RussiaPresidential Decree No. 166 of 30.03.2022 — On Measures to Ensure Technological Independence and Security of the Critical Information Infrastructure of the Russian Federation
Executive Summary
Presidential Decree No. 166, signed on March 30, 2022, is one of the cornerstone regulatory acts defining Russia's import substitution policy in the field of information technology for critical information infrastructure (CII) facilities. The document was issued amid unprecedented Western sanctions against Russia and the mass withdrawal of foreign IT vendors from the Russian market, which created direct threats to the functioning of critical information systems across key sectors of the economy.
The Decree establishes two fundamental restrictions: an immediate ban on the procurement of foreign software for significant CII facilities without prior approval from an authorized government body (effective March 31, 2022), and a complete ban on the use of foreign software at such facilities (effective January 1, 2025). Beyond software, the document mandates a comprehensive transition to domestic radio-electronic products and telecommunications equipment, making it one of the most sweeping acts in the sphere of technological sovereignty.
The Decree applies to a broad range of entities: government authorities, state corporations, state-owned enterprises, and other procuring entities operating under Federal Law No. 223-FZ. In practice, its scope extends to all major enterprises across key economic sectors — energy, transportation, telecommunications, finance, the defense industry, and healthcare — thereby reshaping the entire IT procurement landscape for critical infrastructure.
Key Provisions
-
Ban on procurement of foreign software (from March 31, 2022): Procuring entities, except for organizations with municipal participation, are prohibited from purchasing foreign software for use at significant CII facilities without prior approval from the authorized federal executive body or the Central Bank of Russia. The ban also covers procurement of services required for the operation of such software.
-
Complete ban on use of foreign software (from January 1, 2025): Government authorities and procuring entities are prohibited from using foreign software at their significant CII facilities, unless otherwise provided by federal law. This provision was clarified by amendments of April 7, 2025.
-
Software requirements: The Government was instructed to approve, within one month, requirements for software used at significant CII facilities, as well as rules for coordinating purchases of foreign software.
-
Transition to domestic equipment: Within six months, the Government was required to implement a set of measures ensuring the preferential use of domestic radio-electronic products and telecommunications equipment at significant CII facilities.
-
Establishment of a scientific-industrial association: The Decree provides for the creation of a specialized entity focused on the development, production, technical support, and servicing of trusted software and hardware systems for CII.
-
Personnel training: Organization of training and retraining programs for specialists in the development, production, and maintenance of domestic equipment and software.
-
Monitoring system: Creation of a monitoring and oversight system to track compliance with the Decree's requirements.
Goals and Timelines
| Deadline | Measure |
|---|---|
| March 31, 2022 | Entry into force of the ban on procurement of foreign software without approval |
| April 30, 2022 | Government approval of software requirements and procurement coordination rules |
| September 30, 2022 | Implementation of measures for transition to domestic equipment |
| January 1, 2025 | Complete ban on the use of foreign software at significant CII facilities |
Specific quantitative KPIs are not established in the Decree itself, but the implied target is 100% substitution of foreign software at significant CII facilities by January 1, 2025. The Government was delegated the authority to determine specific timelines and procedures for the transition to trusted software and hardware systems.
Implementation Mechanisms
Responsible bodies: Primary responsibility for implementation is assigned to the Government of the Russian Federation. The authorized federal executive body (the Ministry of Digital Development) and the Central Bank of Russia coordinate the approval of foreign software procurement within their respective jurisdictions.
Approval procedure: For cases where replacement of foreign software is objectively impossible, an approval procedure is provided through the authorized body. This creates a controlled exceptions mechanism that prevents a complete shutdown of CII operations while maintaining oversight.
Compliance oversight: The Government ensures oversight of procuring entities' compliance with the procurement coordination rules and the ban on using foreign software. A dedicated monitoring system has been established.
Financing: The Decree does not specify particular financing mechanisms, but implementation has drawn upon federal budget funds allocated for digital transformation and import substitution programs, as well as the CII entities' own resources.
Legislative support: The Government was instructed to amend legislation in accordance with the Decree, which led to the adoption of several subordinate regulatory acts and government resolutions providing detailed implementation rules.
Industry Impact
Decree No. 166 has had a profound transformative effect on the Russian IT market. It effectively closed the CII market to foreign vendors and created guaranteed demand for Russian software, stimulating investment in domestic development.
Positive effects: Significant growth of the domestic software registry, acceleration in the development of Russian alternatives to foreign solutions (operating systems, DBMS, office suites, ERP systems, information security tools). Increased revenue for Russian IT companies engaged in system and application software development. Stimulation of ecosystem creation for compatible domestic products.
Challenges and issues: Many CII operators faced objective impossibility of replacing mission-critical systems within the established deadlines, particularly in the area of industrial software (SCADA, process control systems) and specialized industry solutions. This required mass applications for approval to continue using foreign software. Concerns arose regarding the quality and maturity of some domestic replacement solutions, as well as compatibility of Russian software with existing infrastructure.
Investment climate: The Decree strengthened the trend toward localization of IT development in Russia and attracted investor attention to the import substitution segment. Simultaneously, it created uncertainty for international technology partnerships and complicated operations for companies using hybrid solutions. The established deadlines created urgency that drove rapid market restructuring.
Amendment History
-
November 22, 2023 (Decree No. 887): Amendment to subparagraph "a" of paragraph 1 — exclusion of organizations with municipal participation from the procuring entities subject to the procurement approval requirement.
-
April 7, 2025 (Decree No. 214): Amendment to subparagraph "b" of paragraph 1 — clarification of the complete ban on using foreign software with the caveat "unless otherwise established by federal law," creating a legal basis for targeted exceptions at the legislative level.
Related Documents
- Federal Law No. 187-FZ of July 26, 2017 "On the Security of the Critical Information Infrastructure of the Russian Federation" — the foundational law defining CII, significant CII facilities, and CII entities.
- Federal Law No. 223-FZ of July 18, 2011 "On Procurement of Goods, Works, and Services by Certain Types of Legal Entities" — the law regulating procurement activities of entities subject to the Decree.
- Information Security Doctrine of the Russian Federation (Decree No. 646 of December 5, 2016) — a strategic document defining approaches to information security, including reduction of dependence on foreign technologies.
- Strategy for the Development of the Information Society in the Russian Federation for 2017-2030 (Decree No. 203 of May 9, 2017) — a strategy providing for the creation of Russian IT solutions and replacement of imported equipment and software.
- Strategy for the Development of the IT Industry in the Russian Federation for 2014-2020 and Beyond to 2025 — a document laying the groundwork for state policy supporting domestic IT development.