Наталя Хандусенко War 22 July 2025, 09:54

Ukraine wants to ban the purchase, use, and distribution of hostile software: financial sanctions will be imposed in case of violation

On July 18, the Verkhovna Rada registered a bill on the prohibition of the use and distribution of hostile software products and hostile information technology. In particular, it provides for the withdrawal of hostile software from use by January 1, 2030 and financial sanctions in case of violation. It also defines the criteria by which hostile software and information technology are determined.

What does the bill provide for?

The draft law establishes the terms "hostile software product" and "hostile means of informatization";
defines the criteria by which software products and information technology tools are classified as hostile (in particular, based on beneficial ownership, origin, copyright, presence of prohibited solutions on open lists, etc.);
establishes the powers of the Cabinet of Ministers of Ukraine to approve lists of hostile software products and information technology tools maintained by the State Service for Special Communications and Information Protection of Ukraine as part of an open list of software and network equipment prohibited for use;
grants the Security Service of Ukraine and the National Bank of Ukraine the right
submit proposals for the inclusion or exclusion of products from the lists within the relevant areas of supervision (national security, financial sector, etc.);
provides for the gradual withdrawal from use of hostile software products and information technology by January 1, 2030 ;
establishes a ban on their purchase and use by state authorities, critical infrastructure entities, defense sector enterprises, as well as participants in payment systems, except for cases provided for intelligence agencies;
determines liability in the form of financial sanctions in the amount of 2% of the total annual turnover of the business entity in case of violation of requirements regarding prohibited products;
establishes the terms for the entry into force of the provisions of the Law ( the main provisions - 6 months from the date of publication; the sanctions block - from January 1, 2030);
contains amendments to the laws of Ukraine "On the Security Service of Ukraine", "On the National Bank of Ukraine", "On the State Service for Special Communications and Information Protection of Ukraine" in order to ensure the implementation of the provisions of this Law.

Criteria for classifying a software product as hostile software product

The ultimate beneficial owner of the business entity distributing the software is: a citizen of the aggressor state and/or the occupying state or states that are part of customs and military alliances with such states, or states to which sanctions have been applied and/or to which personal economic and other restrictive measures (sanctions) have been applied;
the author of the computer program who owns the property rights to the computer program is a citizen of the aggressor state and/or the occupying state or which is a member of customs and military alliances with such states, or states to which sanctions have been applied, and/or to which personal economic and other restrictive measures (sanctions) have been applied;
the software is in the open list
prohibited from use software and communication (network) equipment, which is maintained in accordance with the requirements of the Law of Ukraine "On the Basic Principles of Ensuring Cybersecurity of Ukraine";
the website owner is a citizen of the aggressor state and/or
occupying states or those that are part of customs and military alliances with such states, or states to which sanctions have been applied, or a citizen of Ukraine registered in the temporarily occupied territories of Ukraine, and/or to which personal economic and other restrictive measures (sanctions) have been applied;
the owner of the website is a citizen of the aggressor state and/or
occupying states or those that are part of customs and military alliances with such states, or states to which sanctions have been applied, or a citizen of Ukraine registered in the temporarily occupied territories of Ukraine, and/or to which personal economic and other restrictive measures (sanctions) have been applied;
the property copyrights for such software product belong to
a legal entity whose ultimate beneficial owner is any of the persons specified above;
the owner of such a website is a legal entity whose ultimate beneficial owner is any of the persons listed above.

Criteria for classifying an information technology tool as a hostile information technology tool

Communication (network) equipment is in the open
a list of software and communication (network) equipment prohibited for use, maintained in accordance with the requirements of the Law of Ukraine "On the Basic Principles of Ensuring Cybersecurity of Ukraine";
account on such equipment contains access data to
parts of the catalogs and computer program, computer equipment, and also defines the rights of such access, which enable the account holder to add, delete, change the digital content and data of the website, provide access to the website or its part, individual data to other persons, terminate the functioning of such a website or its part within the account belongs to: a citizen or legal entity resident of the aggressor state and/or the occupying state, or a state that is part of a customs or military union with such a state, or a state to which sanctions have been applied, or a citizen of Ukraine whose place of residence is registered in the temporarily occupied territory of Ukraine, or a legal entity resident of Ukraine whose location is registered in the temporarily occupied territory of Ukraine, and/or to which personal economic and other restrictive measures (sanctions) have been applied.

Liability for violation of the law

According to the draft law, the sale, use and distribution of hostile software products and tools is prohibited
informatization will come into effect from January 1, 2030. In case of violation, the following liability is provided:

to business entities that sell, use
and/or distribution of software products, information technology means, records of which are available in the lists of software products and information technology means classified as hostile software products, hostile information technology means approved by the Cabinet of Ministers of Ukraine or those that meet the criteria specified in Article 3 and Article 4 of this Law, financial sanctions are applied in the form of a fine in the amount of 2% of the total annual turnover of such a business entity, but not less than the income from such sale and/or distribution or use.
Financial sanctions are applied 180 calendar days after the date of publication of lists of software products and information technology tools classified as hostile;
detection of two or more violations of the requirements of this law increases
financial sanctions for the number of violations detected;
application of financial sanctions specified in part one of this
Article, is carried out by a court decision adopted upon a claim by an authorized body, which ensures the formation and implementation of state policy on the protection of state information resources and information in cyberspace, the requirement for protection of which is established by law, active counteraction to aggression in cyberspace, and cyber protection of critical information infrastructure facilities.

By January 1, 2030, government bodies, local governments, military formations, state enterprises, institutions and organizations, owners and operators of critical infrastructure are instructed to take urgent measures to transition (decommission) hostile software products, information technology tools, or those that fall under the criteria of hostile.

It should also prohibit the introduction of measures to modernize electronic communications equipment and terminal equipment when deploying high-speed broadband access networks (including when deploying fifth-generation and subsequent mobile communications) using hostile software or information technology products, or those that fall under the criteria.

Individuals and legal entities, other business entities shall take urgent measures to remove from use software products, information technology tools classified as hostile, etc.

Go for a manicure and leave your data with the FSB — Ukrainian businesses still use Russian software, even in barbershops

Why has it not been possible to replace 1C with another product in ten years?

Six Ukrainian alternatives to Russian 1C: how to abandon Russian software