On 11 February 2025, the Ukrainian Government adopted a resolution regulating various aspects of cloud and data center services (the "Services") provision and use. In particular, the resolution introduces:
- a procedure for the provision of Services related to the processing of state information resources ("SIR") or restricted information, the requirement for the protection of which is established by law ("restricted information");
- requirements for Service providers;
- a framework for the formation and use of electronic catalogues of Services;
- a model contract governing the provision of Services to public users of cloud services and critical infrastructure operators for their critical information infrastructure.
The resolution is adopted under the Law of Ukraine "On Cloud Services".
Key provisions
- Services related to the processing of SIR or restricted information
The resolution establishes the procedure for providing Services related to processing SIR or restricted information. In particular, such Services must be provided under a contract, the term of which may not exceed the validity period of a conformity document issued by an accredited conformity assessment body in electronic communications. The conformity document serves as evidence of compliance with requirements for information security management, service continuity, network and information system security. Users also consider these conformity documents when comparing Services and cloud infrastructure options.
- Requirements for Service providers
The resolution defines the obligations of Service providers, including:
- the steps required for a Service provider to be included in the official list of providers (the "List"), which is maintained by the Administration of the State Service for Special Communications and Information Protection of Ukraine (the "SSSCIP"); and
- the procedure for confirming compliance of Service providers with these requirements.
The requirements cover technical, organisational, and physical security measures, including the implementation of an information security management system (the "ISMS") or comprehensive information security system (the "CISS"), cybersecurity incident management and service continuity management, automated service control, monitoring, auditing, and security testing.
The Service provider shall ensure compliance with the established standards, in particular international standard ISO/IEC 27001 or a standard of a foreign country adopted under this standard, or the Ukrainian national standards ISO/IEC 27001:2023 (ISO/IEC 27001:2022, IDT), ISO/IEC 27018:2019.
To confirm compliance with the requirements, a provider must obtain: (i) a conformity document issued by a conformity assessment body or a document confirming the compliance of a CISS based on the results of a state examination in the field of technical information protection; (ii) policies and procedure for processing personal data; (iii) documents confirming the ownership or other property rights to equipment and premises used for providing Services; and (iv) a conformity document issued by a conformity assessment body in the field of electronic communications, confirming compliance with the requirements.
- Electronic catalogues of Services
The resolution also regulates the procedure for forming and using electronic catalogues of Services. Key provisions include:
- Service providers must publish and maintain an electronic catalogue of their services in Ukrainian on their website;
- the catalogue will be a reference for public users* and critical infrastructure operators. It will assist in market analysis and procurement planning under the Law of Ukraine "On Public Procurement".
* Under the Law of Ukraine "On Cloud Services", a public user of cloud services is a state authority, an authority of the Autonomous Republic of Crimea, a local self-government body, a state enterprise, a state institution, a state organisation or other subject of authority or other entity to which such authority has been delegated.
The catalogue must include: (i) a description of the Service, terms and conditions of use, data protection procedures, location of cloud resources/data center, incident reporting mechanism, compliance with standards, and (ii) an identification code such as the USREOU (Ukrainian company code), LEI code (international legal entity identifier) or taxpayer identification number for individual entrepreneurs. These provisions indicate that the Service provider may be either a resident or a non-resident of Ukraine.
- Model contract for the provision of Services
The model contract governs agreements between Service providers and public users and critical information infrastructure facility operators. The model contract outlines the procedures and conditions for granting access to the Services, the payment procedures, and the rights and obligations of both parties. For example, the provider is obliged to immediately notify the user of a cybersecurity incident that has or may have a significant negative impact on the provision of Services, confirming the notification to CERT-UA, and further inform the user of the measures taken to respond to the cybersecurity incident.
In terms of liability, a penalty of 20 percent of the value of the defective Services will apply for failure to provide quality Services. Additional sanctions will apply for failure to comply with time limits for fulfilling the obligation.
Early termination of the contract is allowed (i) by mutual agreement of the parties, (ii) by unilateral termination due to contract breaches, or (iii) in case of termination or cancellation of the document confirming compliance with the requirements for managing information security, continuity, security of network and information systems of the providers.
Under the provisions of the model contract, the law of Ukraine applies to legal relations not regulated by the contract. Disputes fall under the jurisdiction of Ukrainian courts.
- Compliance deadline and next steps
Providers and users of cloud services or data center services in Ukraine must comply with the new regulatory framework. Until 31 December 2025, public users may still procure Services from providers not included in the official List. After that date, only listed providers will be eligible for public procurement contracts.
Given this, Service providers should prepare in advance to meet the requirements for inclusion in the List to maintain the possibility of providing Services to public users after 2025.
By Yuriy Kotliarov, Partner, and Sergiy Tsyba, Counsel, Asters