Information Security
ash_kgd, 2013-02-22 11:43:26

PP-1119 and type 1 threats

Clause 6 of Government Decree No. 1119 states:
Threats of the 1st type are relevant for an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant for it.

How can the threat of a violation of integrity/availability/confidentiality via the NDV of Windows OS be recognized as irrelevant in an information system, whether it is a standalone workstation or a LAN with Internet access? Some criterion (a probabilistic assessment, a volitional decision) is needed to determine the relevance of threats to integrity/availability/confidentiality that can be carried out by means of the NDV of Windows OS.
In other words, for which information systems running Windows OS are type 1 threats not relevant?


3 answer(s)
ansv, 2013-02-22
@ansv

There is no answer to this question. Opinions were evenly divided. The same Aleksey Lukatsky optimistically declares that one can safely write “the threats of the NDV are irrelevant” and move away from 1-2 levels. Others, more cautious, believe that it is not so easy to get off. As far as I know, there is no method or criteria to say that in this case the threats are not relevant.
I will try to reason from the point of view of common sense (which may not be applicable to the topic of protecting personal data). If I suspect that the intruder who will act against me has one in his arsenal of dirty tricks that will allow him to use some kind of NDV in the equipment I use, then I will use proven (certified) SVT. If my supposed opponents are not so advanced, I will consider NDV irrelevant.
When compiling the Threat Model, I would work this point out when describing the capabilities of the intruder (Intruder Model), in the spirit of "Certified protective equipment and mass-produced SVT samples from well-known manufacturers are used ...". Well, in short, I would carefully justify irrelevance.
Plus, there is a chance that such an important point will be somehow clarified in further documents of the regulators, but there is little hope ...

Loreweil, 2013-02-23
@Loreweil

As everyone correctly noted above, as always they will write something into the legislation, but it is not clear how to do it. With threats of NDV, it turned out the same way as with the fact that PD operators must themselves determine the amount of damage to PD subjects in case of a violation of the confidentiality of these PD, and there is no methodology at all to determine this amount of damage.
About NDV threats, as already mentioned, develop an intruder model and a threat model, consistently justifying the irrelevance of these threats. For example, if we take an internal violator, we write that you have developed organizational and administrative documentation, all employees admitted to processing PD have signed a non-disclosure agreement, measures are taken periodically to control compliance with the confidentiality of PD, and if there is an insider, then we have IPS from NSD, which record all user actions in their logs. As for the external violator, you can justify it by the estimated harm and value of your PD. Like, your ISPD is not of interest to foreign intelligence services or criminal groups, so no one will hire a hacker for big money who knows all zero-day vulnerabilities, and besides, you have firewalls,

kimssster, 2013-02-22
@kimssster

Apparently in those that use a copy certified by FSTEC as the OS.
