New Requirements for the Information Security

Presidential Decree of the 1^st of May 2022 No. 250 “On additional measures of providing information security in Russia” (the Decree) introduced new requirements for the information security of Russian resources.

The Decree applies to the following organizations:

• Federal executive authorities and senior executive authorities of Russia’s constituents
• Government funds, corporations and other entities, created on the basis of federal laws
• Strategic enterprises and strategic join-stock companies¹
• Systemically important organizations of Russian economy²
• Legal entities, which are the subjects of critical information infrastructure³

To comply with the Decree’s requirements the organizations shall:

• authorize the deputy director to maintain the information security and response to cyberattacks
• establish a subdivision for information security and response to cyberattacks
• involve contractors, which are licensed to carry out technical activities on confidential information protection, if the participation of such contractors is required to ensure information security
• involve accredited government system centers of detection, prevention and liquidation of cyberattack consequences (GovSDCC), if the participation of such centers is required to ensure a successful cyberattack response
• provide governmental officials with an unlimited access to information resources for the thier safety monitoring and insurance of the organizations’ compliance to the orders of Security Service. Also, the access shall be granted to the Internet information resources, which is used by the organizations
• stop using of information protection resources that were created in the unfriendly foreign countries staring from the 1^st of January 2025.

The Decree also includes provisions on personal liability on the CEO of the organizations for information security and cyberattack response in such organizations.

In connection with the new requirements, the Russian Government is going to approvethe following documents till the 1^st of June 2022:

• model provision on subdivision providing the information security and cyberattack response
• model provision on the organization’s deputy director
• list of organizations which shall evaluate their level of information security and provide a relevant report to the Russian Government before the 1^st of June 2022

Thus, the aforementioned changes will likely positively influence the Russian system of information security, decrease risks of personal data leaks and prevent temporary termination in activity of organizations, connected with information infrastructure.

¹Presidential Decree of the 4th of August 2004 No. 1009 “On the approval of the registry of strategic enterprises and strategic join-stock companies”
²Relevant registry of systemically important organizations of Russian economy is available in the lists of subject ministries.
³para. 8 art. 2 of Federal law of the 26^th of June 2017 No. 187-FL “On security of Russia’s critical information infrastructure”.