FSTEC to Develop Cyber Resilience Assessment Framework for Critical Infrastructure
Russia’s Federal Service for Technical and Export Control (FSTEC) is set to develop a methodology for assessing the security posture of critical information infrastructure (CII) facilities. Reviews are expected to take place at least once every six months and will measure resilience at three levels – individual organizations, entire industries and regions.

The system will cover IT assets operated by government agencies, public funds, state corporations, strategic enterprises and systemically important companies. Assessment results will be submitted to the Russian Security Council. The proposed government resolution is designed to complement Presidential Decree No. 250 on information security measures.
A Measurable KPI for Cybersecurity
The initiative operates at a federal scale. At its core is the creation of a state system for quantitatively measuring the cyber resilience of critical infrastructure. Key sectors ranging from finance and transportation to energy and manufacturing depend on those systems. The new methodology would move regulation of critical information infrastructure toward measurable KPIs. It calls not only for data collection, but also for analysis and formal assignment of security levels.
For citizens, the practical outcome could be more stable operation of government services, banking systems, telecommunications and other essential digital platforms. At the same time, the risks of outages and data leaks could decline. Authorities would gain a clearer picture of cyber risks across industries and regions, effectively creating a new tool for strengthening national security. The approach could also attract international attention as a model for cyber resilience assessment and regulation.

Expected Impact of the Changes
Implementation of the methodology in Russia could produce three major effects. The first is stronger recurring oversight. CII inspections and reporting would become cyclical processes. Mandatory monitoring at least twice a year would pressure operators of critical systems to improve their security posture or risk regulatory action. The second effect would likely be rising demand for domestic cybersecurity technologies and services. That trend appears especially plausible against the backdrop of Russia’s push for technological sovereignty, tighter security requirements and a growing volume of cyberattacks.
The third effect would be a shift away from formal compliance toward practical protection. Russia has already launched an experiment focused on independent security assessments of government information systems, vulnerability discovery and penetration testing. The new FSTEC methodology expands that model by increasing the number of strategically important organizations subject to scrutiny.
The initiative also carries indirect export potential. That opportunity is tied to the promotion of Russian cybersecurity products and expertise in markets across the CIS, the Middle East, Africa, Latin America and Southeast Asia. Countries in those regions may show interest in Russia’s experience building a national cyber defense framework.

Strengthening a Unified National Cyber Defense Perimeter
In 2022, Presidential Decree No. 250 established personal accountability for information security among senior executives. Cyber protection of critical systems was elevated to the level of top-management responsibility. The policy tightened further in 2024: beginning Jan. 1, 2025, CII operators were prohibited from using cybersecurity services and solutions provided by companies from “unfriendly” countries. Earlier restrictions had primarily targeted information security products themselves.
In 2025, the Russian government launched a three-year experiment aimed at improving the protection of federal executive branch information systems. The initiative included independent assessments, vulnerability discovery, penetration testing and the development of remediation measures. Officials planned to evaluate at least 43 key resources annually. That same year, amendments to Federal Law No. 187-FZ on critical information infrastructure came into force. Starting in September 2025, updated rules governing the categorization of CII facilities, software usage requirements, expanded FSTEC authority and new obligations for interaction with the State System for Detection, Prevention and Elimination of Consequences of Computer Attacks (GosSOPKA) became effective.
In 2026, following inspections of more than 700 significant CII facilities, FSTEC identified over 1,200 violations, issued more than 2,000 compliance orders and filed 603 administrative reports. Only 36% of organizations met the minimum required level of protection. Those findings highlighted the need for stricter and more measurable cyber resilience assessments. Against that backdrop, sector-specific CII categorization rules for the telecommunications industry are set to take effect on Sept. 1, 2026. The new provisions clarify how significance levels and performance indicators should be calculated based on industry-specific conditions, reflecting a broader shift from general requirements toward detailed sectoral regulation.

From Formal Compliance to Proven Security
The new FSTEC methodology can be viewed as a step toward building a state system for measuring the cyber resilience of critical infrastructure. It signals a transition away from formal compliance toward a model of demonstrable security. One expected outcome is the emergence of comparable metrics across organizations, industries and regions. That would allow regulators to evaluate not just whether security departments and policies exist, but also how risks are actually evolving over time.
The market is also likely to see increased demand for auditing, monitoring, SOC/MDR services, penetration testing, vulnerability management, industrial control system (ICS) protection and certified Russian cybersecurity solutions. Companies capable of demonstrating measurable security outcomes, rather than simply selling products, stand to benefit the most.