articles

Overview of changes in the sphere of information security and personal data (hereinafter referred to as the “PD”) that will affect the activities of organizations involved in the wholesale and retail trade of medicinal products. We remind you that starting from September 1, 2025, consents for PD processing must be stand-alone documents, separate from website Privacy Policies.

1. Industry-Specific Features of Categorizing Critical Information Infrastructure (hereinafter referred to as the “CII”) Facilities in Healthcare

On July 4, 2025, a draft Government Resolution “On Approval of Industry-Specific Features for Categorizing Critical Information Infrastructure Facilities in Healthcare” (hereinafter referred to as the “Draft Resolution”) was released for public discussion. This resolution establishes special rules for categorizing CII facilities in the healthcare system.

CII Entities

According to the Draft Resolution, the categorization features will apply to the following CII facilities:

• State healthcare authorities
• State medical institutions
• The Federal Compulsory Medical Insurance Fund and its regional funds
• Russian legal entities engaged in medical and pharmaceutical activities
• Russian legal entities ensuring interaction between CII systems

Medical organizations include those providing specialized (including high-tech) medical care, as well as emergency (including specialized emergency) care. Organizations engaged in the wholesale and retail trade of medicinal products include companies with annual revenue of RUB 5 billion and a workforce of at least 250 employees.

CII Categorization

Categorization of CII facilities will be performed by a permanent categorization commission within the CII entity.

The following significance criteria indicators are proposed for categorizing healthcare CII facilities:

• Social significance
• Political significance
• Economic significance
• Environmental significance¹

The assessment is carried out for each of the values of the significance criteria Indicator applicable to the CII subject, and the significance category is assigned to the CII object according to the highest value of one of the indicators in the List of Significance Criteria Indicators.

An algorithm has also been established to assess the scale of the consequences of computer attacks on CII facilities in the healthcare sphere. In such incidents, the Draft Resolution suggests considering the worst-case scenarios, which may result in disruption or shutdown of the CII facility. In addition, it is proposed to determine the dependence of CII facilities on each other, as well as to identify statistical data on computer incidents that occurred earlier at CII facilities of the same type.

The public discussion period ends on July 18, 2025.

2. Typical Industry-Specific CII Facilities in Healthcare

CII regulations are currently governed by the Federal Law “On Security of Critical Information Infrastructure of the Russian Federation” (hereinafter referred to as the “CII Law”) alongside Categorization Rules and Significance Criteria Indicators.

In June 2025, FSTEC published a draft Government Resolution “On Approving Lists of Typical Industry-Specific Critical Information Infrastructure Facilities” (hereinafter referred to as the “Draft of Typical Industrial Facilities of the CII”). It identifies the following as typical healthcare CII facilities:

• Medical information systems of healthcare organizations
• Pharmaceutical management systems
• The Unified State Health Information System (EGISZ)
• Other specialized systems

If adopted, the finalized Draft of Typical Industrial Facilities of the CII will become mandatory for CII entities when categorizing their facilities, effective September 1, 2025.

3. Separate Consent Requirement for Processing PD

We remind you of amendments to Federal Law No. 152-FZ “On Personal Data” (July 27, 2006) (hereinafter referred to as the “Personal Data Law”), effective September 1, 2025.

Federal Law No. 156-FZ (June 24, 2025) “On Establishing a Multifunctional Information Exchange Service and on amendments to certain legislative acts of the Russian Federation” introduced a requirement for separately obtained consent for PD processing. Key provisions:

• Consent cannot be included within contracts, agreements, or other documents
• Consent cannot be embedded in online user agreements

Responsibility for non-compliance with the requirements will be established under Part 2 of Article 13.11 of the Code of Administrative Offences of the Russian Federation and will amount to:

• RUB 100,000 – 300,000 for officials
• RUB 300,000 – 700,000 for organizations

¹The indicators of significance criteria and their values are established by Russian Government Resolution No. 127 of February 8, 2018, “On Approval of the Rules for Categorizing Critical Information Infrastructure Facilities of the Russian Federation, as well as the List of Indicators of Significance Criteria for Critical Information Infrastructure Facilities of the Russian Federation and Their Values” (hereinafter referred to as the “Categorization Rules and List of Significance Criteria Indicators” / “List of Significance Criteria Indicators”).