Administrative-legal regulation of cybersecurity of critical information infrastructure under martial law conditions
DOI:
https://doi.org/10.5281/zenodo.21297649Keywords:
cybersecurity, critical information infrastructure, administrative-legal regulation, martial law, NIS2, CERT-UA, SSSCIP, administrative liability.Abstract
The article examines the administrative-legal regulation of cybersecurity of critical information infrastructure in Ukraine under martial law conditions as of April 2025. The conceptual triad of critical infrastructure, critical information infrastructure, and CII objects under Ukrainian Laws No. 1882-IX and No. 2163-VIII is analysed in comparison with the entity-based logic of Directive (EU) 2022/2555 (NIS2), which operates with the categories of essential and important entities across 18 sectors. It is established that the object-oriented approach of Ukrainian legislation creates a semantic gap with the European model and complicates the harmonisation process. The institutional architecture of the national cybersecurity system encompassing the SSSCIP, CERT-UA, SSU, Cyber Police, Ministry of Digital Transformation, and NCCC under the NSDC is identified, revealing the structural problem of coordination without a coordinator – overlapping competencies in the absence of a single operational accountability centre. The transformation of the CII cybersecurity legal regime under the influence of martial law is explored, including the expansion of regulatory discretionary powers, simplified incident response procedures, and restricted registry publicity, with the stated risk of normalising emergency powers in the absence of automatic sunset mechanisms. A comparative analysis of the Ukrainian model with the European NIS2 system and the experience of Estonia and Lithuania is conducted. Based on the analysis of strategic cyber incidents in 2022–2024 (Industroyer2, the Kyivstar attack, the Ministry of Justice registry breach), the effectiveness of operational response is demonstrated alongside the inability of the administrative mechanism to perform preventive disciplining of CII operators. De lege ferenda proposals are formulated regarding full NIS2 transposition, harmonisation of the sanctions mechanism, creation of a unified operational cyber defence coordinator, and introduction of mandatory external audits.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 А. А. Васильєв, Я. О. Бакай

This work is licensed under a Creative Commons Attribution 4.0 International License.