Cloud technologies and data centres: new regulation in Ukraine

On 15 March 2022, the President of Ukraine has signed the Law of Ukraine “On Cloud Services” No. 2075-IX, dated 17 February 2022 (the “Cloud Services Law“). The Law is scheduled to take effect on 16 September 2022.

For the first time in Ukraine, the Cloud Services Law introduces a complex regulatory framework for providing the cloud and data centre services for users in Ukraine. The adopted Cloud Services Law has strong focus on regulating provision of such services to the public authorities and operators of critical information infrastructure facilities (the “CIIF operators“), but the scope thereof extends further to B2B and B2C relations.

In this overview, we look at what cloud services mean, what types of services are covered, whether there are any requirements to cloud and/or data centre services contracts as well as what data security and localisation requirements are stipulated by the Cloud Services Law.

What do “cloud services” mean?

The Cloud Services Law does not re-invent the wheel, so the key definitions generally correspond to their conventional meanings.

Cloud service is defined as a service of providing cloud resources by means of the cloud computing technology.

Cloud resources mean any hardware and software or other elements of the information (automated) system the access to which is provided through and by cloud computing technologies, in particular, processor time (computing power), storage space, computing networks, databases and computer programmes.

Cloud computing technology should be understood as a technology of providing a remote access to the cloud infrastructure through e-communication networks at the user’s request.

Cloud (cloud infrastructure) means a set of dynamically distributed and customised cloud resources which can promptly be provided to the user of cloud services and freed up through global and local networks of data transfer.

Which cloud and supplemental services are covered?

The Cloud Services Law specifically lists the following services which are subject to its regulation:

  • infrastructure as a service (IaaS) that involves providing computing resources, storage resources and e-communication systems by means of the cloud computing technology;
  • platform as a service (PaaS) that involves providing access to infrastructure and sets of computer programmes, such as operating systems, system computer programmes, computer programming software, database management software, by means of the cloud computing technology;
  • software as a service (SaaS) that involves providing access to software by means of the cloud computing technology through an online service or computer agent programmes; and
  • security as a service (SECaaS) that involves providing cybersecurity services with the use of the cloud resources.

Under the Cloud Services Law, the list of the cloud services is non-exhaustive. Any service that falls within the meaning of the ‘cloud service’ definition will be subject to regulation under the Cloud Services Law. Scope of specific cloud services should be defined in a contract between provider and user of cloud services.

Furthermore, the Cloud Services Law regulates the services of data centres. Under the Cloud Services Law, a data centre is defined as a specialised technical complex that consists of engineering (uninterruptable power supply, ventilation, cooling and humidity control, fire safety, physical protection), information, e-communication and software and hardware infrastructure.

Data centre services can either be supplemental to the cloud services or provided separately from the cloud services. The data centre services include: (1) technical management of information (automated) and e-communication networks, as well as information and communication systems; (2) technical support for users of cloud services; (3) installing equipment in the data centre, including providing a separate premises for installing the equipment; (4) rent of technical means located in the data centre; and (5) cybersecurity.

Requirements for cloud and/or data centre services contracts

The Cloud Services Law has strong focus on regulating the cloud and/or data centre services contracts where public authority and/or CIIF operator is a party to the contract, while the regulation is minimum where a privately owned business is a party to such contract:

Factor to consider

Сloud and/or data center services to public authorities and CIIF operators

Сloud and/or data centre services to privately owned businesses

Contract form Written (electronic)
Model (standard) contract Yes. A model cloud and/or data centre services contract will be approved by the Ukrainian Government. The model contract is binding, but the parties are permitted to specify the basic terms and conditions No
Inclusion of other document to the
principal contract by reference
Permitted by the Cloud Services Law
Joint liability of service providers Yes. If several service providers are involved in the provision of services under the contract for one user, such providers bear joint liability before the user unless agreed otherwise in the contract with the user
Essential provisions of the contract Yes. The Cloud Services Law stipulates an extensive and non-exhaustive list of essential provisions for cloud services contract:

  • subject-matter and contract term;
  • procedure and conditions for providing the user with access to cloud resources;
  • procedure of access to data that is processed during fulfilment of the cloud and/or data centre services contract;
  • data protection (including personal data protection), including protection against unauthorised actions (internal and external threats, cybersecurity incidents, cyberattacks), and procedure of notifying users;
  • requirements for immediate notification of a cybersecurity incident that is critical for providing cloud and/or data centre services;
  • requirements for the level of uninterrupted operation of the system using the cloud computing technology;
  • procedure for transferring data, including backup copies, from the provider to the user;
  • procedure and timeframe for transferring data, operating and information systems (if any) from the user of cloud services to the provider for the purpose of proper provision of services and fulfilment of the contract;
  • termination, including timeframes and procedures for transferring data, their backups, systems (if any) from the cloud service provider to the user of cloud services;
  • procedure for deleting (destroying) data and its backup copies;
  • information regarding backups, including procedure and frequency of backup;
  • parties’ liability;
  • notification procedure regarding changes to essential provisions of the contract;
  • service fees and payment terms;
  • termination, including early termination.

The parties are allowed to agree that some other provisions to be essential.

  No
Governing law Must be governed by the laws of Ukraine Can be governed by the laws other than Ukrainian if service provider is a foreign entity
Jurisdiction of the forum Must be resolved in the Ukrainian courts Foreign courts or arbitration can be chosen if service provider is a foreign entity
Local authorisation for service providers Yes. Service provider must be recorded with the Ukrainian Registry of Providers of Cloud and/or Data Centre Services. The Registry is maintained by the Commission (as defined below) No
Public procurements law Applies Does not apply
Data processing localisation requirement Yes (for more information, see our overview below) No specific requirement
Obligation to inform on security risks  Yes. User must be informed about potential  security risks which can arise due to data processing in the cloud (likely prior to provision of services) No specific obligation
Obligation to inform on security measures  Service provider should provide information on how data is secured from external and internal threats, including cyberattacks, upon the user’s request and/or in accordance with the procedure agreed in the contract

Security requirements

Under the Cloud Services Law, service providers must not:

  • use technical facilities located in the territory where public authorities of Ukraine temporarily do not exercise their powers (which would be territories temporarily affected by the war) and in the territory of any aggressor state (currently, only the Russian Federation);
  • use technical facilities owned by states or entities to which the sanctions have been applied under the Law of Ukraine “On Sanctions” 1644-VII, dated 14 August 2014 (the “Sanctions Law“).

The Cloud Services Law does not provide any detailed instructions on how a service provider should trace the ownership of the facilities.The Cloud Services Law also sets general requirements regarding compliance with technical and organisational measures for managing risks related to security of networks and systems used for cloud and/or data centre services. Such measures must appropriately correspond to the perceived level of the security threat and should encompass:

  • security of systems and equipment;
  • incident management;
  • business continuity management;
  • monitoring, audit and testing;
  • compliance with the international standards.

The Cloud Services Law also establishes a notification requirement for service providers – they must, without undue delay, notify of any incident that has a significant adverse effect on the provision of cloud and/or data center services. The said notification must be sent to the National Commission for State Regulation of Electronic Communications, Radiofrequency Spectrum and Postal Services (the “Commission“), and CERT-UA, the Computer Emergency Response Team of Ukraine at the State Service of Special Communication and Information Protection of Ukraine. The Cloud Services Law does not interpret the scope of “significant adverse effect” that triggers the notification obligation, so it should be defined in the internal documents or service providers and decided on a case-by-case basis. The Commission should also approve the notification procedure.

Data localisation requirement and related regulation

The Cloud Services Law introduces a data localisation requirement. In particular, it is prohibited to process the following information with the use of cloud resources and/or data centres located abroad or in the temporarily occupies territories of Ukraine, or which are owned broadly by the Russian Federation or sanctioned individuals and entities under the Sanctions Law: (1) state secrets; (2) information pertaining to the office; and (3) information from the state and unified registers which are created, maintained and operated under the laws of Ukraine.

Since the Cloud Services Law is not yet in force, the data localisation requirement is also not yet in force. Therefore, public authorities and service providers should have enough time to restructure their cooperation if and where needed.

The introduced data localisation requirement should be applied in conjunction with other parts of the Ukrainian legislation establishing a specific regulation during the martial law:

  • according to Resolution No. 263 of the Cabinet of Ministers of Ukraine, dated 12 March 2022, public authorities were allowed, among other things, to locate public information resources and public e-registers as well as their encrypted reserve copies on the cloud resources or data centres outside Ukraine;
  • Draft Law 7152 “On Amending Some Laws of Ukraine Concerning Maintenance of Functioning of Information and Communication Systems, Electronic Communication Systems, Public Electronic Registers” dated 13 March 2022 is expected to allow locating public e-registers abroad during the martial law and up to six (6) months after cancellation of the martial law. Currently, the Draft Law awaits the signature by the President of Ukraine.

Under the Cloud Services Law, the Ukrainian Government is tasked to adopt a procedure of providing cloud and/or data centre services in connection with public information resources or information with limited access.

Information contained in this overview is for general information purposes only, does not constitute legal or other professional advice, and should not be relied upon as a substitute for specific professional advice tailored to particular circumstances.

Related legal alerts

22 November 2022
Reservation of it specialists during martial law: what to expect from upcoming new rules and requirements?
23 August 2022
Starting from 17 August 2022, no import duty applies to goods required to secure storage of grain and/or oilseed crops
20 July 2022
Regulatory reminder Ukraine: 1 August 2022 is the deadline for foreign broadcasters whose TV channels were authorised for retransmission before 1 February 2022
Notification cookies

We use cookies to analyze the behavior of visitors
of our website and improve it. By using our website, you consent to these cookies in accordance with our Cookie Policy.