Cybersecurity of Critical Infrastructure and Oversight of Local Self-Government Decisions

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

Between November 2 and November 16, Reform Index experts recorded six reform events. The key reform of this issue is the new rules on the cybersecurity of critical infrastructure, which require operators to assess cyber risks and develop response plans. Experts rated this development at +2 points. Issue 277 also focuses on the law on transparency of the activities of local self-government bodies, which received a score of +1 point.

The overall Reform Index score in issue 277 is +1.1 points (on a scale from -5 to +5). In the previous issue, the Index stood at +1 point.

Graph 1. Dynamics of the Reform Index

Graph 2. Values of the Reform Index and Its Components in the Current Assessment Round

Risk-based approach to the cybersecurity of critical infrastructure, +2 points
Resolution No. 1479 changes the approach to the cybersecurity of critical infrastructure: instead of uniform rules for all, it introduces a model based on risk assessment. Previously, cybersecurity requirements were limited to standard measures (such as having a designated unit, the necessary technical tools, and prescribed actions in the event of cyberattacks). Now, the cybersecurity system must not only comply with these requirements but also take into account cyber risks specific to each facility and ways to manage them.
Under the new approach, operators must regularly review the cybersecurity status of their facilities, identify the most vulnerable elements, assess the potential consequences of attacks, and update their cybersecurity plans annually. These plans must describe both the current state of cybersecurity and the target state — that is, the level of security the facility must achieve. In addition, the plans must be aligned with the national security system (that is, take into account threats at the state level and general approaches to protecting critical infrastructure) and reviewed and approved by the relevant state authorities (the State Service of Special Communications and Information Protection and relevant ministries).

Information about the Reforms Index project, the list of Index experts and the database of the regulations assessed are available here.

Expert commentary
Oleh Haiduk, expert at the Institute of Cyber Warfare Research (ICWR), advisor on AI and innovation at the PARKOVYI Data Center

“Resolution No. 1479 aims to shift the cybersecurity of critical infrastructure from formal compliance with requirements to the management of real risks. The key innovation is the introduction of baseline cybersecurity measures and a catalog of cybersecurity measures, as well as a risk assessment methodology to be developed by the Administration of the State Service of Special Communications and Information Protection. This establishes a nationwide minimum level of security and a mechanism for strengthening protection for high-risk facilities. Under the new rules, risk management must be treated as a continuous process, responsible parties for cybersecurity must be designated, and training and funding must be planned. Sectoral authorities (relevant ministries and other state authorities) have been tasked with specifying cybersecurity requirements, taking into account sectoral specifics.
Overall, the resolution aligns with the European regulatory framework. The EU’s second Directive on the security of network and information systems (NIS2) requires critical infrastructure entities to implement proportional measures based on risk assessment and strengthens management accountability for their implementation. In France, this approach is implemented under the regime for the protection of vital activities (SAIV), where the French National Cybersecurity Agency (ANSSI) defines requirements for critical systems and oversees their implementation. In Germany, NIS2 has already entered into force, and Poland is moving in the same direction by updating the framework law on the National Cybersecurity System.
At the same time, in the context of cyber warfare, a risk-based approach requires particular caution. Underestimating the adversary or formally justifying exceptions may lead to situations where compliance does not translate into actual cyber resilience.
The effectiveness of implementing the risk-based model depends not only on regulatory decisions but also on the actual readiness of the market and the professional community. Industry associations, in particular the Digital Sovereignty Alliance of Ukraine (DSUA), can serve as open platforms for coordinating practical approaches, developing targeted solutions, and pooling resources from technology vendors and leading data center and cloud service operators.”

Law on oversight of the legality of local self-government decisions, +1 point
Law No. 4677-IХ introduces state oversight of the legality of acts of local self-government bodies. Decisions of regional councils will be reviewed by a central executive authority designated by the Cabinet of Ministers (no such resolution has yet been adopted); decisions of district councils will be reviewed by regional state administrations. Within one year from the date the law enters into force (that is, one year after martial law is lifted), decisions of village, settlement, and city councils will also be reviewed by regional state administrations, and this function will later be transferred to district state administrations.
This oversight applies only to decisions adopted by communities in the exercise of powers delegated to them by the state. Delegated powers relate to areas where legislation establishes uniform national standards, such as the provision of administrative services through Administrative Service Centers or oversight of compliance with price and tariff regulations. Decisions adopted within the communities’ own (self-governing) powers are not subject to state oversight. These include matters such as the local budget, management of municipal property, public amenities, and similar issues.
Decisions may be reviewed no later than 60 days after they enter into force. If violations are identified, the oversight body must, within three working days, submit a request to the council requiring the violations to be remedied, and the council then has up to 20 working days to do so. If the violations are not remedied, the oversight body may file a claim with the court to annul the unlawful decision. In exceptional cases where a decision threatens the territorial integrity of Ukraine, it may be temporarily suspended, and the case immediately referred to court, with the President and the Cabinet of Ministers notified accordingly.
Oversight bodies must, at least once per quarter, inform local councils in writing of changes in legislation and, upon request, provide explanations on how to properly apply legal provisions.
Expert commentary
Oleksandr Slobozhan, executive director of the Association of Ukrainian Cities

“The law introduces a new system of administrative oversight over the legality of acts of local self-government bodies in accordance with the European Charter of Local Self-Government and streamlines the system of state authorities with regard to coordination, oversight, and control.”

Viktoriia Derets, public administration expert at the Centre of Policy and Legal Reform

“The law on ensuring legality and transparency in the activities of local self-government bodies marks the final stage of an almost five-year attempt to regulate state oversight of their acts — one of the elements of the unfinished reform of local state administrations.
Initially, the reform envisaged transforming local state administrations into prefecture-type bodies, with a clear focus on ensuring the legality of acts of local self-government bodies, coordinating territorial bodies of central executive authorities, and depoliticizing the leadership of local state administrations. This approach was reflected in draft law No. 4298 (2020); however, due to conceptual disagreements, multiple revisions, and stakeholder criticism, it was never adopted. Subsequent “clone” draft laws sought to accelerate the fulfillment of a Ukraine Facility indicator but would have strengthened the influence of local state administrations over local self-government, creating a risk of undermining its autonomy, and were ultimately rejected.
Law No. 4677-IX introduces two mechanisms for ensuring the legality of acts of local self-government bodies: first, through information and advisory support from local state administrations; second, through formal requirements to eliminate violations and recourse to the courts to annul unlawful acts, which can generally be regarded as a positive development.
At the same time, during preparation for second reading, the scope of oversight was narrowed. It had been planned that state oversight would cover both regulatory acts of local self-government bodies and individual acts (that is, those concerning specific persons or situations) adopted in violation of the law or exceeding authority, since the main purpose of state oversight of legality is to prevent violations of human rights in the activities of local self-government bodies. However, in the final version, the Law limits oversight only to acts adopted under powers delegated by the state. The nature of delegated powers means that they remain within the competence of the delegating authority. According to the Constitution, the exercise of such powers should be subject to state control, not state oversight. Therefore, the new mechanism does not fully resolve the key problem—the lack of oversight over the legality of acts adopted by local self-government bodies in the exercise of their powers.
Another drawback is that the Law does not include a provision for establishing a personnel reserve for the positions of heads of district state administrations, indicating a lack of intention to restore the civil servant status of heads of local state administrations and their deputies, even in the future. The Law also temporarily assigns the function of ensuring the legality of acts of village, settlement, city, and district-in-city councils, and their executive bodies, to regional state administrations. These powers will be exercised for one year from the date the Law enters into force, even though district state administrations could have been prepared in advance to carry out this function.
As a result, the Law does not resolve the main problem — the reform of local state administrations remains incomplete.”

Oleh Ivanov, analyst at Vox Ukraine

“The law was intended as a step toward completing decentralization and transforming local state administrations into prefecture-type bodies that would exercise neutral oversight over the legality of community decisions — that is, verifying only their compliance with the law, without interfering in governance, without assessing the expediency of decisions, and with the possibility of annulling them exclusively through the courts. However, this approach was abandoned in the final version: local state administrations were not restructured, did not lose their administrative and sectoral functions, but were at the same time granted additional powers to ensure legality, which increases their influence over local self-government.
On the other hand, oversight was limited only to decisions of local self-government bodies adopted within delegated powers. Control over such powers had already existed, so the law does not significantly change the “rules of the game” in relations between the state and communities and does not resolve the issue of the legality of decisions adopted under communities’ own powers. At the same time, the law is not overtly counter-reform: it does not revoke community powers and contains certain technical procedural improvements — judicial procedure, consultations, and information support.”

Reform Index from VoxUkraine aims to provide a comprehensive assessment of reform efforts by Ukraine’s authorities. The Index is based on expert assessments of changes in the regulatory environment in six areas: Governance, Public Finance, Monetary system, Business Environment, Energy, Human Capital. Information about the Reforms Index project, the list of Index experts and the database of the regulations assessed are available here.