Full Report
In the new version of Russia’s Information Security Doctrine, mobile devices, satellite internet systems such as Starlink, as well as email services and other IT technologies developed by Western companies are defined as instruments of “destructive information-technical influence” on Russia. At the “InfoForum-2026,” Dmitry Gribkov, an aide to the secretary of Russia’s Security Council, stated…
Analysis Summary
# Regulation/Compliance: Russia's Information Security Doctrine Update (Focus on Foreign Technology Control)
## Overview
This summary outlines the implications of the forthcoming revision to Russia’s Information Security Doctrine, which officially categorizes Western-developed IT technologies—including mobile devices, satellite internet systems (like Starlink), and Western email services—as instruments of "destructive information-technical influence." The doctrine signals a shift toward strengthening digital sovereignty, implying stricter state control over digital space and personal devices.
## Key Details
- Issuing Authority: Russian Security Council (Aide Dmitry Gribkov confirmed statements at "InfoForum-2026").
- Effective Date: Not explicitly stated, as the document is "currently being prepared." (Implied future enforcement upon finalization).
- Jurisdiction: Russian Federation and entities operating within its sphere of influence.
- Status: Proposed doctrine revision, intended to serve as the foundation for future legislation and applied programs.
## Requirements
### Mandatory Requirements
*Note: Specific regulatory text is not provided, but mandatory requirements are inferred based on the stated goal of strengthening sovereignty and controlling digital space.*
1. **Elimination/Restriction of Designated Western Technologies:** Organizations will likely be mandated to phase out or strictly control the use of identified foreign IT infrastructure (mobile devices, satellite systems, Western email platforms) utilized within their operations, especially Critical Information Infrastructure (CII).
2. **State Control Integration:** Digital systems, including those based on Artificial Intelligence, must comply with state control requirements throughout their lifecycle, "from the moment of creation to the start of operation."
3. **Data and Device Oversight:** Implementation of mechanisms allowing the state to oversee and manage control over personal devices and the digital space to neutralize "destructive influence."
### Recommended Practices
1. **Accelerated Import Substitution:** Prioritize the development and implementation of domestic, "sovereign" IT solutions to replace targeted Western services preemptively.
2. **Enhanced Internal Auditing:** Conduct comprehensive audits to identify all presently deployed Western IT assets that fall under the doctrine's definition of influence instruments.
## Affected Organizations
- Industries: All sectors reliant on information technology, particularly critical infrastructure sectors given the strategic nature of the doctrine.
- Organization Size: All organizations operating within the Russian Federation, though state-affiliated entities will likely face the strictest immediate enforcement.
- Geographic Scope: Applies within the jurisdiction of the Russian Federation.
## Compliance Timeline
- Currently: Doctrine is being prepared.
- Future Milestones: Deadlines for compliance will be established through subsequent legislation and applied programs based on the finalized doctrine.
- Final deadline: To be determined upon the publication and official enactment of the new Information Security Doctrine and related decrees.
## Implementation Guidance
### Assessment Phase
- Conduct a thorough inventory of all deployed IT assets, specifically flagging mobile device fleets, reliance on satellite communications (e.g., Starlink), and the use of non-Russian certified email/cloud service providers.
### Implementation Phase
- Develop phased migration plans away from designated foreign technologies toward state-approved/developed technical solutions.
- Establish internal procedures ensuring all new digital systems undergo a review confirming compliance with forthcoming state control mechanisms across their entire lifecycle.
### Validation Phase
- Await specific certification standards detailed in the new legislation to validate the substitution of foreign technologies.
- Prepare for potential state audits verifying the removal or neutralization of designated "destructive influence" instruments.
## Technical Requirements
*Specific technical standards are not detailed in the excerpt but will likely revolve around:*
1. **Mandatory Use of Certified Hardware/Software:** Adherence to Russian national certification standards for all IT components, especially communication and data processing tools.
2. **Centralized Traffic Management:** Requirements for routing and monitoring communications to ensure no unauthorized foreign data pathways are utilized (targeting systems like satellite internet).
3. **Lifecycle Security Mandates:** Security controls must be demonstrably embedded from the initial design phase of any digital system, including AI.
## Penalties & Enforcement
- Fines: Specific fines are not mentioned, but deviation from a strategic doctrine intended as a "foundation for legislation" will likely result in severe administrative and legal penalties, potentially including operational shutdowns.
- Other Consequences: Potential revocation of operational licenses, administrative liability for officials overseeing technological infrastructure, and designation as non-compliant with national security standards.
- Enforcement: Expected to be rigorously enforced by security services (FSB, FSTEC, etc.) following the doctrine's official promulgation, targeting non-sovereign technology usage as a direct security threat.
## Related Standards
- **Russian National Standards (GOST/FSTEC requirements):** The new doctrine will dictate the overriding national requirements for digital sovereignty, superseding or heavily modifying existing local standards regarding data processing and technical infrastructure certification.
- **Alignment:** This move indicates an intent to align information security more closely with state geopolitical control objectives rather than international benchmarks (like ISO 27001 or NIST).
## Resources
- Official Documentation: The finalized text of the *Information Security Doctrine* (once published by the Security Council).
- Guidance Documents: Related Federal Laws and decrees issued by relevant ministries (e.g., Ministry of Digital Development, Communications and Mass Media).
- Tools: Domestic software evaluation and certification platforms endorsed by the Russian government.
## Practical Recommendations
1. **Proactive Inventory:** Immediately document all reliance on Western mobile, satellite, and email platforms.
2. **Budget for Substitution:** Allocate resources for procuring or developing Russian-certified alternatives over the next fiscal cycle.
3. **Monitor Security Council Directives:** Closely track official announcements from the Security Council regarding the timeline for enacting legislation based on this new doctrine.
4. **Assess Cyber Risk of Current Tools:** Begin treating currently used Western tools not just as security risks, but as potential legal liabilities under the new framework.