Updated Cybersecurity Requirements for Non-Bank Financial Institutions

Legal Alert

On 13 December 2025, Resolution of the NBU Board No. 143 dated 9 December 2025 “On Approval of the Regulation on the Implementation of Measures to Ensure Information Security and Cybersecurity by Financial Service Providers” (the “Regulation”) came into force. The Regulation was developed in alignment with European standards – specifically, Regulation (EU) 2022/2554 of the European Parliament and of the Council dated 14 December 2022, on digital operational resilience of the financial sector (DORA) – as well as national standards in information security (IS) and cybersecurity.

Financial companies, insurers, credit unions, and pawnshops must align their operations with the new requirements within one year.

The Regulation establishes mandatory requirements for cyber risk management, the organization of information security, cyber incident response, as well as document management and access control within information and communication systems for financial service providers.

Entities subject to the Regulation are specifically required to:

  • Implement IS and cybersecurity measures based on a risk-oriented approach, including the protection of infrastructure, services, and supply chains, management of access and authentication, and event logging and recording; and
  • Apply these measures to protected assets throughout their entire life cycle, considering the specific characteristics of their information and communication systems.

Furthermore, financial service providers have the right to:

  • Establish a process for managing cyber and IS risks within their risk management system.
  • Independently define the approaches (methodologies) for the assessment and management of cyber and IS risks.
  • Engage authorized third-party providers to implement security measures and respond to cyber incidents, with contracts including a mandatory non-disclosure agreement (NDA).

The changes introduced strengthen the cyber resilience of the financial sector and aim to align Ukrainian requirements with European standards in information security.

How Deloitte’s specialists can help

Our team of experienced cybersecurity professionals and legal experts offers a wide range of services, including:

  • Assessing the current state of IS, cybersecurity, and supplier risk management in accordance with Resolution No. 143 and DORA.
  • Identifying and designing measures (controls) to minimize risks. 
  • Developing or updating security policies and procedures (access management, multi-factor authentication (MFA), passwords, logging, network protection, vulnerability management).
  • Conducting penetration testing and assessing PAM/MFA architecture, as well as SIEM/SOC systems (MFA use cases, brute-force, privilege escalation, lateral movement).
  • Designing network segmentation, high-security zones, perimeter protection, and services for external connections using advanced approaches and technologies such as Zero Trust Network Access, Security Service Edge, and Cloud Security Posture Management, in collaboration with global security providers.
  • Formulating and verifying contractual requirements for third parties (NDA clauses, sanctions and jurisdictional restrictions, incident reporting, cloud/data center requirements).
  • Conducting training sessions and tabletop exercises on supply chain cyber resilience, incident response, business continuity, and disaster recovery.

Where necessary, we engage experts from Deloitte’s global network with proven experience implementing DORA requirements and related standards in Europe, ensuring the adoption of best international practices. 

If you have any questions or require advice, please contact us. 

We will continue to monitor key legislative developments and share relevant insights with you.

Comments provided by Deloitte experts herein are for informational purposes only and should not be used by taxpayers without an in-depth expert analysis on a case-by-case basis.
