This NBU Resolution No. 66 is **** (as it relates to the regulation of the financial sector and cybersecurity); it establishes clear rules for the protection of critical information infrastructure (CII) in the financial sector. The document defines the criteria by which banking and non-banking financial institutions must identify their information and communication systems as CII objects. The resolution also obliges critical infrastructure operators to compile a registry of such objects and submit it to the National Bank. The document introduces enhanced cybersecurity measures for these systems and amends existing NBU regulations regarding cybersecurity.<\/p>\n
### Structure and Main Provisions
\nThe resolution consists of a regulatory part and three annexes:
\n1. **Regulation on CII of the Financial Sector:** defines terminology, criteria for classifying systems as CII, the procedure for maintaining the registry, and cybersecurity requirements for various categories of operators (banks, payment systems, database administrators).
\n2. **Amendments to Regulation No. 43:** update information protection requirements in the payment market, specifically regarding the classification of cyber incidents and the procedure for reporting them.
\n3. **Amendments to Regulation No. 178:** adjust the organization of cybersecurity in the banking system, specifically clarifying the composition of information exchange participants and the requirements for external audits for bank CII operators.<\/p>\n
Compared to previous versions, these changes systematize the approach to cybersecurity by integrating it with the requirements of the laws “On Critical Infrastructure” and “On Basic Principles of Ensuring Cybersecurity of Ukraine.”<\/p>\n
### Most Important Provisions for Application
\n* **CII Criteria:** A system becomes a CII object if its stoppage would lead to a crisis situation and the financial institution has no alternative for its replacement.
\n* **Prohibition on Software Usage:** Operators are strictly prohibited from using software and equipment included in the list of prohibited items (specifically those associated with the aggressor state or sanctioned persons).
\n* **Reporting:** Operators are required to identify their CII objects within two months after the resolution enters into force and provide information about them to the NBU. Subsequently, the list must be reviewed annually (as of November 1).
\n* **Responsible Persons:** Institutions must appoint persons responsible for CII who will ensure data updates and compliance with cybersecurity requirements.
\n* **Incident Classification:** Requirements for cyber incident notifications have been updated, including criticality levels (from yellow to black), which requires market participants to provide a rapid response and reporting through the NBU Cyber Defense Center.<\/p>\n