Skip to main content
|

Add a bookmark to get started

Bookmarks info
  • Home
  • Insights
  • Sweeping New Rules for Foreign Software and Technology in Official Procurement
Abstract view of building
27 April 20226 minute read

Sweeping New Rules for Foreign Software and Technology in Official Procurement

Written by:Mikhail Sholokhov

For years Russia has been pursuing policies discouraging reliance on foreign technology in critical state infrastructure. This policy appears to have been accelerated in the current environment where foreign technology is less available to Russian state organizations.

In particular, new rules tightening restrictions on the acquisition and use of foreign software for critical state infrastructure were promulgated by Presidential Decree 166 of March 29, 2022. Decree 166 established two strict rules with apparently sweeping effects, but it remains to be seen how these rules will be implemented.

It is important to note that these rules apply not only to standalone software, but also to services associated with software and to software embedded into or used with hardware.

An important mitigating factor is that these rules are limited to certain types of organizations with state ties and to "natural" monopolies, so they do not apply to the community as a whole.

Two New Rules

Decree 166 established the following two rules:

  • Consent for Acquisition of Foreign Software. From March 31, 2022, certain state-related organizations and natural monopolies may not acquire foreign software for use with "objects of critical infrastructure" without approval from the government; and
  • Prohibition on Use of Foreign Software. From January 1, 2025, these same organizations may not use foreign software for their critical infrastructure.

The requirement for approval to acquire foreign software is not really new, as Russian government agencies have been subject to this requirement since 2015, but Decree 166 now expands this requirement beyond government agencies to include certain state-owned organizations and natural monopolies.

Both rules are written in broad terms, but the details of implementation are not yet clear. Moreover, it may be technically difficult to implement these rules as written, so clarifications or even changes to the rules may be expected.

Acquisition of Foreign Software – Nobody's At Home

Foreign software can only be acquired with governmental approval, but this requirement is currently impossible to satisfy, as the government agency to provide for such approvals has not yet been appointed. The government should appoint this agency (which is expected to be Federal Service for Technical and Export Control of Russia or FSTEK Russia) by the end of April, but as yet, there is no agency appointed for handling these approvals and there is no exception to obtaining the approvals.

This means that the organizations affected by this rule cannot legally acquire foreign software for their critical infrastructure at the moment. This includes software embedded in hardware and devices, so this rule could effectively extend beyond just software.

As the agency for handling these approvals has not been designated, no specific criteria and procedures for obtaining approvals have been issued. This means that for the time being, it is not clear as to how the process will be applied and when approvals maybe granted.

Use of Foreign Software

The prohibition on the use of foreign software for critical infrastructure is also broadly written and has no exceptions. On its face, the rule would prohibit the use of all foreign software, including that which was acquired with government approval. No approval process for the use of foreign software is provided for beyond January 1, 2025.

This second rule may face serious problems in practice, as it relies on the assumptions that analogous Russian software will be fully available and that a transition away from foreign software will be possible within that timeframe.

Given the possible technical and cost issues, one may expect changes to this rule in terms of the timing, scope or exceptions, but for now, the rule is clear and broadly written.

To Whom Does this Apply - Affected Organizations

The rules in Decree 166 apply to organizations covered under procurement law (primarily Federal Law No. 223-FZ "On the Procurement of Goods, Work and Services by Certain Types of Legal Entities"). These organizations generally are:

  • State and government organizations
  • Organizations with over 50% state or government ownership and
  • “Natural” monopolies (as designated in a specific register – the best example is Russian railways – ostensibly a private organization with a public function)

These rules do not generally apply to purely private organizations which are not identified as natural monopolies and which do not have over 50% state or governmental ownership.

What is Foreign Software?

While Decree 166 refers to "foreign" software without further definition, the context of requirements to purchase "Russian" software under existing procurement rules would likely mean that "foreign" software is that which is not "Russian" software, but even that has a narrow and somewhat arbitrary definition.Under existing procurement rules for government agencies, Russian software is only that software contained on the official register of Russian software ("Unified Register of Computer software and Databases Originating From Russia" maintained in accordance with the Federal Law "On Information") - such approach was introduced in 2015 when the use of Russian software in governmental organization was required where possible and the register was created to confirm the Russian origin of software for this purpose. Therefore, even software owned by Russians or created in Russia or by Russians, but not on the register will likely not be considered "Russian" software under these rules.

Embedded Software

Most concerning is that the rules apply not only to standalone software but also to software embedded in hardware and devices, so the rules will affect technical equipment in addition to just software itself.

This aspect of the rules may involve certain technical difficulties, as it may not be possible to separate embedded software from hardware already in use.

Services Associated with Foreign Software

The rules apply also to services associated with foreign software.

What is Critical Information Infrastructure?

Critical information infrastructure includes information systems and telecommunication networks critical for the operation of key areas: health, science, transport, telecoms, banking, fuel and energy sector, etc, as defined in a specific law on critical infrastructure, but briefly put, the term refers to facilities and systems critical to the operation of the organization or fulfillment of its function. The focus for this rule is not on the character of the software or technology but rather on the character of the intended use.

Foreign software may be acquired and used in contexts of non-critical infrastructure, but what is considered critical infrastructure will be widely construed for these rules.

Open Questions

There are many open questions on how these rules will work and we expect clarifications and changes to be issued over time. The important issue though is that there is an active policy being implemented to reduce reliance on foreign software and technology.

Related Capabilities

Intellectual Property
Print
Legal noticesPrivacy policyCookie policyModern slaveryFraud AlertSitemap

DLA Piper is a global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA Piper's structure, please refer to the Legal Notices page of this website. All rights reserved. Attorney advertising.

© 2025 DLA Piper