In 2012, Russia revised regulations concerning licenses for distributing encryption products, extending licensing requirements to consumer electronic products that previously did not require such licenses. This change now necessitates an activity license for distributing encryption products, which indirectly adds burdens to their importation process. According to Decision No. 134 of the Eurasian Economic Commission (2012), licensing procedures are applied to the importation of certain digital goods to the Eurasian Economic Union, including Russia. These digital goods include (i) Civil radio-electronic equipment and/or high-frequency devices, including those that are built-in or form a part of other goods; (ii) Special hardware meant for secret information acquisition; (iii) Encryption devices.

It is reported that the Russian Government had established barriers to importing telecommunication equipment that incorporates encryption technology (encryption products) in accordance with Annex 9 of the Decision No. 30 of the Eurasian Economic Commission. Despite commitments under the WTO to permit the importation of "mass market" consumer electronics without needing an import license or other customs formalities apart from import duties, Russia now mandates, at a minimum, a one-time notification or, for products with strong encryption, permission from security services, in addition to an import license. These requirements significantly escalate import costs and frequently prevent imports altogether. Moreover, under Government Resolution No. 313 (April 16, 2013), as amended, Russia also mandates an activity license for distributing encryption products, including numerous commonplace consumer electronics, further restricting access to the Russian market for exporters.

Stakeholders have observed that the Russian Government does not consistently publish all regulations, judicial decisions, and administrative rulings of general application concerning customs matters. Furthermore, customs enforcement reportedly varies by region and port of entry, with frequent and unpredictable regulatory changes exacerbating costs and causing delays at the border.

Russian authorities have reportedly continued to block online platforms in Russia and occupied Ukraine to control the narrative and disseminate disinformation through official channels. Platforms such as X (formerly Twitter), Facebook, and Instagram have been blocked, and authorities have also threatened censorship against others like YouTube and WhatsApp to enforce compliance with government directives. Facebook and Instagram have been inaccessible since October 2022, after Meta, their parent company, was designated an extremist organisation for permitting criticism of Russia's invasion of Ukraine. In 2023, Meta was compelled to cancel the launch of WhatsApp Channels in Russia due to threats from the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor). Furthermore, authorities have intensified efforts to block circumvention tools, such as VPNs, and by November 2023, eight of the 15 most popular VPN service domains had been blocked.

Federal Law No. 482-FZ allows the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) to block a digital platform either partly or in full if this platform restricts the distribution of content from Russian state media outlets. It is reported that the law was adopted in response to complaints from Russian state-owned media that foreign internet portals such as Twitter, Facebook, and YouTube were censoring their accounts.

According to the amendments introduced by Law No. 241-FZ, ISPs are required, within 24 hours from the moment of receipt of the relevant request from the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor), to restrict the ability of the user of the instant messaging service specified in this requirement to transfer electronic messages containing information, the dissemination of which is prohibited in the Russian Federation, as well as information disseminated in violation the requirements of the legislation of the Russian Federation. The ISPs that fail to meet this requirement can be blocked by the authorities.
According to the Art. 13.34 of the Administrative Offences Code (introduced in 2017), ISPs that do not block banned sites according to the information received from state regulator Roskomnadzor will be required to pay between 100,000-500,000 Rubles (approx. 1600 USD - 8500 USD) penalty. The officials of those legal entities (ISPs) will face fines of 5,000-30,000 Rubles (approx. 85 USD - 500 USD) for failing to implement Roskomnadzor’s instructions. If the actions are repeated during the year, the amount of penalties will be 30,000-50,000 Rubles (approx. 500 USD - 850 USD) for officials and 500,000-800,000 Rubles (approx. 8500 USD - 13500 USD) for ISPs.

Russia has not joined any agreement with binding commitments to open transfers of data across borders.

Federal Law No. 152-FZ provides a comprehensive regime of data protection in the Russian Federation and follows an approach similar to that of EU Directive 95/46/EC. However, data protection in Russia is regulated by several laws in addition to the Law about Personal Data; other notable laws include the Federal Law No. 149-FZ of 27 July 2006 on Information, Information Technologies and Protection of Information.

Russian news aggregators are required to store the news disseminated, information about the news source, as well as information about the terms of its dissemination for six months and to provide access to such information to the Russian Federal Service for Supervision of Telecom, Information Technologies and Mass Media.

According to Art. 19 of the Law No. 152-FZ, the data operator should take all reasonable organisational and technical measures when processing personal data in order to prevent unauthorised access to personal data, its destruction, alteration, blocking, copying, distribution or conduct of other illegitimate acts.
Art. 22.1 of the Law, which has been in force since 2011, requires the appointment of a person responsible for organising the processing of personal data. This person is responsible for organising the processing of personal data and should:
- exercise internal control over compliance by the operator and its employees with the legislation of the Russian Federation concerning personal data, including requirements relating to the protection of personal data;
- make employees of the operator aware of the provisions of the legislation of the Russian Federation concerning personal data, of by-laws on the processing of personal data and of requirements relating to the protection of personal data;
- organise the acceptance and processing of applications and requests from data subjects or their representatives and (or) exercise control over the acceptance and processing of such applications and requests.

Federal Law No. 374-FZ provides that Internet and telecommunications companies are required to disclose communications and metadata, as well as “all other information necessary,” to authorities on request and without a court order. The law penalises companies that fail to disclose requested information with fines of up to one million rubles (approx. USD 16,500) (Arts. 11, 13, 15).

The so-called “Anti-Piracy Law” establishes a safe harbour for Internet Service Providers (ISPs) in certain cases. According to Art. 1253.1 introduced by this Law to Part IV of the Civil Code, an information intermediary transferring material in an information and telecommunication network is not responsible for the violation of IP rights resulting from this transfer, provided that the following conditions simultaneously exist: (i) he is not the initiator of this transfer and does not determine the recipient of the specified material; (ii) he does not change the specified material when providing communication services, with the exception of changes made to ensure the technological process of transferring the material; (iii) he did not know and should not have known that the use of the corresponding result of intellectual activity or means of individualisation by the person who initiated the transfer of material containing the corresponding result of intellectual activity or means of individualisation is illegal.
In addition, according to the Article, an information intermediary providing the possibility of posting material in an information and telecommunications network is not responsible for the violation of IP rights that occurred as a result of the posting of materials in the network by a third party or at his direction, while the intermediary observes the following conditions: (i) he did not know and should not have known that the use of the corresponding result of intellectual activity or means of individualisation contained in such material is illegal; (ii) in case of receiving in writing a statement of the copyright holder about the infringement of intellectual rights with an indication of the website page and (or) the network address on the Internet on which such material is posted, he took the necessary and sufficient measures in a timely manner to stop the infringement of intellectual rights. (the so-called "Notice and takedown" rule).
The information intermediary, who is not held responsible for the violation of IP rights accordingly, may be subject to claims for the protection of IP rights, including the removal of information that violates exclusive rights or restricting access to it.

While there is a safe harbour for copyright infringement under Federal Law No. 187-FZ, "On Amendments to Certain Legislative Acts of the Russian Federation on the Protection of Intellectual Property Rights in Information and Telecommunication Networks", the country lacks a safe harbour for activities beyond copyright infringement. According to Art. 13.34 of Federal Law No. 18-FZ, "On Amendments to the Code of the Russian Federation on Administrative Offences" (introduced in 2017), ISPs that fail to block banned sites as instructed by the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) are liable to fines ranging from RUB 100,000 to RUB 500,000 (approx. USD 1,600 – USD 8,500). Officials of these legal entities (ISPs) face fines between RUB 5,000 and RUB 30,000 (approx. USD 85 – USD 500) for non-compliance with Roskomnadzor’s directives. If such violations are repeated within a year, penalties increase to RUB 30,000–RUB 50,000 (approx. USD 500 – USD 850) for officials and RUB 500,000–RUB 800,000 (approx. USD 8,500 – USD 13,500) for ISPs.

Law No. 97-FZ and the corresponding government decrees, Decree No. 758 and Decree No. 801, have established several requirements regarding the identification of Wi-Fi users in public places, such as parks, hotels, cafeterias, restaurants, clubs, cinemas and shopping malls, among others. The Act and the decrees require that
- ISPs must identify Internet users by means of identity documents (such as passports);
- ISPs must identify terminal equipment by determining the unique hardware identifier of the data network;
- All legal entities in Russia must provide ISPs on a monthly basis with the list of persons connecting to the Internet using their network.

Amendments introduced by Federal Law No. 241 prohibit the anonymous use of instant message (“IM”) services. Providers are obliged to identify users of the instant messaging service by the subscriber number of the mobile radiotelephone operator in the manner established by the Government of the Russian Federation, on the basis of an identification agreement concluded by the organiser of the instant messaging service with the mobile radiotelephone operator.