In 2012, Russia revised regulations concerning licenses for distributing encryption products, extending licensing requirements to consumer electronic products that previously did not require such licenses. This change now necessitates an activity license for distributing encryption products, which indirectly adds burdens to their importation process. According to Decision No. 134 of the Eurasian Economic Commission (2012), licensing procedures are applied to the importation of certain digital goods to the Eurasian Economic Union, including Russia. These digital goods include (i) Civil radio-electronic equipment and/or high-frequency devices, including those that are built-in or form a part of other goods; (ii) Special hardware meant for secret information acquisition; (iii) Encryption devices.

It is reported that the Russian Government had established barriers to importing telecommunication equipment that incorporates encryption technology (encryption products) in accordance with Annex 9 of the Decision No. 30 of the Eurasian Economic Commission. Despite commitments under the WTO to permit the importation of "mass market" consumer electronics without needing an import license or other customs formalities apart from import duties, Russia now mandates, at a minimum, a one-time notification or, for products with strong encryption, permission from security services, in addition to an import license. These requirements significantly escalate import costs and frequently prevent imports altogether. Moreover, under Government Resolution No. 313 (April 16, 2013), as amended, Russia also mandates an activity license for distributing encryption products, including numerous commonplace consumer electronics, further restricting access to the Russian market for exporters.

Stakeholders have observed that the Russian Government does not consistently publish all regulations, judicial decisions, and administrative rulings of general application concerning customs matters. Furthermore, customs enforcement reportedly varies by region and port of entry, with frequent and unpredictable regulatory changes exacerbating costs and causing delays at the border.

The Single List of Goods contains the goods on which export prohibitions or restrictions apply in the Customs Union member States, including Russia. The following digital goods are among the goods that are subject to export restrictions: (i) Special hardware meant for secret information acquisition; (ii) Encryption devices; (iii) Civil radio-electronic and/or high-frequency means (REM and HFM) including built-in or forming part of other goods; (iv) Audiovisual materials and other information media containing information against the public morals, public order and security are banned from exportation.
In addition, equipment and devices containing encryption have to be registered with the Federal Security Service (FSS), and the manufacturer or the seller has to obtain FSS notification upon exportation of such equipment from the territory of the Eurasian Economic Union, including Russia in accordance with Annex No. 9 to the Decision No. 30 of the Board of the Eurasian Economic Commission dated 21 April 2015. FSS notification is necessary for the exportation of equipment and devices, both general civil, industrial, scientific, and other purposes, including a large list of products containing cryptographic components, which include many high-tech devices such as mobile phones, tablet computers, laptops, wireless keyboards, wireless mice, servers, RFID tags, among others.

Amendments introduced by Federal Law No. 241 prohibit the anonymous use of instant message (“IM”) services. Providers are obliged to identify users of the instant messaging service by the subscriber number of the mobile radiotelephone operator in the manner established by the Government of the Russian Federation, on the basis of an identification agreement concluded by the organiser of the instant messaging service with the mobile radiotelephone operator.

According to Art. 1253, intermediaries are not liable for third-party content unless they knew or ought to have known that infringing material was being used illegally on their service. It is reported that the article contains a “constructive knowledge” clause that may incentivise intermediaries to monitor their services in order to locate “illegal” material.

In December 2022, Russia signed a law requiring platforms to monitor content and remove “LGBT propaganda,” adding this term to the list of information that is illegal to distribute online. In April and October 2022, the platform Tik Tok was fined for refusing to remove “LGBT propaganda” and promoting “homosexual relations.”

Russia has a telecommunications authority: The Federal Communications Agency. However, it is reported that the decision-making process of this entity is not fully independent from the government.

Art. 18.5 of Federal Law No. 152-FZ provides that during personal data collection, including through the Internet, the data operator shall ensure that databases located within the Russian Federation are used to record, systematise, accumulate, store, update, modify and retrieve personal data of Russian citizens. However, the requirements do not apply to companies that do not receive the data directly from either data subjects or such third parties or inadvertently in the course of normal business activity. Moreover, provided that personal data, when initially collected, is placed in a primary database located and maintained in Russia, personal data contained in the database may then be transferred abroad and placed in other secondary databases, provided the requirements for data transfers are complied with. As a result, once personal data is collected, it shall be placed in the database located in Russia (i.e., the primary database). All mentioned operations on the data should be carried out locally. Afterwards, the data can be transferred abroad for further processing (i.e., to the secondary database).
It is reported that since 2015, the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) has been active in enforcing the above-mentioned measure. For instance, in November 2016, subject to the claim from Roskomnadzor, the court in Moscow restricted access to the LinkedIn social network due to the breach of the measure. Further cases mostly included administrative fines, which were also issued to major multinational companies, including Meta Platforms, Inc. (formerly Facebook, Inc.), Twitter, Inc. and later WhatsApp LLC, Google LLC, Airbnb, Inc., Apple, Inc., Twitch Interactive, Inc., United Parcel Service, Inc., Pinterest, Inc., Likeme Pte. Ltd., Ookla, LLC., Snap Inc., Match Group, LLC, Hotels.com, L.P., Spotify AB, and Zoom Video Communications, Inc. Some companies also faced repeated higher fines.
The Code of Administrative Offences establishes fines of up to RUB 6 million (approx. USD 64,620) for the first offence and up to RUB 18 million (approx. USD 193,860) for the subsequent offence.

Art. 30.6.4 of Federal Law No. 161-FZ requires that foreign-based credit card companies transmit data for all transactions within Russia through state-owned operators: the National System of Payment Cards. It is reported that this affects the possibility for financial supplies to use their processing facilities located outside of Russia.

Art. 64 of Federal Law No. 126-FZ requires telecom operators to store in the territory of the Russian Federation the following information:
- Information on the facts of reception, transmission, delivery and (or) processing of voice information, text messages, images, sounds, video or other messages of users of communication services - within three years from the moment of the end of such actions;
- Text messages of users of communication services, voice information, images, sounds, video or other messages of users of communication services - up to six months from the moment of termination of their reception, transmission, delivery and (or) processing.
In addition, Art. 10.1 of Law No. 149-FZ requires distributors of information, such as internet and telecom companies, messengers, email services, forums and other platforms that allow the exchange of information on the internet, to store in the territory of the Russian Federation the following information:
- Information on the facts of reception, transmission, delivery and/or processing of voice information, written text, images, sounds, video or other electronic messages of internet users and information about these users for one year after the end of such actions;
- Text messages of internet users, voice information, images, sounds, video and other electronic messages of internet users up to six months from the end of their reception, transmission, delivery and/or processing.

Art. 12 of Federal Law No. 152-FZ prohibits the cross-border transfer of data to countries that do not provide adequate protection of data subjects. However, cross-border transfers of personal data are permitted in the following circumstances: (i) approved by the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) as providing adequate protection, which will include countries party to Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108); or (ii) in cases where such transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons. Starting from 1 March 2023, operators have to notify any cross-border transfers of personal data before such transfers and, for transfers to countries which are not 'adequate', obtain permission from the Roskomnadzor for the transfer, with limited exceptions.

Russia has not joined any agreement with binding commitments to open transfers of data across borders.

Federal Law No. 152-FZ provides a comprehensive regime of data protection in the Russian Federation and follows an approach similar to that of EU Directive 95/46/EC. However, data protection in Russia is regulated by several laws in addition to the Law about Personal Data; other notable laws include the Federal Law No. 149-FZ of 27 July 2006 on Information, Information Technologies and Protection of Information.

Russian news aggregators are required to store the news disseminated, information about the news source, as well as information about the terms of its dissemination for six months and to provide access to such information to the Russian Federal Service for Supervision of Telecom, Information Technologies and Mass Media.