 222
Requirements
CriteriaLaw enforcement has a specialised function and capacity for digital forensics.
Accepted referencesLegal act, statute, official document, or official website
Evidence
Evidence presented in a foreign language
Website of the Sate Research Expert Forensic Center of the Ministry of Internal Affairs of Ukraine. Overview of types and subtypes of forensic examinations can be seen here.
In order to collect and analyze electronic evidence, the Cyber Police Department engages experts of the Forensic Science Centre of the Ministry of Interior. The experts take part in collecting, seizure, storage, analysis, examination and expert evaluation of digital evidence. Other agencies and units can invite experts of the Centre where it is necessary to collect and analyse digital evidence within investigative proceedings conducted by such other agencies / units. Cited source can be found on the country page of Ukraine, CoE.
• What is measured: This indicator considers the digital forensics capacity of law enforcement. Digital forensics is an area of forensic science that aims to obtain digital evidence, analyse it, and present it in court. Its scope includes computer, mobile, network, and malware forensics. The NCSI assesses whether a designated authority or digital forensic laboratory is responsible for handling, extracting, and analysing digital evidence and conducting digital forensics examinations for criminal justice purposes. Since law enforcement is a state prerogative, private investigative entities are outside the scope of this indicator.
• Importance: Almost any type of modern crime leaves electronic evidence or computer data that can serve as evidence in court proceedings; often it will be the only lead that law enforcement authorities and prosecutors can pursue and collect.
• Evidence: Proof of the existence of a specialised unit or specialised staff serving within a broader unit (e.g. high-tech or technological crime forensics laboratory) is accepted as evidence.
-
11.6. 24/7 contact point for international cybercrime 333
Requirements
CriteriaThe government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
Accepted referencesOfficial website, legal act or statute
Evidence
https://rm.coe.int/0900001680abad5e
Cyberpolice Department of the National Police of Ukraine under the Ministry of Internal Affairs
Evidence presented in a foreign language
For additional information see also Ukraine’s country page on CoE → International Cooperation → 24/7 points of contact and police cooperation
• What is measured: This indicator assesses whether a point of contact has been established for criminal justice purposes that is operational 24 hours a day, seven days a week, regardless of where this entity is located (for example, police, prosecutor's office, or another authority).
• Importance: Electronic evidence is often stored in foreign jurisdictions. Therefore, criminal investigations often require a cross-border/international request to obtain electronic evidence from other countries, including evidence held by multinational service providers. As cybercrime can be of transborder nature and electronic evidence could be located in any country, it is also necessary to ensure that a point of contact is available and operational outside office hours. In urgent or emergency situations, another country might need to consult with the national point of contact. A 24/7 point of contact can also be used to quickly contact other countries to send requests and exchange information. Contact points can be used to transmit requests to obtain, preserve, and secure computer data, as well as for other forms of international cooperation and mutual assistance. Countries may also rely on other existing units or points of contact for 24/7 international cybercrime cooperation, such as Interpol.
• Evidence: Officially appointed 24/7 point of contact for international cybercrime, including those designated in the framework of the Budapest Convention, Interpol, or other international cooperation formats in criminal matters.
-
-
12. MILITARY CYBER DEFENCE 6/6 100%66 100%
-
12.1. Military cyber defence capacity 222
Requirements
CriteriaArmed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
Accepted referencesLegal act, statute, other official document or official website
Evidence
Evidence presented in a foreign language
https://mil.in.ua/uk/news/v-zsu-formuyut-dva-novi-komanduvannya/
Command of the Communications and Cyber Security Troops of the Armed Forces of Ukraine (Командування військ зв’язку та кібернетичної безпеки Збройних Сил України - Komanduvannya vijsk zvyazku ta kibernetychnoyi bezpeky Zbroynykh Syl Ukrayiny)
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/z0785-16#Text
Law on the Approval of the Lists of Military Administration Bodies in which civil service positions are provided, Order 05/20/2016 No. 270, see list of military administration bodies whose jurisdiction extends to the entire territory of Ukraine, number 16.
Evidence presented in a foreign language
- White Book 2021 – Defence Policy of Ukraine, see page 99 “Figure 2. Structure of the Armed Forces of Ukraine Command and Control Authorities as of the end of 2021”, page 101 “Figure 5. Communications and Cyber Security Forces Command of the Armed Forces Structure and Composition“
- "Communications and cyber security forces are special forces designed to plan and ensure the deployment, deployment, operation of communications and information systems, combat control and warning systems, their expansion in peacetime, a special period, in the conditions of a state of emergency and war with the aim of solving the tasks of ensuring the management of the troops (forces) of the Armed Forces of Ukraine, as well as implementing measures for the functioning of the national cyber security system and repelling military aggression in cyberspace (cyber defense)." Cited source can be accessed here.
- MoD, see also Main Directorate of Communications and Cyber Security (J6)
- Facebook presence of the Command
- Doctrine of Communications and Cybersecurity of the Armed Forces of Ukraine (VKP 6-00(01).01), approved GK ZSU 09.12.2021, which can be accessed here or here. Page 3: "(…) The Doctrine takes into account the views of the leadership of the Armed Forces of Ukraine on what modern communications and cyber security forces should be in order to counter challenges and threats, achieve interoperability and cooperation with NATO member countries, experience in the training and use of communications and cyber security forces in the course of anti-terrorist operations and operations of joint forces on the territory of Donetsk and Luhansk regions. (…)". See page 9 for Tasks and Responsibilities; Military Command of the Communications Cyber Security Forces (starting at page 12); Specific Military Units (starting at page 23)
• What is measured: This indicator examines whether the country’s armed forces (or other government-sponsored and militarily arranged organisations tasked with territorial defence) have designated entities that relate either to cyber operations or to the cybersecurity of military operations, with the corresponding tasks and mandates. Such entities can be organised as a distinct branch, service, or joint force, with their tasks usually involving ICT infrastructure operations, defensive and/or offensive cyberspace operations, cyber intelligence operations, and providing cyber advice to military commanders and units. This indicator considers command-level responsibility, without assessing the organisation’s actual capacity to direct and control cyber operations in its own right.
• Importance: Military cyber defence is an important component of overall national defence capacity against existential external threats, including those enabled or amplified by cyberspace.
• Evidence: Official evidence of the existence of cyber units and their tasks as defined in the criteria.
-
12.2. Military cyber doctrine 222
Requirements
CriteriaThe tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
Accepted referencesLegal act, official doctrine, or official website
Evidence
Evidence presented in a foreign language
https://zakon.rada.gov.ua/laws/show/1932-12#Text
Articles 3, 4 & 9 of the Law about the Defense of Ukraine, link above.
"Article 3: (…) Preparation of the state for defense in peacetime includes:
(…)
implementation of cyber defense measures (active cyber defense) to protect the sovereignty of the state and ensure its defense capability, prevent armed conflict and repel armed aggression;
(…)Article 4. Repelling armed aggression against Ukraine
(…)
State authorities and military administration bodies, without waiting for the declaration of a state of war, take measures to repel aggression. On the basis of the relevant decision of the President of Ukraine, the Armed Forces of Ukraine, together with other military formations, begin military operations, including conducting special operations (intelligence, informational and psychological, etc.) in cyberspace.Article 9 Powers of the Cabinet of Ministers of Ukraine in the field of defense
Cabinet of Ministers of Ukraine:
(…)
supervises the implementation of laws in the field of defense, carries out other measures to ensure the defense capability of Ukraine in accordance with the laws, coordinates and controls their implementation and bears, within the limits of its authority, responsibility for ensuring the defense of Ukraine."
Evidence presented in a foreign language
https://www.rnbo.gov.ua/ua/Ukazy/5005.html
Decree of the President of Ukraine — On the decision of the National Security and Defense Council of Ukraine dated August 20, 2021 "On the Strategic Defense Bulletin of Ukraine"
"In accordance with Article 107 of the Constitution of Ukraine and the fourth clause of the first part of Article 13 of the Law of Ukraine "On the National Security of Ukraine", it is hereby decreed: (…)
3.8. Combat military units and units of the defense forces will be combat-capable, mobile and able to quickly advance to threatening directions, concentrate efforts in the necessary place at the specified time, act unpredictably and innovatively, taking into account the overall military advantage of the enemy. The introduction of a network-centric approach, which, on the basis of a single protected information environment, will combine the simultaneous and synchronized use of modern control systems, information exchange (intelligence), means of destruction and non-lethal influence (radio-electronic, information influence, actions in cyberspace, etc.), will increase the capabilities of the combined forces under the time of their application.
The creation of deterrence potential will be based, in particular, on the capabilities of operational-tactical missile systems, multifunctional all-weather manned and unmanned aircraft systems, medium-range anti-aircraft missile systems, forces and means of active influence in cyberspace and through cyberspace. (…)
The creation of a cyber defense system will be focused on the acquisition of the necessary capabilities by the subjects of preparation and implementation of cyber defense measures, the creation and development of forces, means and tools of combat in cyberspace and through cyberspace, which will ensure the creation of the necessary potential of the defense forces to repel military aggression in cyberspace.
In order to counteract the forces and means of the enemy, the efforts of radio-electronic warfare and warfare in cyberspace are combined.
Remote non-contact influence on the enemy will become the main way to achieve the goals of the battle and operation.
The use of high-precision weapons becomes a prerogative, robotic systems will be actively implemented.
3.9. The Armed Forces of Ukraine and other components of the defense forces will gradually be equipped with high-tech samples of weapons and military (special) equipment, which will ensure the implementation of deterrence potential, protection of troops (forces), objects, information protection and cyber protection of information infrastructure in the entire spectrum.3.14. (…) The development of the operational, combat and special capabilities of the defense forces will be aimed at achieving by the Armed Forces of Ukraine, the forces and means of other components of the defense forces, the ability to perform tasks as intended, which will ensure deterrence, stability and repulsion of armed aggression against Ukraine, countering hybrid threats, and will focus on: (…) capabilities for conducting confrontation in the information space and cyberspace as a component of the information space;"
See also Task 5.6. Achieving the capabilities to fight in cyberspace, creating a cyber defense system.
Evidence presented in a foreign language
https://www.president.gov.ua/documents/472017-21374
DECREE OF THE PRESIDENT OF UKRAINE No. 47/2017 on the decision of the National Security and Defense Council of Ukraine dated December 29, 2016 "On the Information Security Doctrine of Ukraine"
• What is measured: The role or tasks, principles, and oversight of the military regarding planning and conducting cyber operations are defined in legislation or official doctrine. These documents establish a common, authorised framework to guide and set lawful boundaries for the military as it pursues national security objectives. Legislation or doctrine may include subjects such as the purpose, goals, uses, and authorisation related to the use of cyber capabilities. Military doctrines may be fully or partially public, or access-restricted. To be considered by the NCSI, public evidence of their existence and of the presence of key components (tasks and oversight) is required.
• Importance: Public doctrine stimulates lawfulness, predictability, and responsible behaviour by the armed forces engaging in cyber operations.
• Evidence: Legal act, official doctrine, or official confirmation of their existence, with some details on the key components of these documents. A military strategy that does not define mandatory principles on the operational level does not qualify as evidence.
-
12.3. Military cyber defence exercises 222
Requirements
CriteriaArmed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
Accepted referencesOfficial website or official document
Evidence
Defence Cyber Marvel 2 2023. See also "UK testing complex cyber threats on CR14's Cyber Range"
Critical Infrastructure Resilience Exercises (CIREX) 2023 – command and staff exercise
• What is measured: Engagement in both domestic and international exercises that practice the cyber defence tasks and responsibilities of the armed forces. The NCSI does not consider the particular type or level of the cyber defence exercise: these may be technical live-fire cyber defence exercises; strategic-level decision-making exercises; integrated technical-operational, cyber-kinetic, or civil-military exercises; military exercises with a cyber component; a crisis exercise with a military cyber component; or other.
• Importance: Cyber defence exercises are an important mechanism for testing, improving, and practicing procedures and the skills needed to manage large-scale crisis scenarios, including civil-military cooperation.
• Evidence: Official website or official document, including exercise document, website, or press release. The exercise must have taken place within the past three years.
-
Information Disclaimer
The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.
What can I do to improve my country's data in NCSI?
Become a data contributor Update a specific indicator with evidence data