In late August, the Russian Ministry of Digital Development introduced the draft law “On the Introduction of Changes in Individual Legislative Acts of the Russian Federation (As Regards Combatting Offenses Committed with the Use of Information and Communions Technologies” via the federal portal of draft regulatory legal acts (project ID: 02/04/08-25/00159652) (hereinafter – “Draft Law”).
According to the explanatory note, the goal of the Draft Law is to comprehensively refine measures for combatting crimes committed with the use of information and communications technologies.
Later, in October 2025, a modified version of the Draft Law was published, according to which it is now proposed to introduce changes to nine (9) federal laws at once. Despite the fact that the Draft law has not yet been submitted to the State Duma for consideration, if approved, it would dramatically affect a significant number of companies, mainly in the IT, banking and telecommunications sectors.
We plan a series of overviews dedicated to the initiative at hand, and, in the first issue, we plan to analyze the changes introduced to the Federal Law “On Information and Information Technologies and on the Protection of Information” (hereinafter – “Law on Information”).
Key changes introduced into the Law on Information:
In some cases, the Russian Government will be able to obligate the owners of Russian websites or services to only carry out user authorization by means of email addresses created with the use of domains registered in the “Russian national domain zone” (which refers to the group of top-level domains (TLDs) that includes .RU, .РФ, and .SU);
The Russian Government can further introduce a list of actions performed online that will require two-factor authentication (by means of an SMS sent to a user’s number);
Disseminating misleading information (in the guise of reliable messages) will be prohibited if such may create a threat of property damage or obtaining unlawful access to personal data; such misleading information will be considered “information disseminated with violation of the law”;
Hosting providers, social networks, and Russian messengers will be obliged to (i) cooperate with the “state information system for combatting crime” that was introduced earlier this year with the purpose of facilitating cooperation between law-enforcement agencies, banks, and telecom operators; and (ii) implement measures aimed at preventing and suppressing offenses (the list of such measures will be established by the Russian Government);
Russian ORIs ("organizers of dissemination of information”) will be required to check if the mobile number of a minor is being used when authorizing users, and the Russian Government will set out the specific features of access to disseminated content by minors;
Providing computing for the functioning of means of communication (both in the form of software and in the form of hardware-software complexes) is only permitted with the use of Russian network addresses that are included in the recreated “state information system”;
The Russian Government will introduce the procedure for identification of users requesting computing power from hosting providers for the purpose of operation of virtual telephone exchanges;
Social networks included in the so-called “registry of social networks” will be required to update their terms of use to bring them in line with the requirements of the Law on Information within two months;
Information on the possibility of acquiring means of communication that have not passed the mandatory confirmation of conformity procedure will now be included in the list of “information dissemination of which is prohibited in the Russian Federation”;
Roskomnadzor (the Russian federal executive body responsible for overseeing media, telecommunications, and information technology) will upload information on the blocking of websites and services to the “state information system for combatting crime”;
Notices reporting “information disseminated with violation of the law” may now also be sent by authorities to Roskomnadzor by means of the “state information system for combatting crime”;
Information on software intended for “unlawful access, destruction, modification, blocking, copying, provision, and dissemination of information” will be categorized as “information disseminated with violation of the law”. The Russian Government will develop criteria for such information.
It is planned that the majority of the changes will enter into effect on September 1, 2026, while some of them on March 1, 2026.