Ukraine's wartime cybersecurity is usually measured in attacks absorbed. On May 19, 2026, it was measured in a different currency: 60 people in a room in Kyiv, working through a simulated cascading cyberattack on the state.
The event was the first large-scale Tabletop Exercise (TTX) under Cyber4Ukraine, an EU-funded programme running 2026–2028 and implemented by Estonia's e-Governance Academy together with Ukraine's State Service of Special Communications and Information Protection (SSSCIP). Participants were drawn from ministries, critical-infrastructure operators and key public institutions, and it is the first of ten regional rounds planned across 2026. SSSCIP chairman Oleksandr Potii framed the goal bluntly: the aim was "not merely theoretical discussion" but a chance "to test and refine cyberattack response protocols."
That framing matters, and it carries a lesson well beyond a country at war.
The threat the drill is built for
The backdrop is a threat environment few regulators ever model in earnest. CERT-UA recorded nearly 6,000 cyber incidents in 2025, a 37% rise on 2024 — itself a roughly 70% jump from 2023, when 2,541 incidents were logged (4,315 in 2024). The line is steep and unbroken.
The numbers describe more than volume. In December 2024, an attack Ukrainian officials attributed to Russia's GRU-linked Sandworm group hit roughly 60 databases run by the Ministry of Justice through a state contractor, knocking dozens of services off the Diia e-government app used by more than 21 million citizens — property registration, marriage applications, child-benefit payments. Deputy Prime Minister Olga Stefanishyna said restoring the most critical registers would take about two weeks. The damage was not abstract; it landed on ordinary administrative life.
By 2025 the tactics had shifted again. CERT-UA reported attackers using AI to generate phishing lures and malicious code, and a "steal-and-go" model that grabs data fast rather than maintaining network persistence — a direct adaptation to Ukraine's faster takedowns. More than 3,000 incidents were logged in the first half of 2025 alone, even as the share of high-impact breaches fell. Defenders were improving while the adversary industrialised.
Why drills beat paperwork
There is a serious case for the regulatory alternative. Binding obligations — mandatory incident reporting, baseline security controls, audited compliance, in the mould of the EU's NIS2 Directive — force laggards to invest, create accountability, and set a floor that no voluntary scheme guarantees. Where genuinely critical services are involved, that floor is worth defending, and Ukraine's own EU-accession track will require it to align with much of that acquis.
But Ukraine's experience exposes the limit of compliance-as-resilience. Paper obligations did not stop the registry attack; a drilled, coordinated response is what contained it. The e-Governance Academy's project lead, Taimar Peterkop, put the binding constraint plainly: "In a cyber crisis, technology alone is not enough. What really matters is whether people can stay calm, coordinate with each other, and make the right decisions under pressure."
That is not an argument against rules. It is an argument about where scarce capacity should go. A regime that pours analyst-hours into compliance documentation — while those same analysts have never once rehearsed an interagency response — is optimising the wrong variable. Proportionate regulation sets a baseline and then invests the marginal euro in the muscle memory that actually determines outcomes on the day: exercises, interoperable tooling, and clear decision rights under pressure.
The EU's hands-on model
Cyber4Ukraine reflects that priority. Rather than exporting a rulebook, the EU is funding hands-on capacity, and spreading it: ten regional rounds distributed across Ukraine's regional cybersecurity centres rather than concentrated in Kyiv. This is continuous with earlier EU work — a €3 million European Peace Facility measure (2022–2024), also delivered by the e-Governance Academy, built Ukraine a cyber lab and training environment from which this programme now extends.
The decentralisation is itself a resilience choice. A single national command is a single point of failure; ten regional teams that have each rehearsed coordination degrade gracefully when one is knocked out. It mirrors the open-internet principle that distributed systems survive what centralised ones cannot — applied to institutions rather than packets.
What peacetime regulators should copy
The reflex in peacetime democracies is to legislate cyber resilience into existence: new mandates, new reporting thresholds, new penalties. Ukraine, under far heavier pressure, is investing in the opposite — readiness that is practised, not merely promulgated.
The lesson is not "fewer rules." It is sequencing. Set a proportionate baseline for genuinely critical infrastructure; resist treating every additional compliance obligation as if it were a security gain; and spend the real budget on the things that move outcomes — trained people, interoperable tools, and rehearsed coordination. A tabletop exercise produces no audit trail and no headline-grabbing fine. On the evidence from Kyiv, it may be the better investment.