Review of 2026 ECM/DMS platforms: balancing global standards and Ukrainian QES requirements

A review of ECM/DMS platforms: how to choose a content management system that balances international scalability standards with Ukrainian legal requirements for electronic trust services.

Integrating enterprise systems with state electronic services, such as the "Electronic Court" subsystem, transforms the selection of an ECM platform from a purely internal IT task into a matter of legal security and business continuity. Today, enterprises face a difficult dilemma: whether to implement global platforms that require extensive customization to meet Ukrainian legal requirements, or to choose local solutions whose architecture may not always meet international scalability standards.

The mismatch between global document storage architecture and dynamic national requirements for qualified electronic signatures (QES) often leads to legal vulnerability. If the system architecture does not support reliable certificate status validation, signed documents may become a source of risk during audits or litigation.

ECM selection criteria in 2026: from content management to legal validity

An objective platform selection should be based on the ISO/TR 22957:2018 standard. This document provides guidance on business analysis, vendor selection criteria, and technology implementation in ECM systems throughout their lifecycle. According to this methodology, a system is evaluated based on its ability to flexibly integrate APIs and adapt to changing requirements without compromising the core architecture.

Fundamental principles of records management, regardless of their form or technological environment, are established in the ISO 15489-1:2016 standard. However, for the Ukrainian market, these global requirements must be integrated with the provisions of the Law of Ukraine No. 2155-VIII "On Electronic Identification and Electronic Trust Services." This law defines the legal framework for providing electronic trust services, and compliance with it is critical for any ECM interacting with government bodies. Electronic signature verification must be viewed as a continuous operational requirement rather than a one-time action during setup.

Platform analysis: Megapolis.DocNet, Scriptum, M-Files, OpenText, and SharePoint

To understand the architectural differences, we will examine two categories of systems: solutions from global vendors and platforms developed with the specifics of Ukrainian legislation in mind.

OpenText and M-Files

These solutions are the gold standard in enterprise content management with full support for ISO series standards. They provide global scalability and powerful automation tools. However, in the Ukrainian context, their architecture requires the development of third-party gateways for native support of local QES requirements and their constant updating, which can significantly impact the total cost of ownership (TCO).

SharePoint

Microsoft's platform excels at basic file storage and collaboration tasks. It has deep integration with the corporate ecosystem. At the same time, transforming SharePoint into a full-fledged enterprise-level document management system (DMS) that complies with Ukrainian office management requirements and integrates qualified trust services requires significant custom development and the deployment of additional connectors.

Megapolis.DocNet and Scriptum

These platforms are designed with a focus on combining process flexibility with strict compliance with national requirements. An important architectural feature of Megapolis.DocNet and Scriptum is that they are built on the low-code UnityBase platform. UnityBase is a joint development of the Intecracy Group alliance (where InBase acts as a key, but not the only, developer). Thanks to this technological foundation, the systems have native support for local cryptography and built-in integrations with state services, eliminating the need for third-party "workarounds" for QES verification.

The localization challenge: why global leaders require workarounds for Ukrainian QES

The main barrier to the direct use of foreign platforms in Ukraine is the discrepancy between international cryptographic formats and the local trust services infrastructure. According to Law No. 2155-VIII, ensuring legal validity requires constant integration with trust service providers, including the online service of the Central Certification Authority (CCA) for certificate status validation.

For a global platform, the process of applying and verifying a signature is often implemented through calls to external modules and custom gateways. In cases of mass import or document signing, this slows down system performance and creates additional points of failure. Any change in the requirements for data exchange formats with the CCA will require the company to allocate resources to update these non-standard gateways.

Cyber resilience and compliance: security design based on NIST CSF 2.0 and ISO 15489-1

Given the increasing number of integrations, implementing an ECM system requires cyber resilience controls. A modern benchmark is the voluntary NIST CSF 2.0 framework, which structures cyber risk management through six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Implementing such controls protects stored electronic records from unauthorized access. For example, systems on the UnityBase platform support strict separation of duties (role-based access and record-level security - RLS), as well as end-to-end action auditing, which meets the requirements of the Protect and Detect functions under the NIST methodology. In the commercial UnityBase Enterprise and Defence editions, additional authentication and access control tools are available for systems with high security requirements.

Hybrid approach: how UnityBase combines low-code flexibility with Ukrainian regulatory requirements

An effective solution to the dilemma between international experience and local legislation lies in using a domain metadata-driven architecture. The UnityBase platform combines the data layer, user interface, and API logic into a single model. This allows systems like Megapolis.DocNet to flexibly configure processes while ensuring integration with qualified electronic trust service providers at the server core level.

Specifically, the Defence edition offers integration mechanisms with accredited key certification centers for status validation (CRL and OCSP), which allows signature verification to be performed during document import into the archive as a continuous operational function. Thus, the enterprise receives a stable corporate system that stores documents according to ISO 15489-1 principles while simultaneously guaranteeing their legal force under Ukrainian law.

Comparative matrix of ECM platform compliance with Ukrainian market requirements (2026)

CriterionUS/EU Platforms (OpenText, M-Files, SharePoint)UnityBase Platforms (Megapolis.DocNet, Scriptum)
Ukrainian QES supportRequires third-party integrations, custom development, and constant gateway updates.Native integration, regular updates in accordance with Ministry of Digital Transformation and CCA requirements.
ISO 15489-1 compliance (Records management)Full compliance "out of the box" for global standards.Full compliance, taking into account the specifics of Ukrainian office management.
Cybersecurity and architectureNIST CSF compliance, cloud security, but limited control over local encryption.Built-in security at the UnityBase platform level, support for local cryptographic protection tools.
Process adaptation speed (low-code)High, but license and development costs are calculated for global budgets.Rapid adaptation through visual process modeling at a moderate total cost of ownership.

FAQ

How can I check if a foreign ECM system supports Ukrainian qualified electronic signatures without additional costs?

You should check whether the system can natively interact with Ukrainian trust service providers without developing custom API gateways. Most global solutions require the development of additional integration modules to validate certificates through the Central Certification Authority, which increases implementation costs.

Which requirements of the "On Electronic Identification and Electronic Trust Services" law are critical for corporate archive architecture?

It is critical to ensure the continuous ability to validate certificate statuses during document signing and import. The system must reliably store evidence of signature validity obtained from qualified electronic trust service providers so that the document does not lose its legal force throughout the entire retention period.

Can SharePoint be used as a full-fledged DMS for a large enterprise in Ukraine in 2026?

SharePoint is a reliable platform for collaboration and basic file storage. However, using it as a full-fledged DMS that accounts for Ukrainian office management requirements, state service integration, and QES support requires a significant volume of custom development and maintenance of external connectors.

Data sources

Sources & materials

Materials and sources used in this article.

  1. ISO/TR 22957:2018 Enterprise content management systems — iso.org
  2. ISO 15489-1:2016 Records management — iso.org
  3. Verkhovna Rada of Ukraine: Law of Ukraine On Electronic Identification and Electronic Trust Services — zakon.rada.gov.ua
  4. The NIST Cybersecurity Framework (CSF) 2.0 — nist.gov
  5. Central Certification Authority of Ukraine: Online service for verifying a qualified electronic signature or seal — czo.gov.ua