Russia Introduced New Requirements for Hosting Providers

Which hosting services are regulated?
What are the hosting provider registration requirements?
What are other key requirements to hosting providers?
Why are the new requirements important for[VB1] international IT companies?
Comment

Beginning on 1 February 2024, hosting providers operating in Russia must obtain state registration. The recent amendments aim to strengthen state supervision over the hosting services. These rules may affect international IT businesses engaging Russian hosting providers.

Which hosting services are regulated?

According to art.2(18) of the Russian Federal Law On Information, Information Technologies, and Information Protection dated 27 July 2006 No. 149-ФЗ, as amended (the IT Law), the hosting provider is an entity that provides processing power for hosting data in an information system that is constantly connected to the Internet. Russian law does not define the term processing power. The Cambridge Dictionary defines it as “the ability of a computer to process information (= perform a particular series of operations on the information, such as a set of calculations), or the speed at which it can do this”.

From that perspective, the IT Law should apply to cloud hosting, virtual dedicated servers, and other most common hosting services. The definition of the term hosting provider may be interpreted literally, meaning that collocation services fall outside the scope of new requirements. However, the Russian authorities have not published any guidance on this matter yet.

What are the hosting provider registration requirements?

Under new art.10.2-1 of the IT Law, hosting providers must notify the cybersecurity watchdog (Roscomnadzor) of their business in Russia. Roscomnadzor records the notices in the publicly available state Hosting Provider Register. International companies may obtain registration if they have either a branch or representative office, or a subsidiary in Russia (art.6 of the Hosting Provider Register Creating and Maintaining Rules, est. by the Governmental Decree No. 2008 dated 28 November 2023).

From 1 February 2024, hosting providers that are not listed are prohibited from providing processing power for hosting data in the Internet.

What are other key requirements to hosting providers?

The IT Law provides that hosting providers:

• establish the identity of all clients;
• obey data security requirements established by the Ministry of Digital Development, Telecom and Mass Communications and participate in IT security activities held by the Russian state;
• cooperate with the Federal Security Service for the purposes of state security, surveillance and investigations;
• eliminate non-compliance with law (if any) according to the binding instructions of Roscomnadzor (if a hosting provider fails to do so, it will be excluded for the Hosting Provider Register);
• suppress access to extremist, fraudulent and other illegal web resources; and
• perform other obligations.

Why are the new requirements important for international IT companies?

The non-Russian companies doing business on the Internet must process personal data of Russian nationals “with the use of databases” physically located within Russia pursuant to art.18(5) of the Federal Law On Personal Data No.152-ФЗ dated 27 July 2006 (so-called data localization requirement).

Article 10.1 of the IT Law provides that the owners of messengers and/or other web services allowing exchanging messages between users or posting must retain user data and their messages for up to 6 months on Russia-based servers and disclose the said information to the Federal Security Service for state security, surveillance, and investigation purposes. Such owners are called data dissemination organizers. There are cases where the Russian authorities apply these requirements to foreign companies.

Consequently, if an IT company runs an online game, cloud-based service, mobile app, or similar digital product intended for Russians, that company must arrange a Russia-based hosting at least to store the mentioned databases.

Starting from 1 December 2023, the hosting provider must perform a client identification procedure adopted by the Governmental Decree dated 29 November 2023 No.2011. That procedure allows several options, such as using digital signature issued in Russia, providing corporate registration documents of a Russian legal entity, paying service fees from an account with a bank in Russia or Eurasian Economic Union, etc. The procedure is intended for Russian entities and, therefore, foreign IT companies have to use local representatives or intermediaries to purchase hosting services.

Comment

By adopting the new requirements, Russia continues its policy towards strengthening state supervision in the IT field. These rules may hamper online activities of the IT companies that refrain from setting up an office in that country due to sanctions but continue offering their products and services to Russian users. While choosing a local hosting provider, such companies should check through the public Hosting Provider Register. They should also enquire their hosting provider how to pass the client identification procedure and keep monitoring changes in the IT Law.