Critical Infrastructure Objects: Detailed Analysis and Answers to Common Questions

 

On June 29, 2022, amendments to Resolution No. 169 of the CMU of February 28, 2022 "Some issues of defense and public procurement of goods, works and services under martial law" (hereinafter referred to as Resolution No. 169) entered into force, which in particular provide for a list of exceptions, under which the purchase of goods, works, and services, the value of which is or exceeds UAH 50,000, can be carried out without applying the simplified procurement procedure and/or the electronic catalog.

 

One of the most interesting points, which caused a discussion in the procurement community, was an exception with the wording "goods, works and services are being procured to ensure the functioning of critical infrastructure facilities".

 

In connection with the appearance of this exception, the community had many logical questions, including:

• • how to determine that the object belongs to critical infrastructure objects (hereinafter referred to as CI objects);
  • whether there is a register of CI objects or another list containing such information;
  • whether data on CI objects is information with limited access;
  • is it possible to get a passport of the CI object;
  • how to determine to which category the CI object belongs;
  • where to get documentary confirmation that the object belongs to CI objects.

 

In this article, Yan Tomashuk, SmartTender's legal advisor, will deal with the details and nuances related to CI objects.

 

The regulatory framework and terms you need to know

As of today, two main documents will help us get answers to the above questions:

1. 1. The Law of Ukraine "On Critical Infrastructure" (1882-IX dated 16.11.2021), which entered into force on 15.12.2021, but began to operate only on 15.06.2022 (hereinafter referred to as the Law);
   2. Resolution of the CMU No. 1109 dated 09.10.2020 "Some issues of critical infrastructure facilities", with changes from 29.12.2021, which entered into force on 31.12.2021 (hereinafter referred to as Resolution No. 1109).

 

Also, for a more thorough analysis, I recommend that you first briefly familiarize yourself with the key terms of the Law, which will often be used in this material:

 

     1. Important terms and processes related to CI:

• • • CI objects — infrastructure objects, systems, their parts, and their aggregates, which are important for the economy, national security, and defense, the disruption of which may harm vital national interests;
    • the criticality category (criteria) of the CI object — the degree (relative level) of the importance of the critical infrastructure object, classified (categorized) depending on its impact on the performance of vital functions and/or the provision of vital services;
    • categorization of infrastructure objects — assignment of infrastructure objects to criticality categories of infrastructure objects;
    • identification of the CI object — the procedure of assigning the infrastructure object to the critical infrastructure objects;
    • security passport (hereinafter referred to as CI object passport) — a document of the established form, which contains information about a critical infrastructure object, as well as a set of measures taken to protect this object from the types of threats identified for it;
    • the register of CI objects (hereinafter – the Register) is an automated system that contains a list of the most important critical infrastructure for the life of society and the state, for which special requirements are established to ensure its safety and stability and their compliance is monitored;
    • CI sector — a set of critical infrastructure objects that belong to one sector (branch) of the economy and/or have a common functional focus.

 

     2. Main subjects in the field of critical infrastructure:

• • • critical infrastructure operator (hereinafter referred to as CI Operator) — a legal entity of any form of ownership and/or an individual entrepreneur who manages a critical infrastructure object based on ownership, lease, or other legal grounds and is responsible for its current functioning;
    • sectoral body in the field of critical infrastructure protection (hereinafter referred to as the Sectoral Body) — a state body designated by legislation as responsible for ensuring the formation and implementation of state policy in the field of critical infrastructure protection in a separate critical infrastructure sector;
    • the authorized body in the field of critical infrastructure protection of Ukraine (hereinafter — the Authorized Body in the Field of ZKI) — the body that ensures the formation and implementation of state policy in the field of critical infrastructure protection, performs functional management of the national system of critical infrastructure protection, ensures coordination of the activities of ministries and operators of critical infrastructure on issues of ensuring stability and protection of critical infrastructure objects.

 

Who and how carries out the identification of CI objects?

To determine whether an object belongs to critical infrastructure, first of all, it is necessary to understand who has the authority to refer objects to CI objects.

 

By Part 1 of Art. 8 of the Law, the classification of objects as critical infrastructure is carried out by the procedure established by the Cabinet of Ministers of Ukraine.

 

Taking into account the fact that from the moment of adoption of the Law until today, the Cabinet of Ministers has not approved another separate procedure for classifying objects as critical infrastructure, we are guided by the Procedure for classifying objects as critical infrastructure objects (hereinafter – the Procedure), which was approved by Resolution No. 1109 back in the 2020 year

 

It should be noted that the Order itself contains terms that are slightly different from the terms provided by the Law but correspond to each other in terms of content. For example an authorized body of state power responsible for a sector (sub-sector) of critical infrastructure (hereinafter referred to as the authorized body) = Sectoral body.

 

According to Clause 4 of the Procedure, the authorized bodies, using the list of sectors (sub-sectors), and basic services of critical infrastructure, identify the objects of critical infrastructure of their sectors (sub-sectors) of critical infrastructure.

 

Given the above, the authority to refer objects to critical infrastructure belongs to Sectoral bodies.

 

Where to find the list of Sectoral bodies?

Resolution No. 1109 approved, in particular, the List of sectors (subsectors), the main services of the state's critical infrastructure (hereinafter – the List).

 

The list contains a table containing the column "Authorized state authority responsible for the sector (subsector) of critical infrastructure", which lists the Sectoral authorities.

 

According to the information from the List, the Sectoral Bodies include:

• • Ministry of Energy;
  • Ministry of Digital Transformation;
  • Ministry for Communities and Territories Development;
  • Ministry of Economy;
  • Ministry of Health;
  • National Health Service;
  • National Securities and Stock Market Commission;
  • Ministry of Infrastructure;
  • Ministry of Strategic Industry;
  • Ministry of Internal Affairs;
  • Ministry of Finance.

 

 

Each of these Sectoral bodies is responsible for its sectors, sub-sectors, and types of basic services of the state's critical infrastructure.

 

Is there a Register of CI objects or another list that contains such information?

According to Art. 11 of the Law, to coordinate the actions of the subjects of the national critical infrastructure protection system, the Register of Critical Infrastructure Objects (hereinafter – the Register) is formed.

 

In turn, the collection, summarization, preliminary analysis of data on critical infrastructure objects, and proposals for inclusion of such objects in the Register within the defined sectors are carried out by the Sectoral Bodies.

The Register itself is formed and maintained by the Authorized Body in the field of ZKI based on the proposals of the subjects of the national system of critical infrastructure protection.

 

According to p.p. 1 p. 5 of the final provisions of the Law, the Cabinet of Ministers of Ukraine must determine the authorized body for the protection of the critical infrastructure of Ukraine within three months from the date of entry into force of this Law.

Thus, the deadline for determining such an authorized body was March 2022.

 

At the same time, only recently, by Resolution of the CMU No. 787 dated 12.07.2022 "On the establishment of the State Service for the Protection of Critical Infrastructure and Ensuring the National Resilience System of Ukraine", the Authorized Body in the field of CSI was defined – it became the State Service for the Protection of Critical Infrastructure and Ensuring the National Resilience System of Ukraine (DZKI). At the same time, the said Resolution will enter into force only after amendments are made to the Law of Ukraine "On the State Budget of Ukraine for 2022" regarding the financing of DZKI.

 

It should also be noted that the procedure for maintaining the Register, including objects in the Register, accessing and providing information from it is determined by the Cabinet of Ministers of Ukraine.

 

However, as of the time of writing this article, the Cabinet of Ministers has not approved such a procedure for maintaining the Register.

 

Is there another list that contains information about CI objects? According to Clause 5 of the Procedure approved by Resolution No. 1109, the authorized bodies compile consolidated lists of all critical infrastructure objects of their sectors (subsectors) of critical infrastructure, assigned to the I and II categories of criticality, and provide them to the Authorized Body for the Protection of Critical Infrastructure to form a national list of critical infrastructure objects.

 

However, no information about the creation and existence of such a national list of CI objects was found.

 

Thus, summing up the above, we have the following situation:

• • the Registry of critical infrastructure facilities has not yet been created and is not functioning;
  • the Order for maintaining the Register has not yet been approved by the Cabinet of Ministers;
  • the Authorized body in the field of CI, which should form and maintain such a Register, is not yet functioning;
  • there is no information about the existence of another list of CI objects, or such a list is not publicly available and/or with limited access.

 

 

Is the data on CI objects information with limited access?

According to Part 6 of Art. 11 of the Law, information about critical infrastructure objects contained in the Register is open, publicly available, and free of charge, except for information with limited access. The administrator provides round-the-clock access to open information of the Register on its official website.

 

At the same time, by Clause 7 of the Procedure approved by Resolution No. 1109, information about critical infrastructure objects contained in the national list of critical infrastructure objects and sectoral lists of critical infrastructure objects is information with limited access, the protection of which is ensured by the requirements of the legislation in the field of information protection.

 

At the same time, I will immediately remind you that:

• • according to Clause 5 of the Procedure, such a national list includes only CI objects assigned to the I and II categories of criticality;
  • there is no information about the existence of such a list of CI objects.

 

You can also additionally pay attention to the security passport, the information of which also contains information with limited access by Part 7 of Art. 12 of the Law.

 

Given the above, it can be concluded that even though, by the provisions of the Law, the information in the Register about CI objects must be open, most of such information, especially if they are objects of the I or II criticality category, can be determined as restricted information.

 

However, it should be noted that during the period of martial law and the war with the Russian Federation, this appears to be a logical phenomenon and is included in the norms of the so-called "three-syllable test" provided in Part 2 of Art. 6 of the Law of Ukraine "On Access to Public Information", since the disclosure of information about the list and addresses of such CI objects may lead to negative consequences.

 

What is the criticality category of CI objects, and who and how determines it?

According to Art. 10 of the Law, to determine the level of requirements for ensuring the protection of critical infrastructure objects by the level of their importance for ensuring certain vital functions within the critical infrastructure sectors, critical infrastructure objects are categorized according to the categories of criticality defined by the Law.

 

There are the following categories of the criticality of CI objects:

• • I category of criticality – especially important facilities of national importance and a significant impact on other critical infrastructure facilities, the disruption of which will lead to a crisis of national importance;
  • II category of criticality – vital facilities, the disruption of which will lead to a crisis of regional significance;
  • III category of criticality – important facilities, the disruption of which will lead to a crisis of local significance;
  • IV category of criticality – necessary objects, the failure of which will lead to a crisis of local significance.

 

 

Sectoral bodies, together with CI Operators, carry out the categorization of critical infrastructure objects in their sectors (subsectors) of critical infrastructure by the Methodology for Categorization of Critical Infrastructure Objects, approved by the Cabinet of Ministers of Ukraine.

 

The method of categorization of critical infrastructure objects was approved by Resolution No. 1109.

 

Thus, Sectoral bodies are responsible both for the identification of CI objects and for the categorization of CI objects.

 

At the same time, in contrast to identification, categorization by the provisions of the Law and the Procedure approved by Resolution No. 1109 is carried out by Sectoral bodies together with CI Operators.

 

Is it possible to get a safety passport for a CI facility?

First of all, it should be noted that according to Part 4 of Art. 11 of the Law, after the inclusion of the object in the Register, Sectoral bodies notify the Operator of the CI object about it to ensure certification and protection of the critical infrastructure object by the requirements of the Law.

 

According to Art. 12 of the Law, to conduct an analysis of possible main threats and potentially negative consequences for critical infrastructure objects, preventing and preventing the occurrence of such threats to critical infrastructure, operators of critical infrastructure objects prepare and submit for approval to the relevant sectoral bodies in the field of critical infrastructure protection, the relevant functional authority safety passport for each object of critical infrastructure.

 

The security passport for the critical infrastructure object itself contains information about the identification of the object and measures for its protection and security, and also defines the list of positions and responsible persons whose tasks include communication and exchange of information with the subjects of the national protection system critical infrastructure.

 

However, it should be noted that the requirements for the procedure for developing and approving a safety passport for a critical infrastructure facility, its content, content, procedure, and submission deadlines are established by the Cabinet of Ministers of Ukraine.

 

At the same time, as of the time of writing this article, the procedure for developing and approving the safety passport for the CI facility has not yet been approved by the Cabinet of Ministers.

 

Thus, at the moment, it is impossible to obtain such a safety passport for a CI facility for two reasons:

1. 1. The procedure for developing and approving the safety data sheet has not been approved.
   2. The passport itself is carried out only after the object is included in the Register, and as noted in the previous sections of the article, such a Register has not yet been created.

 

How do I get documentary confirmation that the object belongs to CI objects?

If the Register does not exist, it is impossible to obtain a security passport, and the information about the object itself may belong to information with limited access, the question arises: where to get documentary confirmation that the object belongs to CI objects?

 

As of today, there are two practical options that I know of that can be applied.

 

Method 1: appeal to the Sectoral body

Since the identification of objects to CI objects belongs to the powers of Sectoral bodies, I recommend that customers first contact their Sectoral bodies by the List of sectors (subsectors) approved by Resolution No. 1109.

 

Since neither the norms of the Law nor the norms of Resolution No. 1109 provide for the form of such an appeal, you can make such a request in an arbitrary form, but I recommend that you refer to the norms of Art. 8 of the Law and Clause 4 of the Procedure approved by Resolution No. 1109, and note that such information is necessary for procurement by CMU Resolution No. 169. The signatory of such a request can be any person by the internal regulations of the contracting authority.

 

Method 2: appeal to the military administration

According to Art. 3 of the Law, this Law regulates relations in the field of operation and protection of critical infrastructure as a whole and its objects in peacetime.

 

Features of the protection and legal regime of critical infrastructure objects in emergencies, state of emergency and martial law, and special periods are regulated by the laws of Ukraine "On the legal regime of martial law", "On the legal regime of the state of emergency", "On the functioning of the unified transport system of Ukraine in a special period" and "On the defense of Ukraine".

 

Considering the above, attention should be paid to the provisions of the Law of Ukraine "On the Legal Regime of Martial Law", namely:

• • one of the key goals of the creation of military administrations during the period of martial law is, in particular, to ensure the protection of CI objects (Part 1, Article 4 of the Law);
  • military administrations can establish various measures of the legal regime of martial law, in particular, establishing (strengthening) the protection of CI facilities (Part 1, Article 8 of the Law);
  • military administrations in their activities are governed, in particular, by the Law of Ukraine "On Critical Infrastructure" (Part 1, Article 15 of the Law);
  • the powers of the military administrations include, in particular, the establishment of enhanced protection of CI facilities (clause 25, part 2, article 15 of the Law);

 

Thus, military administrations of settlements should have information about the list of CI objects for which they are responsible.

 

Therefore, if the Sectoral bodies do not respond to requests or cannot give a clear answer, as an alternative option, I suggest contacting the military administrations with the question of whether your object belongs to the CI objects.

 

Conclusion

Analyzing the norms of legislation in the field of critical infrastructure, including the Law of Ukraine "On Critical Infrastructure", it can be noted that, in general, the norms of the Law are aimed at streamlining issues related to CI objects, and are the first step towards the development of legislation in this area.

 

At the same time, most of the norms and mechanisms provided for by this Law simply do not work as they do today. There are several reasons for this:

1. 1. First of all, there is armed aggression by the Russian Federation, during which the government has more priority tasks to ensure the functioning of the state, as a result of which all the deadlines by which all the above-mentioned issues were supposed to be resolved have been violated.
   2. The Law itself is quite new and came into effect only in mid-June. Accordingly, its practical application has not yet been worked out, only "on paper".
   3. The authorized body in the field of ZKI, which was supposed to be created as early as March 2022, was "documentary established" only in July of this year, but it will take a lot of time before the actual functioning of DZKI.
   4. Separate procedures have not been approved, which relate, in particular, to the Register and certification of CI objects.

 

Taking into account the entire situation in the country and the given circumstances, the purchasing sphere has nothing else to do but to wait for the resolution of the above-mentioned problems and to apply the above-mentioned methods of documentary confirmation.

 

Therefore, we will continue to monitor changes in the field of critical infrastructure and will inform you about the most important and most interesting.

 

How to order a consultation with SmartTender lawyers?

If you have questions about the legal side of the procurement, please contact SmartTender lawyers on this page.

 

You can also always contact our support service at 0 800 75 10 10.

Follow our news and take care!