Procurement is active. Tenders are open. And the compliance architecture around this economy is more demanding than anything most European corporates have encountered in an emerging-market entry. This note sets out what the operating environment actually looks like — and what it takes to engage seriously.
R·26·06 · June 2026
The World Bank's successive Rapid Damage and Needs Assessments have consistently placed the cost of Ukraine's recovery above $480 billion, a figure that rises with each assessment cycle. The financing architecture mobilised to meet it is multilayered and already operational: the EU Ukraine Facility's €50 billion envelope through 2027, with disbursements underway against the Ukraine Plan's reform milestones; EBRD, EIB, IFC, and World Bank co-financing across energy, transport, housing, municipal infrastructure, and industrial recovery; bilateral instruments from G7 members and associated donors; and an expanding ecosystem of blended-finance vehicles designed to crowd in private capital against public-sector guarantees.
This is not a planning-stage discussion. EU Ukraine Facility tenders are being published through the Prozorro public procurement system and through DFI procurement portals. Pre-qualification processes are running. International companies are forming consortia and onboarding Ukrainian subcontractors under compressed timelines. The procurement mechanics themselves are non-trivial: Prozorro operates under Ukrainian procurement law as amended under martial law, with separate thresholds and procedures for defence-related and critical infrastructure procurement. DFI-backed projects use their own procurement frameworks — EBRD's Procurement Policies and Rules, the World Bank's Procurement Regulations — which do not always align with each other or with Ukrainian domestic requirements. Companies bidding across multiple funding streams encounter multiple procurement regimes for what is functionally the same market.
The competitive landscape compounds the urgency. European companies operate under the full weight of CSDDD, EU sanctions, and dual-use controls. Competitors from China, Turkey, the Gulf states, and other jurisdictions do not. This asymmetry is structural: it will not resolve, and it means that the compliance cost of responsible engagement is a competitive disadvantage that must be managed rather than eliminated. The companies that absorb this cost intelligently — building compliance architectures that also serve as business intelligence and risk management — will be better positioned than those that treat it as overhead.
CSDDD, EU sanctions, and dual-use export controls apply simultaneously to every Ukraine-relevant commercial decision. Most compliance functions staff these as separate workstreams. In the reconstruction context, they converge at the level of individual supplier-onboarding decisions, procurement bids, and financing arrangements. A supplier who clears sanctions screening may present CSDDD-relevant human rights exposure through its labour practices or subcontractor chain. A component that is civilian in its primary market may have dual-use characteristics in a wartime economy where the line between civilian and military infrastructure has been blurred by three years of full-scale conflict. The companies that build integrated assessment frameworks — one counterparty picture that addresses all three regimes — will avoid the internally inconsistent positions that separate workstreams inevitably produce.
Ukraine's beneficial ownership register has improved materially since the 2014 reforms and is, by regional standards, functional. But corporate structures have been reshaped repeatedly — by post-Maidan de-oligarchisation, by the 2022 invasion, by wartime nationalisations of Russian-connected assets under the NSDC sanctions mechanism, by the transfer of businesses from sanctioned individuals to nominees or related parties, and by the practical expedients of operating a business under sustained missile and drone attack. Reading the register correctly requires familiarity with how Ukrainian corporate law operates under martial law, how the beneficial ownership disclosure regime interacts with national security exemptions, and where the data quality breaks down — none of which standard KYC tooling provides.
Residual exposure to Russian-connected ownership chains that pre-date the war has not been fully cleansed. Some structures were deliberately obscured; others were inherited through pre-war commercial relationships that were never re-examined. The twentieth EU sanctions package's activation of the anti-circumvention tool — and its new IP-use reporting obligation — has raised the analytical bar for counterparty assessment in ways that most onboarding processes have not yet absorbed.
The active conflict shapes every commercial and operational dimension in ways that standard country-risk frameworks do not capture:
Payment and currency. The National Bank of Ukraine maintains capital controls and foreign-exchange restrictions under martial law. Cross-border payments require compliance with NBU regulations that change with limited notice. Settlement timelines are unpredictable. Multi-currency contracts require structuring that accounts for hryvnia convertibility constraints and repatriation limitations.
Labour and workforce. Conscription has removed a material proportion of the working-age male population from the civilian labour market. Companies subcontracting to Ukrainian firms need to understand the mobilisation framework and its implications for workforce continuity, project delivery timelines, and succession risk. Internally displaced populations present both labour-supply opportunities and HRDD obligations — forced labour indicators in informal supply chains, labour rights in displacement contexts, and the specific protections that IDP status carries under Ukrainian law.
Insurance and surety. War-risk insurance for Ukrainian operations is available but expensive, coverage terms have narrowed, and exclusion clauses have multiplied. Performance bonds and guarantees require structuring that accounts for force majeure under conditions of ongoing armed conflict. The interaction between insurance coverage and DFI/donor loss-allocation mechanisms is non-obvious and varies by funding stream.
Dispute resolution. Martial law affects the operation of Ukrainian courts, the enforceability of judgments, and the availability of arbitration mechanisms. International arbitration clauses are standard in cross-border contracts, but the enforcement of foreign arbitral awards in Ukraine under martial law conditions has practical limitations that commercial counsel may not flag without specific Ukraine experience.
Physical security. Site access in government-controlled oblasts is feasible but requires structured security protocols, not adapted corporate travel policy. Access to front-line areas, recently de-occupied zones, and areas with mine contamination requires capabilities that most corporate compliance teams do not maintain. The desk-based questionnaire process that serves adequately in stable jurisdictions is structurally inadequate for verification in this environment.
Companies entering through DFI-backed or EU Facility-funded projects face a doubled compliance burden. IFC Performance Standards, EBRD's Environmental and Social Policy, and the EU's procurement and financial regulation framework apply at the project level alongside the corporate compliance regimes that apply at the firm level. These two layers use different vocabularies, different assessment methodologies, different reporting cadences, and different escalation procedures. Making them coherent rather than redundant is non-trivial — but the companies that succeed will find that institutional safeguards, properly internalised, discharge a substantial portion of the CSDDD operational burden for the Ukrainian portion of their chain. The companies that treat them as a procurement formality will do the work twice and gain the benefit of neither.
Ukraine has built genuine anti-corruption institutional capacity since 2014 — NABU, SAPO, the High Anti-Corruption Court, the Asset Recovery and Management Agency, and the reformed Prozorro procurement system represent real progress that deserves acknowledgment. But reconstruction spending at this scale, under wartime conditions, with compressed procurement timelines and constrained oversight capacity, creates governance risks that any serious entrant must price into its due diligence.
The question is not whether corruption exists — that framing is unhelpful and patronising. The question is whether your counterparty-assessment process can distinguish between a credible firm and one whose corporate structure, pricing, subcontracting relationships, or political connections should prompt further investigation. Standard compliance questionnaires do not make this distinction. Intelligence-led counterparty assessment — combining corporate registry analysis, beneficial ownership mapping, adverse media, and local-network verification — does.
CSDDD does not endorse withdrawal as a uniformly compliant strategy. The directive contemplates that disengagement may itself produce adverse human rights impacts — on workers, on communities, on counterparties whose viability depends on the relationship. For companies considering whether to enter or stay in the Ukrainian market, the serious question is not binary. It is: what does a responsible, documented, defensible engagement strategy look like — and what does the compliance record supporting that strategy need to contain? A reflexive exit without analysis is increasingly difficult to defend; a documented, principled decision — whether to engage, to remain, or to withdraw — is defensible regardless of the conclusion it reaches.
The companies that engage effectively in Ukraine's reconstruction economy share a common pattern. It is not a matter of spending more on compliance; it is a matter of building the right architecture.
A single counterparty picture. Sanctions, CSDDD, dual-use, and institutional safeguards are assessed as one integrated view per counterparty — not as parallel workstreams producing separate reports that nobody reconciles. The assessment is structured, version-controlled, and updated on a defined cadence. It serves as the authoritative record for board reporting, audit, regulatory enquiry, and DFI safeguards review.
Intelligence infrastructure, not ad-hoc research. Counterparty assessment at scale requires tooling — beneficial ownership resolution, sanctions screening against live data, adverse media monitoring, corporate registry integration. Companies that rely on manual research per counterparty will not scale with the procurement cadence. The right infrastructure turns what would be a six-week research project into a structured query with a documented output.
In-country capacity that is not improvised. Whether through internal teams or through advisers with genuine in-country presence, the company needs access to Ukrainian operational reality — not mediated through a desk in London, Frankfurt, or Vienna. This means people who read Ukrainian corporate law, who know how the Prozorro system works in practice, who can visit a site and assess what they find, and who maintain the local relationships that make verification possible. Remote desktop exercises produce outputs that look like due diligence but do not survive contact with the actual environment.
Decision records that survive scrutiny. Every engagement, entry, exit, and escalation decision produces a record that a board, an auditor, a regulator, and an institutional safeguards reviewer can all read with the same level of confidence. The record documents not only the conclusion but the analytical process, the data sources, the limitations, and the residual risk accepted. This is not bureaucracy — it is the difference between a defensible posture and one that unravels under the first serious question.
Salient One addresses Ukraine reconstruction risk through complementary capabilities: intelligence platforms purpose-built for Ukrainian counterparty assessment, and a practitioner-led advisory practice with in-country presence. They work independently or together — depending on where you are in the engagement cycle.