New sector-specific rules adopted for categorizing critical information infrastructure in financial services

Under the Decree, the sector-specific categorization rules apply to the following financial market participants: 

• Government authorities and/or legal entities exercising functions or powers in the banking sector and other segments of the financial market (including their subordinate organizations);
• Credit institutions;
• Non-credit financial institutions;
• Participants in the national payment system; and
• Providers of professional services in the financial market,

provided that they own, lease, or otherwise lawfully possess information systems, information and telecommunications networks, or automated control systems (collectively, “IT systems”) that support the performance of their functions as CII entities in the financial market.

The adoption of sector-specific categorization rules automatically triggers the need to revisit prior categorization decisions—either confirming the assignment of a significance category or reassessing whether such categorization is required[2].

If an IT system is recognized as a CII facility, the company must implement a comprehensive set of measures designed to ensure its security.

In addition, as of 1 September 2025, CII entities are required to maintain continuous interaction with the State System for Detection, Prevention and Elimination of Consequences of Computer Attacks (GosSOPKA). This includes installing technical tools for detecting computer attacks and incidents (in particular, tools for identifying indicators of compromise), and reporting detected incidents to the authorized state body. 

Furthermore, CII entities must use domestic software at designated significant CII facilities.

According to the Decree, the determination of whether an IT system constitutes a CII facility must be based on the following criteria: 

1. List of typical sector-specific CII facilities. A draft list is currently under review by the Russian Government[3]. The list includes, inter alia, the following systems:
   • Remote banking service systems
   • Automated banking systems
   • Transaction processing systems
   • Financial transaction recording systems
   • Client account management systems of non-state pension funds and microfinance organizations
   • Insurance contract, payment, claims and reinsurance accounting systems
   • Credit information systems responsible for collection, processing, storage and provision of credit data  
2. Government-approved significance criteria[4]

Importantly, an IT system may qualify as a CII facility even if operates in another sector,  provided that it supports the company’s activities in the financial market. Accordingly, the categorization exercise must take into account not only lists of typical CII facilities applicable to the financial market, but also those relevant to other sectors.

The adoption of sector-specific rules means that companies qualifying as CII entities must complete a number of formal compliance steps. 

In particular, they are required to: 

1. Establish a categorization commission, comprising the head of the CII entity, experts in IT, telecommunications, process/industrial safety and information security, and other relevant personnel as necessary
2. Identify CII facilities and assign them an appropriate significance category in accordance with the Government-approved significance criteria and the newly adopted sector-specific rules  
3. Submit to the Federal Service for Technical and Export Control (FSTEC of Russia) the formal report adopted by the categorization commission 

Failure to comply with the requirements of the CII Law may result in administrative liability for legal entities and their officers, including administrative fines up to RUB 500,000 for legal entities and up to RUB 50,000 for individual officers. 

In cases where non-compliance causes actual damage to CII, responsible officers may also face criminal liability, including imprisonment for up to five years and a criminal fine of up to RUB 1,000,000.

In the coming months, companies should prioritize the following measures: 

• Assess whether they qualify as CII entities
• Conduct CII categorization in accordance with the updated lists of typical CII facilities and the newly adopted sector-specific rules
• Transition to domestically developed software and hardware solutions 

Given the current uncertainty surrounding transition periods, we recommend proactively planning compliance measures—such as migrating to Russian-hosted services or preparing documentation required for registration of domestic software and databases in the relevant state registers and lists.

The B1 team is ready to assist clients with:

• Determining their status as CII entities
• Legal advisory throughout the CII categorization process, including helping the company prepare its position for discussions with regulatory authorities
• Ongoing compliance monitoring
• End-to-end support for migration to domestic software solutions, including preparation of all necessary documentation