Ukraine introduces its first official list of prohibited software, strengthening cybersecurity and sanctions enforcement
January 2026
On 8 January 2026, the State Service of Special Communications and Information Protection of Ukraine published the List of Software and Communication (Network) Equipment Prohibited for Use (the List).
This is the first public, official and formalised list of software the use of which is explicitly prohibited by law. As of the publication date, the List includes 27 software products, primarily accounting and management systems.
PROHIBITED SOFTWARE
The List includes, in particular, the following software products:
1C: Accounting 8 for Ukraine, including Basic and Educational versions
1C: Enterprise 8 (for Ukraine), including:
– Trade for Private Entrepreneurs
– Trade Management
– Small Business Management
– Payroll and HR Management (including Basic version)
– Trade Enterprise Management (1C: TEM 8)
– Manufacturing Enterprise Management
– Document Management CORP
– Solutions for budget-funded institutions (accounting, payroll, HR)1C: Enterprise 7.7 – accounting, trade, warehouse, manufacturing, payroll
BAS – ERP, Holding Management, Document Management CORP, Trade Management, Retail, Accounting CORP
“UA-Budget” software
The main manufacturer of the listed software is 1C, LLC, a Russian company specialising in the development, support and distribution of business software.
LEGAL BASIS FOR THE LIST
The List was introduced following the adoption of the Law of Ukraine "On Amendments to Certain Laws of Ukraine on the Protection of Information and Cybersecurity of State Information Resources and Critical Information Infrastructure" dated 27 March 2025.
This Law amended Article 4 of the Law of Ukraine “On the Basic Principles of Cybersecurity of Ukraine” by introducing a statutory prohibition on the use of software and communication (network) equipment included in the List in:
information, electronic communications and information and communications systems that process state information resources;
systems containing official information or information constituting a state secret;
critical information infrastructure facilities.
GROUNDS FOR INCLUSION IN THE LIST AND ITS FORMATION
Software and equipment are included in the List if a) their authors, rightsholders or ultimate beneficial owners; or b) persons holding proprietary rights to at least one element of the software or equipment are subject to one of the following:
Ukrainian sanctions;
international sanctions recognised by Ukraine; or
inclusion is based on a court decision.
The List is public and updated within five business days of any relevant change. It contains information on:
the name of the software or equipment;
the manufacturer;
identification details (versions, serial numbers, etc.);
grounds for inclusion;
date of inclusion.
The procedure for removal from the List or amendment of entries is also provided for, including in cases of lifting sanctions, correction of technical errors, or based on a court decision.
The requirements for the formation and maintenance of the List are set out in the Cabinet of Ministers of Ukraine Resolution "On Approval of the Procedure for Formation and Maintenance of the Open List of Software and Communication (Network) Equipment Prohibited for Use" dated 22 October 2025, No. 1335.
SANCTIONS AGAINST 1C, LLC
1C, LLC has been subject to Ukrainian sanctions since 15 May 2017.
The most recent decision is Presidential Decree No. 280/2023 dated 12 May 2023 (as amended by Presidential Decree No. 601/2024 dated 2 September 2024), which, among other measures, approved sanctions in the form of a ban on:
public procurement of the relevant software; and
its use by state-owned enterprises, institutions and organisations.
WHAT THIS MEANS FOR BUSINESS
Formally, the direct statutory ban currently applies to:
the public sector;
critical infrastructure facilities;
systems processing state information resources.
However, for private companies the situation is not neutral.
The use of software from a sanctioned vendor may give rise to legal, compliance and reputational risks, in particular:
when working with state customers;
in joint projects with public sector entities;
during due diligence, M&A transactions or fundraising processes;
in the context of internal cybersecurity and sanctions compliance policies.
PRACTICAL NEXT STEPS
In practice, businesses should consider:
conducting an inventory of all software in use and checking whether any of it is included in the List or linked to sanctioned persons;
assessing where and how such software is used (accounting, HR, document management, etc.);
where appropriate, transitioning to alternative solutions, taking into account operational, legal and compliance risks.
Kristina Shyposha
Counsel
Marta
Hrunska