Full range of services for PCI DSS certification
25/07/2025
How Ukrainian businesses can meet international cybersecurity standards and obtain certification to operate in European and US markets
You have created a high-quality product, offer competitive prices, and have an experienced team. However, European and US partners choose competitors, even if your offer is more advantageous. Why?
Often, the main obstacle is the lack of international cybersecurity certificates. According to a joint study by the National Security and Defence Council of Ukraine, the National Cybersecurity Coordination Centre, and the Ukrainian Security Studies Foundation, 68% of information security incidents are caused by the human factor – unintentional mistakes by employees or staff falling victim to social engineering. This highlights the importance of implementing international cybersecurity standards, which help minimise such risks and raise the company's overall security level.
To enter international markets, companies need to prove their reliability in terms of information security. This includes compliance with international standards such as ISO/IEC 27001, PCI DSS, as well as adherence to cybersecurity best practices and regulatory requirements such as NIST CSF, NIS2, SOC 2, DORA, CCPA, etc. In Europe, particular attention is paid to the protection of personal data and the cyber resilience of critical enterprises, which is regulated by acts such as GDPR and NIS2.
How can a company ensure compliance with these requirements and obtain the necessary certificates for international development? Let's examine this issue in more detail.
European requirements for personal data protection: What you need to know
The European market imposes strict requirements on cybersecurity. Companies that process personal data, financial transactions or belong to critical infrastructure facilities receive special attention from regulatory authorities.
The General Data Protection Regulation (GDPR), formally the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, is the key EU law on personal data protection. It applies to any company that processes the personal data of individuals in the EU, regardless of where the company itself is located.
What is needed to meet the requirements?
To comply with GDPR requirements, first of all, it is necessary to:
● Appoint a data protection officer if the company processes special categories of data on a large scale or carries out large-scale, regular and systematic monitoring of individuals.
● Implement privacy policies and transparent mechanisms for collecting and processing personal data, with a documented lawful basis for each processing activity.
● Ensure users' rights to access, rectify and erase their personal data.
● Implement technical and organisational measures to protect personal data.
● Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and notify affected individuals when the breach is likely to result in a high risk to them.
What are the penalties for non-compliance with the GDPR?
In the event of a breach of GDPR requirements, the maximum fine is €20 million or 4% of the company's total worldwide annual turnover, whichever is higher. We have already discussed these regulations in more detail in an earlier article.
International standard (certification) for ISMS development – ISO/IEC 27001
ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) that ensures the confidentiality, integrity and availability of information. Certification against it is performed by an accredited certification body.
What is needed to obtain a certificate?
To comply with ISO/IEC 27001, one must:
● Develop information security policies and conduct regular staff training.
● Identify and assess information security risks, and document how each risk is treated.
● Implement technical and organisational security measures – access control, encryption, backup, etc.
● Undergo regular internal audits and management reviews, followed by the external certification and surveillance audits.
● Monitor and continuously improve the information security management system.
Obtaining ISO/IEC 27001 certification significantly increases the level of trust among international partners and customers.
Cybersecurity directive for critical sectors – NIS2
Network and Information Security Directive 2 (NIS2) is an updated EU directive that strengthens cybersecurity requirements for critical sectors such as energy, healthcare, financial services, and other businesses that play a key role in society.
What is needed to meet the requirements?
To comply with NIS2 requirements, first of all, it is necessary to:
● Develop and implement a cybersecurity strategy.
● Conduct regular risk assessments and cybersecurity audits.
● Provide staff training on cybersecurity issues, including for the management body.
● Develop and implement a cyber incident response plan.
● Promptly report significant cyber incidents to the competent national authority or CSIRT.
What are the penalties for non-compliance with NIS2?
The size of the penalties depends on how the enterprise is classified under the directive:
● Essential entities (energy, transport, banking and financial market infrastructure, healthcare, drinking water and waste water, digital infrastructure, public administration, etc.): up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
● Important entities (food production, chemicals, manufacturing of electrical equipment and machinery, digital service providers, waste management, etc.): up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
In addition to financial penalties, NIS2 establishes personal liability for senior management: the management body must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements. In the event of a breach that causes a security incident, company executives may therefore be held personally accountable.
International standard (certification) for payment card security – PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an international security standard, maintained by the PCI Security Standards Council, that is mandatory (through the contracts of the card brands – Visa, Mastercard, American Express, and others) for all companies that process, store or transmit payment card data.
What is needed to obtain a certificate?
Strictly speaking, PCI DSS does not issue a "certificate": a successful assessment results in a Report on Compliance (RoC) and an Attestation of Compliance (AoC) signed by a Qualified Security Assessor, which the company presents to its acquirer and the card brands. To comply with PCI DSS requirements, you must:
● Protect cardholder data in transit and at rest – strong cryptography on open, public networks, rendering the primary account number (PAN) unreadable wherever it is stored, and never storing sensitive authentication data (full track data, card verification code, PIN) after authorisation.
● Restrict access to payment information by implementing the principle of least privilege and multi-factor authentication for all access into the cardholder data environment.
● Conduct regular testing, including quarterly vulnerability scanning (external scans by an Approved Scanning Vendor) and at least annual penetration testing – this service is provided by IT Specialist.
● Implement logging, incident monitoring and response to quickly detect and eliminate threats.
Failure to comply with the requirements may have serious consequences: financial penalties from the card brands and acquirers, and ultimately the loss of the ability to accept card payments. In addition, companies that do not meet the standard are easier targets for attackers, which can lead to cardholder data leaks and, as a result, reputational damage.
Regulation on cybersecurity in the financial sector – DORA
The Digital Operational Resilience Act (DORA) aims to strengthen the cyber resilience of financial institutions and their IT service providers. It obliges companies to adhere to high cybersecurity standards to ensure business continuity in the event of cyber incidents.
What is needed to meet the requirements?
To comply with DORA requirements, companies must:
● Implement an ICT risk management framework.
● Ensure operational resilience to ICT-related incidents by implementing response and recovery strategies, and report major incidents to the competent authority.
● Regularly test digital operational resilience to identify and address vulnerabilities, including threat-led penetration testing for the largest institutions.
● Strengthen cybersecurity requirements when contracting with third-party ICT service providers and manage the associated risks throughout the contract lifecycle.
DORA entered into force on 16 January 2023, and compliance with its requirements became mandatory on 17 January 2025. Companies operating in the financial sector must adapt their processes to the new requirements in order to avoid potential sanctions.
What next – how to meet European cybersecurity requirements?
IT Specialist provides compliance auditing and certification preparation services in accordance with international cybersecurity standards. The company assists in implementing and confirming compliance with ISO/IEC 27001, ensuring effective information security management. As a company holding QSA (Qualified Security Assessor) status, IT Specialist performs PCI DSS assessments and issues the corresponding Report on Compliance and Attestation of Compliance. Our team of information security experts also provides auditing and consulting services for implementing solutions that comply with GDPR, NIS2, DORA, and other requirements.
Cybersecurity requirements in the United States and Canada: overview of key laws and standards
The United States and Canada have high standards for the protection of information and personal data. For companies working with customers or partners from these countries, compliance with local laws and standards is a prerequisite for doing business. Let's take a closer look at the main regulations governing cybersecurity in the United States and Canada.
Cybersecurity and data protection standard – SOC 2
System and Organization Controls 2 (SOC 2) is an attestation framework developed by the AICPA under which an independent CPA firm reports on a company's controls against the Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality and privacy). A SOC 2 report is commonly demanded of IT service providers, SaaS companies, and financial organisations by their customers; a Type I report covers the design of controls at a point in time, a Type II report covers their operating effectiveness over a period.
What is needed to obtain a report?
To comply with SOC 2 requirements, first of all, it is necessary to:
● Implement access control and security policies.
● Assess risks and protect information from internal and external threats.
● Implement multi-factor authentication (MFA), encryption, and other security measures.
● Collect evidence that the controls operate over the reporting period and undergo an examination by an independent CPA firm, which issues the SOC 2 report.
Obtaining a SOC 2 report confirms that the company adheres to high cybersecurity standards and meets the requirements of customers in the United States and other countries. This is particularly important for SaaS providers, financial companies, and service organisations that work with confidential data.
American cybersecurity framework – NIST CSF
The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework developed by the US National Institute of Standards and Technology (NIST). It contains recommendations and best practices for effective cyber risk management, organised in version 2.0 around six functions – Govern, Identify, Protect, Detect, Respond, Recover – and gives companies a clear, structured methodology for improving security.
What is required to implement NIST CSF?
● Implement a cybersecurity management system based on the risk management process.
● Implement security measures, including access control, encryption, multi-factor authentication, etc.
● Ensure monitoring of events, prompt incident detection and response.
● Regularly check system security, test the effectiveness of protective mechanisms, and improve incident response processes.
Implementing NIST CSF enables companies to build an effective cybersecurity system, minimise risks, and increase resilience to today's threats.
Data privacy protection in the United States
There is no single comprehensive privacy law at the federal level in the United States, but there are a number of sector-specific regulations, including HIPAA (regulating the protection of health data), GLBA (establishing security requirements for financial institutions), FERPA (regarding the protection of student educational records), and FCRA (regulating the processing of consumer credit information), alongside a growing number of state privacy laws.
What is needed to meet the requirements?
Some of the measures that need to be taken to meet these requirements:
● Determine which law applies to the company depending on its activities and the type of data processed.
● Implement protective measures, including encryption, access control, risk management, etc.
● Appoint a person responsible for compliance with confidentiality requirements (e.g., a privacy or data protection officer).
● Conduct regular audits and risk assessments to ensure compliance with requirements.
Violation of these requirements may result in fines and lawsuits amounting to millions, the amount of which depends on the specific law and the extent of the violation.
Personal information protection act – CCPA/CPRA (California, USA)
The California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA), regulate the processing of personal data of California residents. Since California is one of the largest markets in the United States, these laws apply to businesses that collect the data of California residents and meet the law's revenue or data-volume thresholds, even if the business is located outside the state.
What is needed to meet the requirements?
● Transparency in data collection – companies are required to inform users about what data is collected and for what purpose.
● Right to erasure – users may request that their information be deleted.
● Restrictions on the transfer of personal data – users have the right to opt out of the sale or sharing of their data with third parties.
● Personal data protection – companies must implement technical and organisational security measures, including encryption, access control, and monitoring of potential threats.
Civil penalties can reach $2,500 per violation and $7,500 per intentional violation (or violation involving the data of minors). In addition, consumers affected by a data breach caused by a failure to implement reasonable security may sue for statutory damages per consumer per incident.
Personal Information Protection and Electronic Documents Act – PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the primary federal private-sector privacy law in Canada. It regulates the collection, use, and disclosure of personal information in the course of commercial activities; several provinces (Quebec, British Columbia, Alberta) have their own substantially similar laws.
What is needed to meet the requirements?
Some of the measures that need to be taken to meet these requirements:
● Obtain users' meaningful consent before collecting and using their information.
● Ensure transparency of privacy policies by giving users the right to review how their data is processed, access it, and request its correction.
● Implement information security safeguards, including encryption and access control, to prevent unauthorised use of personal data, and report breaches that pose a real risk of significant harm to the Privacy Commissioner and affected individuals.
Fines for PIPEDA offences (such as knowingly failing to report or record a breach) can reach up to 100,000 Canadian dollars per violation.
How does IT Specialist help Ukrainian businesses enter the US and Canadian markets?
Entering the US and Canadian markets requires compliance with international cybersecurity standards and practices, such as ISO/IEC 27001, SOC 2, NIST CSF, and PCI DSS. IT Specialist provides a full range of services for auditing, preparing for certification, and implementing the necessary security measures.
A team of experts helps assess the current level of cybersecurity, eliminate identified gaps, conduct penetration testing, and configure the necessary processes in accordance with international standards. This allows companies to avoid fines, increase partner trust, and ensure unhindered access to international markets.
How to scale your business to Middle Eastern markets: Safety requirements in the UAE and Saudi Arabia
To successfully enter the markets of the United Arab Emirates and Saudi Arabia, Ukrainian companies must additionally ensure compliance with local requirements for cybersecurity and personal data protection. Let's consider the key regulations and standards that must be complied with.
Federal Decree-Law on Personal Data Protection (UAE)
Federal Decree-Law No. 45 of 2021 on personal data protection is the main legislative act in the United Arab Emirates regulating the processing of personal data. It establishes rules for the collection, use, storage, and protection of personal data of individuals.
What is needed to meet the requirements?
● Appoint a data protection officer – mandatory for companies that process sensitive data on a large scale or carry out processing that poses high risks to confidentiality.
● Obtain consent from data subjects – before collecting or processing personal data, explicit consent must be obtained from individuals, unless another legal basis applies.
● Ensure the rights of data subjects – users have the right to access, rectify, and erase their data.
● Implement technical and organisational security measures – the company must ensure data confidentiality and integrity through encryption, access control, and regular audits.
● Restrict data transfers abroad – personal data may only be transferred to countries that provide an adequate level of protection, or under other safeguards recognised by the law.
Failure to comply with these legal requirements may result in significant fines and legal sanctions. In addition to financial penalties, other measures are also possible, such as restrictions on the company's activities.
Personal Data Protection Law – PDPL (Saudi Arabia)
The Personal Data Protection Law (PDPL) is a Saudi Arabian law that regulates the processing of personal data. It came into effect on 14 September 2023 and aims at protecting citizens' rights and establishing clear responsibilities for organisations. The main requirements include:
● Obtaining explicit consent – before collecting or processing personal data, it is necessary to obtain clear consent from users, unless another legal basis under the law applies.
● Guarantee of data subjects' rights – companies must ensure that personal data can be accessed, rectified or erased.
● Implementation of security measures – data must be protected against unauthorised access, loss or leakage by means of technical and organisational measures.
● Prompt notification of breaches – in the event of a data leak or breach, a company is obliged to notify the regulator (SDAIA) without delay (the implementing regulations set a 72-hour deadline) and to inform affected individuals.
Violation of PDPL requirements may result not only in significant fines, but also in a ban on the company's activities in Saudi Arabia.
Special economic zones and free zones in the UAE
There are special economic zones in the UAE, including:
● Dubai International Financial Centre (DIFC).
● Abu Dhabi Global Market (ADGM).
These areas have their own legislation on personal data protection, which may differ from Federal Decree-Law No. 45 of 2021. Companies planning to operate in DIFC or ADGM must thoroughly review local regulatory requirements and ensure that their policies and procedures comply with the requirements of these zones.
Where to start on ensuring compliance with international requirements?
Implementing compliance with international requirements is a complex process that includes analysing the compliance of internal documentation and information security processes, developing the necessary security policies, conducting risk assessments, implementing technical protection measures, and undergoing certification. Compliance with standards and regulatory requirements not only opens up access to international markets, but also strengthens customer confidence and minimises the risk of cyber attacks and penalties from regulatory authorities. Let's take a closer look at the main stages of this process.
Step 1: Definition of standards and regulatory requirements
The first step is to determine which standards and regulatory requirements apply to your business. To do this, the following factors must be taken into account:
● Geography – countries or regions where the company operates (EU, US, Canada, etc.).
● Industry – financial sector, healthcare, software development, or other industry.
● Data type – whether the company processes personal data, payment or medical information, etc.
For most companies, it is recommended to comply with ISO/IEC 27001, SOC 2 standards and local regulatory requirements regarding personal data protection.
Step 2: Conducting an audit of the current status
Next, it is necessary to assess the current status of compliance with the cybersecurity standards and regulatory requirements applicable to the company, namely:
● Analyse internal documentation governing cybersecurity issues;
● Assess the implementation status and effectiveness of cyber protection tools;
● Verify the compliance of existing information security management processes with standards and regulatory requirements;
● Form conclusions about the current status and plan further steps.
For this stage, it is recommended to engage an external party for an objective and independent assessment. In particular, IT Specialist provides services for assessing the current state of information security in accordance with the requirements of international standards and frameworks, such as ISO/IEC 27001 and NIST CSF 2.0.
Step 3: Implementation of technical and organisational security measures
At this stage, the company implements the technical and organisational security measures necessary to comply with standards and regulatory requirements. The main measures include:
● Developing and updating security policies – formalising requirements for data protection, access management and other cybersecurity issues that are not currently regulated within the company.
● Strengthening technical protection measures – implementing multi-factor authentication, modern network security solutions and other technical controls.
● Training employees on information security issues – conducting training sessions, simulating phishing attacks, testing knowledge of internal security procedures.
A detailed list of measures can only be drawn up based on the results of a comprehensive assessment of the current state of a company's information security. In addition, the implementation of some technical solutions may require the involvement of external experts, which is where the team of qualified experts at IT Specialist is ready to help.
Step 4: Preparation for certification audit
To successfully pass the audit and obtain a certificate of compliance with ISO/IEC 27001 (or, for PCI DSS, a Report and Attestation of Compliance), a company must implement and document all its security measures and provide the auditor with evidence of their operation on request. In particular, during the audit, an assessor may request the following:
● Information security policies – documents governing risk management, access, incident handling, data protection measures, etc.
● Access control logs and reports – records of user actions in critical systems, confirmation of the use of authentication and access control mechanisms.
● Security test results – reports on vulnerability scans, penetration testing, risk assessments, and internal audit results.
● Training programmes and training logs – confirmation that employees have completed cybersecurity training.
After completing the preparation, a company engages an accredited certification body (for ISO/IEC 27001) or a QSA company (for PCI DSS), which conducts the audit, verifies compliance with the requirements, and issues the certificate or attestation.
IT Specialist provides a full range of services for compliance auditing, preparation for certification, and implementation of technical and organisational security measures. Our experienced team of specialists will help you assess risks, set up information security management processes, and obtain the necessary certificates to enter new markets.
Ensuring cybersecurity is not an expense, but an investment in business reliability and international development.
IT Specialist is a safe integration into the future!
Author of the article: Dmytro Chub, Director of Automation, Integration and Business Process Audit.
Fill out the feedback form, and our experts will provide advice as soon as possible.