The transition of critical IT infrastructure to Russian domestic software and equipment is postponed

 The necessary Russian developments are still in short supply. Owners of critical information infrastructure still find the transition difficult to implement

The Ministry of digital development, communications and mass communications of the Russian Federation proposed to oblige owners of critical information infrastructure (CII) to switch to the preferable use of Russian software from 2024, and to Russian equipment from 2025. This is stated in the draft presidential decree published on the portal of normative legal acts.

The first version of the decree was published in May, it provided for the transition of the CII to Russian software from 2021, and to Russian equipment from 2022.

The proposed deadlines raised concerns among the owners of CII – banks and industry.

Several owners of critical information infrastructure pointed to the immaturity of the domestic software and hardware market. “Often there is a single developer or supplier of software or hardware of a certain class, which negatively affects pricing,” said one of the owners. According to another owner, this single supplier will not be motivated to improve quality.

The Association of Russian banks in June asked the Bank of Russia to support the postponement of the transition to domestic software. Bankers said that the transition in a short time will entail significant expenses, and currently domestic manufacturers do not have the necessary equipment. The Central Bank supported this proposal, sending relevant comments to the government and the presidential administration.

At the end of 2019, the government issued a decree on the introduction of a temporary ban (for two years) on public procurement of foreign data storage systems for use on critical information infrastructure facilities.

The law on critical information infrastructure security came into force on January 1, 2018. It provides for the connection of CII objects to the state system for detecting, preventing and eliminating the consequences of computer attacks.