Cybersecurity is becoming one of the top priorities for any country. This issue is particularly acute in Ukraine, which is in an active phase of war, as Ukraine's critical infrastructure, networks, registries, and archives are constantly under threat from cyber-attacks.

In an effort to avoid a “Zero Day” scenario, the Ukrainian government has made several strategic decisions related to relocating data centres outside Ukraine, utilizing cloud services, and ensuring data protection. As a result, the cloud services market in Ukraine is undergoing rapid development, creating vast opportunities for global providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. At the same time, the law requires potential providers to comply with specific regulatory requirements and standards to ensure security for Ukrainians.

Transition period and recent changes

Due to the Russian invasion, the legal process for cloud service provider registration was temporarily suspended, making it impossible to complete registration as certain requirements and mandatory document formats had not been approved.

However, on February 11, 2025, the Cabinet of Ministers of Ukraine adopted Resolution No. 154, "Certain Issues Regarding the Provision and Use of Cloud Services and/or Data Processing Centre Services", which addressed existing legal gaps, introduced a transition period, and structured the registration procedure for cloud service providers.

This resolution has now made it possible to officially register as a cloud service provider. Until December 31, 2025, government institutions can still procure cloud services from companies that have not yet been registered. However, after the transition period ends, registration will become mandatory for working with government agencies and critical infrastructure facilities.

What is the regulatory framework for cloud service provider registration in Ukraine?

Ukraine has enacted the Law "On Cloud Services" which regulates the activities of cloud service providers. In order to have access to public procurement and provide services to critical infrastructure, you need to be included in the register of cloud service providers. The registration process requires submission of the following documents:

  • an application for inclusion in the list of cloud service providers: the form for submitting such an application is already published by the State Service of Special Communications and Information Protection in Ukraine (SSSCIP);
  • documents confirming compliance with information protection legislation: requires the development of a complex data protection system (CDPS) and expertise carried out by SSSCIP. The form for requesting such expertise is already established. The expertise may take up to 6 months;
  • a personal data processing policy: an internal document that may be developed by the company or qualified legal advisor;
  • proof of ownership or usage rights over the technical infrastructure: internal documents that may include lease agreements for premises and equipment, statements from the registers, etc;
  • a compliance certificate issued by a conformity assessment body in Ukraine: obtaining such certificate requires an expertise carried out by the Certification Authority Body of the State Scientific and Research Institute of Cybersecurity Technologies and Information Protection. The expertise may take up to 6 months.

What are the security and technical compliance requirements for registered cloud service providers?

In order to legally operate in the Ukrainian cloud services market, providers must:

  • use only technical resources that do not belong to entities on the sanctions list and are not located in aggressor states;
  • implement information security management systems in accordance with international standards such as ISO/IEC 27001 and ISO/IEC 27018;
  • conduct monitoring, audits, and ensure an immediate response to cybersecurity incidents while informing CERT-UA about significant incidents;
  • regularly train personnel on cybersecurity standards and data protection measures.

Benefits for Global Cloud Service Providers

Registering as a cloud service provider in Ukraine opens significant opportunities for providers. After registration, a company gains the right to provide services to government agencies and critical infrastructure enterprises. We believe that in the beginning of 2026 only few companies will be included in the register of cloud service providers. As a result, registration as a cloud service provider will provide a serious competitive advantage during the first half of 2026, enabling the company to establish a strong position in the Ukrainian market. In fact, the resolution has created the preconditions for a first-mover advantage in this area. Also, for conservative private entities holding official status strengthens a company's reputation as a reliable partner.

Conclusions

The Ukrainian cloud services market presents promising opportunities for global providers, particularly in the context of digitalizing public services and the rapid growth of the IT sector. However, to operate effectively, companies must comply with Ukrainian legislation, particularly regarding registration, cybersecurity, and infrastructure localization. 

Since the registration procedure will take from 6 to 12 months under favourable circumstances, we are convinced that work in this area should begin immediately. 

Companies that adapt to the new regulations in a timely manner will gain significant competitive advantages and secure a foothold in one of the most dynamic markets in Eastern Europe.