The Chairman of the State Security Service has issued an order approving the Temporary Regulation on the procedure for categorizing critical information infrastructure facilities and forming their Single Register.
Under the Regulation, subjects (owners) of critical information infrastructure facilities are required to categorize these facilities at least once a year. To do so, they must set up a commission for that purpose.
The following levels of critical information infrastructure facilities have been defined:
High:
- facilities whose failure as a result of a cybersecurity incident can cause major damage, harm the health of more than 20 people, disrupt the living conditions of more than 500 people, or damage the environment in an area equal to a large sown area*;
- facilities that handle information related to state secrets, as well as oil and energy, nuclear energy, healthcare, telecommunications facilities and those located in places of permanent or temporary residence of protected persons;
Medium:
- facilities whose failure as a result of a cybersecurity incident can cause major damage, harm the health of more than 10 but fewer than 20 people, disrupt the living conditions of more than 100 but fewer than 500 people, damage the environment in an area equal to the average sown area**, or harm the prestige and reputation of the state;
Low:
- facilities that do not fall into the high or medium category of critical information infrastructure facilities.
Information about the facilities shall be submitted to the State Security Service to keep a register of critical information infrastructure facilities.