CII · 187-FZ · Compliance

What Is CII and Who Must Comply with 187-FZ in Russia in 2025

May 8, 2025 · 10 min read · System Networks

Federal Law 187-FZ "On Security of Critical Information Infrastructure" came into force in 2018. In 2022–2025 enforcement significantly intensified. If your organisation operates in one of 13 regulated sectors, you are likely a CII subject — with specific security obligations and criminal liability for violations.

What Is Critical Information Infrastructure (CII)

CII (Kriticheskaya Informatsionnaya Infrastruktura in Russian) refers to information systems, information and telecommunication networks, and automated control systems that are critical to key sectors of the Russian economy and government. A disruption to these systems could cause significant harm to citizens, national security, or the economy.

CII consists of two components:

CII Objects

Specific information systems, networks, or automated control systems (APCS) that belong to CII subjects. Each object is categorised by significance level (Category 1, 2, or 3).

CII Subjects

Organisations that own or operate CII objects. State bodies, state institutions, Russian legal entities, and foreign organisations operating in Russia that work in regulated sectors.

13 Regulated Sectors

If your organisation operates in any of the following sectors, you may be a CII subject:

· Healthcare
· Science
· Transport
· Communications
· Energy
· Banking and financial services
· Fuel and energy complex
· Nuclear energy
· Defence industry
· Rocket and space industry
· Mining
· Metallurgy
· Chemical industry

Additionally: organisations providing services to the above sectors (IT service providers, cloud providers, telecommunication companies) may also fall under CII requirements if they serve CII subjects.

CII Object Significance Categories

Category 1

Highest significance. Potential disruption could cause harm at a federal level — affecting national security, constitutional order, or causing large-scale economic damage. Requires the most stringent security measures.

Category 2

Significant impact on regional economy, social infrastructure, or services. Disruption affects a significant number of citizens or organisations within a region or industry.

Category 3

Local significance. Disruption affects a limited number of people or organisations. Requires baseline security measures.

Key Obligations for CII Subjects

1. Categorise CII objects

Identify all information systems and APCS that may qualify as CII objects. Submit categorisation results to FSTEC within 10 days of completion.

2. Connect to GOSSOPKA

GOSSOPKA is the State System for Detection, Prevention and Elimination of Cyber Attacks. CII subjects must connect to GOSSOPKA and report incidents within 3 hours.

3. Implement security requirements

Technical and organisational security measures are applied according to the object's category. Category 1 requires the most extensive measures, including penetration testing and 24/7 monitoring.

4. Use FSTEC/FSB-certified tools

For Category 1 and 2 objects, security tools must be certified by Russian regulators (FSTEC, FSB). This significantly limits the available product range.

5. Conduct periodic security assessments

Regular security audits and penetration testing. Frequency depends on category: at least annually for Category 1.

Liability for Non-Compliance

⚠️ Criminal Liability Under Article 274.1 of the Criminal Code

Offence: Unlawful access to CII. Penalty: up to 6 years imprisonment.
Offence: Damage to CII causing significant harm. Penalty: up to 8 years imprisonment.
Offence: Failure to fulfil security obligations resulting in damage. Penalty: up to 6 years imprisonment.
Offence: Organised group / severe consequences. Penalty: up to 10 years imprisonment.
