What is AI regulation in Ukraine?
AI regulation: countries and regions
Ukraine does not yet have a single AI Act in force. Instead, it regulates AI through a staged, EU-aligned framework made up of existing horizontal law, government AI policy acts, and a Ministry of Digital Transformation programme built around guidance, voluntary codes, risk tools and a sandbox. The declared destination is a future Ukrainian law analogous to the EU AI Act, with a government draft bill targeted for late 2026.
What this means
AI regulation in Ukraine is best understood as a hybrid system. Right now, the country relies on existing law, especially privacy and personal data rules, plus government concepts and plans, Ministry guidance, voluntary business commitments and an experimental sandbox. That is different from having one comprehensive AI statute already in force.
The defining feature of Ukraine's present model is that it is "bottom-up". The state is trying to prepare businesses, public authorities and future regulators first, then move to a harder-law phase later. In practice, that means recommendations, codes of conduct, risk-assessment methods and institutional capacity-building come before a full Ukrainian law modelled on the EU AI Act.
That makes Ukraine important to watch. It is not simply copying Brussels, nor is it leaving AI ungoverned. It is using a transition model that tries to balance innovation, human rights, public-sector modernisation and EU accession.
Why it matters
For organisations deploying or buying AI in Ukraine, the main practical point is this: waiting for a future AI law is not a safe strategy. Existing legal duties still apply now, especially around personal data, information rights, cybersecurity and public-sector use. At the same time, the government's AI programme already signals what future compliance is likely to look like: risk-based governance, better documentation, more human oversight, clearer accountability and more formal testing.
This matters even more for teams that want to sell into European markets, work with the public sector, or build products in sensitive areas such as health, education, digital public services or defence-adjacent tooling. Ukraine's current framework is explicitly being shaped around EU alignment, so businesses that build sensible governance now are likely to be in a better position later.
It also matters for leaders because Ukraine's regime is not one document. It is a moving architecture of binding law, policy acts, Ministry guidance, voluntary commitments, international cooperation and pending reform. Good governance in Ukraine therefore means knowing which parts are already mandatory, which parts are preparation, and which parts may become law next.
How it works
No dedicated AI statute yet
Ukraine does not yet have a single, comprehensive AI law equivalent to the EU AI Act. The foundation is broader and older than the current White Paper cycle. In 2020, the Cabinet of Ministers approved the Concept of AI Development in Ukraine, a long-horizon state policy document running to 2030. It treats AI as a priority area across education, science, the economy, cybersecurity, information security, defence, public administration, legal regulation, ethics and justice.
That 2020 concept is important because it shows that AI in Ukraine is not being treated only as a startup or innovation question. It is also a public-administration, rights and national-capacity question. The concept explicitly calls for Ukrainian law to be harmonised with European and international approaches, and it also leaves open the possibility of legislative regulation of AI at a later stage.
The legal picture is therefore layered. Government concepts and action plans set direction. Ministry papers explain regulatory design. Existing statutes continue to apply. A future AI law is planned, but it is still future law.
One sign that the framework is still maturing is terminology. The 2020 concept uses an older, broad domestic definition of AI technologies, while the more recent voluntary code uses a machine-based system definition that is much closer to current OECD and EU language. That is a useful clue for readers: Ukraine's AI rulebook is still converging toward European vocabulary and structure.
Bottom-up preparation before hard law
The Ministry of Digital Transformation describes Ukraine's current AI-regulation model as "bottom-up". In plain terms, that means stage one is preparatory and stage two is legislative.
In stage one, the Ministry says it is building the capacity of a future regulator and preparing industry for future requirements. The tools are practical rather than punitive: a White Paper, general recommendations, sector-specific recommendations, voluntary commitments, guides, risk-assessment methods, AI labelling initiatives, a glossary and a sandbox. The Ministry's public roadmap presents this as a two to three year period designed to give businesses predictability instead of surprise.
The White Paper published in 2024 is the clearest statement of that model. Its message is that Ukraine should first help companies understand what a future AI regime will probably require, then later adopt a Ukrainian law analogous to the EU AI Act. That is why the current regime looks more like guided self-regulation than command-and-control regulation.
The voluntary side of that model has become tangible. In September 2024, companies signed a declaration on AI self-regulation in Ukraine. In December 2024, the Ministry published a Voluntary Code of Conduct on the ethical and responsible use of artificial intelligence. The code is not legislation, but it is not empty either. It asks signatories to work through eight themes: risk-based governance, safety and robustness, privacy and data protection, fairness, transparency, human oversight, leadership and awareness, and intellectual property. It also expects annual reporting and public-facing materials on implementation.
That matters because Ukraine is using voluntary instruments not just as ethics statements, but as rehearsal for a future legal framework.
Existing law still governs live use cases
Even without a dedicated AI Act, organisations are not operating in a legal vacuum. The current hard-law baseline comes mainly from existing Ukrainian legislation, especially personal data and privacy law, plus sector-specific rules, procurement rules, contract terms and public-law duties where the state is involved.
For many AI use cases, the most important present-day legal layer is still personal data protection. The Ombudsman's office remains central here. Official materials from the Commissioner make two points at once. First, the present data-protection system is real and active. Second, it is widely seen as incomplete for Ukraine's EU path and for the realities of modern AI.
That is why privacy reform is so important in the Ukrainian AI story. The Ombudsman's office has said that new data-protection legislation and a more effective supervisory body are needed, and it treats this as part of Ukraine's European integration path. Separately, the parliamentary bill card for draft law No. 8153 shows that the personal data reform bill has been adopted as a basis and is still being prepared for second reading. So the privacy layer that will sit under any future AI law is itself still evolving.
For operators, the practical reading is straightforward. If an AI system processes personal data, influences access to a service, or affects people in a meaningful way, you should already be thinking about lawful processing, transparency, data minimisation, security, auditability and human review. Those themes are already present in current Ukrainian privacy oversight and in the Ministry's non-binding AI materials.
The institutions doing the work
The Ministry of Digital Transformation is the lead institution on AI policy and regulatory design. It owns the roadmap, White Paper, code-of-conduct work, public guidance and sandbox programme. Its public materials repeatedly present the Ministry as the driver of AI development and preparation for future regulation.
The Expert Advisory Committee on the Development of Artificial Intelligence in Ukraine also matters. It operates under the Ministry and brings together academic, business, legal, technical and civil-society expertise. That matters because Ukraine is building its AI framework through a multi-stakeholder process rather than through closed drafting alone.
The Cabinet of Ministers provides the formal state-policy machinery. It approved the 2020 AI concept, the 2025 to 2026 implementation plan for that concept, and the 2024 procedure for the experimental sandbox project. In other words, Cabinet acts are turning general ambition into administrative tasks, timelines and institutional responsibilities.
The Ombudsman remains the key rights and data-protection institution in the current system. It has worked with the Ministry and EU4DigitalUA on AI guidance focused on human rights and privacy. It also continues to supervise personal-data compliance under the existing legal framework. That gives Ukraine's AI policy a clear human-rights and information-rights thread, even before a dedicated AI law exists.
Parliament, finally, is crucial because policy will stay policy until legislation is passed. The same is true for linked privacy reform. Businesses therefore need to watch not just Ministry announcements, but also parliamentary procedure.
European alignment shapes the design
Ukraine's AI framework is explicitly tied to EU accession and European market alignment. The Ministry's own regulation page says adapting the EU AI Act is a key step in integrating Ukraine into the EU. The 2023 roadmap and 2024 White Paper both frame future Ukrainian law as an analogue of the EU AI Act rather than a wholly separate design.
That does not mean the EU AI Act directly governs Ukraine as domestic law. It does mean the European model is being used as the template for where Ukraine wants to end up. That has immediate practical significance for founders, buyers and governance leads. If you are building internal controls around risk classification, testing, documentation, transparency and oversight, you are moving in the same direction as the Ukrainian policy track.
The Council of Europe is also shaping the regime. Ukraine signed the Council of Europe Framework Convention on AI in May 2025, which places the country inside a wider rights-based international framework for AI. In parallel, Council of Europe cooperation in Ukraine is feeding the HUDERIA methodology into the Ukrainian sandbox. That is useful because it turns abstract principles around human rights, democracy and the rule of law into working assessment tools.
So the direction of travel is not only Brussels. It is Brussels plus Strasbourg: EU-style market regulation and Council of Europe-style rights governance.
What is likely to become binding next
The clearest official signal is in the Cabinet's 2025 to 2026 implementation plan for the AI concept. That plan says the Ministry of Digital Transformation is to develop and submit a draft law on legal regulation in the field of AI in the fourth quarter of 2026. That is the most concrete current statement of when Ukraine expects the hard-law phase to move forward.
The same plan also points to standards work. It envisages adopting a set of international AI standards as national standards by the end of 2026, including ISO and IEC materials on AI concepts, management systems, risk management, bias and data frameworks. That is significant because standards often become the bridge between broad legal principles and real operational controls.
The sandbox also sits between today's preparation and tomorrow's law. The Cabinet's 2024 procedure for the experimental project says the sandbox method is used to study high-technology products that use AI or blockchain for safety, legal compliance, standards fit, patent cleanliness, intellectual property and market demand. In other words, the state is using live product review to learn what future regulation should look like.
The result is a regime in transition. Ukraine already has enough architecture to shape conduct now, but not yet the single AI statute many readers may expect.
Examples
Example A. A Ukrainian medtech, GovTech or education-tech team with an AI product can enter the national sandbox. There it can receive legal, technical and business review, while the state studies how such products fit existing law, standards and intellectual-property requirements. The Council of Europe's HUDERIA work is being adapted into that environment, so the sandbox is both a business-preparation tool and a policy-learning tool.
Example B. A company that signs the Voluntary Code of Conduct is expected to do more than issue a press release. The code asks signatories to build a risk-based governance process, address privacy and fairness, document human oversight, maintain internal processes, and publish annual reporting material on how the code is being implemented. That turns self-regulation into a documented governance exercise.
Example C. A public authority, or a vendor serving one, that wants to use AI in a citizen-facing service should not wait for a future AI statute. Current practice already points toward a privacy and rights-led review. The Ombudsman, the Ministry and EU4DigitalUA have published guidance aimed at helping companies and state bodies avoid human-rights and privacy violations when developing or deploying AI.
Common misunderstandings
"Ukraine already has its own AI Act." No. Ukraine has policy acts, guidance, voluntary instruments and existing horizontal law, but the dedicated AI bill is still in preparation.
"Self-regulation means nothing is enforceable." No. Existing law still applies, especially on personal data and information rights. Voluntary instruments sit on top of that baseline, they do not replace it.
"The sandbox is a licence to operate." No. It is an experimental, advisory environment for testing and review. It helps teams prepare, but it does not wipe away legal risk.
"The EU AI Act already applies inside Ukraine as Ukrainian law." No. Ukraine is aligning with the EU model, but the EU AI Act is not itself Ukraine's domestic AI statute.
"The Council of Europe convention is the same as Ukraine's AI law." No. It is an international framework that reinforces rights-based governance. Domestic implementation still depends on Ukrainian legislation and institutions.
Risks and boundaries
Ukraine's current AI framework is real, but it is still transitional. The most important boundary is that much of the AI-specific material available today is non-binding. The White Paper, recommendations, glossary and most guidance are preparatory tools. The voluntary code creates self-regulatory commitments for signatories, not general statutory duties for everyone.
That means organisations can misread the regime in two ways. Some assume there is no regulation because there is no AI Act yet. Others assume the Ministry's guidance already has the force of law. Neither view is right. The present system is a mix of binding general law and non-binding AI-specific preparation.
There is also genuine institutional uncertainty ahead. The future AI bill is planned, but its final scope, enforcement model, regulator design and timing can still change. The privacy layer beneath AI governance is also in motion because personal data reform remains unfinished.
Another boundary is sectoral. The voluntary code expressly does not cover national security and defence uses. Yet defence is one of the state's core AI priorities. So readers should not assume that every AI use case in Ukraine will be governed through one uniform civilian framework.
Finally, this page is explanatory, not legal advice. Ukraine's live compliance position will always depend on the function of the system, whether personal data is involved, whether a public authority is involved, what contracts say, and whether the organisation is preparing for Ukrainian use only or for EU-facing market access as well.
What to do next
First, build a single map of your AI use across the organisation. Include who uses the system, what data it touches, whether it supports or makes meaningful decisions, where people can be affected, and whether the use case is local, public-sector or EU-facing. Ukraine's regime is too hybrid for scattered ownership.
Second, separate today's mandatory controls from tomorrow's likely ones. Today's baseline is existing law, especially privacy, data handling, security, contract discipline and public-law duties. Tomorrow's likely additions are AI-Act-like controls such as clearer risk classes, more formal documentation, deeper testing, stronger human oversight and more structured post-deployment monitoring.
Third, use the Ukrainian preparatory tools as governance aids, not just policy reading. The White Paper, guidance, voluntary code and sandbox can all be turned into internal checklists, product review gates and board-level reporting prompts.
Fourth, watch three moving tracks at the same time: the future Ukrainian AI bill, the pending personal-data reform bill, and the standards-adoption work scheduled in the government's 2025 to 2026 plan. Those three tracks together are more informative than waiting for one headline law.
Fifth, if your organisation is building AI inside Ukraine for wider European use, prepare as though convergence will continue. In practice, that means leaning early into risk assessment, privacy discipline, documentation, incident handling, testing and human review.
FAQs
Does Ukraine already have a comprehensive AI law?
No. The current regime is a mixture of existing general law, government AI concepts and plans, Ministry guidance, voluntary commitments and an experimental sandbox. A future dedicated AI bill is planned, but it is not yet in force.
Is the EU AI Act directly applicable in Ukraine?
No, not as Ukrainian domestic law. But Ukraine is deliberately using the EU model as the template for its future framework, largely because of EU accession and European market alignment.
Who is leading AI policy in Ukraine right now?
The Ministry of Digital Transformation leads the AI policy and rule-design work. The Cabinet of Ministers approves state concepts and action plans, the Ombudsman is central on privacy and information rights, and Parliament will be necessary for any future AI statute.
What does the Ukrainian sandbox actually do?
It gives eligible teams an experimental environment for legal, technical and business review of AI or blockchain products. It is designed both to help teams prepare for scaling and to help the state design better future rules.
Are there binding duties now if my company uses AI in Ukraine?
Yes, but they mostly come from existing law rather than from an AI-specific statute. Privacy, data handling, cybersecurity, procurement terms, contracts and sector rules already matter. The AI-specific code is voluntary unless your company signs it.
Has Ukraine committed to any international AI framework?
Yes. Ukraine signed the Council of Europe Framework Convention on AI. That does not by itself replace domestic legislation, but it reinforces a rights-based direction of travel and feeds into cooperation on practical assessment methods.
What legislative change should businesses watch most closely?
The government's target to produce a draft Ukrainian AI law in late 2026 is the headline item, but privacy reform matters almost as much. In practice, many AI governance questions in Ukraine still run through personal-data law.