Introduction: Balancing Innovation and Cloud Compliance
In the era of accelerated digitalization, Ukrainian enterprises and government institutions are increasingly considering cloud technologies as a foundation for scalability, cost-effectiveness, and flexibility. However, alongside the undeniable advantages of global cloud solutions, a critical question arises: how to ensure data sovereignty and compliance with strict national requirements for its storage and processing? This is particularly relevant for critical infrastructure and confidential information, where legal risks and information security are a priority.
For CIOs, CTOs, and CISOs, choosing a cloud provider is not just a technical decision but a strategic commitment that requires a deep understanding of both technological capabilities and Ukraine's regulatory landscape.
Data Sovereignty in Ukraine: The Legislative Landscape
Ukrainian legislation is actively developing in the area of cloud services regulation and data protection, striving to adapt best global practices while ensuring national interests. Key regulatory acts that define requirements for working with data in the cloud include:
- Law of Ukraine "On Cloud Services" (entered into force on September 16, 2022). This law defines the concepts of cloud computing, services, and providers, and establishes the legal framework for their provision and consumption. It directly prohibits the processing of information constituting state secrets, official information, as well as state and unified registers using cloud resources and/or data processing centers located outside Ukraine's borders or in temporarily occupied territories of Ukraine, or belonging to the aggressor state. For public procurers and critical information infrastructure entities, the law requires compliance with legislation on personal data protection, information, and cybersecurity.
- Law of Ukraine "On Personal Data Protection" (of June 1, 2010). This law regulates relations related to the protection and processing of personal data and aims to protect fundamental human rights and freedoms. It imposes on personal data holders the obligation to ensure their protection against illegal processing and access. The processing of personal data generally requires the unambiguous consent of the data subject.
- Resolution of the Cabinet of Ministers of Ukraine No. 154 of February 11, 2025 "Some Issues of Providing and Using Cloud Services and/or Data Processing Center Services". This resolution details the procedure for providing cloud services for processing state information resources or restricted-access information. It establishes requirements for cloud service providers, including the need for a compliance document issued by an accredited conformity assessment body in the field of electronic communications, confirming the management of information security, continuity, and network system security.
- Law of Ukraine "On Critical Infrastructure" and related subordinate acts. This legislation defines the concept of critical infrastructure and establishes special requirements for protecting related information, emphasizing the need for effective measures to prevent harm to national interests.
Requirements for Cloud Providers for Ukrainian Business and Government
For Ukrainian organizations considering migration to the cloud, especially for processing sensitive data or operating critical infrastructure, the key criteria for choosing a provider are:
- Location of Data Processing Centers (DPCs): For information constituting state secrets, official information, and state registers, DPCs must be located exclusively within Ukraine. For other types of data, although there may be no direct prohibitions on placement abroad, localizing data within Ukraine or the EU/EEA can be an advantage for simplifying compliance and reducing geopolitical risks.
- Compliance with Ukrainian Legislation: The provider must demonstrate a clear understanding and ability to comply with the requirements of the Laws "On Cloud Services," "On Personal Data Protection," "On Critical Infrastructure," and relevant CMU resolutions.
- Certifications and Security Standards: The presence of international certificates (e.g., ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018) is a basic requirement. For working with public users and critical infrastructure, a certificate of conformity issued by an accredited Ukrainian conformity assessment body may be required.
- Contractual Obligations: The cloud services agreement must clearly reflect the division of responsibilities for data protection, guarantees regarding data sovereignty, procedures for law enforcement access to data, and audit mechanisms. A typical contract for public users and critical infrastructure operators is approved by the Government.
- Data Protection Mechanisms: The provider must offer robust technical and organizational security measures, including encryption, access management, incident monitoring, and disaster recovery plans.
Global Cloud Giants and Ukrainian Compliance: Realities and Opportunities
Leading global cloud providers such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud offer unparalleled scale, innovative services, and global DPC networks. However, none of them currently have full-fledged commercial data centers directly on Ukrainian territory. This creates certain challenges for Ukrainian organizations, especially considering data localization requirements.
- Microsoft Azure: Actively supports Ukrainian businesses and government institutions, assisting with cloud migration and ensuring business continuity in wartime conditions. Microsoft offers initiatives such as "Microsoft Cloud for Sovereignty" and "EU Data Boundary," which allow customers to host data in selected EU/EEA regions, ensuring compliance with local data sovereignty and privacy requirements. While these are not DPCs in Ukraine, they can be acceptable solutions for many types of data that do not fall under the strictest restrictions. Azure Stack solutions also allow extending Azure services to the client's local DPCs or partner DPCs in Ukraine, creating hybrid architectures.
- Amazon Web Services (AWS): Played a key role in preserving critically important Ukrainian government and private data, migrating over 10 petabytes of information to its cloud storage using physical Snowball Edge devices. AWS demonstrates a high level of compliance with international security standards. Although AWS DPCs are located outside Ukraine, the company actively collaborates with the Ukrainian government and businesses, providing support and expertise.
- Google Cloud: Offers a wide range of services and tools for security and regulatory compliance, including compliance assessments with GDPR, PCI DSS, ISO 27001, and assistance in navigating the Ukrainian regulatory environment. Google Cloud has a global infrastructure with numerous regions, allowing customers to choose data storage locations, although there is no direct DPC in Ukraine. The company is also actively working on compliance with European regulations such as DORA.
The use of cloud technologies requires not only an understanding of technical aspects but also the ability to integrate them into the overall information management and cybersecurity strategy. Companies specializing in system integration and complex IT solutions development, such as Intecracy Group and InBase, can provide valuable expertise in building hybrid cloud architectures and ensuring business continuity amidst constant changes.
Checklist for Choosing a Cloud Provider Considering Data Sovereignty
When making decisions about choosing a cloud provider, CIOs, CTOs, and CISOs should consider the following criteria:
| Criterion | Description | Microsoft Azure | Amazon Web Services (AWS) | Google Cloud |
|---|---|---|---|---|
| DPC Location for Critical Data (State Secrets, Registers) | Presence of DPCs within Ukraine. | No (hybrid solutions with Azure Stack in local DPCs are possible). | No (data is migrated to DPCs outside Ukraine). | No (DPCs outside Ukraine). |
| Compliance with the Law "On Cloud Services" | Provider's ability to meet the law's requirements, especially for public users. | Active cooperation with the government, EU Data Boundary and Cloud for Sovereignty initiatives. | Active cooperation with the government, assistance with critical data migration. | Provides resources and consultations on regulatory compliance. |
| Compliance with the Law "On Personal Data Protection" | Guarantees of personal data protection and consent mechanisms. | Global certifications (ISO 27018), EU Data Boundary. | Global certifications, high security standards. | Global certifications (ISO 27018, 27701), GDPR support. |
| Availability of Ukrainian Compliance Certificates | Certificate from an accredited Ukrainian conformity assessment body (especially for public procurers). | Requires separate expertise and certification in Ukraine. | Requires separate expertise and certification in Ukraine. | Requires separate expertise and certification in Ukraine. |
| Contractual Terms on Data Sovereignty | Clear provisions on data storage location, jurisdiction, and access. | Proposals for EU Data Boundary, Sovereign Cloud. | Provides contractual obligations, but jurisdiction is determined by the DPC region. | Updated contractual terms for European financial institutions (DORA). |
| Cybersecurity Measures and Standards Compliance | Implemented information security management systems (ISO 27001), incident response. | ISO 27001, SOC, multi-layered protection, Zero Trust. | ISO 27001, SOC, proactive cybersecurity measures. | ISO 27001, SOC, Security Command Center, network resilience. |
| Hybrid and Private Cloud Solution Capabilities | Ability to integrate global cloud with local DPCs or private clouds. | Azure Stack for extending Azure to local DPCs. | Capabilities for hybrid architectures, e.g., via AWS Outposts. | Hybrid cloud solutions (Anthos). |
Conclusion: A Strategic Choice for Ukraine's Digital Future
Choosing a cloud provider under Ukrainian data sovereignty laws is a complex but critically important task. It requires not only technical expertise but also a deep understanding of legal nuances and geopolitical realities. The balance between the global advantages of scalability and innovation offered by global cloud giants and the need to comply with national localization and data protection requirements is key to a successful and secure cloud strategy.
CIOs, CTOs, and CISOs must conduct thorough analysis, engage legal experts, and consider hybrid models that can combine the benefits of global clouds with the ability to store the most sensitive data within Ukraine. This approach will allow Ukrainian organizations to effectively use cloud technologies while minimizing legal risks and ensuring the highest level of information security.
Related solutions: Intecracy solutions and inbase.com.ua solutions.
Sources
- tecracer.com
- awsstatic.com
- audit3a.com
- tomshardware.com
- chambers.com
- google.com
- aboutamazon.com
- google.com