Tougher cybersecurity requirements for Russian government agencies and organizations

Presidential Decree No. 250 on ensuring information security of state bodies and state corporations, strategic enterprises, systemically important organizations and legal entities that are subjects of critical information infrastructure (hereinafter – the Decree) has been amended.

Earlier the Decree already established a ban on the use of information protection equipment from “unfriendly” countries and companies from these states by the above-mentioned bodies and organizations starting from January 1, 2025. This includes, in particular, various software programs or gadgets that protect systems from cyberattacks, hacking and information leaks.

Now, from the same date, the use of "services (works) to ensure information security provided (performed, rendered)" by organizations from "unfriendly" jurisdictions is also not allowed. It can be assumed that this means various cloud services, as well as work and consulting on the implementation and maintenance of cybersecurity solutions and assessment of the security of Internet resources. However, the question arises as to how widespread the use of such foreign services by Russian persons and the provision of consultations by foreign specialists to Russian organizations (and even more so to government agencies) is in practice, given the sanctions.

Another innovation is the development by the Federal Security Service (FSB) of requirements for accredited centers of the State System of Detection, Prevention and Elimination of Consequences of Computer Attacks on Information Resources of the Russian Federation (GosSOPKA). These centers are responsible for monitoring and analyzing the security of information systems, as well as for eliminating the consequences of computer attacks. The FSB will have to develop a procedure for their accreditation, its suspension and revocation.

According to experts, the changes introduced in the Decree will contribute to "increasing cyber resilience of the Russian economy and technological independence of the information security industry".

Source: Decree of the President of the Russian Federation from 01.05.2022 N 250 (ed. from 13.06.2024) "On additional measures to ensure information security of the Russian Federation".