Administrative liability for cybersecurity violations: problems of qualification and effectiveness of sanctions
DOI:
https://doi.org/10.5281/zenodo.21297805Keywords:
administrative liability, cybersecurity, offence qualification, sanction effectiveness, NIS 2 Directive, critical infrastructure, compliance, GDPR.Abstract
The article examines administrative liability for cybersecurity violations in Ukraine, focusing on the qualification of offences and the effectiveness of sanctions. The doctrinal foundations of a cybersecurity delict are explored as an autonomous corpus delicti with a specific object – the orderly regime of confidentiality, integrity and availability of network and information systems. The analysis reveals the fragmentation of relevant administrative offence provisions across multiple articles of the Code of Ukraine on Administrative Offences (Art. 188-31, 188-39, 212-2, 212-5, 212-6) and the institutional asymmetry between the substantive obligations of critical infrastructure operators established by Law No. 4336-IX and the fragmentary sanctions framework. Four qualification problems are identified: the blurred boundary between administrative and criminal cyber offences, the constitutional tension of blanket dispositions referencing private technical standards such as ISO/IEC 27001 and NIST CSF, the multi-causal nature of cyber incidents that impedes the establishment of causation under classical doctrines, and the absence of sanction differentiation by entity type, which violates the principle of proportionality. The Ukrainian model is compared with the NIS 2 Directive approach, where fines may reach EUR 10 million or 2% of global turnover, and with GDPR enforcement practice, which has accumulated over EUR 5.65 billion in penalties. Five reform directions are substantiated: turnover-linked sanctions differentiated by entity category, compliance defence through ISO/IEC 27001 certification, normative recognition of SIEM/SOC data as admissible administrative evidence, voluntary self-reporting with amnesty for timely incident disclosure, and personal liability of the cybersecurity officer.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 А. А. Васильєв, Я. О. Бакай

This work is licensed under a Creative Commons Attribution 4.0 International License.