Cybersecurity · Russia

Comprehensive law: Federal Law No. 187-FZ 'On the Security of Critical Information Infrastructure of the Russian Federation' (adopted 2017, in force 2018), supplemented by Federal Law No. 152-FZ on Personal Data and the GosSOPKA/NKTsKI state incident-response system, with sector rules from the Bank of Russia (FinCERT) and oversight by FSTEC, the FSB and Roskomnadzor.

Russia operates a comprehensive, state-centric cybersecurity regime built around the 2017 Critical Information Infrastructure (CII) Law No. 187-FZ, which mandates protection measures, asset categorization and incident reporting for operators in defence, energy, finance, healthcare, transport, telecoms and other sectors. Incidents are reported through the FSB-run GosSOPKA system and its National Coordination Center for Computer Incidents (NKTsKI), while personal-data breaches must be notified to Roskomnadzor under Law No. 152-FZ. Penalties were sharply increased from 30 May 2025, introducing turnover-based administrative fines and new criminal liability for data leaks.

Critical infrastructure law (187-FZ)

Federal Law No. 187-FZ (adopted 26 July 2017, in force 1 January 2018) sets the core CII security regime: CII subjects must categorize their CII objects by significance, and objects assigned a significance category are entered in the register kept by FSTEC, the technical-security regulator that supervises the field and whose protection requirements the owners of those objects must then implement.

GosSOPKA / NKTsKI incident reporting

CII operators must report computer incidents to the FSB-operated GosSOPKA system via the National Coordination Center for Computer Incidents (NKTsKI), established in late 2018, which centralizes detection, analysis and coordinated response to attacks on Russian state and critical-sector networks.

Personal-data breach notification

Under Federal Law No. 152-FZ (as amended from 1 September 2022), personal-data operators must notify Roskomnadzor of a personal-data breach within 24 hours of detecting it and submit the results of their internal investigation within 72 hours.

Tougher penalties from May 2025

Amendments to the Administrative Offences Code and Criminal Code in force from 30 May 2025 introduced GDPR-style turnover-based fines for repeat data leaks (1–3% of annual revenue, capped at RUB 500 million) and new criminal liability of up to 10 years' imprisonment for the illegal handling of unlawfully obtained personal data.

Financial-sector supervision (Bank of Russia / FinCERT)

The Bank of Russia regulates information security for banks and financial-market participants and runs FinCERT, the financial-sector incident-exchange and response center; over 800 organizations including all Russian banks share incident data through it.

Regulators and division of authority

Oversight is split among FSTEC (technical protection and CII categorization), the FSB (GosSOPKA/NKTsKI operational threat response) and Roskomnadzor (personal-data protection and breach notifications), reflecting a centralized, state-controlled model.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.