
Russian Messenger Surveillance Architecture
Roskomnadzor Registry, the Yarovaya Law, and the Geopolitics of Digital Control
Author: Sergiy Cherskoy (Сергей Черской / Сергій Черськой)
Cyber Security Specialist
CEO WeWe3
https://weltwelle.com/
Introduction
Since 2016, the Russian Federation has constructed a comprehensive legal and technical framework that fundamentally reshapes the nature of digital communication within its jurisdiction.
At the center of this system are:
- The Yarovaya legislative package
- The Registry of Information Dissemination Organizers (ORI) maintained by Roskomnadzor
- Mandatory data retention and decryption obligations imposed on online platforms
This framework does not merely regulate digital services. It integrates communication platforms into a state-controlled surveillance architecture.
Understanding how this system functions is critical not only for regional security analysis, but for evaluating the geopolitical dimensions of digital sovereignty worldwide.
1. Legal Foundation: The Yarovaya Package
In 2016, Russia adopted the so-called “Yarovaya package” (Federal Laws No. 374-FZ and No. 375-FZ), which significantly expanded state authority over digital communications.
The legislation amended the Federal Law “On Information…” (Article 10.1), introducing the concept of Information Dissemination Organizers (ORI).
In 2018, Government Resolution No. 445 further specified:
- Data storage obligations
- Retention timeframes
- Technical compliance requirements
This regulatory structure formalized state access mechanisms into the legal environment of online services.
2. The ORI Registry: Institutionalizing Surveillance
Roskomnadzor maintains a centralized registry of services classified as Information Dissemination Organizers.
The registry includes any platform that enables electronic communication, including:
- Messengers
- Social networks
- Forums
- Dating platforms
- Other communication-enabled digital services
Inclusion in the ORI registry triggers legally binding obligations.
Obligations Imposed on Listed Services
Platforms included in the registry must:
- Store message content (text, voice, video, files, images) of Russian users for at least six months (in some regulatory interpretations up to one year).
- Store metadata (connection records, timestamps, IP addresses, sender and recipient information) for up to three years.
- Provide stored data to Russian law enforcement agencies, including the FSB, upon request.
- If encryption is used, provide decryption keys or technical means sufficient to decode communications.
- Ensure the possibility of remote automated access by security authorities.
Failure to comply can result in fines, regulatory pressure, or service blocking.
The well-known conflict between Russian authorities and Telegram over encryption keys is an example of this enforcement model.
3. Expansion to International Messengers
By the end of 2024, the ORI registry contained more than 450 services.
In December 2024, numerous international messengers were added to the registry, including:
- WhatsApp (Meta)
- Skype
- Wire
- Element
- Threema
- Telegram
- Session
- DUST
- Keybase
- Trillian
- Status
- Crypviser
- Pinngle Safe Messenger
Inclusion means that, under Russian law, these platforms are recognized as Information Dissemination Organizers and must comply with the full set of Yarovaya obligations.
The case of the Swiss messenger Threema, added to the registry in 2017, illustrates how even platforms marketed as privacy-oriented may become legally exposed within certain jurisdictions.
4. Practical Consequences: “Transparency” as a Legal Requirement
The Russian regulatory model establishes legally mandatory transparency for any service that:
- Is included in the ORI registry
- Continues to operate legally within the Russian market
This has several implications:
- The confidentiality of correspondence becomes conditional.
- End-to-end encryption is subject to legal override.
- Architectural modifications may be required to ensure access capability.
Even when companies publicly state that they do not cooperate with authorities, the legal obligations remain binding.
Inclusion in the registry signifies ongoing regulatory pressure and compliance exposure.
5. Geopolitical Implications: Communication Platforms as Instruments of State Power
The ORI registry model demonstrates how digital infrastructure can be systematically integrated into national security architecture.
Communication platforms are no longer neutral technological intermediaries.
They are increasingly embedded within sovereign regulatory systems that can compel access.
Under the Yarovaya framework, legal authority extends beyond passive monitoring. It institutionalizes access capability.
This reflects a broader geopolitical shift: digital regulation has become an instrument of strategic state power.
6. From Encryption to Jurisdiction: The Real Axis of Control
Cybersecurity discourse often emphasizes encryption standards — AES-256, RSA-4096, end-to-end encryption, zero-knowledge architecture.
However, encryption alone does not determine security.
Jurisdiction does.
If a platform operates within a legal system that mandates access to communications, encryption becomes conditional rather than absolute.
Legal compulsion can supersede architectural claims.
This transforms secure communication from a technical feature into a sovereignty question.
7. Structural Risk in a Fragmented Digital Order
Global platforms frequently operate across jurisdictions with divergent legal systems.
When a messenger remains legally active in a surveillance-oriented regulatory environment, it may face:
- Regulatory coercion
- Compelled technical adaptation
- Data retention mandates
- Gradual integration into access frameworks
This creates structural risk that may extend beyond national borders.
Governments, corporations, defense institutions, and critical infrastructure operators may unknowingly rely on communication systems legally exposed to adversarial oversight.
8. Regulatory Integration as a Surveillance Strategy
The ORI registry illustrates a broader global trend: states increasingly formalize surveillance through legal integration rather than covert intrusion.
Rather than hacking platforms, they regulate them into compliance.
This approach offers:
- Legal legitimacy
- Long-term enforceability
- Scalable access
- Institutional normalization
Once embedded, such mechanisms operate predictably and systematically.
9. Strategic Conclusion
The Yarovaya framework and ORI registry provide a concrete example of how legal structures can reshape the security properties of digital platforms.
For global actors, the central question is no longer:
“Is this messenger encrypted?”
The decisive question is:
“Under which sovereign authority does this platform ultimately operate?”
In a multipolar digital environment, encryption without jurisdictional sovereignty does not equal strategic security.
It represents conditional privacy within a legally subordinated framework.