Cybersecurity 2026: How Russia’s Second Package of Digital Ministry Measures Is Set to Reshape the Industry

A Unified System

The package includes around 20 initiatives, ranging from the right for citizens to impose self-restrictions on certain financial transactions to new compliance requirements for telecom operators. It also introduces administrative and criminal liability for fraud. To curb the activity of so-called “mules,” limits are set on the number of bank cards an individual can hold – no more than ten per person.

Among the proposals most strongly highlighted by experts is a long-awaited unified system for managing consent to the processing of personal data. Citizens will be able to control these consents, including withdrawing them, through the national Gosuslugi public services portal.

Meanwhile, telecom operators will face new obligations. They will be required to transmit information about fraudulent phone numbers to the Anti-Fraud system. Moreover, if an operator’s inaction is proven to have led to the theft of funds from a mobile account, the operator will be required to compensate the damage within one month. A similar mechanism of responsibility and compensation will also be introduced for banks.

The new measures further tighten control over phone calls. Citizens will be given the option to block incoming calls from foreign numbers entirely. All other international calls will be accompanied by a special indicator warning the recipient.

Modernization and Export Potential

According to experts, a number of issues still require careful refinement, particularly in the area of allocating responsibility. A key challenge is clarifying which parties bear liability in the event of data breaches and preventing disputes between telecom operators and banks. Equally important is the development of precise criteria for out-of-court blocking of phishing websites – a step intended to strengthen protection while avoiding the accidental blocking of legitimate content.

The state is pushing small providers out of the market not because it does not want people to earn money, but because they fail to follow the rules. Security is expensive. If you cannot ensure security and do not have another business that allows you to maintain the necessary level of investment, then you should make room for those who can. Fraudsters exploit personal data leaks to deceive people, so encouraging investment in data protection ultimately benefits citizens

Eldar Murtazin

Lead Analyst at Mobile Research Group

From an export perspective, there is an opportunity to align Russian cybersecurity and personal data protection standards with international norms. If Russia adopts technological and regulatory measures that comply, for example, with international law, this could increase trust in its digital products abroad. At the same time, some initiatives may prove too narrowly tailored to local protection needs, potentially creating barriers to cross-border operations – particularly with regard to labeling foreign calls.

Effective and Well-Timed Measures

Earlier, Russia’s “sovereign internet” legislation restricted data routing, tightened infrastructure localization requirements, and strengthened traffic control. Despite criticism, the effectiveness of these measures was eventually demonstrated. Similarly, legislation governing the obligations of personal data operators increased oversight, tightened storage requirements, and introduced fines for data leaks. As a result, IT companies, banks, and government bodies increased investments in data protection and security audits.

Initiatives to combat banking fraud, including the rollout of two-factor authentication, showed partial effectiveness, but vulnerabilities related to phishing and social engineering persisted. Meanwhile, global frameworks such as GDPR and NIS2, which impose stringent requirements on data protection and system security, are becoming global reference points. Companies operating in international markets are already being forced to comply with them.

A New Era of Regulation

The 54-page package of amendments could mark the beginning of a new era in regulation, particularly in the mobile communications sector.

Over the next one to two years, new regulations are expected, along with possible amendments to existing laws, including those governing personal data protection. Technical systems – such as call labeling and consent registries – will begin rolling out, requiring operators, banks, and service providers to adapt and revise their security policies. Disputes over out-of-court blocking and the use of biometrics cannot be ruled out.

In the longer term, over a three-to-five-year horizon, these measures could lay the groundwork for a universal digital security standard. Such a standard would likely require adaptation not only within Russia but also in cooperation with international partners, particularly in the context of cross-border digital trade and data exchange.