Ukraine’s Updated Legal Framework for Government CISO Roles
May 22, 12:20 PM
Recent amendments to Ukrainian legislation, grounded in Law 4336 and related regulations, have introduced specific requirements for Chief Information Security Officers (CISOs) within state bodies. Rather than being detailed directly in the law, the precise criteria for CISO candidates are laid out in Cabinet of Ministers Resolution No. 1516 and professional standards. The primary sources for these mandates are Procedure No. 1516 and Order No. 798.
Under Part 3 of Article 5¹ of Law 4336, the State Service for Special Communications and Information Protection of Ukraine (SSSCIP) provides methodological guidance on CISO qualifications. Additionally, Article 14, Paragraph 106 of the Law on the SSSCIP (as amended by Law 4336) empowers the agency to oversee the professional certification system, which also applies to CISOs. This regulatory shift aims to standardize cybersecurity leadership across government institutions.
Candidate Qualifications for the CISO Position
Applicants for CISO roles in state authorities must meet defined educational and experience benchmarks. Specifically, candidates need a higher education degree in one of the following fields:
- Information Technology (with a preference for Cybersecurity and Information Protection);
- Information Security Management (within the Security and Defense domain);
- Electronics, Electronic Communications, Instrumentation, and Radio Engineering;
- Information and Measurement Technologies;
- Automation, Computer-Integrated Technologies, and Robotics (from the Engineering, Manufacturing, and Construction field);
- Public Management and Administration (from the Business, Administration, and Law field).
A standard requirement for CISO candidates is at least three years of relevant professional experience. This condition is established in professional standards and methodological recommendations, not directly in Law 4336. As per Paragraph 3 of the Procedure approved by Cabinet of Ministers Resolution No. 1516 (dated November 26, 2025), these criteria are mandatory for all relevant appointments.
These new legislative measures set clear expectations for cybersecurity specialists, aiming to bolster information protection within state agencies. This article serves as a supplement to the main piece titled 'Law 4336-IX: What Changes for State Institutions and Critical Infrastructure, and How Businesses Should Prepare.'
Elevating the qualification standards for cybersecurity leaders in government bodies is a critical step toward strengthening national cyber resilience.
Given the rising threats in cyberspace, such initiatives can enhance the security of data and information systems, which is vital for government operations and public trust. The adoption of these new standards may also drive advancements in cybersecurity education and professional training across Ukraine.