Russia Russia SORM surveillance VPN ban

Russia's SORM Order 1174 Extends Mandatory Surveillance Infrastructure to Banks, Universities, and Corporations — Not Just Telecoms

A May 2026 ministerial order forces every organisation running a corporate network to build FSB-accessible surveillance hardware, accelerating Russia's internet consolidation into five Kremlin-aligned providers.

Russia's SORM Expansion: The Numbers People of Internet Research · Russia 85 ISPs Fined by RKN Roskomnadzor fined 85 ISPs in May … 1,967 Licences Revoked Roskomnadzor terminated 1,967 tele… ~37,000 Telecom Jobs at Risk Industry estimates suggest ~37,000… ~$70K Min SORM Hardware Cost Minimum SORM deployment previously… peopleofinternet.com

Key Takeaways

The Order That Changed the Scope

On May 22, 2026, Russia's Ministry of Justice registered Ministry of Digital Development Order No. 1174 — signed December 16, 2025 and effective June 3, 2026. The order replaces Minkomsvyaz Order No. 646 from November 2019 and rewrites the technical foundation of SORM, the System for Operative Investigative Activities that has governed Russian communications surveillance since 1995.

SORMhas always had defenders with a point worth taking seriously. Russia faces real cybercriminals, ransomware operators, and organised fraud networks. Law enforcement in every major democracy maintains legal authority to intercept communications with judicial oversight. Requiring ISPs to install infrastructure that responds to lawful interception requests is not, in isolation, an unusual demand. The European Union's own lawful interception standards (ETSI ES 201 671) impose similar technical obligations. The question is not whether any lawful intercept mechanism exists — it is whether this one is bounded, proportionate, and subject to any meaningful check.

On those tests, Order No. 1174 fails badly.

Twenty-Three Data Categories, No Judicial Warrant for Metadata

The updated SORM standards specify 23 categories of information that operators must make continuously searchable at FSB request. The list goes far beyond call records: full names, passport data, home addresses, taxpayer identification numbers, banking details, IP addresses, MAC addresses, IMEI and IMSI device identifiers, SIM card data, geolocation coordinates, visited domains and URLs, account usernames, session timestamps, traffic volumes in bytes, VPN usage indicators, and even metadata from modern web protocols including GraphQL queries and WebSocket connections.

The stated goal, per Meduza's reporting on the order, is to let SORM "quickly establish links between individuals, devices, networks, accounts and online activity" — in effect, a single continuously updated digital profile for every connected person in Russia. Under Russian law, metadata access does not require a judicial warrant; only content interception formally does, and the distinction between the two has been steadily eroded as SORM evolved through its three generations.

Scope Creep: From ISPs to Everyone with an AS Number

The most significant change in Order No. 1174 is jurisdictional. Previous SORM obligations fell primarily on licensed telecommunications operators and internet service providers. The new order applies to all "owners of technological communication networks" that hold an autonomous system (AS) number — the routing identifier used by any organisation managing its own internet infrastructure.

That definition sweeps in an enormous range of non-telecom entities: banks including Sber and VTB, oil majors like Gazprom and Lukoil, online marketplaces like Ozon, technology conglomerates like Yandex, research universities, hosting companies, data centres, and cloud operators. Each must now deploy dedicated SORM hardware, configure it to government technical standards, and maintain a permanently open channel for FSB remote access — at their own cost.

Separately, Meduza has reported that the FSB demanded in early 2026 that several major banks install SORM equipment on the grounds that their mobile applications qualify them as "organisers of the distribution of information." Banks that refused were removed from the government whitelist allowing their apps to function during mobile internet shutdowns — a coercive lever that effectively made compliance mandatory without any formal legal order.

As of April 1, 2026, the FSB also gained statutory authority to demand free copies of operator databases on demand.

Enforcement Teeth: Fines, Licence Revocation, Market Consolidation

Roskomnadzor has already used its enforcement authority. In May 2026, the regulator fined 85 ISPs for refusing to provide data on IP addresses assigned to their customers — a precursor requirement under the expanded SORM framework. In April 2026, 1,967 telecom licences were terminated across Russia for reporting failures, with Moscow and the Moscow Region accounting for 286 cancelled licences from 42 companies alone.

The threat of licence revocation is existential for small providers. Ministry of Digital Development proposals would require operators to connect SORM before an operating licence is issued — effectively making surveillance infrastructure a precondition of market entry. Combined with new minimum capital requirements ranging from 5 million to 100 million rubles and proposed licence fees up to 50 million rubles, the compliance burden is structured to eliminate smaller players.

Russia currently has approximately 10,000 ISPs; analysts tracking the regulatory trajectory expect the market to consolidate around five large providers — Rostelecom, MTS, VimpelCom, MegaFon, and ER-Telecom — all of which have existing government relationships. Industry groups have warned that up to 37,000 telecom sector workers could lose jobs as small providers exit, and that rural and remote communities currently served only by local ISPs risk losing internet access entirely.

VPN Crackdown as a Parallel Pillar

Order No. 1174 does not stand alone. By April 15, 2026, Russia required major internet platforms to detect and block VPN users. Apple was ordered to block App Store top-ups via mobile accounts from April 1. The Ministry of Digital Development plans to expand the capacity of its deep-packet inspection (TSPU) infrastructure to 954 terabits per second by 2030 at a cost of approximately $186 million — specifically to improve VPN detection and blocking. Telegram faced intensified restrictions from February 10, 2026, and an FSB criminal investigation was opened against its founder.

Together, these measures form a coherent architecture: SORM captures and links identifying data at every network node; VPN blocking prevents evasion; licence revocation removes non-cooperative providers; and market consolidation reduces the number of entities the FSB must manage.

A Surveillance State Without Guardrails

The European Court of Human Rights ruled in 2015 that Russian SORM legislation fails to provide "adequate and effective guarantees against arbitrariness," specifically because warrantless access to metadata is structurally embedded in the system. That ruling predates Order No. 1174 by more than a decade. The 2026 update does not introduce any new oversight mechanism, independent audit body, or judicial review pathway. It extends the same structurally unchecked access to a vastly larger set of institutions.

The effect is not just a privacy problem. Requiring Sber, Yandex, and Ozon to maintain open FSB infrastructure channels imposes engineering and security costs that divert resources from product development, deters foreign technology partnerships, and creates systemic security vulnerabilities — any backdoor available to the FSB is a backdoor that adversarial actors will probe. For a country whose stated ambition is to build a competitive domestic technology sector, Order No. 1174 is an own goal dressed up as a security measure.

Sources & Citations

  1. Meduza — Ministry Expands SORM Data List (May 27, 2026)
  2. Meduza — SORM Inside Every Major Company (explainer)
  3. The Record — Russia Upgrades SORM Rules (June 8, 2026)
  4. Risky Biz — Russia Expands SORM Requirements
  5. iStories — Reforms May Leave Some Areas Without Internet (April 2026)
  6. www1.ru — Roskomnadzor Revoked 1,967 Licences (April 23, 2026)
  7. Zona.media — Russian Internet Censorship in 2026