We suggest reviewing the changes in the legislation on the security of CII that entered into force in 2025, as well as new initiatives that are planned to be considered and/or come into force in 2026.
1. On September 01, 2025, Federal Law No. 58-FZ dated 04/07/2025 "On Amendments to the Federal Law 'On the Security of Critical Information Infrastructure of the Russian Federation'" [1] (hereinafter referred to as "Law No. 58") entered into force, aimed at strengthening technological independence and improving the security of CII. Law No. 58 excludes individual entrepreneurs from the list of CII subjects and expands the powers of the Government of the Russian Federation in regulating the security of CII; the Government now has the right to establish:
- the procedure for monitoring how CII subjects perform their duties regarding the use of domestic software and hardware-software systems;
- a single list of typical industrial CII facilities, including types of information systems, information and telecommunication networks, automated control systems with a sign of significance;
- industry-specific features of the categorization of CII objects, which include, among other things, industry-specific signs of the significance of CII objects and the procedure for calculating the values of indicators of significance criteria;
- the procedure and timing of the transition to Russian software and related hardware-software systems at significant CII facilities;
- requirements for the software and hardware to be used on the device.
The responsibilities of the subjects of the CII in the field of detection, prevention and elimination of the consequences of computer attacks on the information resources of the Russian Federation are supplemented and include requirements on:
- the use of software included in the register of Russian software, which is used in GIS and other information systems of government agencies, unitary enterprises, and institutions that comply with information protection requirements;
- implementation of continuous interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation.
A) On September 01, 2025, the amended procedure for maintaining the significant CII facilities registry came into force [2].
Under the amended procedure, each significant CII object included in the registry is assigned a registration number in a stricter format: XXXXXX/X/XX/X. The groups of the new registration number are read as follows:
- the first 6 digits, from 000001 to 999999, are the serial number of the CII object in the registry;
- the next digit, from 1 to 8, is the federal district in which the CII facility is located;
- the next group of characters contains a number from 01 to 14, the sphere (area) of activity of the CII subject to which the CII object belongs;
- the last group contains a capital letter "A", "B" or "C" and means the type of CII object ("A" – information system (hereinafter – IS), "B" – automated process control system, "C" – information and telecommunication network).

Information from the register is subject to monthly transfer to government agencies and Russian legal entities authorized to develop/implement state policy in the relevant field.
B) Starting from September 01, 2025, information on the results of assigning categories to CII facilities must be sent in a new form [3].
On July 11, 2025, FSTEC Order No. 247 was signed "On Amendments to the Form for Sending Information on the Results of Assigning an Object of Critical Information Infrastructure One of the Categories of Importance or on the Absence of the Need to Assign It One of Such Categories, approved by Order No. 236 of the FSTEC of Russia dated December 22, 2017" (hereinafter referred to as "Order No. 247"), which entered into force on September 1, 2025. Order No. 247 amended the existing form for sending information on the results of assigning a CII object to one of the categories of significance or on the absence of the need to assign a category. The form is supplemented with a field indicating the name of a typical CII industry facility (according to the lists established by the Government of the Russian Federation), as well as the domain name and external network address of the information resources involved.
The Order also clarifies the wording on the subject's field of activity, the description of the element/component of the object (data center, server equipment, etc.), the composition of the software, and details the requirements for describing the security measures used, specifying the details of the certificates or justifying their absence.
A) Starting from March 1, 2026, FSTEC of Russia Order No. 17 dated 02/11/2013 "On Approval of Requirements for the Protection of Information Not Constituting a State Secret Contained in State Information Systems" will cease to be in force in connection with the issuance of FSTEC Order No. 117 dated April 11, 2025 "On Approval of Requirements for the Protection of Information Contained in State Information Systems and Other Information Systems of Government Agencies, State Unitary Enterprises, and Government Agencies" (hereinafter referred to as "Order No. 117") [4].
Order No. 117 establishes updated requirements for the protection of information processed in information systems, including CII facilities, as well as new approaches to organizational and technical protection measures and focuses on the use of trusted solutions and information security tools. The area of responsibility for the transfer of restricted access information from GIS to other information systems is also being clarified. The composition of the transmitted information of limited access, the purpose of its protection and the level of security should be established by the owner of the information, the customer who signed the contract for the creation of information systems, the operator of information systems. Information protection in the Russian Federation must be carried out in accordance with the legislation and Requirements adopted on the basis of Federal Law No. 187-FZ dated July 26, 2017.
When creating GIS, a threat model is required for NOKIA according to Government Decree No. 676 dated 07/06/2015. It serves as the basis for protection measures and the choice of information security tools. The operator identifies, prioritizes and neutralizes threats using the FSTEC threat database. For non-governmental information systems, the decision on the threat model is made by the head. Certificates issued before 03/01/2026 remain valid.
It has also been added that users can use personal mobile devices to access information systems and the information contained therein in order to perform their duties (functions) if they meet the requirements and if the operator (information holder) has the ability to control the use of such devices.
Order No. 117 highlights measures to ensure information protection during wireless user access to information systems and stipulates that privileged access should be carried out using strict authentication, and in case of technical impossibility of using strict authentication, using enhanced multifactor authentication. Moreover, Order No. 117 moves away from the "rigid" lists of measures by security class, as measures are now selected and verified for the architecture and current threats. The FSTEC plans to submit a detailed list of measures in a separate document.
The draft on new fines for violating the rules of operation of the CII facility or access to it has been sent to the State Duma [5].
On November 18, 2025, a new draft law introducing amendments to the Code of Administrative Offenses of the Russian Federation (hereinafter referred to as the "Administrative Code of the Russian Federation") was registered and sent to the Chairman of the State Duma. It is proposed to introduce a new article 13.12.2 of the Administrative Code of the Russian Federation, which provides for liability for violation of the rules of operation of CII facilities.
Liability is provided for violation of the rules for the operation of the following facilities:
- means of storing, processing, or transmitting protected computer information contained in the CII;
- information systems;
- information and telecommunication networks;
- automated control systems;
- telecommunication networks related to CII.
The legislator proposes the introduction of the following fines for the commission of this act:
- for citizens: from 5 to 10 thousand rubles;
- for officials: from 10 to 50 thousand rubles;
- for legal entities: from 100 to 500 thousand rubles.
The explanatory note to this draft law states that this provision is being introduced "in order to eliminate the risk of a drain of staff from government authorities and subordinate organizations," i.e. in relation to persons who ensure the operation and functioning of CII facilities in the Russian Federation, as well as users of CII facilities, for example, medical workers.
Starting from March 1, 2026, it is planned to launch a new antifraud platform of the Ministry of Digital [6].
Federal Law No. 41-FZ of April 1, 2025 establishes uniform regulations for combating telephone and Internet fraud, including the creation of GIS to counter offenses committed using information and communication technologies.
Government agencies (the Prosecutor General's Office, the Investigative Committee, the Ministry of Internal Affairs), the Central Bank and banks, telecom operators, owners of social networks and ad placement services, hosting providers and others will participate in this platform. The functions of the anti-fraud platform include collecting and exchanging data on cyberbullying, automatically exchanging suspicious event alerts, storing information about violators and the numbers they use, detecting phishing resources, restricting access to fraudulent sites, and collecting statistics and analytics.
The details of the creation, operation and interaction of the system's participants are determined by the Draft Government Decree "On the State Information System for Countering Offenses committed using Information and Communication Technologies." It also clarifies the functions of the platform, the list of participants (government agencies, banks, telecom operators, marketplaces, classifieds, etc.), as well as the requirements for software and hardware.
Starting from March 1, 2026, MFIs are required to authenticate customers using biometrics.
Starting from March 1, 2026, microfinance organizations (MFIs) in Russia are required to introduce biometric identification of borrowers when concluding consumer loan agreements in electronic form. This requirement is stipulated in Federal Law No. 41-FZ "On the Creation of a State Information System for Countering Offenses Committed using Information and Communication Technologies." MFIs are also required to interact with ASOI FinCERT, Roskomnadzor systems, the registry of prohibited sites, SMEV and other information resources. Thus, MFIs will not be able to use a simplified authentication system to conclude contracts.
[2] Order No. 254 of the Federal Service for Technical and Export Control dated 07/17/2025 "On Amendments to the Procedure for Maintaining the Register of Significant Objects of the Critical Information Infrastructure of the Russian Federation, approved by Order No. 227 of the FSTEC of Russia dated December 6, 2017"
[3] Order No. 247 of the Federal Service for Technical and Export Control dated July 11, 2025 "On Amendments to the Form for Sending Information on the Results of Assigning a Critical Information Infrastructure Facility One of the Categories of Significance or on the Absence of the Need to Assign It One of Such Categories, approved by FSTEC Order No. 236 dated December 22, 2017"
[4] FSTEC Order No. 117 dated April 11, 2025 "On Approval of Requirements for the Protection of Information Contained in State Information Systems and Other Information Systems of Government Agencies, State Unitary Enterprises, and Government Agencies"
[5] Draft Law No. 1071997-8 "On Amendments to the Code of Administrative Offences of the Russian Federation"
[6] Federal Law No. 41-FZ dated 04/01/2025 "On the Creation of a State Information System for Countering Offenses Committed using Information and Communication Technologies and on Amendments to Certain Legislative Acts of the Russian Federation"