From a Fine to 15 Years in Prison: Which Online Actions Are Considered Cybercrimes and What Punishments Are Imposed
With the development of digital technologies and the increase in the number of online services, the issue of cybersecurity in Ukraine is becoming increasingly important. Along with expanding opportunities for citizens and businesses, the risks of cyber fraud, unauthorized access to information systems, and other offenses related to the use of information technologies are growing.
The issue of cybersecurity has become especially relevant in the context of the full-scale war, when the state's information infrastructure regularly becomes the target of attacks. That is why today the protection of digital resources is one of the key directions of state policy and international cooperation. For citizens and businesses, understanding which actions are recognized as cybercrimes and what liability they entail has become an important component of their own legal security.
How European Union countries are combating cybercrime in 2026
The European Union continues to strengthen the cybersecurity system by combining criminal law mechanisms, international cooperation, and preventive measures. One of the main coordinators in the fight against cybercrime remains the European Cybercrime Centre (ECС) within Europol, which ensures coordination of cross-border investigations, exchange of digital evidence, and support for national law enforcement agencies.
In 2026, EU countries continue to implement the requirements of the NIS2 Directive, which establishes uniform cybersecurity rules for critical infrastructure enterprises, digital services, transport, the financial sector, healthcare, and other strategically important industries. The legislation provides for mandatory cyber risk management, rapid incident reporting, and personal responsibility of management for compliance with security requirements.
At the same time, the European Union is preparing for the phased implementation of the Cyber Resilience Act, which sets mandatory cybersecurity requirements for software and digital products. The main obligations of manufacturers will begin to apply from December 11, 2027, while certain requirements regarding vulnerability and incident reporting will take effect from September 11, 2026.
What is considered cybercrime under Ukrainian law
Ukrainian legislation considers a cybercrime as a criminally punishable act committed using computer systems, information and communication networks, or other digital technologies. This category includes not only attacks on information systems but also the use of the digital environment as a tool for committing other criminal offenses.
Illegal access to someone else's accounts, email, servers, or corporate networks can be qualified as a criminal offense even when no material damage has actually been caused.
The very fact of violating the established procedure for accessing information can already constitute a crime. During legal assessment, the method of intrusion, the person's intent, the technical means used, and the consequences of such actions are taken into account.
Which articles of the Criminal Code of Ukraine apply to cyber fraud
Despite the widespread use of the term "cyber fraud," the Criminal Code of Ukraine does not contain a separate article with this name. Qualification depends on the mechanism of committing the offense, the method of obtaining access to information, the nature of the damage caused, and other established circumstances. In practice, law enforcement agencies often charge several articles simultaneously if the crime includes several interconnected episodes.
The following provisions of the Criminal Code of Ukraine are most often applied:
- Article 190 of the Criminal Code of Ukraine (fraud). Used when property or money is obtained by deception via the internet. This may include fake online stores, phishing sites, false investment projects, forged bank messages, or other social engineering schemes. Voluntary transfer of funds by the victim does not exclude criminal liability of the guilty party if the transfer resulted from deception.
- Article 361 of the Criminal Code of Ukraine (unauthorized interference with the operation of information systems). Provides liability for illegal intrusion into computer networks, servers, email, personal accounts, or other information resources. Material damage is not a mandatory condition — the mere fact of illegal interference is sufficient. If the obtained access is subsequently used to steal information or funds, legal liability is significantly increased.
- Article 361-1 of the Criminal Code of Ukraine (creation or distribution of malicious software). Covers the manufacture, distribution, or use of viruses, Trojan programs, spyware, and other tools intended for illegal influence on computer systems. Cases where such programs are used to steal personal data, confidential information, or funds are punished especially severely.
- Article 362 of the Criminal Code of Ukraine (unauthorized actions with information access to which was lawfully granted). Refers to situations where an employee of an enterprise, administrator, or other authorized person uses official powers unlawfully: copying, modifying, transmitting, or deleting information without proper legal grounds. Such actions are often combined with mercenary motives or further use of the obtained information.
What liability is provided for cybercrimes
The type of punishment is determined by the court individually, taking into account the method of committing the crime, the severity of the consequences, the amount of material damage, repeat offenses, and other circumstances of the case.
Depending on the qualification, the court may apply:
- fines in amounts provided by the relevant article of the Criminal Code of Ukraine;
- community or corrective labor;
- restriction of liberty for up to 5 years;
- imprisonment from 3 to 15 years depending on the qualification of the criminal offense. For certain qualified types of cybercrimes, especially those committed under martial law conditions, the maximum punishment can be up to 15 years of imprisonment.
- confiscation of property in cases defined by law;
- obligation to fully compensate the victims for material damage caused.
In complex multi-episode criminal proceedings, when a person is charged with several offenses simultaneously, the court may impose punishment for the totality of criminal offenses in accordance with the provisions of the Criminal Code of Ukraine. Therefore, the correct legal qualification of each episode is crucial both for the prosecution and the defense.
Recall that last year the President of Ukraine Volodymyr Zelenskyy signed Law No. 4336-IX, which strengthens the protection of state information systems and Ukraine's cybersecurity.
The document provides for the creation of a national system for responding to cyber incidents, cyberattacks, and cyber threats. In addition, the launch of an information exchange system about such threats at the national level is planned. The law also obliges state bodies and critical infrastructure facilities to introduce permanent positions for cybersecurity specialists. Their work is to become part of a systematic approach to information protection in the public sector.
Subscribe to our Telegram channel t.me/sudua and to Google News SUD.UA, as well as to our VIBER and WhatsApp, Facebook page and Instagram to stay updated on the most important events.





