In 2025–2026, Ukrainian companies are increasingly reassessing their IT landscape not only from an efficiency perspective, but also as a matter of compliance and cybersecurity risk management. The emergence of official lists of software products deemed to pose national security risks has intensified scrutiny from public authorities, major counterparties, and banks. In this article, we outline the legal context and provide a practical roadmap to help businesses navigate compliance requirements.
Ukraine has moved decisively from declarative statements to strict regulation of the IT landscape. At this stage, the former “grey zone” — where businesses continued to use russian‑origin software disguised as European alternatives — has been formally eliminated.
1. Legal framework: who is now outside the law?
Pursuant to Resolution of the Cabinet of Ministers of Ukraine No. 1335 dated 22.10.2025, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) published an official list of software products that pose a threat to national security. This list includes not only the classic 1C products, but also the entire BAS product line and UA‑Budget. The State has formally acknowledged that a change in name does not alter the underlying code architecture or the financial trace leading to the aggressor state.
Who is the ban mandatory for
- State authorities and military formations
- State‑owned and municipal enterprises
- Operators of critical infrastructure facilities, including private energy, logistics, and healthcare companies
For the private sector, the list currently functions as a “red flag”. However, Draft Law No. 13505, which has already been registered, is laying the groundwork for the introduction of penalties of up to 2% of annual turnover. While the sanctions mechanism is scheduled to take effect in 2030, restrictions on the use of such software are being implemented gradually already.
2. Risk exposure for the private sector
Although as of May 2026 direct administrative liability for commercial companies that are not classified as critical infrastructure operators is still in the process of legislative implementation, private businesses are already facing a number of practical barriers.
The use of sanctioned software has shifted from being primarily a technical issue to a strategic business risk.
- “Toxic counterparty” effect
Even if the state does not impose direct fines on private businesses at this stage, it is already creating conditions under which a company using sanctioned software becomes an undesirable partner. Potential negative scenarios include:
- Exclusion from public procurement: Under updated Prozorro requirements, tender participants must confirm that they do not use software included in sanctions lists. The presence of BAS in a company’s back‑office systems results in automatic disqualification.
- Rejection by major counterparties: In 2026, corporations that prioritise their own compliance increasingly require suppliers to demonstrate “digital cleanliness.” Cooperation with a company using software from the aggressor state is viewed as a reputational risk.
- Banking compliance and financial monitoring
In 2026, Ukraine’s banking system operates under a “zero‑tolerance” approach to sanctioned software products.
- Risk of payment blocking: Payments for services provided by developers or integration firms involved in the “support” of software originating from the aggressor state are flagged as high‑risk transactions.
- Deterioration of credit standing: During annual Know Your Customer (KYC) reviews, banks take technological risks into account. The use of unsupported or sanctioned software reduces the likelihood of obtaining credit facilities or overdrafts.
- Technological degradation and accounting errors
Official updates for software originating from the aggressor state are blocked. This creates a direct risk for accounting functions:
- Regulatory non‑compliance: Any changes to tax invoice formats, reporting forms, or tax rates in 2026 must be implemented manually or through unofficial patches. This inevitably leads to errors, for which the State Tax Service applies real and enforceable penalties.
- Lack of integrations: Modern Ukrainian services — including PRRO systems, electronic document management platforms, and banking APIs — are increasingly discontinuing support for the data exchange protocols used by such software. As a result, businesses become isolated and lose the ability to automate processes.
- Reputational risks and employer brand
In the 2026 labour market, working with 1C‑based systems is increasingly perceived as a sign of a company’s technological and organisational obsolescence.
- Talent shortage: Qualified accountants and CFOs are increasingly unwilling to work for companies that ignore sanctions legislation, due to concerns about their professional reputation and long‑term career prospects.
- Ethical considerations: Society has formed a clear expectation of a complete break with products originating from the aggressor state. Continued use of such software may lead to public reputational incidents and customer boycotts.
- Risk of an “emergency migration”
This is arguably the most critical risk. Businesses that delay action until the last moment — for example, awaiting the final introduction of penalties equal to 2% of annual turnover — risk finding themselves in a situation where system migration must be completed within weeks.
- Impact: Data loss, disruption of shipments, significant costs associated with urgent system implementation, and stress levels capable of paralysing operations for months.
The core issue is not the possibility of an inspection or a fine. The real risk is that a business relying on sanctioned software becomes uncompetitive, vulnerable, and isolated from Ukraine’s modern economic ecosystem. The cost of migration today is the price of survival tomorrow.
3. What businesses should do: a roadmap and key documents
For private businesses that have not yet become subject to direct sanctions, 2026 is the time to formalise documentation and begin a planned migration.
Step 1. Formalising the process
Issue an Order to Conduct an Audit of Information Systems. This document serves as key evidence for tax authorities and banking compliance that the company is acting in good faith and preparing for regulatory changes.
Step 2. Technical preservation
Formally record the current state by issuing a Software Inventory Report. All legacy 1C/BAS databases must be switched to “read‑only” mode. Issue an Order Declaring the Software as Archived — this legally separates prohibited use from the mandatory retention of tax and accounting data.
Step 3. Selection and implementation of an alternative
Prepare a Software Selection Protocol (for example, migration to cloud‑based solutions such as Dilovod, MASTER, or Odoo). The document should confirm that the selected software meets cybersecurity requirements and is not included in any sanctions or blacklists.
Step 4. Engagement with partners
Prepare a Comfort Letter for banks and counterparties. The letter should clearly state that “the company is in the process of migration, that the use of sanctioned software is limited strictly to archival purposes, and that operational activities are being transitioned to new software”.
As of May 2026, 1C and BAS have been officially recognised as compromised technologies. For private businesses, the absence of immediate penalties is not a reason for complacency, but rather an opportunity to carry out migration without disrupting operations. Following the steps outlined above will allow companies not only to prepare for future inspections, but also to ensure business stability within Ukraine’s new digital and legal environment.
If you are planning a migration or are already receiving inquiries from banks or counterparties, it is advisable to conduct a software inventory and assess compliance and cybersecurity risks, as well as prepare a documentation package to evidence a controlled transition. BDO in Ukraine provides ІТ audit services to support your business. Сontact us.
