Ru - Russian
En - English
Cn - Chinese
Search results ${allResultCounter}
${item.name} ${item.count}
${this.additional.title}

Services

Services

Assurance

Assurance

Explore Assurance Audit Services Financial Accounting Advisory Services Sustainability Services Forensics

Consulting, Technology and Transactions

Consulting, Technology and Transactions

Explore Consulting, Technology and Transactions Engineering and Project Management Insurance and Actuarial Solutions M&A and Restructuring Operational Excellence: Finance Operational Excellence: Retail SC&O – Enterprise Asset Management (EAM) Strategy and Business Transformation Supply Chain and Operations Transaction Due Diligence Technology Consulting Services Valuation, Modeling and Economics

Tax, Law, PAS and Business Support

Tax, Law, PAS and Business Support

Explore Tax, Law, PAS and Business Support Indirect Tax International Tax Planning Global Trade and Customs Legal Services Managed Services: Tax and Accounting People Advisory Services Private Client Services Tax Controversy Transaction Tax Transfer Pricing and Operating Model Effectiveness
IPO services

Foreign Desk Organization

Foreign Desk Organization

Explore Foreign Desk Organization China Desk Japan Desk
Academy of Business

Industries

Industries

Energy & Resources
Financial Services
Government & Public Sector
Real Estate, Hospitality & Construction
Transportation
Retail & Consumer Products
Agribusiness & AgriTech
Life Sciences & Pharma
Mining & Metals
Technology, Media & Telecommunications
Advanced Manufacturing & Mobility

Analytics

Analytics

Surveys & Reviews
Tax Messenger
IFRS

Programs

Programs

Women Entrepreneurs and Leaders
Careers

About Us

About Us

About B1 Group
Our Mission and Values
Our Awards
Transparency Reports
Media Center Subscribe Contact Us Locations

Select your language

Ru - Russian
En - English
Cn - Chinese

Select your location

Russia
Belarus
We use cookies to give you the best possible experience with b1.ru. By continuing to browse this website, you are agreeing to our use of cookies. You can disable cookies in your browser settings.
View all publications

Law Messenger

Software localization drivers: foreign sanctions and the domestic ban on foreign software for critical information infrastructure

09.02.2024

Share
Legal Services

We have previously covered restrictions on the provision of software and IT services from the EU to Russia under the 8th and 12th EU packages of sanctions. Some private companies in Russia have addressed the issues of software localization and data migration in advance, while others are now analyzing the changes to regulation and available offers. We recommend taking account of a key Russian regulation that incentivizes the use of local software, both within the activities of government agencies and at important social and industrial facilities.

On 30 March 2022, the President of the Russian Federation adopted Decree No. 166 "On Measures to Ensure Technological Independence and Security of the Critical Information Infrastructure of the Russian Federation" (hereinafter — Decree No. 166), which introduces the following restrictions on the use of foreign software (including as part of software and hardware complexes) (hereinafter — Foreign Software) at critical information infrastructure (hereinafter — CII facilities):

  • Starting from 31 March 2022, customers procuring in accordance with Federal Law No. 223 of 18 July 2011 "On Procurement of Goods, Works and Services by Certain Types of Legal Entities" (hereinafter, "FZ No. 223") (e.g., state corporations, legal entities in which the state holds a stake of more than 50%, natural monopolies) are (i) prohibited from procuring Foreign Software for use at significant CII facilities owned by such customers, and (ii) prohibited from procuring services necessary for the use of Foreign Software at significant CII facilities owned by such customers. This prohibition restricts the possibility of acquiring new Foreign Software, but does not restrict the right to use already acquired Foreign Software.
  • Starting from 1 January 2025, the above-mentioned customers as well as public authorities are prohibited from using Foreign Software at significant CII facilities owned by them. The prohibition implies complete cessation of the use of Foreign Software at the specified facilities, including previously provided/installed ones.

Beyond that, on 1 May 2022, in addition to Decree No. 166, the President of the Russian Federation adopted Decree No. 250 "On Additional Measures to Ensure Information Security of the Russian Federation" (hereinafter, Decree No. 250), under which, as of 1 January 2025, all "CII subjects" are prohibited from using information protection tools whose developers are directly or indirectly linked to "unfriendly" countries.

For violation of the above-mentioned requirements, the official responsible for organizing the creation of a security system for significant CII facilities, as well as the legal entity owning the relevant significant CII facility, may be held administratively liable by the Federal Service for Technical and Export Control of the Russian Federation (hereinafter — FSTEC) in the form of a fine under part 1 of article 13.12.1 of the Administrative Offences Code of the Russian Federation ("Violation of requirements for the creation of security systems for significant CII facilities of the Russian Federation and ensuring their operation or requirements for ensuring their security"). At the moment the fine for an official is up to 50 thousand rubles, and that for a legal entity is up to 100 thousand rubles. At the same time, we cannot rule out the possibility that by 1 January 2025 stricter liability measures will be introduced, as well as special offenses involving the use of Foreign Software at significant CII facilities.

In order to understand the applicability of the provisions of Decree No. 166 and Decree No. 250 in a particular situation, a number of steps must be taken:

1. At first, it is necessary to define the status of a "CII subject".

CII subjects include, in particular, individual entrepreneurs and legal entities that (i) carry out their activities in the areas set forth by Federal Law No. 187-FZ dated 26 July 2017 "On the Security of Critical Information Infrastructure of the Russian Federation" (hereinafter — the CII Law), and (ii) control CII facilities under ownership rights, a lease or otherwise legally.

The areas set forth by the CII Law include healthcare, science, transport, communications, energy, state registration of rights to immovable property and transactions therewith, banking and other financial market areas, the fuel and energy complex, nuclear power, and the defense, space, mining, metallurgy and chemical industries. Accordingly, the restrictions may apply to hospitals, research institutes, universities, public transport and taxis, credit institutions, oil refineries and petrol stations — a very wide range of companies in various industries.

CII facilities include information systems (e.g., programs included in the 1C package), information and telecommunication networks (e.g., local networks, provider equipment), and automated control systems (e.g., numerically controlled machine tools).

2. After the establishment of "CII subject" status, it is necessary to categorize the CII facilities in order to determine which of the CII facilities are significant, since the restrictions under Decree No. 166 relate only to significant CII facilities.

What should be done:

  • Organize and assign responsibility to a special internal commission which should include a CII subject leader or a person thereby authorized, a CII subject employee responsible for information security, and a CII subject employee having access to state secrets, etc. — requirements for members of the commission were set by Government Regulation No. 127 dated 8 February 2018 "On Approval of the Rules for Categorization of Critical Information Infrastructure Facilities of the Russian Federation, as well as the list of indicators of the criteria of significance of critical information infrastructure facilities of the Russian Federation and their values" (hereinafter — Government Regulation No. 127).
  • Collect all the necessary information — compile a list of all CII facilities.
  • Categorize the CII facilities in accordance with the criteria established by Government Regulation No. 127 and thus identify significant CII facilities.
  • Send the outcome of the categorization to FSTEC. If necessary, the comments received from FSTEC should be taken into account.

3. After identifying significant CII facilities, it is necessary to bring personal procurement activity (and information security systems — after the establishment of the status of CII subject) into accordance with the established requirements, and to prepare for the rejection of foreign software and a transition to domestic equivalents. For all CII subjects this relates to "unfriendly" Foreign Software in the field of information security, while for persons carrying out procurement under Federal Law No. 223 and public authorities this relates to the complete rejection of Foreign Software at significant CII facilities.

What comes next

In the near future, companies operating in healthcare, science, transport, communications, energy, state registration of rights to immovable property and transactions therewith, banking and other areas of the financial market, the fuel and energy complex, nuclear power, the defense, space, mining, metallurgy and chemical industries, should pay special attention to identifying their status in accordance with the Law on CII, as well as to categorizing CII facilities and gaining approval of such categorization from FSTEC. Once the list of significant CII facilities has been established, it is necessary to start searching for or ordering the development of domestic programs capable of replacing Foreign Software.

The B1 team is ready to provide support on various issues related to determining whether our clients are categorized as CII subjects, to provide technical and legal support to the organization, and to carry out the procedure for categorization of CII facilities, including initial preparation of the position before interacting with authorized bodies, as well as to prepare agreements accompanying the transformation.

AUTHORS

  • Natalia Aristova, Partner, Legal Services
  • Anton Sidnin, Senior Associate, Legal Services
  • Dmitry Korovin, Senior, Legal Services
OTHER PUBLICATIONS
View all
New sector-specific rules adopted for categorizing critical information infrastructure in financial services

New sector-specific rules adopted for categorizing critical information infrastructure in financial services

On 6 February 2026, the Russian Government adopted Decree No. 92, establishing sector-specific rules for categorizing critical information infrastructure (CII) in the banking sector and other segments of the financial market. The new regulation, which entered into force on 15 February 2026, requires CII entities to take immediate compliance actions.

11.02.2026

Extended producer responsibility (EPR): what has changed since 1 January 2026 and how it affects businesses

Extended producer responsibility (EPR): what has changed since 1 January 2026 and how it affects businesses

Federal Law No. 495-FZ of 28 December 2025 “On Amendments to Article 29¹ of the Federal Law ‘On Production and Consumption Waste’ and Certain Legislative Acts of the Russian Federation” (“Law No. 495-FZ”) was enacted on 31 December 2025 to introduce the new EPR transition timeline for importers from non-EAEU countries.

14.01.2026

New U.S. sanctions

New U.S. sanctions

On 22 October 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a press release announcing the imposition of new sanctions against Russia. Below is an overview of the new restrictions and licenses.

27.10.2025

Changes in the regulation of the security of critical information infrastructure (CII)

Changes in the regulation of the security of critical information infrastructure (CII)

In 2025, Federal Law No. 187-FZ “On the Security of Critical Information Infrastructure of the Russian Federation” dated 26 July 2017 was significantly amended to strengthen CII technology independence and security. The amendments, introduced by Federal Law No. 58-FZ dated 7 April 2025 (effective 1 September 2025) and Federal Law No. 325-FZ dated 31 July 2025 (effective 1 March 2026), determine CII entities and establish new obligations for them. We highlight the key developments that require companies to promptly adapt their approaches to categorizing CII facilities and building the software mix.

20.10.2025

Overview of potential restrictions resulting from the 19th EU sanctions package

Overview of potential restrictions resulting from the 19th EU sanctions package

On 19 September 2025 the European Commission presented member states of the European Union with proposals for a 19th package of sanctions against Russia. At the time of writing the package has not yet been approved by the EU Council and its scope and content remain under discussion. Below is a brief summary of the proposed measures based on public statements made by the EU Commission and individual EU officials as well as information available in the mass media as of 7 October.

07.10.2025

Changes to the rules for the distribution of audiovisual works in Russia: new requirements and restrictions

Changes to the rules for the distribution of audiovisual works in Russia: new requirements and restrictions

On 31 July 2025 a new federal law was published which amends the rules for the issuance and revocation of distribution certificates1 for audiovisual works and may have a major impact on the activities of owners of streaming services and social networks in Russia. The changes will come into force on 1 March 2026.

28.08.2025