QES under new rules: how this will affect users

QES in Ukraine is moving to a new level of security: from 10 February 2026 all new keys will be created using the strengthened “Kupyna” algorithm, and a full transition to this standard is expected by 1 July 2026. For users this means not so much a change in familiar services as an update of the “engine room” – the cryptography will become much more resistant to modern cyberthreats and digital data will be better protected.

1. What exactly is changing in the rules for creating QES

• From 10 February 2026 all new QES certificates will be generated with the “Kupyna” algorithm – a modern cryptographic standard that replaces previous algorithms for new operations.
• The old algorithms will not be switched off instantly: they will continue to be used to verify documents signed earlier, but for new keys and transactions only “Kupyna” will gradually be applied.
• The Ministry of Digital Transformation has set a deadline: by 1 July 2026 all providers of electronic trust services must fully migrate to the new standard, synchronising their hardware‑software complexes and internal regulations.
• For users this is a planned security upgrade: the interfaces of Diia, the tax e‑cabinets and banking apps remain the same, only the way cryptographic keys are generated and stored changes.

2. Do you need to urgently replace your current signature

• All QES issued before 10 February 2026 remain valid until their expiry date – no automatic “cancellations” or blocks are envisaged.
• If your certificate is valid for a few more months or a year, you can safely use it for tax reporting, submitting applications via Diia, participating in tenders or conducting banking operations until it expires.
• The old encryption algorithms will continue to be supported for signature verification – documents you have already signed with an “old” QES will not lose legal force and will be correctly verified in state systems.
• You will actually switch to the new standard during scheduled renewal: when the certificate expires, the certification centre will issue you a new key already based on “Kupyna”, without any extra actions on your part.

3. Benefits and risks for ordinary users

• The main benefit is an increased level of cyber protection: the strengthened algorithm reduces the risks of key guessing, signature interception and unauthorised modification of signed data, which is especially important given rising computing power and attack sophistication.
• For an ordinary user this looks like a “lock upgrade” – the signing process in Diia or the taxpayer’s cabinet does not change, but the likelihood of a technical compromise of the key itself drops significantly.
• Stronger signatures reduce fraud risks: it becomes harder for attackers to create a fake QES, take out loans, file a bogus tax return or sign documents on your behalf without access to the real key.
• At the same time, the cost of careless handling of QES increases: if a user passes the key to third parties, stores the password in plain text or uses dubious devices, the consequences of compromise will be just as serious as before, and proving a hack without proper logs and a well‑organised key management process will be difficult.

4. Implications for businesses and sole proprietors

• For small and medium‑sized businesses the new rules mean that all future signatures of employees, accountants and directors will gradually move to a single strengthened standard, which will simplify interaction with public authorities and counterparties in the long term.
• However, during the transition companies will need resources for an inventory of existing QES, scheduled reissuance of certificates, updating internal information‑security policies and training staff who use e‑signatures in their daily work.
• In sensitive sectors – public procurement, finance, work with state registers – regulators may insist on using secure hardware tokens or cloud‑based QES with strict access control, which will add costs but reduce the risks of internal abuse.
• For businesses working with non‑residents and international partners, the transition to a modern standard increases the chances of further technical and legal convergence with the European eIDAS infrastructure and thus simplifies electronic document exchange with EU counterparties.

5. How to prepare for the transition: step‑by‑step tips

• Check the expiry date of your current QES certificate in your trust service provider’s cabinet or in the app you use and note that date – this is your control point for migrating to “Kupyna”.
• Monitor announcements from your certification centre: during the transition there may be changes in working hours, issuance channels, required documents or service fees, which is crucial if you are responsible for multiple employees’ signatures.
• Decide on the key carrier format: for individuals and some sole proprietors a file‑based or cloud QES may be sufficient, whereas for public officials, managers of large companies or those responsible for procurement it is more appropriate to use secure tokens with limited physical access.
• Update basic cyber‑hygiene rules: never share keys, do not store passwords in unprotected notes, use multi‑factor authentication for access to Diia, e‑cabinets and email through which you receive confirmations of QES operations.
• If you run a business, create an internal register of all QES (who uses which signature and for what), define a procedure for urgent blocking of a compromised key and designate responsible persons employees should contact if a token is lost or a hack is suspected.

If you have questions or face difficulties related to transitioning to the new QES standard, choosing a secure signature carrier, organising key management in your company or dealing with the consequences of a possible key compromise, seeking qualified legal and tax advice will help you choose the best operating model, minimise technical and legal risks and avoid disputes with counterparties and regulators.

Author – Yuliia Popadyn, attorney of the tax and housing law practice at the Law Firm “Winner Legal Company”.