Cybersecurity regulation in Russia (2026)
Russia operates a comprehensive, state-centric cybersecurity regime built around the 2017 Critical Information Infrastructure (CII) Law No. 187-FZ, which mandates protection measures, asset categorization and incident reporting for operators in defence, energy, finance, healthcare, transport, telecoms and other sectors. Incidents are reported through the FSB-run GosSOPKA system and its National Coordination Center for Computer Incidents (NKTsKI), while personal-data breaches must be notified to Roskomnadzor under Law No. 152-FZ. Penalties were sharply increased from 30 May 2025, introducing turnover-based administrative fines and new criminal liability for data leaks.
Key points
Federal Law No. 187-FZ (adopted 26 July 2017, in force 1 January 2018) sets the core CII security regime, requiring owners of significant CII objects to categorize assets, apply protection measures and register with FSTEC, the technical-security regulator that supervises the field.
CII operators must report computer incidents to the FSB-operated GosSOPKA system via the National Coordination Center for Computer Incidents (NKTsKI), established in late 2018, which centralizes detection, analysis and coordinated response to attacks on Russian state and critical-sector networks.
Under Federal Law No. 152-FZ (amended from 1 September 2022), data operators must notify Roskomnadzor of a personal-data breach within 24 hours of detection, followed by results of an internal investigation within 72 hours.
Amendments to the Administrative Offences Code and Criminal Code in force from 30 May 2025 introduced GDPR-style turnover-based fines for repeat data leaks (up to 1–3% of annual revenue, capped at RUB 500 million) plus new criminal liability of up to 10 years' imprisonment for illegal handling of unlawfully obtained personal data.
The Bank of Russia regulates information security for banks and financial-market participants and runs FinCERT, the financial-sector incident-exchange and response center; over 800 organizations including all Russian banks share incident data through it.
Oversight is split among FSTEC (technical protection and CII categorization), the FSB (GosSOPKA/NKTsKI operational threat response) and Roskomnadzor (personal-data protection and breach notifications), reflecting a centralized, state-controlled model.
Timeline - major decisions & events
Roskomnadzor, jointly with the FSB and Ministry of Digital Development, gained binding legal authority to reroute all internet traffic in real time and switch RuNet into isolation mode under Decree No. 1667, which remains in force until 2032. The decree operationalizes the most sweeping powers of the 2019 Sovereign Internet Law, including DPI-based traffic rerouting and binding orders to all ISPs and internet-exchange owners. (ABIT Cybersecurity Analysis ↗)
Russia approved a sweeping cybercrime legislative package amending over 30 laws, imposing prison terms of 5–15 years for hacking, data theft, and CII attacks and up to 12 years for large-scale cyber fraud. Tougher penalties under Criminal Code Articles 272, 273, and 274.1 are paired with asset seizure provisions and are the most aggressive overhaul of cyber-criminal statutes since the 2017 CII law. (Truesec ↗)
A formal amendment to the 2022 Decree No. 250 was published, broadening the scope of required security subdivisions and deputy-director accountability for information security across strategic enterprises, state corporations, and all CII subjects — closing gaps identified during two years of enforcement. (Digital Policy Alert ↗)
Amendments to the Personal Data Law (152-FZ) enacted a 24-hour initial breach notification to Roskomnadzor (stricter than GDPR) followed by a 72-hour full report, plus a mandatory transfer-impact assessment and Roskomnadzor pre-notification before any cross-border personal data transfer. Core provisions took effect September 1, 2022; cross-border rules from March 1, 2023. (Digital Policy Alert ↗)
Putin's Decree No. 250 required all federal authorities, state corporations, strategic enterprises, and CII subjects to appoint a named deputy director responsible for cybersecurity and to establish dedicated information-security subdivisions; CEOs face personal liability for failures in cyberattack response. The decree was a direct response to the surge in attacks following the February 2022 invasion of Ukraine. (DataGuidance ↗)
Russia mandated installation of Deep Packet Inspection (DPI) equipment on all ISPs, enabling Roskomnadzor to centrally filter and reroute traffic and to operate a national DNS — creating the technical infrastructure to isolate RuNet from the global internet in a declared emergency. The law entered force November 1, 2019 and gave Roskomnadzor unprecedented autonomous blocking powers. (Internet Society ↗)
Three FSB orders issued in July 2018 formally stood up the National Coordination Centre for Computer Incidents (NCCCI, the NKTsKI referred to above) and defined binding requirements for CII subjects to connect to and share incident telemetry with the GosSOPKA state detection-and-response network, operationalizing the 187-FZ mandate. (TAdviser ↗)
Russia's landmark CII law obligated operators across 13 sectors (energy, transport, healthcare, finance, telecom, defence, nuclear, etc.) to categorize systems by criticality, register with FSTEC, and implement FSTEC-certified security measures against computer attacks; it provided the legislative foundation for GosSOPKA and took effect January 1, 2018. (Presidential Library of Russia ↗)
Putin approved a revised Information Security Doctrine replacing the September 2000 version, designating protection of critical information infrastructure, development of domestic IT, and countering foreign information influence as core national security priorities; it set the strategic direction for all subsequent cybersecurity legislation and regulatory programs. (Ministry of Foreign Affairs of Russia ↗)
The 'Yarovaya package' required telecoms to retain call content for 6 months and metadata for 3 years, while internet services (email, messaging, social networks) must store user content for 6 months; all operators must provide the FSB with decryption keys and real-time access without a court order. Telecom storage requirements began phased implementation from July 1, 2018. (Stanford WilMap ↗)
Enacted in July 2014 and accelerated one year ahead of schedule, the data localization law entered force requiring that personal data of Russian citizens be collected, recorded, and stored on servers physically located in Russia; Roskomnadzor gained authority to block foreign operators found non-compliant, shifting the global compliance posture of multinationals. (Stanford WilMap ↗)
Putin ordered the FSB to build GosSOPKA — the State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks — establishing Russia's first unified national cyber-incident detection and response architecture spanning all government and critical information systems, and laying the institutional groundwork for the later NCCCI. (Meduza ↗)
Russia's foundational statute on information, information technologies, and information protection replaced a 1995 predecessor, establishing core principles on information access, restricted-information classification, and mandatory technical protection measures; it remains the bedrock law on which all subsequent cybersecurity obligations are layered. (WIPO Lex ↗)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.