On 1 November 2019, the majority of the provisions of the Sovereign Internet Law* will come into force in Russia.
The Law’s main goal is to create an autonomous system that can support the operation of the Russian segment of the Internet in the event of disconnection from the global network. The Law provides for the adoption of a number of regulations surrounding its application.
Before its adoption, the press and business community actively discussed the possible results of the Law. Representatives of the State Duma* and other politicians* argued that the Law is aimed solely at protecting the Internet in the event of any threats from foreign states, and not at censoring or isolating the Russian Internet.
Persons subject to the Law
In its current version, the Law imposes obligations on certain categories of persons, namely:
- communication service providers (i.e. companies holding a relevant licence);
- owners of technological communication networks (i.e. networks designed to support the production control and activities of companies);
- owners of communication lines crossing the borders of the Russian Federation;
- owners of Internet Exchange Points (i.e. network infrastructure for traffic exchange between networks);
- information dissemination organisers (e.g. social networks, mail services); and
- persons having an autonomous system number (ASN) (i.e. companies that receive blocks of IP addresses to create an autonomous system, including Internet service providers, owners of cloud services and certain business companies).
The Law provides for certain obligations for the persons listed above. These obligations can be grouped into separate goals, such as:
- providing certain information to the Federal Service for Supervision over Communications, Information Technology and Mass Media (“Roskomnadzor”), including:
- information on the purpose of using a communication line that crosses the Russian border, and the means of communication installed on it;
- notifications by owners of Internet Exchange Points for the creation of a register of Internet Exchange Points (“Register”);
- information on communication networks, including infrastructure, connection to other networks, particularly connections crossing the Russian border;
- participating in drills arranged by Roskomnadzor;
- restricting interaction between networks (e.g. by allowing to use only the Internet Exchange Points listed in the Register) and prohibiting owners of Internet Exchange Points from connecting communication networks to Internet Exchange Points when such networks fail to comply with the requirements of the Law; and
- installing hardware and software tools that enable Roskomnadzor to monitor traffic, including access to resources blocked in Russia.
Threats to RuNet
Separately, the Law addresses threats to the stability, security and integrity of the Internet in Russia. At present, no list of these possible threats has been adopted, but a draft Resolution of the Government has tentatively identified the following threats and vulnerable areas:
- the inability to access communication services due to accidents or the overload of a communication centre;
- information security (i.e. the confidentiality, integrity and availability) of automated communication network management systems;
- access to blocked Internet resources; and
- computer attacks and other information influences (both intentional and unintentional) on the means of communication and communication networks, that could result in the malfunction of the Internet in Russia.
This tentative list and the rules for determining the existence of a threat give state authorities considerable discretionary power in safeguarding the Russian Internet.
In response to any threat, Roskomnadzor can centrally manage public communication networks by issuing mandatory instructions to persons subject to the Law or through special technical means. These technical means will be mandatorily installed by communication service providers.
Persons subject to the Law are required to comply with Roskomnadzor’s rules for routing telecommunication messages if such messages are sent or received by a person located in Russia. In this case, only Russian communication networks and Internet Exchange Points can be used.
To date, only two regulations have been adopted (on the establishment of a Centre for Monitoring and Managing the Public Communications Network* and on its subsidisation*), and approximately 40 more regulations are at different stages of development. These 40 regulations will set out specific obligations and procedures. A more detailed description of the measures to be taken by persons subject to the Law will be approved later.
At this stage, companies should check whether they are subject to the Law and, in particular, whether they have technological communication networks or an autonomous system number. If so, they will be required to provide certain information, and should take into account the costs of any changes they may need to make to their IT infrastructure and of organisational measures to comply with the Law.