Regulatory Adaptation of Personal Data Protection Standards to Hybrid Threats in the EU and Ukraine

  • Kateryna Bodnar, Education and Research Institute of Public Administration of V. N. Karazin Kharkiv National University, 4 Svobody Sq., Kharkiv, 61022, Ukraine. ORCID: https://orcid.org/0000-0001-8512-1001
Keywords: personal data protection, hybrid threats, cybersecurity, GDPR, NIS2, regulatory adaptation

Abstract

The article examines the directions and mechanisms of regulatory adaptation of personal data protection standards to hybrid threat conditions within the legal systems of the European Union and Ukraine. The research methodology is based on qualitative analysis of primary regulatory acts (GDPR, NIS2 and CER Directives, DORA Regulation, Ukrainian legislation on personal data protection and cybersecurity), official documents of EU institutions, ENISA reports and Ukrainian regulators’ documentation, employing the comparative legal method and inductive generalisation based on specific incidents from 2023–2024. It is substantiated that the traditional distinction between personal data protection as an element of human rights and cybersecurity as a technical discipline is losing relevance: personal data have transformed into an instrument of “weaponisation of identities” for micro-targeted disinformation campaigns, as confirmed by ENISA’s inclusion of information manipulation amongst the principal threats. The EU’s regulatory response has been systematised – a multi-layered architecture comprising NIS2, DORA, CER and the Cyber Resilience Act, which integrates security requirements into organisations’ operational activities and introduces personal liability of management for cyber risks. Four systemic gaps have been identified in the Ukrainian context: institutional imbalance with the dominance of security agencies over data protection authorities; absence of oversight mechanisms for wartime rights restrictions; multiplicity of reporting regimes without automatic information exchange between departments; shortage of cybersecurity professionals. The predominantly reactive nature of regulatory policy has been demonstrated: the attack on Kyivstar accelerated the adoption of Law No. 11290, attacks on state registries prompted Cabinet Resolution No. 1531, whilst the EU integration draft law No. 8153 on personal data protection yields priority to the wartime track.
Comparative analysis revealed a fundamental difference in institutional models: the European model is based on a network of independent regulators coordinated by ENISA, whereas the Ukrainian model is characterised by centralisation and dominance of CERT-UA, the State Service of Special Communications and the Security Service of Ukraine. The research findings hold practical significance for the formation of integrated regulatory policy that combines protection of data subjects’ rights with ensuring operational resilience of state information systems.

Author Biography

Kateryna Bodnar, Education and Research Institute of Public Administration of V. N. Karazin Kharkiv National University, 4 Svobody Sq., Kharkiv, 61022, Ukraine

Doctor of Philosophy (PhD), Senior Lecturer at the Department of Public Policy, Postgraduate Student, Education and Research Institute of Public Administration, V. N. Karazin Kharkiv National University

Published
2025-12-30
How to Cite
Bodnar, K. (2025). Regulatory Adaptation of Personal Data Protection Standards to Hybrid Threats in the EU and Ukraine. Pressing Problems of Public Administration, 2(67), 419–436. https://doi.org/10.26565/1684-8489-2025-2-21
Section
World Experience of Public Administration