A ratchet, not a reversal
On July 13, 2026, Ukraine's Ministry of Digital Transformation tightened, for at least the third time since February, the rules governing who may legally operate a Starlink terminal on Ukrainian territory. Under the update announced on the Diia portal, individuals and sole proprietors registering a terminal must now physically present every device at an administrative service center (ASC), Ukrposhta, or Nova Poshta branch — previously, a single terminal could be registered remotely. Applicants must supply both the terminal's KIT number and its UTID hardware identifier rather than either one alone. And legal entities seeking to register terminals through Diia must now show more than a year of continuous registration in Ukraine's Unified State Register, up from a one-month threshold (dev.ua; Kyiv Independent). Most companies remain capped at ten registered terminals, with exceptions reserved for critical-infrastructure operators.
This is the latest increment in a system that did not exist before February 2026. The Cabinet of Ministers approved the original whitelist resolution in early February, and unregistered terminals began going dark across the front within days — Defense Minister Mykhaylo Fedorov called verification "the only technical solution" available to counter Russian use of the hardware (Kyiv Independent). Each subsequent revision, including this one, narrows the margin for error rather than reversing course.
The case for the crackdown
The security rationale here is unusually concrete, and it deserves to be stated plainly before any objection. Russian forces had begun mounting Starlink terminals directly on attack drones and armored vehicles, exploiting a low-latency, jam-resistant satellite link that Ukraine's own military depends on, to coordinate movements and guide strikes in real time (Ministry of Digital Transformation). This was not a hypothetical vulnerability. When SpaceX and Kyiv cut off unregistered terminals in February, the effect was immediate and measurable: a Pentagon Inspector General assessment, drawing on Defense Intelligence Agency and U.S. European Command reporting, credited the resulting disruption with helping Ukraine retake roughly 400 square kilometers of territory in early 2026 — its first net territorial gain since 2023 — after "thousands of portable Starlink internet terminals used by Russian forces were disabled," temporarily degrading Russian battlefield coordination (Euromaidan Press). Few connectivity-control measures anywhere have produced so direct and documented a military payoff. Moscow's response — offering Ukrainian civilians cash to register terminals in their own names, routing devices through shell companies — confirms the whitelist bit hard enough to force a criminal workaround rather than a shrug (The Record). A Ukrainian cyber unit turned that desperation into a sting, extracting over 2,400 data packets and nearly $5,900 from Russian soldiers seeking reconnection. Judged purely against the threat it was built for, the whitelist has earned its keep.
Where proportionality strains
The harder question is whether each new turn of the screw is still calibrated to that threat, or whether it is increasingly taxing the legitimate Ukrainian users the system was never meant to burden. Raising the business-registration bar twelvefold, from one month to a year, does little to stop a Russian operator paying a complicit Ukrainian civilian for a device; it does a great deal to exclude newly incorporated Ukrainian businesses, including relief organizations and reconstruction contractors standing up operations near the front, from fast connectivity precisely when they need it most. The mandatory in-person presentation of every terminal likewise falls hardest on displaced businesses and rural users furthest from an ASC, Ukrposhta, or Nova Poshta counter — a real logistical cost for people already absorbing the disruptions of war. None of the public announcements accompanying the July 13 change describe an expedited exception lane for verifiably legitimate new entities, nor a sunset or review clause for the registration system as a whole. A control regime introduced as an emergency wartime measure that only ever tightens, without a stated mechanism for loosening once the immediate threat recedes, risks calcifying into permanent infrastructure of control long after Russian drone-mounted terminals stop being the operative danger.
A private chokepoint, formalized
It is also worth naming what this arrangement actually is: a foreign private company, SpaceX, enforcing a Ukrainian government access list on a network millions of Ukrainian civilians and soldiers rely on for basic connectivity. That partnership has so far worked well and fast — precisely the kind of public-private coordination this publication generally welcomes. But it sets a template other governments will study, for better and worse, in future conflicts where a satellite ISP becomes the arbiter of who gets to communicate. Kyiv, more than most governments, has reason to build durable transparency around whitelist criteria and appeals, since it is simultaneously the state most dependent on Starlink's uptime and the one setting the precedent for how such dependence gets policed.
Ukraine's tightened rules are a proportionate response to a demonstrated threat, not an overreach dressed up as security. But proportionality is not a one-time judgment — it has to be renewed at each ratchet. Pairing future tightenings with an explicit fast-track for legitimate new businesses and a public commitment to review the whitelist's scope once the drone-terminal threat is contained would let Kyiv keep the security gain without quietly exporting its wartime friction onto the civilian resilience Starlink was imported to provide in the first place.