Software localization drivers: foreign sanctions and the domestic ban on foreign software for critical information infrastructure

9 February 2024
Law Messenger
We have previously covered restrictions on the provision of software and IT services from the EU to Russia under the 8th and 12th EU packages of sanctions. Some private companies in Russia have addressed the issues of software localization and data migration in advance, while others are now analyzing the changes to regulation and available offers. We recommend taking account of a key Russian regulation that incentivizes the use of local software, both within the activities of government agencies and at important social and industrial facilities.

On 30 March 2022, the President of the Russian Federation adopted Decree No. 166 "On Measures to Ensure Technological Independence and Security of the Critical Information Infrastructure of the Russian Federation" (hereinafter, Decree No. 166), which introduces the following restrictions on the use of foreign software (including as part of software and hardware complexes) (hereinafter, Foreign Software) at critical information infrastructure facilities (hereinafter, CII facilities):

  • Starting from 31 March 2022, customers procuring in accordance with Federal Law No. 223 of 18 July 2011 "On Procurement of Goods, Works and Services by Certain Types of Legal Entities" (hereinafter, "FZ No. 223") (e.g., state corporations, legal entities in which the state holds a stake of more than 50%, natural monopolies) are (i) prohibited from procuring Foreign Software for use at significant CII facilities owned by such customers, and (ii) prohibited from procuring services necessary for the use of Foreign Software at significant CII facilities owned by such customers. This prohibition restricts the possibility of acquiring new Foreign Software, but does not restrict the right to use already acquired Foreign Software.
  • Starting from 1 January 2025, the above-mentioned customers as well as public authorities are prohibited from using Foreign Software at significant CII facilities owned by them. The prohibition implies complete cessation of the use of Foreign Software at the specified facilities, including software that was previously supplied or installed.

In addition to Decree No. 166, on 1 May 2022 the President of the Russian Federation adopted Decree No. 250 "On Additional Measures to Ensure Information Security of the Russian Federation" (hereinafter, Decree No. 250), under which, as of 1 January 2025, all "CII subjects" are prohibited from using information protection tools whose developers are directly or indirectly linked to "unfriendly" countries.

For violation of the above-mentioned requirements, the official responsible for organizing the creation of a security system for significant CII facilities, as well as the legal entity owning the relevant significant CII facility, may be held administratively liable by the Federal Service for Technical and Export Control of the Russian Federation (hereinafter — FSTEC) in the form of a fine under part 1 of article 13.12.1 of the Administrative Offences Code of the Russian Federation ("Violation of requirements for the creation of security systems for significant CII facilities of the Russian Federation and ensuring their operation or requirements for ensuring their security"). At the moment the fine for an official is up to 50 thousand roubles, and that for a legal entity is up to 100 thousand roubles. At the same time, we cannot rule out the possibility that by 1 January 2025 stricter liability measures will be introduced, as well as special offenses involving the use of Foreign Software at significant CII facilities.

In order to understand the applicability of the provisions of Decree No. 166 and Decree No. 250 in a particular situation, a number of steps must be taken:

1. First, it is necessary to determine whether the entity has the status of a "CII subject".

CII subjects include, in particular, individual entrepreneurs and legal entities that (i) carry out their activities in the areas set forth by Federal Law No. 187-FZ dated 26 July 2017 "On the Security of Critical Information Infrastructure of the Russian Federation" (hereinafter — the CII Law), and (ii) control CII facilities under ownership rights, a lease or otherwise legally.

The areas set forth by the CII Law include healthcare, science, transport, communications, energy, state registration of rights to immovable property and transactions therewith, banking and other financial market areas, the fuel and energy complex, nuclear power, and the defense, space, mining, metallurgy and chemical industries. Accordingly, the restrictions may apply to hospitals, research institutes, universities, public transport and taxis, credit institutions, oil refineries and petrol stations — a very wide range of companies in various industries.

CII facilities include information systems (e.g., programs included in the 1C package), information and telecommunication networks (e.g., local networks, provider equipment), and automated control systems (e.g., numerically controlled machine tools).

2. After the establishment of "CII subject" status, it is necessary to categorize the CII facilities in order to determine which of the CII facilities are significant, since the restrictions under Decree No. 166 relate only to significant CII facilities.

What should be done:

  • Organize and assign responsibility to a special internal commission which should include a CII subject leader or a person thereby authorized, a CII subject employee responsible for information security, and a CII subject employee having access to state secrets, etc. — requirements for members of the commission were set by Government Regulation No. 127 dated 8 February 2018 "On Approval of the Rules for Categorization of Critical Information Infrastructure Facilities of the Russian Federation, as well as the list of indicators of the criteria of significance of critical information infrastructure facilities of the Russian Federation and their values" (hereinafter — Government Regulation No. 127).
  • Collect all the necessary information — compile a list of all CII facilities.
  • Categorize the CII facilities in accordance with the criteria established by Government Regulation No. 127 and thus identify significant CII facilities.
  • Send the outcome of the categorization to FSTEC. If necessary, the comments received from FSTEC should be taken into account.

3. After identifying significant CII facilities, it is necessary to bring the entity's own procurement activity (and its information security systems, once the status of CII subject has been established) into line with the established requirements, and to prepare to discontinue the use of Foreign Software and move to domestic equivalents. For all CII subjects this concerns "unfriendly" Foreign Software in the field of information security, while for persons carrying out procurement under Federal Law No. 223 and for public authorities it concerns the complete discontinuation of Foreign Software at significant CII facilities.

What comes next

In the near future, companies operating in healthcare, science, transport, communications, energy, state registration of rights to immovable property and transactions therewith, banking and other areas of the financial market, the fuel and energy complex, nuclear power, and the defense, space, mining, metallurgy and chemical industries should pay special attention to identifying their status in accordance with the CII Law, as well as to categorizing CII facilities and gaining approval of such categorization from FSTEC. Once the list of significant CII facilities has been established, it is necessary to start searching for, or ordering the development of, domestic programs capable of replacing Foreign Software.

The B1 team is ready to provide support on various issues related to determining whether our clients are categorized as CII subjects, to provide technical and legal support to the organization, and to carry out the procedure for categorization of CII facilities, including initial preparation of the position before interacting with authorized bodies, as well as to prepare agreements accompanying the transformation.

Authors:
  • Natalia Aristova
    Partner
    B1 Legal
  • Anton Sidnin
    Senior Associate
    B1 Legal