Uninterrupted Functioning in a Special Period (NBU Regulation No. 67)
This guide is part of the documentation available in SecBoard. It summarises the Regulation on the organization of ensuring uninterrupted functioning during a special period of the banking system of Ukraine, activity of non-bank financial institutions and other persons that are not financial institutions but have the right to provide certain financial services, regulation and supervision of which is carried out by the National Bank of Ukraine, approved by the Resolution of the Board of the NBU of 14 June 2024 No. 67 (the Regulation / Положення). It explains the three functioning modes, protocols, and how SecBoard modules help banks, branches of foreign banks, non-bank financial institutions, and other supervised persons prepare and demonstrate compliance. Use SecBoard Framework Compliance and Document Register for protocols and evidence; use other SecBoard modules for continuity, incidents, assets, risk, and roles.
What is the Regulation (No. 67)?
The Regulation establishes how the National Bank of Ukraine (NBU) and subjects of the financial services market of Ukraine ensure uninterrupted functioning during a special period (e.g. martial law, emergency). It defines three modes of functioning, the obligation to develop and maintain protocols for transition to each mode, and the duty to activate the relevant protocol when a special period is in effect or when the NBU Board introduces a restricted or critical mode. The Regulation references the Law on the NBU, the Law on Critical Infrastructure, the Law on Financial Services and Financial Companies, the Law on Banks and Banking Activity, the Law on Insurance, the Law on Credit Unions, the Law on Payment Services, the Law on Currency, and other legislation on defence, martial law, mobilisation, and emergency.
Scope: The Regulation applies to banks of Ukraine, branches of foreign banks, non-bank financial institutions, and other persons that are not financial institutions but have the right to provide certain financial services and are regulated and supervised by the NBU (together, “subjects of the financial services market of Ukraine”). Within six months of the Resolution’s entry into force, these subjects must develop and approve internal documents on ensuring uninterrupted functioning in a special period, provide the NBU with information (in electronic form) on the approved documents and copies of their approval, and ensure the ability to promptly change modes and adapt by improving the continuity management system in line with existing NBU acts and the Regulation’s requirements.
Three modes of functioning
Depending on the potential or actual impact on the financial services market, the Regulation defines three modes. One mode applies to all subjects and the NBU at the same time (no simultaneous different modes, except as allowed in the Regulation).
No systemic (or minimal) impact of direct threats to life, health, or infrastructure. Subjects and the NBU can provide services and perform functions in full. In the event of a special period or martial law, subjects function in this mode until a restricted or critical mode is introduced.
Systemic impact of direct threats or objective circumstances posing a potential threat to life, health, or infrastructure. Services and NBU functions can still be performed, but there may be non-compliance with conditions or scope as under heightened readiness. Subjects operate within the scope and specifics set by NBU normative acts for the relevant mode.
Systemic critical impact, infrastructure inaccessible, critical security situations (hostilities, blockade, occupation, contamination). Ability to provide services or perform functions is significantly limited or may cease. Even in critical mode, financial services must be provided in: monetary circulation; non-cash and cash settlements; payment and accounting systems; electronic trust services; cybersecurity and information security measures; and the NBU’s function of managing gold and foreign exchange reserves.
Protocols and directions
The NBU develops and approves its own protocols for transition to each mode. Subjects develop and approve protocols for each mode in line with NBU requirements and the directions set out in the Regulation. Protocols must be in electronic form and signed with a qualified electronic signature. They must be kept up to date. When a special period is in effect or the NBU Board decides to introduce a mode, subjects must activate the relevant protocol and ensure functioning in accordance with it.
Protocol content (minimum): (1) sequence of actions and list of measures for the mode; (2) responsible persons (with classification and roles); (3) order of interaction and communication (managers, staff, separate subdivisions, NBU); (4) order of activation; (5) execution of actions and tasks for the mode; (6) list of resources required (including human).
Directions that NBU normative acts regulate for each mode include: cybersecurity and information security; electronic trust services; infrastructure and ICTS, reservation of information systems supporting critical processes, creation, storage and restoration from backups; document storage; safeguarding of valuables (transport, storage); separate subdivisions and remote service points; resource provision (buildings, personnel, power, reserves); NBU mobilisation preparation; technical and operational readiness to implement NBU acts. When a mode is introduced, the NBU issues corresponding normative acts (e.g. on cash, payments, liquidity, reserves, forex, reporting, financial monitoring).
Key requirement areas
| Area | Requirements (summary) |
|---|---|
| Internal documents | Develop and approve internal documents on ensuring uninterrupted functioning in a special period (within 6 months). Provide NBU with information and copies of approval. Align with existing continuity management system per other NBU acts. |
| Protocols | Develop and approve protocols for each of the three modes (heightened readiness, restricted, critical). Protocols: actions and measures; responsible persons and roles; interaction and communication; activation; execution; resources. Keep protocols up to date. Create in electronic form, sign with qualified e-signature. |
| Activation | Upon special period and/or NBU decision on a mode, activate the corresponding protocol and ensure functioning per that protocol. Ensure ability to promptly change modes and adapt activity/resources by improving the continuity management system. |
| Directions (cyber, ICTS, backup) | Protocols and NBU acts address: cyber/information security; ICTS and reservation; backup and restore of data; document storage; safeguarding of valuables; separate subdivisions and remote service; resource provision (personnel, power, reserves); technical and operational readiness. |
How SecBoard modules support the Regulation (No. 67)
SecBoard helps you document protocols, assign responsibilities, store evidence, and track readiness. Use the modules below in line with your role (bank, branch, non-bank financial institution, other supervised person) and NBU expectations.
| SecBoard module | Regulation area | How it helps |
|---|---|---|
| Framework Compliance | All (controls, evidence) | Create a Custom or Local framework (e.g. “NBU 67 – Uninterrupted functioning in special period”). Map control categories and controls to: internal documents, protocols per mode, activation, directions (cyber, ICTS, backup, resources, readiness). Attach evidence (protocols, approval copies, procedures). Assign owners and review dates. Use for gap analysis and NBU reporting readiness. Dashboard shows status. |
| Document Register / Legislative docs (app_doc) | Internal documents, protocols | Store and version internal documents on uninterrupted functioning in a special period and protocol documents (per mode). Link to Framework Compliance evidence. Legislative docs for the official Regulation (No. 67) and NBU acts issued when a mode is introduced. Mandatory Processes for recurring review and update of protocols. |
| Incident Register (app_incident) | Crisis response, activation | Record crisis situations and activation events; document response and escalation. Use for alignment with “crisis response mode” of critical infrastructure (п. 7) and for incident/crisis evidence linked to protocol activation. Link to Framework Compliance. |
| Risk Assessment (app_risk) | Scenarios, readiness | Document risk scenarios (e.g. scenarios of events that may trigger restricted or critical mode). Use for continuity and special-period risk assessment. Link risk treatment to protocols and resources. Evidence for Framework Compliance. |
| Asset management (app_asset) | Resources, ICTS | Maintain inventory of critical resources, ICTS, and infrastructure. Use for “list of resources” (п. 14(6)) and for reservation/backup scope. Supports protocol content and NBU directions on ICTS and reservation. Asset Guide available. |
| Cabinet (app_cabinet) | Responsible persons, roles | Document roles and responsible persons (п. 14(2)). Use Org Structure and Cabinet Users for “responsible persons for organization, control and execution” and for communication chains. Supports protocol content and activation. Cabinet Users Guide and Org Structure Guide available. |
| Keys & Certificates (app_keycert) | Electronic trust, crypto | Where protocols or NBU directions involve electronic trust services or cryptographic means, use for key/certificate lifecycle and backup evidence. Key/Cert Guide available. |
| SOC / Wazuh (app_soc) | Cyber/info security | Support evidence for “organization of cybersecurity and information security” in protocols and NBU directions. Logging and monitoring for continuity and incident response. FIM Dashboard Guide available. Attach reports in Framework Compliance. |
| TPRM (app_tprm) | Third parties in continuity | If protocols or resource provision involve third parties (e.g. backup sites, support), use Vendor and VendorAssessment for contracts and readiness. Link to Framework Compliance where relevant. |
| Configuration (app_conf) | Scope by entity | Define companies (e.g. bank, branch, entity). Use to scope protocols and evidence by entity and to align Framework Compliance instances. |
Quick mapping: Regulation area → SecBoard
| Regulation area | SecBoard modules to use |
|---|---|
| Internal documents & protocols | Framework Compliance, Document Register, Legislative docs, Mandatory Processes. |
| Responsible persons, roles, communication | Framework Compliance, Cabinet (Org Structure, Users), Document Register (protocol content). |
| Activation, crisis response | Framework Compliance, Incident Register, Document Register (activation procedure). |
| Resources, ICTS, backup | Framework Compliance, Asset management, Document Register (reservation, backup procedures). |
| Cyber/information security | Framework Compliance, SOC, Document Register, KeyCert (where applicable). |
| Scenarios, readiness | Framework Compliance, Risk Assessment. |
Getting started with the Regulation in SecBoard
- Create a framework: In Framework Compliance, create a Custom framework (e.g. “NBU 67 – Uninterrupted functioning in special period”). Add control categories and controls for: internal documents, protocols (per mode), activation, directions (cyber, ICTS, backup, resources, readiness).
- Protocols and documents: Store internal documents on uninterrupted functioning and protocol documents (for each of the three modes) in Document Register. Ensure protocol content includes: actions and measures; responsible persons and roles; interaction and communication; activation order; execution; resources. Keep protocols up to date; use Mandatory Processes for periodic review. Link to Framework Compliance.
- Roles and communication: Use Cabinet (Org Structure, Users) to document responsible persons and roles referenced in protocols. Document communication and escalation paths in protocol documents.
- Resources and ICTS: Use Asset management for inventory of critical resources and ICTS; link to reservation and backup procedures. Document backup and restore in Document Register and link to controls.
- Activation and incidents: Use Incident Register for crisis/activation events and response. Link activation procedure (from protocols) to Framework Compliance. Use Risk Assessment for scenario and readiness documentation.
- NBU reporting: Within six months, provide NBU with information on approved internal documents and copies of approval. Use Framework Compliance and Document Register to keep evidence ready for submission and for follow-up improvement of the continuity management system.
NBU Regulation No. 67 and SecBoard
This guide is part of the documentation available in SecBoard. The Regulation on the organization of ensuring uninterrupted functioning during a special period (Положення, NBU Board Resolution 14.06.2024 No. 67) applies to banks, branches of foreign banks, non-bank financial institutions, and other persons that provide certain financial services under NBU supervision. It defines three modes (heightened readiness, restricted, critical) and requires protocols for each mode, activation upon special period or NBU decision, and internal documents within six months. Use SecBoard Framework Compliance and Document Register for protocols and evidence; use Incident Register, Risk Assessment, Asset, Cabinet, SOC, and KeyCert to support activation, resources, roles, cyber/info security, and readiness.
Keep protocols and internal documents up to date and ensure the continuity management system allows prompt change of modes and adaptation in line with NBU requirements.
Frequently asked questions
What is the Regulation (No. 67)? — The NBU Board Resolution of 14 June 2024 No. 67 approved the Regulation on ensuring uninterrupted functioning in a special period for the banking system of Ukraine and for non-bank financial institutions and other supervised persons. It defines three modes (heightened readiness, restricted, critical), protocols for transition to each mode, and the obligation to activate the relevant protocol and to develop internal documents within six months.
Who must comply? — Banks of Ukraine, branches of foreign banks, non-bank financial institutions, and other persons that are not financial institutions but have the right to provide certain financial services and are regulated and supervised by the NBU.
What are the three modes? — (1) Heightened readiness — full services; (2) Restricted — systemic or potential threat, possible reduction in scope; (3) Critical — severe impact, but core financial services (monetary circulation, settlements, payment systems, electronic trust services, cyber/info security, NBU reserve management) must still be ensured.
What must a protocol contain? — Sequence of actions and list of measures; responsible persons (with roles); order of interaction and communication (including with NBU); order of activation; execution of actions and tasks; list of resources (including human). Protocols are in electronic form and signed with a qualified e-signature.
How do I use SecBoard for NBU 67? — Store internal documents and protocols in Document Register; map controls and evidence in Framework Compliance; document responsible persons and roles in Cabinet; use Incident Register for activation/crisis events; use Asset and Risk Assessment for resources and scenarios. Provide NBU with information on approved documents and copies of approval within six months.