On approval of the Rules and criteria for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure

Decree of the Government of the Republic of Kazakhstan dated September 8, 2016 No. 529.

      Unofficial translation

      In accordance with subparagraph 4) of article 6 of the Law of the Republic of Kazakhstan dated November 24, 2015 "On informatization" the Government of the Republic of Kazakhstan HEREBY DECREES:

      1. to approve the attached:

      1) Rules for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure;

      2) Criteria for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure.

      2. This decree shall come into force upon expiry of ten calendar days after the date of its first official publication.

      Prime Minister
      of the Republic of Kazakhstan K. Massimov

  Approved by the decree of the Government of the
  Republic of Kazakhstan
dated September 8, 2016 no. 529

Rules for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure

1. General provisions

      1. These Rules for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure (hereinafter referred to as the Rules) have been developed in accordance with subparagraph 4) article 6 of the Law of the Republic of Kazakhstan dated November 24, 2015 "On informatization" and shall determine the procedure for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure.

      2. The following main definitions shall be used in these Rules:

      1) authorized body in the field of information security (hereinafter referred to as the authorized body) - the central executive body that carries out management and intersectoral coordination in the field of information security;

      2) information and communication infrastructure - information systems, technological platforms, hardware and software complexes, server rooms (data centres), telecommunication networks, as well as systems ensuring information security and uninterrupted operation of technical devices;

      3) information and communication infrastructure – a set of the objects of information and communication infrastructure intended to ensure the functioning of the technological environment in order to generate electronic information resources and provide access to them;

      4) crucial information and communication infrastructure objects (hereinafter referred to as CICIO) – information and communication infrastructure objects, the disruption or termination of the functioning of which leads to a social and/or technogenic emergency or to significant negative consequences for defence, security, international relations, the economy, certain areas of the economy or the life of the population, residing in the respective territory, including infrastructure: heat, electricity, gas, water, industry, health, communications, banking, transport, waterworks, law enforcement, e-government.

      Footnote. Paragraph 2 as amended by the decree of the Government of the Republic of Kazakhstan dated 09.04.2018 № 179 (shall enter into force upon expiry of ten calendar days after the date of its first official publication); No. 1047 of 31.12.2019 (shall be enacted ten calendar days after the date of its first official publication); No. 12 of 18.01.2021 (shall be put into effect ten calendar days after the date of its first official publication).

2. Procedure for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure

      3. Objects of information and communication infrastructure shall be classified as critical when meeting at least one of the criteria for classifying the objects of information and communication infrastructure to critical objects of information and communication infrastructure (hereinafter referred to as the criteria) and shall be subject to inclusion in the list of critical objects of information and communication infrastructure, approved by the Government of the Republic of Kazakhstan (hereinafter referred to as the list).

      4. The authorized body annually, no later than February 1, shall send to the central state and local executive bodies, holders (owners) of strategic objects, critical state objects, objects of economy sectors, which have strategic significance, a request on existing objects of information and communication infrastructure corresponding to at least one of the criteria (hereinafter referred to as the request).

      5. Central state and local executive bodies, holders (owners) of strategic objects, critical state objects, objects of economy sectors, which have strategic significance, annually, no later than March 1, on the basis of a request, shall submit proposals to the authorized body for consideration to include objects of information and communication infrastructure in the list with documents and other materials justifying such compliance.

      5-1. In order to ensure the country's security, the authorized bodies in the field of defense, civil protection and national security bodies, on their own initiative, shall submit proposals to the authorized body for inclusion of information and communication infrastructure objects in the list and (or) exceptions from it, with the application of documents and other materials substantiating such compliance, within the time periods established by paragraph 5 of these Rules.

      Footnote. The Rules have been added with paragraph 5-1 in accordance with the decree of the Government of the Republic of Kazakhstan dated 26.12.2018 no. 892 (shall enter into force upon expiry of ten calendar days after the date of its first official publication).

      6. The authorized body for the consideration and analysis of proposals of central state and local executive bodies, holders (owners) of strategic objects, critical state objects, objects of economic sectors, which have strategic significance, shall form a commission from among specialists of public associations in the field of information security, as well as officials responsible for ensuring information security in an authorized body, national security bodies, civil defense and defense (hereinafter referred to as the commission).

      Footnote. Paragraph 6 as amended by the decree of the Government of the Republic of Kazakhstan dated 26.12.2018 no. 892 (shall enter into force upon expiry of ten calendar days after the date of its first official publication).

      7. The Commission shall examine the proposals, documents and materials submitted and make a recommendation:

      1) on the inclusion of an information and communication infrastructure object in the list;

      2) on rejection of the application for inclusion of an information and communication infrastructure object in the list;

      3) on removal of the information and communication infrastructure object from the list of essential information and communication infrastructure as per paragraph 11 hereof.

      Footnote. Paragraph 7 - as reworded by Decree of the Government of the Republic of Kazakhstan No. 12 of 18.01.2021 (shall be put into effect ten calendar days after the date of its first official publication).

      8. The recommendation of the commission shall be recorded in a protocol, containing the following information:

      1) date and venue of the meeting;

      2) committee structure;

      3) number of applications reviewed;

      4) the commission's recommendation for each ICT infrastructure object, justifying whether it meets or does not meet the established criteria.

      Footnote. Paragraph 8 - as reworded by Decree of the Government of the Republic of Kazakhstan No. 12 of 18.01.2021 (shall be enacted ten calendar days after the date of its first official publication).

      9. In case of rejection of the application for inclusion of the object of information and communication infrastructure in the list, the authorized body no later than ten working days from the date of the decision shall send a notification indicating the reasons for the refusal to the appropriate central state and local executive body, the holder (owner) of strategic objects, especially important state objects, objects of industries of strategic importance.

      10. The competent authority shall take one of three decisions based on the minutes of the commission:

      1) on the inclusion of an information and communication infrastructure object in the list;

      2) on rejection of the application for inclusion of an information and communication infrastructure object in the list;

      3) on removal of an information and communication infrastructure object from the list of critical information and communication infrastructure.

      The competent authority shall compile the list and submit it to the Government of the Republic of Kazakhstan for approval no later than 1 July of each year under the procedure established by law. The list shall be accompanied by the minutes of the commission and applications of central state and local executive bodies, owners (possessors) of strategic facilities, particularly important state facilities, facilities of strategic importance to the economy sectors.

      Footnote. Paragraph 10 - as reworded by Decree of the Government of the Republic of Kazakhstan No. 12 of 18.01.2021 (shall come into force ten calendar days after the date of its first official publication).

      11. The list shall be updated annually by the authorized body on the basis of proposals from central state and local executive bodies, holders (owners) of strategic facilities, critical government facilities, facilities of economic sectors of strategic importance in connection with the cessation of industrial operation of a critical facility of information and communication infrastructure, or a change in the functionality of the critical facility of information and communication infrastructure that entailed the loss of compliance with the criteria, or the identification of a new object of information and communication infrastructure that meets at least one of the criteria.

      The authorized body shall consider proposals of central state and local executive bodies, holders (owners) of strategic objects, especially important state objects, objects of industries of strategic importance, in accordance with the procedure provided for by paragraphs 6-10 of these Rules.

      12. Amendments and (or) additions to the list shall be made when necessary according to the procedure established by these Rules and legislation.

  Approved by the decree
of the Government
of the Republic of Kazakhstan
dated September 8, 2016 no. 529

Criteria for classifying objects of information and communication infrastructure to critical facilities information and communication infrastructure

      1. Influence of the object of information and communication infrastructure on the continuous operation of critical state facilities, in the event of a malfunction of which the activities of critical state objects will be stopped.

      2. Influence of the object of information and communication infrastructure on the continuous and safe operation of strategic objects, in case of disruption of which the activity of strategic objects will be stopped or a threat of an emergency of man-made character will arise.

      3. Influence of the object of information and communication infrastructure on the continuous and safe operation of objects of economic sectors of strategic importance, if its functioning is disrupted, the activities of objects of economic sectors of strategic importance will be stopped, or a man-made emergency will occur.

      4. The influence of the object of information and communication infrastructure on ensuring the stable functioning of the object of informatization of "electronic government" and other information and communication services, the partial or complete disruption (termination) of which may lead to an emergency of a social nature.

      Footnote. The criteria are added with paragraph 4 in accordance with the decree of the Government of the Republic of Kazakhstan dated 09.04.2018 no. 179 (shall enter into force upon expiry of ten calendar days after the date of its first official publication).