Is it possible to lower the ISPD security class?
Good afternoon, dear habrazhiteli!
When establishing the level of security, it is necessary to determine the relevance of threats of a certain type (1st, 2nd or 3rd).
According to Decree 1119, paragraph 6: "Threats of the 1st type are relevant to the information system if it is also affected by threats related to the presence of undocumented (undeclared) capabilities in the system software used in the information system." The organization providing the documents claims that, due to the lack of FSTEC certificates for the absence of undeclared capabilities in operating systems (OS), all personal data information systems (ISPD) using such an OS will receive the 1st (highest) level of security.
Therefore, in accordance with clause 9.a: "The need to ensure the 1st level of protection of personal data during their processing in the information system is established if at least one of the following conditions is present: a) threats of the 1st type are relevant for the information system, and the information system processes either special categories of personal data, or biometric personal data, or other categories of personal data;"
It's no secret that most companies use regular licensed Windows in their ISPD, which has no FSTEC certificate, which means that the class will also be the highest, the first. Accordingly, the requirements for the protection of such ISPDs will be the highest.
And now the question is: is it possible to lower the level of security at least to the 3rd, while remaining within the framework of the new legislation?
Maybe someone has come across something similar?
Look at Resolution 1119 (clause 6) for the concept of the relevance of a personal data security threat and think about how the presence or absence of an FSTEC certificate affects it. Draw your conclusions from that.
7. Determination of the type of threats to the security of personal data relevant to the information system is carried out by the operator
Of course you can, it has all been done already!
Look here:
dlp-expert.ru/blog/3375/23096
And here:
habrahabr.ru/post/200894/
Yes, and another thing: you write, "The organization providing the documents claims that due to the lack of FSTEC certificates for undeclared capabilities for operating systems (OS), all personal data information systems (ISPD) using the OS will receive the 1st (highest) security level."
Please explain what kind of organization that is.