Russia's digital services sector is undergoing its most significant legislative overhaul in years. Amendments to information technology legislation and digital services rules – which entered into force in early 2025 – impose new obligations on foreign and domestic technology companies operating in or directing services toward Russian users. Companies that fail to act risk access restrictions, software liability exposure, and loss of technology licensing permissions in the Russian market.
Russia's updated digital services regulation introduces mandatory localisation, registration, and algorithmic accountability obligations for technology companies exceeding defined user-volume thresholds. International companies providing digital services to Russian users must assess their exposure and complete initial compliance steps within the deadlines set by the relevant supervisory authority. Companies that do not meet the requirements face enforcement measures that include blocking of their digital services on Russian networks.
This alert covers the regulatory change, the business categories affected, and the immediate actions international companies should take now.
What changed and when it takes effect
Russia's information technology legislation was amended to expand the scope of obligations for providers of digital services, online platforms, and software products directed at Russian users. The amendments build on existing rules governing organizatory rasprostraneniya informatsii (organisers of information dissemination) and extend similar requirements to a broader class of digital service providers.
The core changes take effect across two tranches. The first set of obligations – covering registration with the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) – applied from January 2025. The second tranche, covering data localisation verification, algorithmic accountability reporting, and software liability documentation, applies from July 2025.
Key new obligations include:
- Registration as a digital service provider with Roskomnadzor, including appointment of a local representative
- Storage of Russian user data on servers physically located within the Russian Federation
- Submission of algorithmic accountability reports describing recommendation and content-moderation logic
- Maintenance of technology licensing records for software products distributed through Russian app stores or directly to Russian users
- Response to regulatory information requests within prescribed timeframes
Roskomnadzor retains authority to impose access restrictions – including full blocking of digital services – on non-compliant providers. Enforcement action has already been taken against several international platforms that did not meet earlier registration deadlines.
For companies with existing intellectual property assets registered in Russia, the new rules interact directly with software licensing obligations. A company that holds Russian IP registrations but fails to meet digital services registration requirements may find those registrations insufficient to protect continued market access.
Who is affected and which thresholds apply
The new requirements apply to any legal entity or individual – domestic or foreign – that provides digital services to users located in Russia. The obligations scale with the size and nature of the service.
Threshold criteria for full compliance obligations:
- Daily active Russian users exceeding 500,000 – triggers registration, data localisation, and algorithmic accountability obligations
- Any volume of Russian users – triggers data localisation requirements where personal data is processed
- Distribution of software products through Russian app marketplaces – triggers technology licensing documentation requirements
- Provision of recommendation systems or content-moderation tools to Russian users – triggers algorithmic accountability reporting
Foreign companies operating through Russian subsidiaries are not automatically exempt. The obligation attaches to the entity providing the service to Russian users, regardless of corporate structure. A foreign parent that controls the platform and directs it at Russian users bears the primary obligation.
Companies providing purely business-to-business software with no end-user interface directed at Russian individuals fall outside the primary scope. However, they remain subject to data localisation rules if they process any personal data of Russian nationals.
For companies already advising on their broader technology regulation exposure, our AI and technology law practice in Russia covers the full scope of digital services. AI Act compliance considerations for cross-border operations. Additionally, software liability assessments under Russian law.
To receive an expert assessment of your digital services compliance position in Russia, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Companies with Russian user exposure should treat the July 2025 deadline as the hard compliance horizon. The registration deadline has already passed. Non-registered companies are already in breach and should prioritise remediation immediately.
The following five actions should be initiated without delay:
- Map your Russian user base. Determine whether your service has daily active users in Russia and whether that figure crosses the 500,000 threshold. Even below that threshold, data localisation obligations may apply.
- Appoint a local representative. Roskomnadzor requires a designated point of contact within Russia for regulatory correspondence. Appointing this representative is a prerequisite for registration.
- Audit data storage arrangements. Identify all processing flows involving Russian personal data. Where storage occurs outside Russia, develop a migration or segmentation plan to meet localisation requirements before July 2025.
- Document your algorithmic systems. If your platform uses recommendation algorithms or automated content moderation, prepare the documentation needed for algorithmic accountability reporting. This includes a description of the logic, the data inputs used, and the moderation criteria applied.
- Review technology licensing records. If software products are distributed to Russian users, confirm that technology licensing documentation is current and consistent with the updated requirements under Russian information technology legislation.
Companies in adjacent CIS markets should also note that parallel digital services regulation developments are under way regionally. Our separate alert on digital services regulation in Kazakhstan addresses comparable obligations in that jurisdiction.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising technology companies, investors, and institutional clients across 46 jurisdictions. Our CIS practice covers digital services regulation, AI Act compliance for cross-border operations, software liability, and technology licensing across Russia and the broader CIS region. We combine Portuguese civil law expertise with English common law tradition to support international companies managing regulatory obligations in high-growth and emerging markets. Engaging a lawyer in Russia with cross-border experience is critical when obligations span multiple legal systems – our team provides coordinated advice across jurisdictions from a single point of contact. To discuss your digital services compliance position in Russia, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.