The People's Deputy believes that the heads of state institutions and enterprises that are designated as critical infrastructure facilities should bear personal, up to and including criminal, responsibility for improper protection of their facilities.
The People's Deputy believes that the heads of state institutions and enterprises that are designated as critical infrastructure facilities should bear personal, up to and including criminal, responsibility for improper protection of their facilities.
Oleksandr Fedienko, the head of the subcommittee on cybersecurity of the Verkhovna Rada Committee on National Security, stated about the lack of responsibility for officials during the Kyiv Forum on Cyber Resilience 2026.
Fedienko explained that the state establishes clear rules on physical, technological, and cyber protection for critical infrastructure enterprises. However, in practice, this process is being slowed down.
"The problem is that many private enterprises are simply not ready to do this. This requires money, attracting new people and specialists. Therefore, they are starting to block this story. And the heads of state-owned enterprises are starting to use this reluctance of private business to also not implement these mechanisms," the official noted.
The subcommittee chairman cited the example of the banking sector, where management clearly understands the risks of losing funds or business reputation, and therefore invests in security. In contrast, the illusion of impunity reigns in the public sector.
Fedienko recalled cases of loss of digital state registers in the past, noting that no official or minister suffered any real punishment for this.
"Some responsibility should still fall primarily on the heads of state institutions who took on the responsibility for protecting this facility. It doesn't matter if it's a kinetic or hybrid attack, but they must be responsible for ensuring that the protection is formed correctly within the framework of current legislation. […] Until this mechanism works, none of the leaders will assess the risks," the People's Deputy emphasized.
Currently, the Verkhovna Rada has already adopted the necessary framework, in particular Law No. 4336, which fundamentally changes the cybersecurity paradigm in Ukraine, taking into account the European NIS2 directive and national war experience.
However, the question of punishment for ignoring these norms remains open. According to Fedienko, a complex discussion is currently underway with the Law Enforcement Committee regarding what exactly the responsibility for officials should be: administrative, correctional, or criminal.
The deputy expressed hope that in the near future the committees will reach a compromise and establish uniform rules of liability for managers of critical infrastructure facilities.
Recall that in December 2024, Ukraine learned of a large-scale cyberattack on state registers . As a result of the attack carried out by Russian hackers, the work of key systems of the Ministry of Justice was temporarily suspended.
