Changes in the regulation of the security of critical information infrastructure (CII)

Effective 1 September 2025, CII entities are generally only those legal entities and government authorities that operate in designated areas and own CII facilities. According to the amendments, individual entrepreneurs cannot be included in this category.

Notably, the amendments that entered into force on 1 September 2025 apply certain obligations (e.g., reporting cyberattacks and incidents, installing detection tools, interacting with the state system for detecting, preventing and mitigating the consequences of cyberattacks (“GosSOPKA”)) to Russian legal entities that are controlled by the Russian Federation or its constituent entities and are not CII entities per se. This requirement is potentially applicable to a wide range of companies – at least to all entities subject to Federal Law No. 44-FZ and Federal Law No. 223-FZ, and to assets managed by the Federal Agency for State Property Management (with the number of such assets growing due to the wider application of Article 169 of the Civil Code in claims filed by the General Prosecutor’s Office).

Effective 1 September 2025, the Russian Government is authorized to approve the lists of standard sector-specific CII facilities[1] and sector-specific features for categorizing CII facilities[2]. This amendment may result in a revision and further expansion of the range of legal entities that are considered CII entities.

Effective 1 September 2025, CII entities are obliged to continuously interact with GosSOPKA, including installing tools to detect computer attacks and incidents (in particular, to identify signs of such attacks) and reporting such incidents to the authorized body.

In addition, effective 1 September 2025, the CII Law requires that CII entities’ significant facilities use the software included in the Unified Register of Russian Software for Computers and Databases[3]. It is also stipulated that the Russian Government will establish requirements for hardware and software tools in its regulations. The transition to such hardware and software tools must be made in the manner and within the time limits established by authorized bodies (no relevant regulations have been adopted so far).

Effective 1 March 2026, companies will have an alternative option for fulfilling this obligation by using software included in the currently non-existing list of Russian software for computers and databases developed and used for own needs by Russian legal entities[4]. To include software in this list, evidence will have to be provided that the software is owned by a Russian rights holder (subject to the requirements for control of rights holders by Russian entities). In addition, the software must not constitute a state secret.

It should be kept in mind that a violation of the CII Law may expose legal entities and their officers to administrative liability, with a fine of up to RUB 500,000 for legal entities and up to RUB 50,000 for their officers. Moreover, if a violation caused damage to CII, the officers at fault may be subject to criminal prosecution, with imprisonment for up to five years and a fine of up to RUB 1,000,000.