Clifford Chance

On 1 November 2019 a law that has now widely become known as the 'Sovereign Runet Law' will take effect, amending the Federal Law On Communications and the Federal Law On Information, Information Technologies and Protection of Information.

The Sovereign Runet Law purports to ensure the stability, security and integrity of the part of the Internet which uses the Russian language. In other words, the rationale behind the law is to prevent a complete shutdown of the Russian Internet in case of cyber interference or cut-off from the global network.

How does it work?

As a framework instrument the Sovereign Runet Law is broadly worded, but it also uses numerous undefined terms such as 'emergency situations' and 'threats'. While more than a dozen drafts of secondary legislation have already been prepared, none of them appear to substantially clarify or address the various practical issues that will arise once the law comes into effect.

That said, the main takeaway is that the law will enable Russian authorities to take control over Internet routing in emergency situations. To this end, in preparation for implementation of the law, Russian authorities will be mapping Internet exchange points (IXPs) in Russia and deploying so-called 'threat counteracting equipment'.

Who will be affected?

Naturally, the routing of Internet traffic will require cooperation by and will directly affect the following types of businesses:

• telecom operators;
• owners of and other persons controlling (i) communications lines that cross the border of the Russian Federation, and (ii)  IXPs; and
• so-called 'organizers of dissemination of information'.

Less obvious, but still among the entities that will be regulated by the Sovereign Runet Law are:

• owners of and other persons controlling 'operational communications networks' (i.e. private networks set up and used for business operations); and
• other entities holding autonomous system numbers (ASNs).

What are the obligations?

Depending on each regulated entity's status, it will be required to:

• inform Roskomnadzor of any communications devices used to connect to communications lines that cross the border of the Russian Federation;
• notify Roskomnadzor of any new IXPs put into operation;
• provide connection only to owners of communications networks or other persons controlling communications networks which are compliant with federal laws;
• comply with requirements applicable the functioning of IXPs established by Roskomnadzor, as approved by the Federal Security Service;
• inform Roskomnadzor of locations where the regulated entity's devices connect to communications lines that cross the border of the Russian Federation, the routes of electronic communications, the infrastructure of communications lines, etc.;
• facilitate the implementation of measures by Roskomnadzor and assist law enforcement agencies in matters related to criminal investigations.

As phase two, once the preparatory work has been completed, the authorities will start conducting mandatory training drills for regulated entities in order to stress-test the 'threat counteracting equipment' provided by the authorities and, ultimately, their ability to successfully route traffic.

What to expect?

It is difficult to predict how burdensome compliance with the new requirements may turn out to be for companies that are designated regulated entities. In particular, it may be worth assessing the extent to which non-telecom operators that have private networks may be affected by the obligations under the new law. What is already clear is that some amount of business interruption can be expected as a result of implementation of the law. For example, the law explicitly absolves telecom operators from any liability to their clients for service failures resulting from operation of the 'threat counteracting equipment'.