Law on Security of Critical Information Infrastructure: implications for players of finance, banking, transport, health, telecom and other industries. 

July, 2017 - Maria Ostashenko

We would like to inform you of recent developments in Russian cybersecurity legislation. The draft law “On Security of Critical Information Infrastructure” has passed its third (final) reading in the Lower Chamber of the Russian Parliament and has been sent to the Upper Chamber for approval. Afterwards the Russian President is expected to sign it. The draft law defines critical information infrastructure (“CII”), the industries in which CII operates, the responsibilities of CII owners, the enforcement powers of state authorities, etc. The amendments proposed under the draft law will come into force on January 1, 2018.

Who will be on the radar?
The draft law targets state authorities, Russian legal entities and individual entrepreneurs owning or otherwise possessing IT and telecom systems, automated control systems and electronic communications networks used in the following industries: healthcare, science, transport, communications, defense, energy, banking and finance, nuclear energy, mining, chemicals, rocket and space, metallurgy and fuel (“CII Subject(s)”). The draft law also applies to Russian entities and individual entrepreneurs that provide connectivity between CII Subjects.

State register of crucial CII
Information systems of the CII Subjects shall be assigned one of three categories according to their social, economic, political, ecological and public-security significance. The CII Subject itself decides whether to assign a particular category to its system or not to assign any category at all. The decision shall be communicated to the competent state authority, which will either confirm or challenge it. If a CII object is assigned a category and the state authority approves it, information on that CII object is entered into a special register, and its owner is treated as a “Crucial CII Subject”.

Responsibilities of CII Subjects
The key obligations are as follows:
- Immediately notify the state authorities of a computer incident;
- Cooperate with the state authorities in detecting, preventing and investigating computer incidents and in mitigating their negative consequences;
- Comply with technical requirements concerning antivirus software and other technical means installed to detect computer attacks.

Additional obligations are imposed on Crucial CII Subjects, such as:
- Comply with special security requirements;
- Comply with the orders of the competent state authorities with respect to security requirements;
- Respond to computer attacks as required by applicable regulations and mitigate the consequences of such attacks;
- Ensure that the Russian authorities have unimpeded access to the crucial CII.

Application of state secrecy laws
Under the draft law, information on the security measures applied to CII constitutes a state secret. Please note that an information system containing state secrets is subject to specific statutory requirements (e.g., only certified security tools may be used, only specifically licensed IT contractors may be engaged, etc.).

Liability issues
The draft law supplements the Russian Criminal Code with a number of new cybersecurity offences. In particular, it introduces criminal liability (up to imprisonment) for non-compliance with the rules on handling the means of storage, processing and transfer of information contained in CII.

Maria Ostashenko,
Partner