A new recently adopted legal procedure takes the next step in ensuring cybersecurity of Ukraine’s critical infrastructure and national interests by providing for the creation of an official ban list of software and equipment.
On 22 October 2025, the Cabinet of Ministers of Ukraine adopted “The Procedure for Forming and Maintaining an Open List of Software and Communication (Network) Equipment Prohibited for Use” which implements the mechanism - as established by the Law “On the Basic Principles of Ensuring Cybersecurity of Ukraine” - for adding sanctioned, vulnerable or unsafe technologies to an official ban list to protect national interests and critical infrastructure from cyber threats.
Creation and maintenance of an open list of prohibited software and equipment (the “List”) falls under the Administration of the State Service for Special Communications and Information Protection (Derzhspetszviazku). The List is to be publicly available in electronic form on the Derzhspetszviazku’s official website and the Unified State Open Data portal.
The List’s criteria
Software and equipment are added to the List based on the following definitive grounds:
- Ukrainian sanctions: Ownership or beneficial ownership by entities subject to sanctions under the Law “On Sanctions”
- International sanctions: Subject to international sanctions recognized by Ukraine
- Court decisions: Explicit prohibition of specific software or equipment by a court decision
The List is maintained in Ukrainian and contains the following details:
- Name of the software or equipment
- Manufacturer’s name
- Other identifying data (e.g., version or serial number)
- The grounds for and date of inclusion.
However, certain particulars - specifically, the name of the software or communication (network) equipment, the owner’s or manufacturer's name - are also duplicated in the language of the country of origin.
Any changes (additions or removals) to the List must be completed within five working days of the grounds arising.
What are the possible implications of using prohibited software/equipment?
Using software or equipment included on the List after the prohibition date violates Ukrainian law requirements, exposing Ukrainian entities to legal, administrative and operational penalties.
Liability-wise, non-compliance with the Procedure for the Open List of Prohibited Software and Network Equipment in Ukraine can lead to legal, administrative, and operational liabilities, especially for businesses. While the specific penalties may depend on the nature and extent of the violation, here’s a breakdown of potential consequences:
Legislative implications
Violation of sanctions law: Using software or equipment that falls under sanctions may constitute a breach of the Law of Ukraine “On Sanctions,” which can result in: (i) fines, (ii) suspension of business activities, (ii) criminal liability in extreme cases (e.g., national security matters).
Court-mandated implications
Court enforcement: If a court decision is the basis for prohibition, ignoring it may lead to enforcement actions, including asset seizures.
Administrative implications
Regulatory penalties: Derzhspetszviazku and other regulators may impose administrative fines, revoke licenses and permits, restrict public procurement eligibility.
Operational implications
Forced discontinuation: Authorities may require immediate cessation of use, leading to (i) business disruption; (ii) data access issues; and (iii) potential loss of functionality.
Reputational implications
Violations of trust: Public exposure of non-compliance could harm client trust, partner relations and regulatory standing.
In addition, if found using prohibited software or equipment that involves personal data processing or may pose a cybersecurity threat, the user could face audits by the data protection or cybersecurity authorities.
Best practices to avoid violations and remain compliant
In light of the foregoing, businesses operating in Ukraine must treat compliance as an ongoing regulatory obligation rather than a one-time exercise. The following measures are essential to mitigate legal, administrative, operational and reputational risks:
Legal: Consult legal advisors to assess current compliance status, evaluate potential exposure, and develop appropriate risk mitigation strategies.
Monitoring: Implement procedures to continuously monitor the List once published on Derzhspetszviazku’s official website and the Unified State Open Data portal.
IT Audits: Perform assessments of all software and network (communication) equipment currently deployed to identify products that are likely to be added to the List.
Migration: Prepare and (where feasible) implement transition plans to alternative compliant solutions for any identified at-risk software and network (communication) equipment, thus proactively ensuring regulatory compliance.
Response strategy: Develop and maintain in advance a discontinuation plan that can be immediately executed once software or equipment is added to the List.
By Volodymyr Monastyrskyy, Partner, and Roman Mehedynyuk, Senior Associate, Dentons
