Ukrainian companies face a number of war-related challenges, such as physical damage to assets, loss of personnel, disruption of supply chains and the reduction in consumer demand, dampening business activity and economic growth. Digitalisation can help firms weather crisis-induced challenges and become more resilient to shocks; digitalisation should always be a means, not an end per se. This chapter delves deeper into specific ways digitalisation could be further leveraged to help SMEs tackle some of their war-related problems.

The first section focuses on e-commerce as a way to widen market outreach. Indeed, a recent survey conducted by the EBRD reveals that the decrease in demand and loss of market outlets is quoted by 77% of SMEs as the main challenge encountered in wartime (Figure 4.1). Subsequently, the most frequent support requested, regardless of the firm’s sector, is related to the expansion of sales markets (primarily to foreign markets).

Moreover, the survey results also highlight firms’ need to replace Russian software. The large majority of SMEs are still reliant on such tools – 1C, for instance, is used by 80% of Ukrainian firms. This increases their vulnerability in a context where Ukraine has been facing increasing Russian and suspected Belarusian cyberattacks. While the state has shown impressive cyber resilience so far, small firms are typically less equipped to deal with such risks, as they lack awareness and the resources to take adequate security measures. Moreover, digital security is closely linked to e-commerce, as security issues can impede trust in the digital age, and thereby hamper Internet use and uptake of e-commerce. This chapter’s second section is therefore dedicated to digital security risk management.

Eastern Europe has been recording higher growth rates in B2C e-commerce than many Western European countries (UPU, 2023[2]), although Western Europe still represent the largest share of total e-commerce turnover in Europe. In Ukraine, the value of the e-commerce market developed threefold between 2016 and 2020, making it the 48th largest market for e-commerce as of 2023 (ECDB, 2023[3]). It grew by 41% from 2019 to 2020 alone, amounting to USD 4 billion, approximately 2.6% of the country’s GDP (up from 1.04% in 2015), and is still increasing. The turnover of e-commerce sales almost doubled between 2018 and 2021 (+91%) (Ukrstat, 2023[4]). The leading segments include electronics, clothing, furniture, beauty products and groceries.

This steady growth has been supported by increased digital literacy levels and demand for online shopping: 42% of Ukrainians aged 15 years and above bought something online in 2021-22, an increase of 20 percentage points since 2017 – a share above that of other EaP countries, but still below OECD/EU levels, where close to two thirds of the population shop online (Figure 4.2). Ukraine exhibits the lowest annual individual e-commerce expenditure volume, amounting to USD 104, in stark contrast to Czechia’s significantly higher spending of USD 800 per year (Soul Partners, 2021[5]). Nevertheless, Ukraine’s allocation of budgetary resources for e-commerce aligns reasonably well with the Visegrád Group countries’ average, comprising 4.72% of total expenditures. This ratio falls below the corresponding figures in Czechia and Hungary, which are approximately 8%, but above Poland and Slovakia, whose households dedicate 3.8% and 2.5% of their total expenditure, respectively, to online spending (IMF, 2022[6]; The World Bank, 2022[7]).

The rapid growth of the sector has been fostered by the COVID-19 pandemic, with containment measures prompting individuals and businesses to step up online activities. Besides the pandemic, several factors have been pushing consumers to shop online in Ukraine. These include the growing internet penetration rate and number of smartphone users: fixed and mobile broadband subscriptions have registered the sharpest increase in EaP countries between 2015 and 2020, +60% and +969%, respectively (ITU, 2022[9]). In addition to internet penetration, digital literacy has also considerably improved, thanks to dedicated policy efforts – 79% of Ukrainians used the internet in 2021, and half of the population had basic and above basic digital skills in 2021, up from 30% in 2019 (ITU, 2022[9]). The barriers to e-commerce growth are a preference for personal shopping (69.4%) and lack of skills or knowledge (12.5%, down from 14.5% in 2019). Finally, the quality of postal services matters as the possibility of having a lost or broken package is also a factor hindering higher e-commerce share.

E-commerce growth has been fostered by the Ukrainian government’s substantial efforts. Several measures were taken to build a robust legal and regulatory framework, simultaneously seeking approximation with EU standards to tap into the potential of the EU market and encourage cross-border trade. Progress is reflected in the Network Readiness Index 2023, which lists e-commerce legislation among Ukraine’s strengths (Portulans Institute, 2023[10]).

In Ukraine, the e-commerce sector is mainly regulated by the law On Electronic Commerce, adopted in 2015, which provides definitions for e-commerce and online store1, establishes procedures for conducting electronic transactions using information and communication systems, and defines the rights and obligations of parties. This law is complemented by additional documents overseeing various aspects, e.g., on e-payments (Law on Payment Services, Regulation on System of E-payments of the National Bank of Ukraine Approving Amendments to the Regulations on the Procedure for Issuing and Acquiring Payment Instruments ). Ukraine has made strides in approximating its framework and standards with that of the EU, e.g., harmonising e-signatures with eIDAS. The country has fulfilled its obligations under the Association Agreement on e-commerce, particularly the implementation of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce in the Internal Market (“E-Commerce”- Directive) (Shcherbak, 2022[11]). The harmonisation of e-commerce with EU standards continues to be a part of Ukraine’s long-term ambition to join the EU, with dedicated measures foreseen in the National Economic Strategy 2030 and the initial DNRP.

In line with these strategic documents, the government has been making further efforts recently. With regards to consumer protection for instance, a new law was signed in July 2023 to ensure compliance with EU consumer protection rules, including five Directives2, thereby replacing the previous framework adopted in 1991 and amending the current E-commerce law. The new legislation reinforces the requirements laid out by the current laws, notably refining the definitions of digital trading platforms and product comparison services and imposing pre-contractual obligations on e-commerce actors. These provide for informed and conscious decisions from customers – who should benefit from clear, easily accessible and understandable information about products, in Ukrainian. Additional provisions include specific measures for vulnerable consumer groups, as well as regulations in case of purchase of unfit and/or dangerous items. Enforcement is fostered by enhanced power granted to the consumer protection authority, which can now request the internet service provider to restrict access to a given website if the latter is not observing the requirements, and to consumer advocacy groups, to whom the new law gives a legal framework to which to refer. The new law also paves the way for the creation of a new portal for e-commerce consumers, “E-Consumer” (Є-Покупець), as was foreseen in the Draft Recovery Plan, to be launched within three years to further protect them from online fraud: this publicly available platform should facilitate interactions among consumers, traders, and the consumer protection authority (e.g. enabling consumers to fill in complaints in case of rights violation) and ensuring the traders undergo mandatory registration procedures and obtain the status of certified traders (ACC, 2023[12]). Overall, the new regulations, to enter into force in July 2024 (if martial law is terminated) will grant Ukrainian consumers with the same rights and guarantees as EU citizens and stipulate that buyers in online stores should be protected no less than buyers in ordinary offline stores, in line also with the OECD E-commerce Recommendation (OECD, 2016[13]).

Ukrainian SMEs’ e-commerce adoption has shown little change over recent years, consistently trailing behind large enterprises. The share of SMEs engaging in e-commerce remains far below large firms, with only 4.2% of small ones making online sales, vs. 10.5% of large companies. Overall, the number of firms selling online, regardless of size, has been stalling, despite the COVID-19 pandemic and related containment measures, and it remains below OECD levels (Figure 4.3). The value of sales increased by 91% between 2018 and 2021, but this rise has been driven by large firms, with SMEs’ e-transactions stalling (Figure 4.4).

This plateauing trend in online sales and persisting disparities among firms ensue from several factors. Many companies, especially smaller ones, lack awareness of the opportunities offered by e-commerce. As mentioned in Chapter 3, SMEs often lack the financial and human resources to reap the benefits of digital tools – e.g., in this case, the skills and ability to create a website, using social media platforms, develop a digital marketing strategy, establish additional sales channels, and manage hybrid operations – which requires investing time and money (OECD, 2023[15]). Additional challenges appear with regards to cross-border e-trade: the usage of global marketplaces by Ukrainian firms remains limited, and local marketplaces rarely sell abroad (EU4Digital, 2021[16]). In recent years, Ukraine has seen continued growth in its three largest online marketplaces – Rozetka, Prom and Epicenter (epicentrk.ua). For example, the Prom marketplace, which offers products by thousands of entrepreneurs across the country and is visited by almost 50 million consumers every month, has the annual revenue USD 25-50 million, while the annual revenue of Rozetka, which provides a one-stop shop for all customer’s needs, stands at USD 200-500 million (Similarweb, 2023[17]). Nevertheless, online retailers are accelerating their offline expansion. Rozetka had opened five flagship stores of 1500-3000 sq m each and more than 70 pick-up spots by November 2020. These local marketplaces, while contributing to the expansion of domestic e-commerce, rarely export to the EU – they are not designed for foreign customers, providing information in Ukrainian and Russian only, and prices in local currency. As for global marketplaces, there has been some progress in the use of some online platforms such as Amazon, Ebay and Etsy, further fostered by recent improvements in e-payments, with Paypal and Etsy Payments being now available. However, uptake is still hindered by several challenges – including delivery times (up to several weeks) and costs (EU4Digital, 2021[16]).

Against this backdrop, Ukraine has been continuously expanding its support to SMEs through the EEPO. A wide range of tools have been implemented to support SME internationalisation at large – resulting in a +31% increase in score for the dedicated dimension in the latest OECD SME Policy Index (OECD, 2023[18]). The Diia.Business portal includes a dedicated section, gathering various resources to help SMEs export their products and services – such as an export-readiness test, advisory services, guidelines and tips, insights into foreign markets, training, a business matchmaking/networking service, but also support to participation in international fairs and exhibitions. Noteworthy efforts have been made to increase SMEs’ awareness of export market opportunities through analytics and guidelines on foreign countries and markets. With regards to e-commerce specifically, additional materials have been made available online – such as guidelines on how to use global marketplaces such as Amazon, eBay and Etsy, and online marketing advice (Diia.Business, 2024[19]). After the start of Russia’s full-scale invasion, a Ukrainian IT company, EVO, with the support of the MDTU, the Ministry of Foreign Affairs, Visa, and Banda, launched Made with bravery3, an e-marketplace for products made in Ukraine, by Ukrainian entrepreneurs. This new platform contributed to increased visibility of Ukrainian goods abroad, advertising them in English and offering worldwide delivery options.

While these developments mark a positive stride forward, support for entrepreneurs to engage in e-commerce, domestically or abroad, is relatively modest. The OECD SME Policy Index 2024 assessed several aspects of SME digitalisation policies in Eastern Partner countries. Ukraine performs strongly overall, but the use of e-commerce is the only digitalisation component where it scores below the regional average (Figure 4.5). This is partly due to the absence of a comprehensive programme to promote e-commerce for SMEs. Yet Ukrainian SMEs express high demand for more export-related support, as many of them seek to enter foreign markets: the most frequent requests one year after the start of the invasion included the promotion of Ukrainian businesses in foreign markets, consulting (notably on marketing and requirements for export to the EU), as well as training on how to sell on global marketplaces (Amazon, eBay) (EBRD, 2023[1]). Indeed, SMEs lack the ability to carry out necessary market assessments and to discover how and via what channels they can promote their products. Current strategic documents do not address this demand, focusing rather on improving the legal and regulatory framework, notably consumer protection. Moving forward, the approach could be complemented by some SME-related support, to develop the supply side.

While the digital economy has been bringing significant benefits to economies and societies and constitutes a source of growth, innovation, improved well-being, productivity and inclusiveness, these opportunities come with a myriad of new and ever-growing digital security threats. The latter vary in form and scope, ranging from untargeted phishing campaigns to very sophisticated malwares. Digital security incidents are increasingly prevalent and impactful, affecting both large and small organisations. They can have significant economic and social repercussions, including reputational damage, disruption of operations, financial losses from scams or disruptions, expenses related to recovery – which in turn can hinder innovation and competitiveness. Incidents may compromise the availability, integrity, or confidentiality of information and systems, stemming from deliberate malicious actions or unintentional events such as natural disasters or human error, and they can also erode consumers’ trust. In that context, SMEs appear to be particularly vulnerable to digital security risks. They often lack the awareness, resources and expertise needed to assess and effectively manage these risks; yet incidents leading to compromised consumer trust, reputational damage, or revenue decline may inflict greater harm upon SMEs compared to larger firms, given small businesses’ increased vulnerability to enduring difficulties in managing temporary customer or revenue losses. Conversely, SMEs equipped with sound digital security policies may have a competitive advantage in the marketplace (OECD, 2016[20]).

Ukraine has faced increased cyber-attacks since the outbreak of Russia’s war. Forbes Ukraine estimated that the losses caused in Ukraine by cybercrime in 2022 amounted to UAH 1 billion (EUR 24 million), a 96% jump compared to 2021 (Forbes, 2023[21]), with the average losses per attack increasing by 49% (to UAH 7,900 / EUR 190). Over 2021-2023, data security problems also increased in frequency, by 14%, resulting in 60% of the adult population having experienced at least one data breach in 2022, and 8 out of 10 teenagers (Ministry of Digital Transformation of Ukraine, 2023[22]). Recent insights into the frequency and type of digital security incidents are not available, but evidence collected prior to Russia’s full-scale invasion suggests that Ukrainian firms’ exposure to digital security threats had been on the rise, with 31% of businesses experiencing cybercrime in 2018 (up from 24% in 2016). The survey found, inter alia, that Ukrainian companies were more likely to experience a disruption of business processes, extortion or intellectual property and theft, as well as politically motivated or state sponsored attacks, than firms surveyed in other countries (PwC, 2018[23]).

Well aware of these increasing challenges, Ukraine has been working on developing a strong policy framework to address them already prior to the war, with a first cybersecurity strategy for 2016-2020, followed by the ongoing Cybersecurity Strategy of Ukraine 2021-2025. The latter entails provisions to counter cyberterrorism and cyberespionage, but also grants attention to digital security, i.e., economic and social aspects. Built around three main principles – deterrence, cyber resilience, and interaction –, it mentions some of the aspects listed in the OECD Council Recommendation on National Digital Security Strategies (see Box 4.1), such as awareness-raising of digital security risks, vulnerability treatment and international co-operation, albeit to various and at times limited extent. It emphasises the need to enhance coordination between different cyber security actors and the issues of operative exchange information on cyber threats, effective training system and models of public-private partnerships – one of the items foreseen in the previous strategy that did not materialise (National Security and Defense Council of Ukraine, 2021[24]). Moreover, digital security challenges are also mentioned in key digitalisation documents outlined in Chapter 2, such as the Strategy on integration of Ukraine into the European Union Digital Single Market, the National Economic Strategy 2030, and draft strategies such as the DNRP and Ukraine Plan. The draft SME Strategy 2024-2027 also states the aim to strengthen SMEs’ digital security capabilities.

Cybersecurity policies are designed and coordinated by Ukraine’s National Cybersecurity Coordination Centre (NCCC), under the National Security and Defence Council of Ukraine. The country benefits from a Computer Emergency Response Team (CERT-UA) operated by the State Service for Special Communications and Information Protection of Ukraine to help detect, monitor, and investigate threats. The body has received international accreditations. Recent progress has notably been made with regards to information-sharing, as CERT-UA now provides a platform to report digital security incidents as well as newly established guidelines to this end, adopted in 2023 and based on the EU Agency for Cyber ​​Security (ENISA) recommendations. CERT-UA has reportedly dealt with 2,194 incidents (Government of Ukraine, 2024[26]).

Ukraine was among the first EaP countries (together with Georgia) to develop a legal and regulatory framework on digital security. The main document in that regard is the Law on basic principles to ensure cyber security (adopted in 2017, amended in 2020), laying out the key principles for a cybersecurity system and its stakeholders. Some minimum cybersecurity requirements were defined at the national level, mostly based on ISO and NIST standards, and applying to public entities and private firms. Ukraine’s efforts in recent years were fostered by the previous cybersecurity strategy, and are reflected in the ITU’s Global Cybersecurity Index, where legal measures stand out as the country’s main strength (ITU, 2024[27]).

Current plans foresee further steps to strengthen the legal arsenal, notably in the Strategy on integration of Ukraine into the EU Digital Single Market 2018-23 and the Draft Recovery Plan. Both documents emphasise the need to align Ukraine’s regulations with that of the EU and with NATO requirements. Indeed, the country, like its regional peers, has not yet aligned its laws and regulations with the EU Directive on the security of network and information systems (NIS). Some welcome measures were recently adopted, e.g., new regulations to exchange information on cyber incidents, but further improvements are needed to align with EU requirements (Maigre, 2024[28]; European Commission, 2023[29]).

Ukraine’s aspirations to align with international standards fall in line with overall efforts to enhance cyber resilience through greater cross-country co-operation. Like EaP peers, Ukraine has ratified the Budapest Convention on Cybercrime, which seeks to facilitate international co-operation on the investigation of cybercrime, and the country has been steadily stepping up co-operation with foreign partners, e.g., through cyber exercises conducted with the EU, NATO, and other states and international organisations. Recent examples include the signature, in 2023, of an arrangement between ENISA and Ukrainian counterparts, targeting capacity-building, exchange of best practices (including on key legislation implementation), and awareness-raising (European Union Agency for Cybersecurity, 2023[30]).

While Ukraine appears undoubtedly committed to building up cyber resilience, there remains room for improvement with regard to effective implementation of planned measures, as well as coordination across stakeholders. The assessment of the previous cybersecurity strategy found that less than half of the actions foreseen were implemented, with particular issues in terms of operative exchange of information, training, public-private partnerships, and the establishment of a list of critical information infrastructure. These shortcomings were partly due to a lack of clarity in the priority areas outlined, with planned measures not always associated with objectives and assigned to relevant actors, and a reported lack of resources. The absence of indicators to monitor and evaluate the strategy also hindered the realisation of the latter (National Security and Defense Council of Ukraine, 2021[24]).

One of the key challenges identified was the insufficient exchanges between relevant actors. The previous strategy was primarily implemented by security and defence actors, while ministries, scientific institutions, and non-governmental stakeholders, as well as educational and research institutions, were reportedly insufficiently involved (National Security and Defense Council of Ukraine, 2021[24]). Yet co-operation, including at domestic level, is essential to effectively manage digital security risks. At organisation level, leaders, decision makers and technical experts need to cooperate to assess threats and ensure alignment of the measures with the organisation’s objectives; exchanges between organisations are also crucial, e.g., to share information about emerging threats and vulnerabilities within entities and across supply chains or sectors, including among competitors (e.g., through Information Sharing and Analysis Centres – ISACs) (OECD, 2016[20]; OECD, 2022[31]). In Ukraine, however, the inadequate level of coordination, co-operation, and information exchange among entities has been a persisting issue (Spînu, 2020[32]). Public-private co-operation, for instance, remain limited, e.g., with regards to information-sharing – there is no automation of processes or risk management systems. Prior to Russia’s full-scale invasion, 28% of organisations in Ukraine were unlikely to share information about digital security incidents with the government or law enforcement agencies, vs. 12% of firms globally – this is partly due to a lack of trust, with more than half of firms reporting lack of trust in the expertise of law enforcement agencies (PwC, 2018[23]). Finally, the development of the partnerships with technological and industrial partners is still at a nascent stage (EU4Digital, 2020[33]).

Enhanced involvement of all stakeholders, notably the business, technical, and civil society experts, would therefore help inform policymaking and strengthen overall cyber resilience.

As digital security threats increase, SMEs, in Ukraine like elsewhere, often lack awareness of risks and appear to be particularly vulnerable. Recent studies reveal that more than one Ukrainian out of three (36%) do not have cyber security measures at their workplace, and one out of four (26%) reports there are no effective measures to protect data and confidential information (Ministry of Digital Transformation of Ukraine, 2023[22]). Ukraine benefits from a larger density of secure Internet servers than EaP peers, albeit less than OECD and EU levels (Figure 4.7), but the use of Russian software by public authorities, citizens and businesses alike increases the attack surface. The country is still dependent on ICT products and management software from Russia. Inter alia, concerns about SMEs’ overreliance on Russian products, e.g., for CRM and ERP systems, have been on the rise since the outbreak of Russia’s full-scale invasion. Some 12% of SMEs see the need to replace Russian software as a key wartime challenge (Dolmatova, 2023[34]), but, as of 2023, 80% of Ukrainian businesses still used 1C for instance, which might make them more vulnerable to potential attacks.

Amidst these increasing concerns and challenges, several non-financial tools were developed to increase SMEs’ awareness of, and preparedness for, data protection-related risks (e.g., Diia.Business’s online self-assessment tool on data protection for SME managers) and digital security threats (e.g., the free online course on Cybersecurity Basics for Entrepreneurs, launched by MDTU in collaboration with Diia.Business Diia.Education, NCCC, the Cyber Diia platform, Google, and Information Systems Security Partners). More recently, the EEPO and foreign stakeholders, such as USAID, have been working on developing financial support, such as vouchers, with a view to incentivising small firms to invest in digital security services (American Chamber of Commerce, Ukraine, 2023[35]) (Prostir, 2024[36]). However, support remains relatively scarce overall, and SMEs’ coverage in the current approach to digital security still appears to be limited, with policy documents entailing very few provisions for them.

More could be done with regards to personal data protection. There is no general obligation to report personal data breaches either to customers or to law enforcement. While this fosters an environment where SMEs can operate digital services with greater ease, without the burden of cumbersome technical requirements, it might undermine customers’ trust in businesses, providing no guarantee that firms sufficiently protect their personal data. This appears as a concern for many consumers, with 40% of Ukrainians having opted out from purchasing online due to digital security/privacy reasons. This issue might also be particularly detrimental for cross-border e-trade, as Ukrainian SMEs seeking to export might be confronted to more stringent digital security and data protection requirements. Fostering enforcement of privacy standards could not only help SMEs protect themselves but could also give them a competitive advantage in the marketplace, enhancing their reputation, revenues, and consumers’ trust.

In light of the above, Ukraine could step up its support to help SMEs broaden their domestic and foreign customer base by tapping into e-commerce opportunities. To this end, the following measures could be considered:

• In the short-term, help SMEs reduce shipping costs and time: delivery times and costs often appear as one of the main challenges to cross-border e-commerce. While Ukrainian SMEs’ selling online may have quality products, the logistics to ship them abroad, e.g., to EU markets, lead to longer delivery times, and might therefore lower competitiveness. Moreover, the war has created additional logistical and storage challenges. Storing goods in warehouses in target markets could be useful in that regard, enabling firms to have products ready to be quickly dispatched. Provisions in that direction could include raising SMEs’ awareness of such warehousing options and enhancing their access thereto, e.g., by subsidising costs for first-time users. A pilot programme could be considered with neighbouring EU countries, e.g., Poland.

• In the medium-term, step up direct support for SMEs to develop both domestic and cross-border e-commerce practices: the analysis has shown that uptake of global marketplaces by Ukrainian businesses remains relatively low, while Ukrainian marketplaces are little known to foreign customers. Moreover, SMEs often lack awareness of market opportunities, and of how and via which channels they can promote products. With a view to addressing these persisting challenges and the overall high demand for more export support from SMEs, additional tools could be implemented – e.g., consulting (notably on marketing strategies, opportunities and requirements for exports to EU markets) and training on how to sell on global marketplaces (Amazon, eBay). Such components could be included in the overall SME digitalisation programme recommended in Chapter 3.

• In the long-term, raise stakeholders’ awareness of new laws and regulations: the recent and ongoing changes to the legal and regulatory framework for e-commerce to align with the EU are very welcome steps; however, SMEs’ limited time and resources often do not enable them to keep abreast of new requirements such changes might introduce. Moreover, evidence show that stakeholders often lack awareness of EU cross-border taxation procedures (EU4Digital, 2021[16]). More could therefore be done to help small firms keep track of the latest changes and requirements, e.g., on consumer protection, and to foster stakeholders’ awareness of EU changes in customs, taxes, security, and parcel delivery areas.

Ukraine has shown impressive cyber resilience and continues to provide substantial policy efforts to tackle ever-growing threats. Building on this, the following could complement the current approach and enhance its effectiveness:

• In the short-term, help SMEs protect themselves from digital security risks: as outlined, SMEs often lack the awareness, resources and expertise to assess their digital risk exposure; they appear as the “weak link” in networks, being an easier access point for hackers to target larger firms, and this might ultimately undermine resilience (OECD, 2020[37]). Moreover, in the case of Ukraine, the overreliance on Russian software such as 1C creates additional vulnerabilities. The priority should therefore be to foster the uptake of an alternative software, ideally in Ukrainian, as language remains a barrier. This could be encouraged through targeted financial support, to incentivise the change, coupled with training. Beyond this, additional tools could be implemented to raise SMEs’ awareness of existing risks, help them manage them and respond to potential attacks, and ultimately increase their trust in digital technologies. These could entail, for instance, standards on digital security and data protection for SMEs, specific training for both SME managers and employees, and/or financial incentives to invest in cyber insurance. Integrating a digital security component in overall SME digitalisation programme could help in that regard.

• In the medium-term, increase co-operation across all stakeholders to enhance capacity and resilience: while international co-operation between Ukraine and partners has been on the rise, the limited collaboration between public and private stakeholders remains a challenge. In line with the OECD Recommendation on Digital Security Risk Management, co-operation within and between organisations and sectors could be stepped up, e.g., through public-private and sector-specific partnerships. The role and involvement of educational and research institutions could be enhanced, e.g., to inform policymaking, but also to help increase cyber literacy levels.

• In the long-term, strengthen policy framework on cyber / digital security, ensuring effective implementation and monitoring & evaluation: drawing on from the lessons of the previous cybersecurity strategy, Ukraine should ensure effective implementation of the actions planned. Objectives should be systematically associated with concrete measures, measurable indicators, targets and budget lines, and clearly allocate responsibility for each action, in order to avoid the caveats reported in previous strategies. As the current strategy will expire in 2025, future policy documents could also grant more attention to digital security risks to economic and social activities and include SME-related provisions. Ukraine might find it useful to leverage OECD tools for guidance, such as the abovementioned OECD Recommendation on National Digital Security Strategies (OECD, 2022[25]) and the OECD Policy Framework on Digital Security (OECD, 2022[38]), which would also help the country get closer to OECD standards.

[12] ACC (2023), Ukraine Introduces New Law on Consumer Protection, https://chamber.ua/news/ukraine-introduces-new-law-on-consumer-protection/ (accessed on 8 January 2024).

[35] American Chamber of Commerce, Ukraine (2023), Dialogue “The Use of Cybersecurity Vouchers to Stimulate the Cybersecurity Market in Ukraine”, https://chamber.ua/events/dialogue-the-use-of-cybersecurity-vouchers-to-stimulate-the-cybersecurity-market-in-ukraine/ (accessed on 30 June 2023).

[19] Diia.Business (2024), E-commerce, https://export.gov.ua/415-e-commerce (accessed on 11 January 2024).

[34] Dolmatova, A. (2023), EBRD, USA and Sweden assess impact of war on SMEs in Ukraine, EBRD, https://www.ebrd.com/news/2023/ebrd-usa-and-sweden-assess-impact-of-war-on-smes-in-ukraine.html.

[1] EBRD (2023), Key problems and needs of SMEs analysed almost a year after Russian invasion, https://www.merezha.ua/reports/2023/Challenges-and-Needs-of-SMEs-in-War-Time-en.pdf.

[3] ECDB (2023), eCommerce market in Ukraine, https://ecommercedb.com/markets/ua/all (accessed on 17 January 2024).

[16] EU4Digital (2021), eCommerce report - Recommendations proposed for eCommerce environment harmonisation in the EaP countries: Ukraine, https://eufordigital.eu/wp-content/uploads/2021/04/eCommerce-report-%E2%80%93-Recommendations-proposed-for-eCommerce-environment-harmonisation-in-the-EaP-countries-Ukraine.pdf.

[33] EU4Digital (2020), Cybersecurity guidelines for the Eastern Partner countries, https://eufordigital.eu/wp-content/uploads/2020/10/Cybersecurity-guidelines-for-the-Eastern-Partner-countries.pdf.

[29] European Commission (2023), Commision Staff Working document - Ukraine 2023 Report, https://neighbourhood-enlargement.ec.europa.eu/system/files/2023-11/SWD_2023_699%20Ukraine%20report.pdf.

[30] European Union Agency for Cybersecurity (2023), Enhanced EU-Ukraine cooperation in Cybersecurity, https://www.enisa.europa.eu/news/enhanced-eu-ukraine-cooperation-in-cybersecurity (accessed on 17 November 2023).

[21] Forbes (2023), Збитки українців від кіберзлочинності торік зросли до 1 млрд грн – дослідження ЄМА [The losses of Ukrainians from cybercrime increased to UAH 1 billion last year - EMA research], https://forbes.ua/news/zbitki-ukraintsiv-vid-kiberzlochinnosti-torik-zrosli-do-1-mlrd-grn-doslidzhennya-ema-21022023-11884 (accessed on 19 February 2024).

[26] Government of Ukraine (2024), Strategy for the recovery, sustainable development and digital transformation of small and medium-sized enterprises for the period up to 2027 (draft for consultation, unpublished).

[6] IMF (2022), E-commerce During Covid: Stylized Facts from 47 Economies, International Monetary Fund, https://www.imf.org/en/Publications/WP/Issues/2022/01/28/E-commerce-During-Covid-Stylized-Facts-from-47-Economies-512014.

[27] ITU (2024), Global Cybersecurity Index 2020, https://www.itu.int/epublications/publication/D-STR-GCI.01-2021-HTM-E.

[9] ITU (2022), Digital Development Dashboard: An overview of the state of digital development around the world based on ITU data, https://www.itu.int/en/ITU-D/Statistics/Dashboards/Pages/Digital-Development.aspx (accessed on 17 August 2023).

[28] Maigre, M. (2024), An E-Integration Marathon - The potential Impact of Ukrainian Membership on the EU’s Digitalisation and Cybersecurity, International Centre for Defence and Security, https://icds.ee/wp-content/uploads/dlm_uploads/2024/01/ICDS_Policy_Paper_An_E-Integration_Marathon_Merle_Maigre_January_2024.pdf.

[22] Ministry of Digital Transformation of Ukraine (2023), Digital Literacy Research - 2023, https://osvita.diia.gov.ua/uploads/1/8801-en_cifrova_gramotnist_naselenna_ukraini_2023.pdf.

[24] National Security and Defense Council of Ukraine (2021), Стратегія кібербезпеки України (2021 – 2025 роки) [Cybersecurity Strategy 2021-2025], https://www.rnbo.gov.ua/files/2021/STRATEGIYA%20KYBERBEZPEKI/proekt%20strategii_kyberbezpeki_Ukr.pdf.

[18] OECD (2023), SME Policy Index: Eastern Partner Countries 2024: Building Resilience in Challenging Times, SME Policy Index, OECD Publishing, Paris, https://doi.org/10.1787/3197420e-en.

[15] OECD (2023), “SMEs in the era of hybrid retail: Evidence from an OECD D4SME survey”, OECD SME and Entrepreneurship Papers, No. 41, OECD Publishing, Paris, https://doi.org/10.1787/882f30b0-en.

[38] OECD (2022), Policy Framework on Digital Security, https://www.oecd.org/publications/oecd-policy-framework-on-digital-security-a69df866-en.htm.

[31] OECD (2022), Recommendation of the Council on Digital Security Risk Management, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0479 (accessed on 5 November 2023).

[25] OECD (2022), Recommendation of the Council on National Digital Security Strategies, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0480 (accessed on 6 November 2023).

[37] OECD (2020), Digital Security and Data Protection in SMEs. How to ensure SMEs are less vulnerable for a post-COVID digital world? Digital for SME ‘D4SME’ Global Initiative webinar – 29 October 2020, https://www.oecd.org/digital/sme/D4SME%20Digital%20Security%20and%20Data%20Protection%20Webinar%20Summary%20Record.pdf.

[20] OECD (2016), Managing Digital Security and Privacy Risk, https://www.oecd-ilibrary.org/science-and-technology/managing-digital-security-and-privacy-risk_5jlwt49ccklt-en.

[13] OECD (2016), Recommendation of the Council on Consumer Protection in E-Commerce, OECD Publishing, Paris, https://www.oecd-ilibrary.org/industry-and-services/oecd-recommendation-of-the-council-on-consumer-protection-in-e-commerce_9789264255258-en (accessed on 4 November 2023).

[14] OECD Going Digital Toolkit (2023), Share of small businesses making e-commerce sales, https://goingdigital.oecd.org/indicator/21 (accessed on 8 January 2024).

[10] Portulans Institute (2023), Network Readiness Index 2023, https://networkreadinessindex.org/.

[36] Prostir (2024), USAID «Кібербезпека критично важливої інфраструктури України» Cyber Vouchers Administration Grant Program RFA-CCI-002 (переоголошення), https://www.prostir.ua/?grants=usaid-kiberbezpeka-krytychno-vazhlyvoji-infrastruktury-ukrajiny-cyber-vouchers-administration-grant-program-rfa-cci-002-pereoholoshennya (accessed on 23 February 2024).

[23] PwC (2018), Global Economic Crime and Fraud Survey 2018: Ukrainian findings, https://www.pwc.com/ua/en/survey/2018/pwc-gecs-2018-eng.pdf.

[11] Shcherbak, O. (2022), Правове регулювання електронної торгівлі [Legal regulation of electronic commerce], https://disua.com.ua/uk/elektronna-torgivlya-ukrayinska-ta-svitovapraktyka-pravovogo-regulyuvannya/ (accessed on 18 December 2023).

[17] Similarweb (2023), rozetka.com.ua Traffic Analytics, Ranking Stats & Tech Stack | Similarweb, https://www.similarweb.com/website/prom.ua/#ranking (accessed on 18 December 2023).

[5] Soul Partners (2021), The e-commerce market in Ukraine has reached $4 billion, https://soulpartners.com.ua/en/news/tpost/casugamy91-the-e-commerce-market-in-ukraine-has-rea (accessed on 17 December 2023).

[32] Spînu, N. (2020), Ukraine Cybersecurity Governance Assessment, DCAF Geneva Centre for Security Sector Governance, https://www.dcaf.ch/sites/default/files/publications/documents/UkraineCybersecurityGovernanceAssessment.pdf.

[7] The World Bank (2022), Households and NPISHs Final consumption expenditure per capita - Ukraine, https://data.worldbank.org/indicator/NE.CON.PRVT.PC.KD?locations=UA (accessed on 16 July 2023).

[8] The World Bank (2021), The Global Findex Database 2021 - Data Download and Documentation, https://www.worldbank.org/en/publication/globalfindex/Data (accessed on 16 October 2023).

[4] Ukrstat (2023), Використання інформаційно-комунікаційних технологій на підприємствах [Use of information and communication technologies in enterprises], https://www.ukrstat.gov.ua/ (accessed on December 17 2023).

[2] UPU (2023), European E-commerce report 2023, https://www.upu.int/UPU/media/wwwUpuIntUniversalPostalUnionAboutUpuBodiesConsultativeCommittee/2023EuropeanEcommerceReportEn.pdf.