Executive Summary
Federal Law No. 187-FZ "On the Security of Critical Information Infrastructure of the Russian Federation," dated July 26, 2017, is the primary legislative act regulating relations in the field of critical information infrastructure (CII) security in Russia. The law was adopted by the State Duma on July 12, 2017, approved by the Federation Council on July 19, 2017, and entered into force on January 1, 2018.
The law establishes the legal framework for protecting information systems, telecommunications networks, and automated control systems operating in strategically important economic sectors: healthcare, science, transport, communications, energy, banking, the fuel and energy complex, nuclear energy, defense, aerospace, mining, metallurgical, and chemical industries. The document creates the State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks (GosSOPKA) and defines the categorization procedure for CII objects.
The law undergoes regular updates; the most recent major amendments were introduced by Federal Law No. 58-FZ of April 7, 2025 (effective September 1, 2025), which significantly expand the obligations of CII entities, including requirements for software and hardware import substitution.
Key Provisions
- CII definition. Critical information infrastructure encompasses CII objects (information systems, telecommunications networks, automated control systems) and telecommunications networks used for their interconnection. CII entities are government bodies and Russian legal entities that own these objects.
- Object categorization. Three significance categories are established (first, second, third), assigned based on criteria of social, political, economic, and ecological significance and of significance for national defense.
- GosSOPKA. The State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks is a unified geographically distributed complex of forces and means for detecting, preventing, and responding to computer incidents.
- National Computer Incident Coordination Center (NCCC). An organization under the authorized federal executive body that coordinates CII entities' activities on cybersecurity matters.
- Registry of significant CII objects. The federal authority maintains a registry containing information on significant objects: name, network addresses, significance category, software data, and applied security measures.
- Import substitution (from 2025). Significant CII objects must use software listed in the unified registry of Russian programs. The Government establishes the procedure and timeline for transition, as well as hardware-software requirements.
- Continuous interaction with GosSOPKA. From September 1, 2025, CII entities owning significant objects are required to maintain continuous interaction with GosSOPKA.
Goals and Timelines
| Event / Requirement | Date |
|---|---|
| Law entered into force | January 1, 2018 |
| CII object categorization | Ongoing; reviewed upon object or organizational changes |
| Scheduled inspections | Every 3 years from registry inclusion |
| Unscheduled inspections | Upon incidents, non-compliance, or Presidential/Government order |
| Software import substitution requirements | September 1, 2025 |
| Hardware-software requirements | September 1, 2025 |
| Continuous GosSOPKA interaction | September 1, 2025 |
| Extended obligations for government entities | September 1, 2025 |
CII entities must submit categorization results to FSTEC within 10 days; review takes 30 days; correction period is 10 days if deficiencies are identified.
Implementation Mechanisms
- The President of the Russian Federation determines policy directions, authorized bodies, and the procedure for establishing GosSOPKA.
- The Government of the Russian Federation establishes significance criteria indicators, categorization procedures, standard sectoral CII object lists, sectoral categorization specifics, hardware-software requirements, and import substitution monitoring procedures.
- FSTEC of Russia (authorized body for CII security): maintains the registry, approves security requirements, conducts state control, and issues compliance orders.
- FSB of Russia (authorized body for GosSOPKA operations): creates the NCCC, coordinates attack detection and response, determines information lists for GosSOPKA, and organizes the installation of detection tools.
- The Central Bank of Russia participates in approving requirements for the banking sector and financial markets.
- CII entities are obligated to: categorize objects, create security systems, immediately report incidents, respond to attacks, ensure access for inspections, and use Russian software.
Industry Impact
Law 187-FZ has had a fundamental impact on the Russian IT market and the information security market. It created an extensive market for cybersecurity services and products, as thousands of organizations in strategic sectors are required to comply with CII protection requirements.
For IT companies, the law has created significant business opportunities: development of attack detection and prevention tools, system integration, security auditing, and categorization consulting. Simultaneously, the law has become a driver of import substitution in the IT sector -- from 2025, significant CII objects must use Russian software from the unified registry, stimulating the growth of domestic developers of operating systems, DBMS, office software, and specialized applications.
For the investment climate, the law creates a dual effect: on one hand, it raises the level of cybersecurity and trust in digital infrastructure; on the other, it increases compliance costs for organizations and restricts the use of foreign solutions, which may affect the competitiveness of individual companies.
The 2025 expansion of the law's scope to cover information resources of government bodies and organizations under state control significantly increases the number of regulated entities and the overall cybersecurity market volume.
Amendment History
- July 26, 2017 -- Adoption of Federal Law No. 187-FZ.
- January 1, 2018 -- Entry into force.
- April 7, 2025 -- Federal Law No. 58-FZ introduces major amendments (effective September 1, 2025):
  - Expanded definition of CII entities.
  - Introduction of standard sectoral CII object lists.
  - Establishment of sectoral categorization specifics.
  - Hardware-software requirements for significant objects introduced.
  - Transition procedure to domestic software established.
  - Mandatory continuous interaction with GosSOPKA introduced.
  - Extended obligations for heads of government bodies and state-controlled organizations.
Related Documents
- Presidential Decree "On CII Security" -- defines authorized bodies and the procedure for establishing GosSOPKA.
- Government Decrees on significance criteria, categorization procedures, and state control.
- FSTEC Orders -- security requirements for significant CII objects (Orders No. 235, 239).
- Federal Law "On Information, Information Technologies, and Information Protection" (No. 149-FZ) -- unified registry of Russian programs.
- Federal Law "On Communications" (No. 126-FZ) -- specifics of application to public communication networks.
- Presidential Decree on AI Development (No. 490) -- trusted AI technologies for CII entities.
- Presidential Decree of March 30, 2022, No. 166 -- measures to ensure technological independence and CII security.