Identification, Responsibility, Control: Russia’s Digital Ministry Drafts New Cybersecurity Measures
Russia’s Ministry of Digital Development has introduced a second legislative package aimed at strengthening citizens’ digital security. The package includes about 20 measures, with the overarching goal of ensuring 'basic security by default.' The focus is on closing vulnerabilities in phone calls, SMS, online payments, and government service access.
New Regulatory Standards
The proposed measures include:
1. Labeling foreign phone calls with a special identifier.
2. Allowing subscribers to block incoming calls and SMS from foreign numbers.
3. Making banks and telecom operators financially liable for damages caused by their negligence.
4. Establishing an extrajudicial process for blocking phishing websites, malware, and other malicious resources.
5. Enabling account recovery for government services through biometric identification, banks, messengers, and service centers.
6. Creating a registry of user consent for personal data processing.
7. Expanding cooperation between banks and telecoms, including automatic data exchange through the 'Antifraud' system.
This package covers communications, finance, and digital government infrastructure. Far from being a set of isolated fixes, it aims to close systemic gaps. By setting new regulatory standards, it could reshape requirements for operators, banks, and providers. The reforms are also expected to enhance personal data protection, reduce fraud risks, and simplify secure access to public services. The ultimate effect would be stronger public trust in digital platforms and reduced financial losses from cybercrime.
Balancing Protection and Convenience
Most of the proposals will require updates to regulations and may trigger administrative or criminal liability. Implementation will involve building and maintaining infrastructures such as call labeling systems, consent registries, the Antifraud platform, and tools for blocking malicious websites. Experts anticipate resistance from operators, banks, and providers, citing added costs, technical difficulties, and international communication challenges. Enforcement will also be a concern, with potential fines and stricter liability on the horizon.
From an international perspective, these initiatives could be aligned with global cybersecurity and data protection standards. If Russia adopts measures consistent with international law, trust in domestic digital products could increase. At the same time, some initiatives may represent localized protection—such as mandatory call labeling—that complicates cross-border operations.
Technically, the reforms face challenges around interagency coordination, changes to telecom and banking databases, and the risk of overblocking or misuse. The legality of extrajudicial blocking and biometric data handling could invite criticism from a human rights and privacy standpoint.
Building on Previous Efforts
Earlier laws, such as the 'sovereign internet' package, introduced routing restrictions, data localization mandates, and tighter internet traffic controls—despite heavy criticism, they proved enforceable. Legislation on personal data responsibilities has already raised compliance demands, imposed fines for breaches, and spurred investment in security audits.
Banking anti-fraud measures, including two-factor authentication and cybercrime investigations, delivered partial success but left gaps, particularly in phishing and social engineering. Global standards such as the EU’s GDPR and NIS2 directives are increasingly becoming reference points for companies active in international markets, forcing them to adapt.
Toward a Cybersecurity Standard
This second package reflects Russia’s push to embed 'secure by default' principles in engineering and regulation. If implemented effectively, it could sharply reduce fraud cases and strengthen confidence in both government and commercial digital services.
Over the next one to two years, regulatory acts and amendments are expected, followed by the rollout of technical systems such as call labeling and consent registries. Banks, telecoms, and service providers will adapt policies and internal processes. Legal debates will likely continue around extrajudicial blocking and biometric use. In the longer term (three to five years), these reforms could form the foundation of a cybersecurity standard applicable not only in Russia but also in cross-border digital trade and data flows.
