CUE safety. What awaits the business in 2026?

Previously, companies could report cyber attacks on a one-time basis, for example, by sending an email, but now this should happen in real time through a special personal account. 

In fact, the FSB will be able to quickly monitor and coordinate all actions in the event of cyber attacks, becoming a central hub in the fight against digital threats to critical facilities.

An expanding range of responsibilities
At the same time, the approach to contractors is also changing. The Federal Service for Technical and Export Control (FSTEC) is preparing regulations that will oblige all performers with access to the IT infrastructure of critical facilities to comply with the same strict cybersecurity requirements as the owners themselves. This is a direct consequence of the identified problems. According to the agency, the lack of control over the actions of contractors has become a serious security gap for the market. If the contract does not specify responsibility, and the contractor is not familiar with the internal safety rules of the customer, then all requirements remain only on paper.

Almost a third of encryption attacks occur due to unsecured contractors
FSTEC inspections have already revealed more than 1,100 violations. Typical problems include inconsistency of the real state of affairs with the data in the CII registry and disregard for Presidential Decree No. 250. This document prohibits the use of information protection tools from unfriendly countries at critical facilities. Despite the fact that the deadline for its execution came on January 1, 2025, many companies still have not been rebuilt. The FSTEC warns that the period of "soft" implementation is over, and administrative cases will now be initiated for non-compliance with the decree.

What should a business prepare for?
For many, the administrative burden and compliance costs will increase dramatically. Companies will have to not only establish the technical possibility of continuous data transfer to the FSB, but also review all contracts with contractors, including new obligations and strict boundaries of division of responsibility.

Control over import substitution in IT is likely to be tightened. Decree No. 250 is entering the stage of active implementation, since, according to the FSTEC, the time for reflection and choice has already passed. Companies that have so far postponed the transition to domestic information security software will have to do so urgently, which entails additional costs and compatibility risks.

The State Duma proposed to mitigate the punishment for IT specialists
Now, large companies that own CII will be forced to require their, often smaller, contractors to fully comply with the norms of 187-FZ. This can lead to a purge of the market from those who are not ready to bear the additional costs of security, and to the consolidation of players in the field of IT outsourcing.

In general, the government is building a centralized and tightly regulated cybersecurity ecosystem for critical infrastructure. Businesses will have to become a transparent and manageable part of it, which will inevitably lead to increased costs and bureaucratic burden, but, according to the regulator, it should increase overall resistance to cyber threats.