On May 23, 2026, Russia's Ministry of Digital Development (Mintsifry) officially published Order No. 1174, dated December 16, 2025 and registered with the Justice Ministry on May 22 under No. 86587. The 69-page document rewrites the technical requirements for SORM — Russia's System for Operative Investigative Activities — and it does something the previous rules never did: it turns every internet provider into a live, queryable identity database for the security services.
What the order actually mandates
Under Order No. 1174, operators must make a vastly broader set of user data searchable on demand for the FSB and other authorized agencies. According to Meduza, the categories now include passport data and home addresses, taxpayer identification numbers, banking details, IP addresses, accessed domains, usernames, and geolocation coordinates. As Risky Business reported, these personal records must be bound to hardware identifiers — phone numbers, MAC addresses, IMEI and IMSI codes — and even to login credentials visible in plaintext to the provider.
The architecture is the giveaway. The order specifies that agencies query operators through GraphQL, WebSocket, and HTTP interfaces — the toolkit of a modern real-time API, not an archival warrant system. Cyber-advocate Sarkis Darbinyan told The Insider that this represents "a mechanism of real-time deanonymization," letting officials observe a network event the system deems significant and instantly correlate it with subscriber identity. SORM was already a retrospective dragnet; Order No. 1174 makes it a live targeting system.
This sits atop retention obligations Russia has built since 2016. The Yarovaya law (Federal Law 374-FZ, signed by Vladimir Putin in July 2016) already requires operators to store the content of calls and messages for six months and communications metadata for three years. The new order does not shorten that — it expands what is indexed and how fast it can be pulled.
The steelman
The case for lawful interception is real and should not be caricatured. Every democracy permits targeted communications surveillance under judicial oversight to investigate terrorism, child exploitation, and organized crime, and identifier-binding genuinely helps attribute attacks. The irony cuts in Russia's favor here: days after the order surfaced, Dutch police dismantled a 17-million-device botnet tied to ASOCKS, a Russia-based residential-proxy service used to mask criminal traffic, as Ars Technica reported. Anonymizing infrastructure is abused, and states have a legitimate interest in attribution.
Why proportionality is the whole argument
But proportionality is precisely what Order No. 1174 abandons. Lawful interception in a rights-respecting system is targeted, judicially authorized, time-bound, and auditable. Russia's SORM is none of these. The European Court of Human Rights already ruled on this: in Roman Zakharov v. Russia (2015), the Grand Chamber found that SORM allowed security services "to intercept the communications of each citizen without requiring interception authorisation," violating Article 8 of the Convention — a finding catalogued in peer-reviewed analysis of RuNet's infrastructure-based censorship in First Monday. Order No. 1174 does not fix that defect; it industrializes it by adding financial and biometric-adjacent identifiers to a system that already operates without prior authorization.
The enforcement design confirms the intent. Operators that fail to connect SORM can have their license revoked for up to ten years — commercially fatal. Mintsifry is also weighing the removal of the moratorium on scheduled inspections specifically to verify SORM installation, and floating tiered licenses that could cost operators between 1 and 50 million rubles. Small ISPs, which cannot absorb compliance hardware starting around five million rubles, face a simple choice: wire up total surveillance or exit the market. That is not security policy; it is consolidation by mandate.
The cost to Russia's own digital economy
The damage is not only to civil liberties — it is to innovation. A regime that binds bank details and tax IDs to browsing domains in a queryable government store creates a single catastrophic breach surface; insider abuse and leakage of SORM-adjacent data have a long Russian track record. It raises the fixed cost of operating any network, pushing capital away from smaller and regional providers. And it accelerates Russia's broader 2026 campaign against circumvention tools — VPN app removals, protocol blocking, and traffic charges aimed at international data — that has already degraded the open internet for ordinary users.
The through-line matters for every jurisdiction watching: surveillance capacity scales with infrastructure mandates, and once an API for real-time deanonymization exists, the legal limits on its use become an afterthought. The defensible version of lawful access keeps the data with the operator, requires a judge to authorize each reach, and logs every query. Order No. 1174 does the opposite — it pre-stages the data, removes the judge, and threatens any operator who hesitates. Democracies tempted by "identifier-binding" data-retention proposals of their own should read it as a warning, not a template.