Russia Yarovaya Law Mass Surveillance Requirements What

Last updated: March 16, 2026

The Yarovaya Law (Федеральный закон № 374-ФЗ), officially known as the “Yarovaya package,” is a sweeping Russian surveillance legislation enacted in 2016 that fundamentally changed data retention requirements for telecom operators, internet service providers, and messaging services. For developers and power users working with Russian infrastructure or serving Russian users, understanding these requirements is essential for compliance and privacy-conscious architecture decisions.

What is the Yarovaya Law?

Named after Russian parliamentarian Irina Yarovaya who sponsored the legislation, Federal Law No. 374-FZ was adopted in July 2016 and subsequently amended multiple times. The law dramatically expanded Russia’s surveillance capabilities by mandating extensive data retention and providing law enforcement agencies with unprecedented access to user communications data.

The legislation applies to:

Telecom operators (mobile and fixed-line)
Internet service providers (ISPs)
Messaging services and VoIP providers
VPN and proxy services
Email providers
Data centers and hosting providers

Mandatory Data Retention Requirements

Telecom Operator Obligations

Russian telecom operators must store the following data:

{
  "voice_calls": {
    "caller_number": "required - stored for 6 years",
    "recipient_number": "required - stored for 6 years",
    "call_duration": "required - stored for 6 years",
    "imei_numbers": "required - stored for 6 years",
    "imsi_numbers": "required - stored for 6 years",
    "cell_tower_location": "required - stored for 6 years",
    "timestamp": "required - stored for 6 years"
  },
  "sms_messages": {
    "sender_number": "required - stored for 6 years",
    "recipient_number": "required - stored for 6 years",
    "message_content": "required - stored for 6 years",
    "timestamp": "required - stored for 6 years"
  },
  "data_services": {
    "ip_addresses_assigned": "required - stored for 6 years",
    "traffic_metadata": "required - stored for 6 years",
    "session_duration": "required - stored for 6 years"
  }
}

Internet Service Provider Requirements

ISPs operating in Russia must retain:

ISP data retention requirements under Yarovaya Law
ISP_RETENTION_REQUIREMENTS = {
    "subscriber_data": [
        "full_name",           # Full legal name
        "passport_details",    # Government ID
        "registration_address", # Legal address
        "installation_address", # Service location
        "contract_start_date"
    ],
    "network_data": [
        "assigned_ip_address",     # Dynamic/static IP
        "connection_timestamp",
        "session_duration",
        "volume_of_data_transferred",
        "protocol_information",
        "destination_ip_addresses",
        "dns_queries_made"
    ],
    "access_logs": [
        "authentication_records",
        "service_usage_times",
        "billing_information"
    ],
    "retention_period": "6 years"
}

Messaging and VoIP Services

The Yarovaya Law significantly impacts messaging applications:

All messages must be traceable: Even encrypted services must maintain the ability to provide message metadata to authorities
User identification required: Services must verify user identity through Russian phone numbers
Real-time interception capability: Providers must build systems allowing live surveillance
Content storage: Message content may need to be stored for up to 1 year

Technical Implementation Examples

Log Format for ISP Compliance

Here’s how an ISP might structure compliance logs:

// Compliance log structure for Yarovaya Law
const complianceLog = {
  event_type: "SESSION_START",
  timestamp: "2026-03-16T10:30:00Z",
  subscriber: {
    account_id: "ACC-123456",
    legal_name: "Ivan Petrov",
    passport: "12 34 567890",
    address: "Moscow, Russia"
  },
  network_session: {
    session_id: "SES-7890123456",
    assigned_ip: "85.11.22.33",
    nas_ip: "10.0.0.1",
    connection_type: "PPPoE",
    vlan_id: 100,
    ingress_interface: "eth0/0/1"
  },
  metadata: {
    destination_ips: ["93.184.216.34"],
    destination_domains: ["example.com"],
    protocol: "TCP",
    port: 443,
    bytes_sent: 15234,
    bytes_received: 45678
  }
};

TLS Certificate Infrastructure Implications

The Yarovaya Law has significant implications for TLS/SSL certificate infrastructure:

Russian CA requirements under Yarovaya Law
TLS certificates must be issueable by FSB-approved CAs
Service providers must be able to decrypt TLS traffic

Required configuration for compliance:
1. Deploy FSB-approved SSL/TLS interception proxies
2. Maintain private keys accessible to authorities
3. Implement SORM-compliant logging systems
4. Configure packet capture for all HTTPS traffic
5. Store SSL session keys for decryption capability

VPN and Proxy Service Requirements

VPN providers operating in Russia face particularly stringent requirements:

Requirement	Details
License	Must obtain government license to operate
User Logging	Store all connection logs for 1 year
IP Assignment	Record which IP assigned to which user
Timestamps	Log connection start/end times
Bandwidth	Record volume of data transferred
Metadata	Store all connection metadata
Access	Provide real-time access to FSB

VPN provider compliance data structure
VPN_COMPLIANCE_DATA = {
    "connection_logs": {
        "user_id": "required",
        "real_ip_address": "required",
        "vpn_ip_assigned": "required",
        "connection_start": "required - ISO 8601",
        "connection_end": "required - ISO 8601",
        "bytes_transmitted": "required",
        "destination_servers": "required",
        "protocol_used": "required"
    },
    "retention_period": "1 year minimum",
    "access_requirement": "Real-time FSB access capability"
}

Implications for Developers and Power Users

For Application Developers

If you’re building services for Russian users:

Infrastructure planning: Plan for data retention systems from the start
Data minimization: Collect only necessary data to limit liability
Encryption considerations: Understand that encryption may not exempt you from retention requirements
User notifications: Implement clear data handling disclosures
Jurisdictional awareness: Consider where you host data and how laws apply cross-border

For Privacy-Conscious Users

Users concerned about these requirements can:

Use foreign services: Services outside Russian jurisdiction may have different obligations
End-to-end encryption: Use applications with genuine E2E encryption (though metadata may still be collected)
Tor and I2P: These networks provide stronger anonymity guarantees
VPN considerations: Understand that Russian-licensed VPNs must log data
Device security: Use devices with hardware security features to protect local data

Technical Countermeasures

For users implementing technical countermeasures:

Network isolation approach
Route sensitive traffic through non-Russian exit nodes

DNS configuration
Use DNS over HTTPS with non-Russian providers
Cloudflare (1.1.1.1) or Google (8.8.8.8)

Traffic analysis prevention
Use obfuscated protocols (obfs4, Meek, Shadowsocks)
Implement perfect forward secrecy in custom applications

Enforcement and Penalties

Non-compliance with Yarovaya Law requirements carries significant penalties:

Fines: Up to 1 million rubles for operators
License revocation: ISPs and telcos can lose operating licenses
Criminal liability: executives can face criminal charges
Website blocking: Non-compliant services can be blocked in Russia

Frequently Asked Questions

Who is this article written for?

This article is written for developers, technical professionals, and power users who want practical guidance. Whether you are evaluating options or implementing a solution, the information here focuses on real-world applicability rather than theoretical overviews.

How current is the information in this article?

We update articles regularly to reflect the latest changes. However, tools and platforms evolve quickly. Always verify specific feature availability and pricing directly on the official website before making purchasing decisions.

Are there free alternatives available?

Free alternatives exist for most tool categories, though they typically come with limitations on features, usage volume, or support. Open-source options can fill some gaps if you are willing to handle setup and maintenance yourself. Evaluate whether the time savings from a paid tool justify the cost for your situation.

Can I trust these tools with sensitive data?

Review each tool’s privacy policy, data handling practices, and security certifications before using it with sensitive data. Look for SOC 2 compliance, encryption in transit and at rest, and clear data retention policies. Enterprise tiers often include stronger privacy guarantees.

What is the learning curve like?

Most tools discussed here can be used productively within a few hours. Mastering advanced features takes 1-2 weeks of regular use. Focus on the 20% of features that cover 80% of your needs first, then explore advanced capabilities as specific needs arise.