Four years into the most sustained state-on-state cyber campaign in history, Ukraine recorded zero critical cyber incidents in the second half of 2025. That is the headline finding of Cyber Threats: Ukraine, the analytical report published by Ukraine's State Service of Special Communications and Information Protection (SSSCIP) and its national response team CERT-UA on April 3, 2026.
The figure is not a claim of calm. SSSCIP is blunt that "the intensity of hostile cyberattacks remains consistently high, and the situation in Ukrainian cyberspace is complex and dynamic." What changed is the outcome. High-severity incidents fell 17% against the prior period, medium-severity 2%, and low-severity incidents dropped a striking 87% — even as the volume and sophistication of intrusion attempts kept climbing. Russia is throwing more at Ukraine and landing less.
A shift from smash-and-grab to siege
The report's most important analytical point is about adversary behavior, not Ukrainian metrics. CERT-UA documents a deliberate move away from the "Steal & Go" tactic — quick data theft with no attempt to stay — toward long-term, persistent access. Attackers now return to previously compromised systems weeks later to test whether old vulnerabilities or stolen passwords still work.
The flagship example is the group tracked as UAC-0250, which exploited zero-click vulnerabilities in Zimbra mail servers — bugs that require no user action — to quietly siphon correspondence and the backup codes used for multi-factor authentication. A parallel group, UAC-0246, routed phishing to citizens' personal inboxes to slip past corporate email defenses. This is a maturing adversary trading the smash-and-grab for the long siege.
That matters because patient intrusions are exactly the kind that centralized, paperwork-driven defenses miss. A regime built around annual audits and incident-reporting forms is well-suited to catching the loud breach and poorly suited to catching the attacker who logged in quietly six weeks ago and is waiting.
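The check that a return visit calls for is not a form but a hunt: replay what an earlier incident left behind (the compromised accounts, the adversary's source addresses, the date credentials were reset) against later authentication logs, and treat any attempt from those addresses after remediation as the credential re-test CERT-UA describes, a success as re-entry, and a watchlisted account succeeding from an origin it never used before the incident as a new foothold. The following is an added example written for this article, not code from the SSSCIP/CERT-UA report; the log format, field names, IP addresses, account names and dates are all constructed for the illustration.

```python
"""Hunt for adversary "return visits" in authentication logs.

Added example, not from the SSSCIP/CERT-UA report. A watchlist left by an
earlier incident is replayed against later auth events:
  - any attempt from an adversary source IP after remediation: "re-test"
    on failure, "re-entry" on success;
  - a previously compromised account succeeding from an IP it never used
    before the incident: "new-origin".
Log format, field names, addresses, accounts and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: residue of an earlier incident and the credential-reset date.
WATCHLIST = {
    "accounts": {"o.kovalenko", "svc-backup"},
    "source_ips": {"203.0.113.45", "198.51.100.7"},
    "remediated": datetime(2025, 9, 1),
}

# Constructed sample log: "<ISO time> <SUCCESS|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2025-08-15T08:00:00 SUCCESS user=o.kovalenko ip=10.20.0.15
2025-08-28T03:12:09 SUCCESS user=o.kovalenko ip=203.0.113.45
2025-09-02T10:00:00 SUCCESS user=o.kovalenko ip=10.20.0.15
2025-09-20T02:41:33 FAIL user=o.kovalenko ip=203.0.113.45
2025-10-14T04:05:17 FAIL user=svc-backup ip=198.51.100.7
2025-10-14T04:05:52 SUCCESS user=svc-backup ip=198.51.100.7
2025-10-20T11:00:00 SUCCESS user=o.kovalenko ip=10.20.0.15
2025-10-21T23:10:00 SUCCESS user=o.kovalenko ip=192.0.2.88
2025-10-22T09:30:00 SUCCESS user=a.shevchenko ip=10.20.0.31
"""


@dataclass
class Finding:
    when: datetime
    user: str
    ip: str
    kind: str  # "re-test", "re-entry" or "new-origin"
    days_since_remediation: int


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user_field, ip_field = line.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], ip_field.split("=", 1)[1])


def hunt_return_visits(log_text, watchlist, min_gap_days=7):
    """Return Findings for adversary activity at least min_gap_days after
    remediation. Earlier events are ignored as part of the original incident
    or its clean-up, but still feed the per-account baseline of known origins."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    remediated = watchlist["remediated"]

    # Baseline: IPs each account used successfully before the incident,
    # excluding the adversary's own addresses.
    baseline = {}
    for when, result, user, ip in events:
        if (when < remediated and result == "SUCCESS"
                and ip not in watchlist["source_ips"]):
            baseline.setdefault(user, set()).add(ip)

    findings = []
    for when, result, user, ip in events:
        gap = when - remediated
        if gap < timedelta(days=min_gap_days):
            continue
        if ip in watchlist["source_ips"]:
            kind = "re-entry" if result == "SUCCESS" else "re-test"
        elif (user in watchlist["accounts"] and result == "SUCCESS"
              and ip not in baseline.get(user, set())):
            kind = "new-origin"
        else:
            continue
        findings.append(Finding(when, user, ip, kind, gap.days))
    return findings


if __name__ == "__main__":
    for f in hunt_return_visits(SAMPLE_LOG, WATCHLIST):
        print(f"{f.when:%Y-%m-%d} {f.kind:<10} {f.user:<14} {f.ip:<15} "
              f"+{f.days_since_remediation}d after remediation")
```

Run against the constructed log, the hunt reports the adversary address probing o.kovalenko 19 days after the reset, two events against svc-backup at day 43 (a failure followed by a success, the exact re-test-then-re-enter sequence), and a day-50 login to o.kovalenko from an address the account had never used. The legitimate day-49 login from the account's usual address is not flagged, which is the point of building the baseline from the same log rather than from a static allowlist.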
Why the impact collapsed
SSSCIP attributes the falling damage to better detection and response, hardened systems, and improved user cyber hygiene. The scale of the machine behind those numbers is worth stating: in the first half of 2025 alone, the State Cyber Protection Center's vulnerability-detection system processed 3.8 million security events, flagged roughly 9,000 as critical, and confirmed 535 actual incidents. That triage funnel, millions of signals reduced to a few hundred confirmed incidents and, by the second half of the year, to none rated critical, is the system working as designed.
Crucially, almost none of that resilience was produced by a regulation. It was produced by an operating model: rapid, machine-speed threat-intelligence sharing between CERT-UA and operators; a wartime decision to migrate critical state data into resilient cloud infrastructure rather than vulnerable on-premises servers; deep cooperation with private vendors and allied governments; and a defender community trained by relentless, real-world pressure. NATO's Cooperative Cyber Defence Centre of Excellence has documented this in its 2025 Tallinn Paper framing Ukraine as the frontline of European cyber defense: resilience emerging from decentralization and partnership, not from a thicker statute book.
Steelmanning the mandate
There is a serious case for the opposite approach. Mandatory baseline controls, breach-notification deadlines, and a strong central regulator — the model the EU is pushing through NIS2 — exist precisely because markets under-invest in security and because a single soft target can endanger an entire network. When critical infrastructure is at stake, leaving security to voluntary good intentions is a gamble, and Ukraine itself runs a capable, well-resourced state cyber authority. No one should pretend SSSCIP is a libertarian experiment.
But Ukraine's results refine that case rather than confirm it. The decisive ingredients were speed, information flow, and trust between the state and the operators it depends on. Ukraine did not defeat zero-click Zimbra exploits by issuing a compliance checklist; it defeated them by sharing indicators fast enough that defenders could patch and hunt before the access matured into impact. Where regulation helped, it helped by enabling that flow — clearing legal barriers to cloud migration, formalizing reporting channels — not by adding friction to it.
The lesson for democracies writing the rules
For policymakers in Brussels, Washington, and Delhi now drafting cyber mandates, the proportionate reading of this report is clear. Rules that fund and accelerate real-time threat sharing, lower the legal cost of moving to resilient infrastructure, and reward demonstrated detection-and-response capability will buy security. Rules that measure compliance by the weight of submitted paperwork will buy the appearance of it — and, against an adversary now optimizing for patient, quiet persistence, the appearance is the more dangerous illusion.
Ukraine's zero-critical half-year is a genuine achievement earned under fire. The policy mistake would be to read it as proof that more centralized control wins, when it is in fact proof that agility, openness, and partnership do. The threat is getting more patient. Defensive regulation should get more agile in response — not heavier.