Full Report
Vladimir Putin signed a law on Monday that prohibits state institutions, banks and others from using foreign messaging apps when communicating with customers.
Analysis Summary
# Regulation/Compliance: Russian Cyber Fraud Protection Law
## Overview
A new law signed by Russian President Vladimir Putin mandates specific security and communication restrictions for Russian entities, particularly financial institutions and large digital platforms, aimed at combating record levels of financial cybercrime, data leaks, and scams within the country.
## Key Details
- Issuing Authority: Russian Government (Signed by President Vladimir Putin)
- Effective Date: Implied to be immediate upon signing (Monday); the summary gives no specific implementation deadlines for the technical requirements.
- Jurisdiction: Russian Federation
- Status: In Effect (Law signed)
## Requirements
### Mandatory Requirements
1. **Prohibition of Foreign Messaging Apps:** State institutions, banks, and digital platforms with over 500,000 daily users are prohibited from using foreign messaging applications when communicating with customers.
2. **Caller ID Labeling:** Organizations must implement a system to label incoming calls with their official names to prevent spoofing and identity-based scams.
3. **Creation of a State System:** A state-run information system must be established to track individuals involved in cyber offenses.
4. **Compliance with Data Breach Penalties:** Organizations must adhere to increased administrative and criminal penalties for data breaches and the illegal circulation of personal data (established via a prior November law).
5. **Restrictions on Foreign Services:** Ongoing prohibition on the use of cybersecurity services from "unfriendly" countries, which impacts access to international open-source repositories (e.g., GitHub), foreign cloud services, and security technologies.
### Recommended Practices
1. Migration to state-controlled or domestic infrastructure, driven by the policy of digital isolation and restrictions on foreign tech services.
## Affected Organizations
- Industries: Financial Sector (Banks), State Institutions, Major Digital Platforms.
- Organization Size: Digital platforms serving over 500,000 daily users.
- Geographic Scope: Within the Russian Federation.
## Compliance Timeline
- November (Previous Year): Legislation signed increasing penalties for data breaches.
- Monday (Signing Date): New primary legislation concerning messaging app prohibition and caller ID implementation signed into law.
- Ongoing: Compliance efforts necessary to migrate off prohibited foreign services and implement tracking systems.
- Final deadline: Not specified for all new mandates, requiring organizations to monitor official publications for implementation schedules.
## Implementation Guidance
### Assessment Phase
- Conduct an inventory of all third-party communication platforms (especially messaging apps) used by state institutions and major digital platforms, and identify those originating from "foreign" sources.
- Audit current systems for call management to determine capability for displaying official caller identification labels.
### Implementation Phase
- Immediately cease use of prohibited foreign messaging applications for official communications within the defined scope.
- Initiate the process to integrate state-approved communication and tracking mechanisms.
- Begin procurement or development of local/domestic cybersecurity technologies to replace services from "unfriendly" countries.
### Validation Phase
- Audit communication logs and service contracts to ensure no prohibited messaging applications are in use.
- Test the public-facing telephone system to verify that calls placed by the organization display the mandated official name to the recipient.
## Technical Requirements
- Deployment of technology platforms capable of providing verified, official caller identification for outbound calls.
- Phasing out dependency on international platforms for critical security functions (e.g., open-source code repositories, cloud security infrastructure).
## Penalties & Enforcement
- Fines: Increased administrative and criminal penalties exist for data breaches and illegal personal data circulation (established in the prior November law).
- Other Consequences: Potential disruption or outage of services if local infrastructure cannot adequately replace foreign services (as seen with prior Cloudflare issues).
- Enforcement: Enforcement is tied to the state-run information system designed to track cyber offenders and to monitor compliance across regulated entities.
## Related Standards
- The requirements align with the broader Russian government goals of **digital isolation** and increasing state control over the domestic digital ecosystem. (No specific international frameworks like NIST or ISO were mentioned as replacements or guidance.)
## Resources
- Official Documentation: http://publication.pravo.gov.ru/document/0001202504010010?index=3 (link to the signed legislation)
- Guidance Documents: Organizations must rely on subsequent decrees or guidelines released by relevant Russian regulatory bodies (e.g., Roskomnadzor, Bank of Russia) regarding timeline and technical specifications.
- Tools: Expect the government to mandate or provide proprietary state-controlled tools for tracking cyber offenses.
## Practical Recommendations
1. **Messaging Audit:** Immediately map out all communication channels; transition state/bank communications away from any platform deemed foreign or non-domestic.
2. **Caller ID Project:** Prioritize budget and resources for implementing mandatory Caller ID labeling across all outbound lines.
3. **Internal Security Review:** Review recent data security incidents in light of the increased penalties enacted in November, ensuring all data handling complies with stricter Russian standards to mitigate administrative/criminal exposure.