1. GOVERNING TEXTS
Please note that some of the Russian Government's websites are not working. Therefore, some of the hyperlinks to Government departments and official documents may not be available at the moment.
There is no unified regulation on cybersecurity in Russia. Although some general principles apply in every case, the applicable rules must be assessed for each particular case depending on the industry, the activities conducted, and the types of information accessed. Below, we summarise some general regulations to give an overview of the Russian cybersecurity legal landscape. This landscape is still actively developing, especially in 2022, so it is crucial to keep monitoring further legislative initiatives and enforcement practice.
The Federal Law of 27 July 2006 No. 149-FZ on Information, Information Technologies and Protection of Information (as amended) (only available in Russian here) ('the Law on Information') establishes the general regulations on the use of IT and information security, regulations applicable to search engines and messengers, website blocking tools, restrictions on the use of VPN, and other regulations on online activities.
The Federal Law of 7 July 2003 No. 126-FZ on Communications (as amended) (only available in Russian here) ('the Law on Communications') sets out the basic rules and principles regulating the activity of communication providers and the protection of communication networks. The Law on Communications also contains requirements for the storage of information by communication providers and the procedure for access to it by state authorities (including the police and the Federal Security Service ('FSB')).
The Federal Law of 26 July 2017 No. 187-FZ on Security of Critical Russian Federation Information Infrastructure (only available in Russian here) ('the Law on CII') sets out the basic principles for ensuring the security of Russian Critical Information Infrastructure ('CII'), including the grounds for the functioning of the state system for detecting, preventing, and eliminating the consequences of computer attacks against the Russian Federation's information resources. The Law on CII also defines the powers of state bodies for ensuring the security of CII and the rights and obligations of the various actors in this area. Furthermore, the Law on CII establishes the State System for Detecting, Preventing, and Eliminating the Consequences of Computer Attacks on Information Resources of the Russian Federation ('GosSOPKA'). GosSOPKA accumulates all information on cyber attacks and other incidents collected from the subjects of CII and ensures communication and cooperation between them. For further information on CII, see section 11 below.
The Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (available in Russian here; an unofficial English version as of 2019 is available here) ('the Law on Personal Data') provides for regulations on personal data processing, including means of protection of personal data.
The Doctrine on Informational Security of the Russian Federation (approved by Presidential Decree of 5 December 2016 No. 646) (only available in Russian here) establishes a set of basic principles and directions for the development of national security of the Russian Federation in the information sphere.
The Strategy for the Development of Information Society in the Russian Federation for 2017-2030 (approved by Presidential Decree of 9 May 2017 No. 203) (only available in Russian here) defines goals, objectives, and measures for the implementation of domestic and foreign policy of the Russian Federation in the application of information and communication technologies, aimed at the development of the information society, the formation of a national digital economy, ensuring national interests, and the implementation of strategic national priorities.
Presidential Decree No. 250 of 1 May 2022 on Additional Measures to ensure the Information Security of the Russian Federation ('Decree No. 250') (only available in Russian here) obliges all federal executive bodies, higher executive bodies of the regions of Russia, state funds, state corporations, and other organisations established in accordance with federal laws, strategic enterprises, strategic joint stock companies, subjects of CII, and some other bodies and organisations to create an internal department to ensure cybersecurity, including detecting and preventing cybersecurity threats. It also sets out various important cybersecurity regulatory requirements for those bodies and entities.
1.2. Regulatory authority
- The Government of the Russian Federation ('the Government') develops, ensures, and supports a unified policy of the state, including in the field of cybersecurity.
- The Ministry of Digital Development, Communications, and Mass Media ('the Ministry') is the main executive authority in the field of IT, communications, and personal data processing, empowered to issue regulatory acts and provide clarifications of legislation in the field.
- The FSB establishes the procedure for reporting computer incidents, as well as the procedure and technical conditions for installing and operating means designed to detect, prevent, and eliminate the consequences of computer attacks and to respond to computer incidents.
- The Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor') is the executive authority responsible for exercising control over the provision of communication services and personal data processing. The Roskomnadzor is empowered to conduct inspections, issue warning prescriptions, and initiate administrative proceedings.
- The Federal Service for Technical and Export Control ('FSTEC') is the executive authority responsible for exercising control over the fulfilment of technical measures for the protection of confidential information and for conducting export control. FSTEC is empowered to conduct inspections, issue warning prescriptions, and initiate administrative proceedings. FSTEC establishes requirements applied to the security of objects of CII.
- The Central Bank of the Russian Federation ('the Central Bank') establishes requirements applied to the security of objects of CII in the banking sector and in other areas of the financial market.
- In March 2022, the Government instructed the heads of all regions of the Russian Federation to create in each region an office to fight cyber threats. This project is under development, but it is expected that these offices will cooperate with local authorities and companies in each region to develop an effective plan for fighting cyber threats. As of June 2022, such offices had been created in almost all regions of Russia.
1.3. Regulatory authority guidance
The regulatory authorities issue, from time to time, non-binding guidance and recommendations in their respective areas of expertise, for example, the FSTEC publishes from time to time information notices and analytics (accessible in Russian here). The Ministry also issues guidance and clarifications, in particular on personal data localisation and other regulations in the sphere of data protection (accessible in Russian here). Additional guidance and clarifications on data protection may be issued by the Roskomnadzor from time to time (accessible in Russian here).
2. SCOPE OF APPLICATION
Most requirements apply only to Russian legal entities. At the same time, a foreign company without a legal presence in Russia may be subject to some Russian law requirements (e.g. the personal data localisation requirement) if its activities are targeted towards Russia. There are no clear criteria for how such targeting is to be determined. With respect to services provided via online platforms, the Ministry, the Roskomnadzor, and Russian courts have adhered to a 'virtual presence' approach.
The following criteria are usually used (individually or in combination) to confirm that the business activities of foreign entities are targeted to Russia:
- all activities conducted through a Russian ccTLD domain, namely .RU, as well as .РФ and .SU domain zones;
- the online platform has a Russian version;
- the online platform provides a possibility of conclusion and performance of contracts with Russian residents;
- the online platform provides a possibility to conduct payments in Russian rubles;
- adverts of the online platform are distributed in Russian; and
- the online platform provides Russian-based contact details (phone numbers, postal addresses, emails, etc.).
We note that this list is not exhaustive, and competent state authorities and courts may consider other factors in each case.
Starting from 1 September 2022, the Law on Personal Data has explicitly set out the terms under which it applies to the processing of personal data of Russian citizens by foreign legal entities or foreign individuals. It applies if such processing is done on the basis of:
- a contract, if a party to such contract is a Russian citizen;
- other agreements made between foreign legal entities, foreign individuals, and Russian citizens; or
- the consent of a Russian citizen for personal data processing.
It should also be noted that on 1 July 2021, the President of the Russian Federation signed the Federal Law of 1 July 2021 No. 236-FZ on the Operation of Foreign Entities in the Internet on the Territory of the Russian Federation (only available in Russian here). This law, inter alia, requires foreign information resources (websites and software with a daily audience of more than 500,000 Russian users that meet at least one of the criteria listed in the law) to establish a branch or representative office in Russia, which shall be responsible for handling the requests of Russian citizens and state authorities, participating in court proceedings, and enforcing the rulings of local authorities.
The Law on CII provides the following definitions:
Critical Information Infrastructure (CII): CII facilities, as well as telecommunication networks used to organise the interaction of such facilities.
Objects of CII: Information systems, information and telecommunication networks, and automated control systems of CII entities.
Subjects of CII: State bodies, state institutions, Russian legal entities, and/or individual entrepreneurs who own, lease, or otherwise legally possess information systems, information and telecommunication networks, or automated control systems operating in the fields of healthcare, science, transport, communications, energy, banking and other areas of the financial market, the fuel and energy complex, nuclear energy, defence, rocket and space, mining, and the metallurgical and chemical industries, as well as Russian legal entities and/or individual entrepreneurs who ensure the interaction of these systems or networks.
The Law on Information provides the following definitions:
Organiser of the dissemination of information on internet ('the Organiser'): An entity that ensures the functionality of informational systems and/or programs for electronic machines, aimed at, and used, in order to receive, transmit, deliver, and/or process electronic messages of internet users.
Instant messaging service: The Organiser that ensures functionality of the informational systems and/or software, which:
- is designed and/or used for exchanging electronic messages exclusively between users of such information systems and/or software;
- allows senders of electronic messages to determine the recipient(s) of the message;
- does not provide users with the opportunity to post publicly available information; or
- does not provide users with the opportunity to transfer electronic messages to an indefinite group of people.
The Law on Personal Data provides the following definitions:
Personal data operator: A state or municipal authority, individual, or legal entity which processes personal data in any form on its own or jointly with other persons, organises and/or carries out the processing of personal data, and determines the purposes, content, and actions of personal data processing.
Automated processing of personal data: Processing of personal data by means of computer technology.
Personal data information system: A set of personal data contained in databases, as well as information technologies and technical means that ensure their processing.
Non-automated processing of personal data: Processing of personal data contained in an information system of personal data or extracted from such a system with the direct participation of a person.
Processing of personal data: Any action or operation, or a set of actions or operations, performed with or without the use of automation tools with personal data, including the collection, recording, systematisation, accumulation, storage, clarification (i.e. update, change), extraction, use, transfer (i.e. distribution, provision, access), depersonalisation, blocking, deletion, and destruction of personal data.
Personal data: Any information relating directly or indirectly to an identified or identifiable individual (subject of personal data).
Special categories of personal data: Personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, and intimate life.
Biometric personal data: Information that characterises the physiological and biological characteristics of a personal data subject on the basis of which it is possible to establish their identity.
Personal data subject or data subject: An individual to whom the personal data is related.
Cross-border transfer of personal data: The transfer of personal data to the territory of a foreign state or an authority of a foreign state, a foreign individual, or a foreign legal entity.
The Federal Law of 7 July 2003 No. 126-FZ on Communications (as amended) (only available in Russian here) ('the Law on Communications') provides the following definition:
Communication operator: A legal entity or an individual entrepreneur providing communication services.
The Civil Code of the Russian Federation of 30 November 1994 No. 51-FZ (as amended) (only available in Russian here) provides the following definition:
Database: A set of independent materials (articles, calculations, regulations, court decisions, and other similar materials) presented in an objective form, systematised in such a way that these materials can be found and processed using a computer.
4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK
4.1. Cybersecurity training and awareness
Russian law obliges the heads and members of cybersecurity teams of significant objects of CII to regularly undergo cybersecurity training (compliance training programmes).
In addition, personal data operators shall familiarise their employees with the requirements of data privacy legislation, internal regulatory documents on data processing, and the employees' rights and duties in this sphere, and obtain the employees' signatures confirming this. This is usually done in the form of training sessions informing the employees of the legal, organisational, and technical measures taken to process data.
4.2. Cybersecurity risk assessments
Subjects of CII and personal data operators shall carry out an independent assessment of the risks and possible harm that may be caused to companies, individuals, the state, etc.
Taking this measure also requires the adoption of the relevant documents regulating management, security, and control over data processing and security of information systems. The assistance of a technical specialist is usually required at this stage.
4.3. Vendor management
State bodies and companies subject to Decree No. 250 are authorised to engage third parties to:
- ensure the information security of such bodies and companies (if the service provider has a license for technical protection of confidential information); and
- detect, prevent, and eliminate the consequences of computer incidents and respond to them (if the service provider is duly accredited).
All such entities must ensure that the information with limited access (of confidential nature) is not accessed by non-authorised third parties. This is achieved by internal policies and template contracts with vendors.
For example, the Law on Personal Data provides that data transfer/processing agreements should include mandatory terms, namely:
- a list of personal data processed;
- processing methods that will be undertaken with respect to personal data to be transferred;
- purposes for processing;
- confidentiality obligations of the processor and obligation to keep data secured;
- the obligation to comply with Russian data localisation rules;
- the obligation to comply with Article 18.1 of the Law on Personal Data (legal and organisational measures to be taken by data operator); and
- a list of security measures to be taken by the processor according to Russian law, including an obligation to inform the data operator of any unauthorised or accidental transfer of personal data that results in a breach of the rights of data subjects.
It is also worth noting that a personal data operator (i.e. a data controller) is liable for the actions of its vendors (i.e. data processors) if the vendor is a local one. Starting from 1 September 2022, if the data operator entrusts the processing of personal data to a foreign individual or foreign legal entity, both the data operator and the foreign data processor are liable before the data subject.
4.4. Accountability/record keeping
The obligations may vary depending on the industry and legal acts applicable to the subject. For example, the personal data operator shall in particular:
- keep an internal list of the machine-readable media (e.g. laptops, USB drives, mobile phones) used to process (and store) personal data;
- back up stored personal data so that it can be restored in case of modification or destruction as a result of unauthorised access;
- establish rules of access to personal data processed in information systems (e.g. determine the persons/positions who have access to personal data information systems and set logins and passwords) and ensure the registration and recording of all actions performed with personal data in such information systems; and
- regularly control and monitor compliance with the adopted technical (security) measures.
In particular, such control and monitoring may be carried out in the form of internal or external audits. Such audit should be conducted at least every three years.
5. DATA SECURITY
The requirements vary depending on the particular laws and regulations that apply to the company.
Thus, if a subject of CII owns significant objects of CII that have been categorised under applicable law, it must create a protection system and determine the means of implementing it. The main regulatory acts are Order of FSTEC of 25 December 2017 No. 239 On The Approval Of Requirements For The Security Of Significant Objects Of The Critical Information Infrastructure Of The Russian Federation (only available in Russian here) and Order of FSTEC of 21 December 2017 No. 235 On The Approval Of Requirements For The Creation Of Security Systems Of Significant Objects Of The Critical Information Infrastructure Of The Russian Federation And Ensuring Their Functioning (only available in Russian here).
At the same time, personal data operators should comply with all requirements set forth in relation to technical measures by the Government, FSTEC, and the FSB, for instance:
- Resolution of the Government of 1 November 2012 No. 1119 (only available in Russian here);
- Order of the FSB of 10 July 2014 No. 378 on Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data When They are Processed in Personal Data Information Systems Using Cryptographic Information Protection Necessary to Meet the Requirements for the Protection of Personal Data Established by the Government of the Russian Federation for Each Level of Security (only available in Russian here);
- Order of FSTEC of 11 February 2013 No. 17 on Approval of Requirements on the Protection of Information Not Constituting a State Secret Contained in State Information Systems (only available in Russian here); and
- Order of FSTEC of 18 February 2013 No. 21 On Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Safety of Personal Data in Their Processing In Personal Data Information Systems (only available in Russian here).
Generally, the implementation of such technical measures includes:
- the development of a model of threats; and
- the determination of the required security level depending on the type and amount of personal data processed and types of potential threats (there are three types of threats and four levels of security provided by Russian law).
The required security level determines the type of security measures that shall apply.
Personal data operators shall also adopt a number of internal legal, organisational, and technical internal documents governing proper protection and processing of personal data.
From 1 March 2023, data operators must also assess the harm which may be caused to the data subjects in case of violations of the Law on Personal Data, as well as the correlation of the identified harm with the actions taken by the data operators to ensure they fulfil their obligations under the law, based on the requirements established by the Roskomnadzor.
We also note that the particular scope of applicable security measures depends on the types of processed data. Determination of the necessary security measures requires the assistance of IT/technical specialists.
Starting from 1 January 2025, state bodies and companies subject to Decree No. 250 are not entitled to use means of data protection originating from foreign states that commit unfriendly acts against Russia, its companies, and its citizens, or manufactured by companies under the jurisdiction of such states, under their direct or indirect control, or affiliated with them. The list of such 'unfriendly' states includes the US and Canada, EU states, the UK (including the Bailiwick of Guernsey, the Bailiwick of Jersey, the Isle of Man, Anguilla, the British Virgin Islands, and Gibraltar), Ukraine, Montenegro, Switzerland, Albania, Andorra, Iceland, Liechtenstein, Monaco, Norway, San Marino, North Macedonia, as well as Japan, South Korea, Australia, Micronesia, New Zealand, Singapore, the Bahamas, and Taiwan.
6. NOTIFICATION OF CYBERSECURITY INCIDENTS
Starting from 1 September 2022, all personal data operators who discover a non-authorised or accidental data transfer (grant of access, provision, distribution) which results in the breach of the rights of data subjects, must inform the Roskomnadzor:
- within 24 hours, on the incident, the reasons why the rights of data subjects have been affected, the estimated harm, the measures taken to remediate the incident, and the contact details of the representatives authorised to discuss the incident with the Roskomnadzor; and
- within 72 hours, on the results of the internal investigation, as well as information on the persons whose actions caused the incident (if any).
The time frame is calculated from the moment when the data operator, the Roskomnadzor, or other interested third parties discover the incident. The Roskomnadzor will maintain a register of privacy incidents from 1 March 2023.
In addition to the above, all data operators must ensure cooperation with GosSOPKA, including informing it of computer incidents that result in the unauthorised transfer of personal data. The regulation of such cooperation and data provision is under development by the FSB. It is expected to be similar to the procedure set for subjects of CII, which is already in effect and is described below.
Subjects of CII must report on computer incidents immediately. According to the Decree of the FSB of 24 July 2018 No. 368 (only available in Russian here), notification shall be sent to:
- GosSOPKA under the FSB;
- the National Coordination Centre for Computer Incidents ('NCCCI'); and/or
- the Central Bank, if the computer incident relates to the operation of banking or financial systems of Russia.
The notification shall include full information on the technical details of the computer incident.
Notification shall be sent via the technical infrastructure of the NCCCI or by facsimile, electronic, or telephone communication to the addresses or phone numbers that the NCCCI has specified on its website.
The Order of the FSB of 19 June 2019 No. 282 on Approval of the Procedure for Informing the FSB about Computer Incidents (only available in Russian here) ('the Computer Incidents Order') provides certain details of the reporting procedure.
Accordingly, the subject of CII must report all cyber incidents related to the operation of a significant object of CII within three hours after their occurrence. Reports on cyber incidents related to the operation of other objects of CII must be submitted within 24 hours after their occurrence.
The format of the incident report is still under development by the NCCCI.
In addition, the Law on Personal Data provides for an obligation for the personal data operator to inform the personal data subject and the regulator in this sphere of security incidents, but only in cases where such incidents were discovered based on the request of the data subject or the regulator respectively.
7. REGISTRATION WITH AUTHORITY
The registration/notification requirement varies depending on the status of the company. A few examples are provided below.
The subjects of CII must evaluate their objects (e.g. information systems) and identify those objects which are significant. The list of such objects and category of significance is sent to FSTEC, which maintains the list of such significant objects of CII. The subject of CII must further develop and approve the system of protection of significant objects of CII.
The Organiser is obliged to notify the Roskomnadzor of the start of its activity as an organiser of the dissemination of information upon that state authority's request. The Organiser has five business days to respond to such a request.
Personal data operators should also, before starting personal data processing, file a notification with the Roskomnadzor on processing personal data, save for the following exemptions:
- the operator processes personal data included in the state information systems of personal data created in order to protect the security of the state and public order;
- the operator carries out activities for the processing of personal data exclusively without the use of automated tools; or
- the operator processes personal data based on legislation on transport security.
From 1 March 2023, separate notifications on cross-border data transfers must be also filed with the Roskomnadzor.
Owners of anonymisers are obliged, within 30 business days after receipt of the Roskomnadzor's request, to sign up to the state system of prohibited (blocked) websites and to promptly (i.e. within three days of signing up) restrict access to the websites included in the system.
Communication operators are obliged to obtain a state licence before starting their activities. To obtain a licence, an entity should file an application with the Roskomnadzor. The term of consideration varies from 30 to 75 days and depends on the particular type of communication service.
8. APPOINTMENT OF A SECURITY OFFICER
State bodies and companies subject to Decree No. 250 are obliged to create a department to ensure the information security of such bodies and companies or to assign these functions to existing departments.
Separate (additional) requirements are imposed on security officers and security departments which ensure the security of significant objects of CII, which are qualified as such under Russian law by the subject of CII.
Personal data operators should appoint a person responsible for ensuring the security of personal data in the information system if the operator is required to ensure a security level higher than the fourth. In any case, legal entities acting as data operators must appoint a data processing officer.
9. SECTOR-SPECIFIC REQUIREMENTS
Financial institutions are a subject of CII; however, additional requirements are provided by the Central Bank.
The Central Bank introduced security standards ('STO BRs') in order to establish uniform requirements for the information security of the Russian Federation banking system organisations.
STO BRs impose an obligation on the institutions of Russia's banking system to enact information security policies and documents regulating specific activities and applicable to particular procedures related to ensuring information security. The recommendations on such policies and documents are specified in a series of STO BRs, and supportive guidelines, including the following:
- Central Bank Standard STO BR IBBS-1.1-2007 Information Security of Russian Banking Institutions - Information Security Audit;
- Central Bank Standard STO BR IBBS-1.0-2014 Maintenance of Information Security of the Russian Banking System Organisations - General Provisions;
- Central Bank Standard STO BR IBBS-1.2-2014 Maintenance of Information Security of the Russian Banking System Organisations - Assessment Method for Compliance of Information Security of the Russian Banking System Organisations with Requirements of STO BR IBBS-1.0-2014;
- Central Bank Standard STO BR IBBS-1.3-2016 Ensuring Information Security of Organisations of the Banking System of the Russian Federation - Collection and Analysis of Technical Data in Response to Information Security Incidents When Making Money Transfers (only available in Russian here);
- Central Bank Standard STO BR IBBS-1.4-2018 Ensuring Information Security of Organisations of the Banking System of the Russian Federation - Managing the Risk of Information Security Violations in Outsourcing (only available in Russian here);
- Central Bank Standard STO BR BFBO-1.5-2018 Security of Financial (Banking) Operations - Managing Information Security Incidents - Forms and Terms of Interaction of the Central Bank with Participants of Information Exchange When Detecting Incidents Related to Violation of Information Security Requirements (only available in Russian here); and
- Central Bank Guideline No. 716-P of 8 April 2020 on Requirements to the Operational Risk Management System in a Credit Institution and Banking Group (only available in Russian here).
Health institutions are a subject of CII. Information about health status is considered sensitive data and is therefore a special category of personal data. To process sensitive data, written consent is required, with certain limited exceptions.
Written consent means consent made and stored on a recordable medium and physically signed by the data subject. The written consent should include:
- surname, first name, patronymic, address of the data subject, and information on the data subject's identity document;
- details (name and address) of the data operator and/or third-party processor;
- purpose of processing;
- list of relevant personal data to be processed;
- list of actions for which consent is given, as well as the ways of processing (i.e. with or without the use of means of automation);
- term of the consent and procedure for its revocation/withdrawal; and
- the data subject's signature.
Communication operators are a subject of CII.
The Law on Communications is the basic legal act stipulating framework regulations for communication services, including licensing requirements, storage of data on communications, and content of communications and technical requirements to be fulfilled by the communication operators.
The Law on Information provides the following definitions in relation to network and information systems:
- information system: a set of information contained in databases and information technologies and technical means which ensure the processing of information;
- operator of an information system: a person or a legal entity carrying out activities for the operation of the information system, including the processing of information contained in its databases; and
- information and telecommunication network: a technological system intended for the transfer of information by communication lines which is carried out with the use of computer facilities.
The Organiser is obliged to:
- store, in the territory of Russia, information on the facts of receipt, transmission, delivery, and/or processing of their internet users' voice data, text messages, pictures, sounds, or other messages within six months as of the date of termination of such actions within one year;
- store, in the territory of Russia, their users' text messages, voice data, pictures, sounds, video messages, or other electronic messages up to six months as of the date of receipt, transmission, delivery, and/or processing of these messages;
- provide the above information to respective enforcement or security state authorities upon their request; and
- provide state security authorities with the information necessary to decode users' messages in case of the use of additional encryption of electronic messages or provide the users with possibilities of such additional encryption.
The communication operator is obliged to:
- store, in Russia, information on the facts of receipt, transmission, delivery, and/or processing of their internet users' voice data, text messages, pictures, sounds, or other messages within six months of the date of termination of such actions within three years; and
- store, in Russia, their users' text messages, voice data, pictures, sounds, video messages, or other electronic messages up to six months as of the date of receipt, transmission, delivery, and/or processing of these messages.
Instant messaging services are obliged to:
- identify their users by their mobile numbers;
- restrict the possibility for (a) particular user(s) to exchange messages which contain prohibited information within 24 hours upon receiving a state authority's request;
- ensure the possibility to transmit electronic messages on the initiative of Russian state authorities; and
- prevent transmission of electronic messages in certain cases and according to the procedure established by the Government.
There are no specific cybersecurity requirements adopted in the labour sector. The requirements will vary depending on the status of the employer (e.g. CII, licensed operator, etc.).
Based on the Labour Code of the Russian Federation of 30 December 2001 No. 197-FZ (as amended) (only available in Russian here), an employer should obtain an employee's consent in written form to transfer personal data of employees to any third party, save for certain limited exceptions.
An employer does not have a right to receive and process the employee's personal data about their membership in public associations or labour unions unless otherwise provided by law.
Employers may not base any decision that affects or will affect the interests of an employee on the employee's personal data obtained solely as a result of automated processing.
There are no notable sector-specific cybersecurity requirements. However, the particular scope of applicable security measures depends on the types of processed data. Determination of the necessary security measures requires the assistance of IT/technical specialists.
Insurance companies are obliged to store information on all operations in their database within five years and transfer backup copies of these databases to the insurance supervision authority for storage within five business days after the end of each reporting half-year and each reporting year. However, the Central Bank will refrain from applying any sanctions in case of a violation of the said requirement until 1 January 2023.
There are no other notable sector-specific cybersecurity requirements. However, the particular scope of applicable security measures depends on the types of processed data. Determination of the necessary security measures requires the assistance of IT/technical specialists.
Violations of the Law on CII
In case of non-compliance with the requirements in fields of security of CII of the Russian Federation, the following administrative fines may be imposed:
- for violation of requirements for the security of significant objects of the CII of the Russian Federation or requirements for its security systems, up to RUB 100,000 (approx. €1,400) for legal entities;
- for violation of the procedure of informing on computer incidents, responding to them, and taking measures on liquidation of consequences of hacking, up to RUB 500,000 (approx. €7,200) for legal entities; and
- for violations of the procedure of informing about computer incidents between subjects of CII of the Russian Federation, between subjects of the critical infrastructure of the Russian Federation, and authorised bodies of foreign states and international, international non-governmental, and foreign organisations operating in the field of computer incidents response, up to RUB 500,000 (approx. €7,200) for legal entities.
Additionally, Article 274.1 of the Criminal Code of the Russian Federation of 13 June 1996 No. 64-FZ (as amended) (only available in Russian here) provides criminal liability for illegal interference with the objects of critical infrastructure, namely for the following activities:
- the creation, distribution, and/or use of software or other computer information, deliberately intended to make an illegal impact on the CII of the Russian Federation may entail the imposition of a fine of up to RUB 1 million (approx. €14,400) or imprisonment up to five years;
- the unauthorised access to protected computer information contained in the CII of the Russian Federation may entail the imposition of a fine of up to RUB 1 million (approx. €14,400) or imprisonment up to six years; and
- for violations of the rules for the processing of information contained in the CII of the Russian Federation, or in information systems or telecommunication networks related to the CII of the Russian Federation, if such violations caused damage to CII, imprisonment up to six years may be imposed.
For further information on CII, see section 11 below.
Organisers of dissemination of information on the internet, including instant messaging services
In case of non-compliance, organisers of dissemination of information on the internet including instant messaging services may be subject to the following penalties:
- the blocking of the related websites by a court ruling; and
- administrative fines may be imposed for:
  - failure to notify respective state authorities on the start of their activity as organisers of dissemination of information may entail a fine up to RUB 300,000 (approx. €4,300) for legal entities;
  - repeated failure to notify respective state authorities on the start of their activity as organisers of dissemination of information may entail a fine up to RUB 1 million (approx. €14,400) for legal entities;
  - violation of the requirement to store the information on the facts of receipt, transmission, delivery, and/or processing of users' electronic messages may entail a fine up to RUB 1 million (approx. €14,400) for legal entities;
  - repeated violation of the requirement to store the information on the facts of receipt, transmission, delivery, and/or processing of users' electronic messages may entail a fine up to RUB 6 million (approx. €86,400) for legal entities;
  - failure to comply with law enforcement authorities' requirements with respect to equipment, software, and technical means used in information systems may entail a fine up to RUB 500,000 (approx. €7,200) for legal entities;
  - repeated failure to comply with law enforcement authorities' requirements with respect to equipment, software, and technical means used in information systems may entail a fine up to RUB 6 million (approx. €86,400) for legal entities;
  - failure to provide state security authorities with the information needed for decoding messages may entail a fine up to RUB 1 million (approx. €14,400) for legal entities; and
  - repeated failure to provide state security authorities with the information needed for decoding messages may entail a fine up to RUB 6 million (approx. €86,400) for legal entities.
Administrative liability may be also imposed on communication operators for failure to comply with the requirements of the Law on Communications.
Personal data operator
In case of non-compliance, personal data operators may be subject to the following penalties:
- the blocking of the related websites by a court ruling; and
- administrative fines may be imposed for:
  - processing personal data in ways not permitted by the Law on Personal Data or processing personal data that is incompatible with the purposes of collecting personal data may entail a fine up to RUB 100,000 (approx. €1,400) for legal entities;
  - repeated violation under point (1) above may entail a warning or a fine up to RUB 300,000 (approx. €4,300);
  - processing personal data without the data subject's written consent when it is necessary under the law, or processing personal data without including required information into written consent may entail a fine up to RUB 150,000 (approx. €2,200) for legal entities;
  - repeated violation under point (3) above may entail a fine up to RUB 500,000 (approx. €7,200) for legal entities;
  - failure to provide data subjects with information about personal data processing may entail a fine up to RUB 80,000 (approx. €1,150) for legal entities;
  - failure to timely satisfy a data subject's request to detail, block, or delete personal data when personal data is incomplete, out of date, incorrect, illegally received, or not needed for the stated purpose of processing may entail a fine up to RUB 90,000 (approx. €1,300) for legal entities;
  - repeated violation under point (7) above may entail a fine up to RUB 500,000 (approx. €7,200) for legal entities;
  - failure to comply with the requirement to keep personal data secure and to prevent unauthorised access to such personal data while storing physical copies (i.e. when no automated means of processing are used), if this has led to illegal or accidental unauthorised access to, or destruction, modification, blocking, copying, provision, or distribution of, personal data or other illegal actions, unless such offence constitutes a crime, may entail a fine up to RUB 100,000 (approx. €1,400) for legal entities;
  - failure to comply with the data localisation rules may entail a fine up to RUB 6 million (approx. €86,400) for legal entities; and
  - repeated failure to comply with the data localisation rules may entail a fine up to RUB 18 million (approx. €260,000) for legal entities.
According to information provided by the Ministry, it has prepared a bill aimed at establishing criminal liability for data breaches. At the moment, the bill has not been published. Also, according to publicly available sources, the Ministry is preparing a draft law aimed at establishing turnover-based fines for data leaks. Please note that this bill has also not been published.
Other administrative liability
Failure to provide an individual with information that must be provided once requested under Russian law entails the imposition of a fine on officials up to RUB 10,000 (approx. €140).
Failure to provide state authorities with the required information leads to administrative liability in form of a warning or a fine on legal entities in an amount up to RUB 5,000 (approx. €72).
The use of non-certified information systems, databases, and data banks, as well as non-certified information protection means, if required, may entail the imposition of an administrative fine on legal entities up to RUB 25,000 (approx. €360), with or without confiscation of uncertified means of information protection.
Failure to obtain a licence for technical protection of confidential information may entail the imposition of a fine on a legal entity of up to RUB 20,000 (approx. €290), with or without confiscation of the means of information protection.
Other criminal liability
Illegal access to legally protected computer information, if it resulted in destruction, blocking, modification, or copying of the computer information, entails the imposition of a fine in the amount of up to RUB 200,000 (approx. €2,900) or imprisonment of up to two years.
The creation, dissemination, or use of software or other computer information, intended for unauthorised destruction, blocking, modification, or copying of computer information or for blocking information security tools entails imprisonment of up to four years and imposition of a fine in the amount of up to RUB 200,000 (approx. €2,900).
Violation of the rules for the operation of facilities for the storage, processing, and transfer of computer information, of information and telecommunication networks and related equipment, or of the rules of access to information and telecommunication networks, which resulted in the destruction, blocking, modification, or copying of computer information causing major damage, entails imposition of a fine of up to RUB 500,000 (approx. €7,200) or imprisonment of up to five years.
11. OTHER AREAS OF INTEREST
In February 2020, the Tagansky District Court of Moscow imposed fines in the amount of RUB 4 million (approx. €65,000) each on Twitter, Inc. and Facebook, Inc. for a failure to record, systemise, accumulate, store, clarify (i.e. update, change), and ensure retrieval of personal data of Russian citizens in databases located within the territory of Russia. According to information provided by the Roskomnadzor (only available in Russian here), as of 1 July 2021, neither company had confirmed its compliance with the localisation requirements, and both may be subject to an administrative fine up to RUB 18 million (approx. €202,760).
A fine of RUB 3 million (approx. €50,000) was also imposed on Google LLC based on the same ground.
Further, in August 2022, the Tagansky District Court of Moscow fined WhatsApp LLC RUB 4 million (approx. €65,000) for non-compliance with the data localisation rule under the Russian Law on Personal Data. Facebook, Inc. and Twitter, Inc. were fined RUB 15 million (approx. €245,000) and RUB 17 million (approx. €280,000) respectively for repeated violations of the data localisation rule under the Law on Personal Data.
On 27 May 2022, the Roskomnadzor reported that it had drawn up administrative protocols against Airbnb, Inc., Pinterest, LikeMe Inc., Twitch Interactive, Inc., Apple Inc., United Parcel Service ('UPS'), and Google for the non-fulfilment of the data localisation requirement (i.e. not storing personal data on the territory of the Russian Federation). The Tagansky District Court of Moscow has received the protocols and scheduled the hearings. Since it will be the second (i.e. repeated) violation for Google, it faces a fine of up to RUB 18 million (approx. €260,000). The other mentioned companies have not been held liable for this before; therefore, they face a fine up to RUB 6 million (approx. €93,000).
The administrative liability described herein for a breach of legislation on CII has been in force only since 2021, and the enforcement practice is still developing.
The Law on CII was adopted to ensure the security of CII facilities in Russia, the functioning of which is critically important for the state economy. These objects are called objects of CII and include information systems and networks in the following fields:
- banking and financial services;
- atomic energy;
- defence and aerospace industry;
- mining, metallurgical, and chemical industries; and
- infrastructure providing interaction between the above systems and networks.
Objects of CII, together with telecommunication networks, make up the general concept of CII. The Law on CII is intended to ensure its stable functioning in case of cyber attacks.
Russian legislation uses the term 'subject' instead of 'operator.' Subjects of CII include:
- state bodies, state institutions, Russian legal entities, and/or individual entrepreneurs owning (by right of ownership, lease, or on other legal grounds) information systems, information and telecommunication networks, and automated management systems operating in the fields of:
  - healthcare;
  - banking and other areas of the financial market;
  - fuel and energy complexes;
  - rocket and space industry; and
  - mining, metallurgical, and chemical industries; and
- Russian legal entities and/or individual entrepreneurs who provide the interaction of these systems or networks.
In addition, subjects of CII are required to:
- immediately inform authorised bodies of cyber incidents;
- assist authorised bodies in detecting, preventing, and eliminating the consequences of cyber attacks; and
- ensure that an operating procedure is implemented for devices designed to detect, prevent, and eliminate the effects of cyber attacks.
The Law on CII provides two general steps in order to ensure the security of the CII:
- categorisation of objects of CII; and
- design and implementation of security systems corresponding to the results of categorisation.
Furthermore, the Decree of the Government of 8 February 2018 No. 127 on the Approval of the Rules for Categorising Objects of Critical Information Infrastructure of the Russian Federation, as well as the List of Indicators of Criteria for the Significance of Objects of Critical Information Infrastructure of the Russian Federation and their Values (only available in Russian here) established three categories of objects of CII. The category of a CII object is defined based on the human, material, and spatial impacts that potential computer incidents might cause. Subjects of CII who own objects of CII that have been recognised as 'significant objects of CII' shall develop action plans for responding to computer incidents and taking measures to eliminate the consequences of computer attacks within 90 days after being included in the Register of Significant Objects of CII. This action plan is subject to approval by the FSB.
As noted in section 6 above, the Computer Incidents Order requires subjects of CII to train employees on an annual basis in order to improve the action plan.
Operators of essential services
The concept of operators of essential services is not known under Russian law. However, special regimes and restrictions on the functioning of healthcare, electricity, water supply, police, and other essential infrastructures are regulated in a fragmented manner.
Cloud computing services
There is no special regulation of cloud computing services in Russia. However, a few legislative acts indirectly related to cloud computing include definitions that may provide some clarity on this issue.
For example, the Decree of the Government of 16 November 2015 No. 1236 on The Establishment of a Ban on the Admission of Software Originating from Foreign Countries, for the Purpose of Procurement for State and Municipal Needs (only available in Russian here) provides a definition of cloud computing services, i.e. leasing or using software through the use of communication channels and external information technology and hardware-software infrastructure providing data collection, processing, and storage.
Digital service providers
The Law on Information defines a 'hosting provider' as an entity providing computing power for the placement of information in an information system that is constantly connected to the internet.
Various data localisation requirements are established under Russian law, in particular, in the area of personal data processing, in accounting, finance, telecommunication, and audit sectors.
In addition, the software and hardware and software tools included in the objects of CII of the first and second categories of significance that store and process information must be located within the territory of the Russian Federation.
In general, the data localisation rule means the legal requirement under which companies must ensure that certain data is processed and stored in databases located within the territory of the Russian Federation. Usually, cross-border data transfers are still allowed subject to general compliance rules, as long as the data remains in a local database as well.