Ministry of Digital Development to Establish Unified Policy for Increasing VPN Traffic in Russia

The head of the Ministry of Digital Development, Maksut Shadayev, announced at the TAdviser SummIT that the agency will establish a unified policy regarding VPN services in Russia within the next six months.

«In the coming half-year, we will outline our policy in this area. The share of VPN traffic is rising. Roskomnadzor is taking action against unfriendly VPNs that do not comply with Russian laws, but sometimes this also affects corporate VPNs that are essential. We are currently working on a clear policy regarding this matter. It is time to agree on some unified rules. Right now, I cannot provide details on the direction we will take—I will have more information closer to autumn,» Shadayev stated.

Previously, Roskomnadzor indicated that it would not block certain VPN services that comply with Russian legislation. A list of these compliant services exists within the regulatory body, but it is not publicly disclosed. Included in this list are VPN services that have met the requirements for connecting to the federal state information system (FGIS), which contains a registry of banned websites. Once connected to this system, official VPN services must filter content in accordance with the registry and block access to prohibited resources in Russia.

On April 16, 2025, Roskomnadzor announced that 75,000 entries using foreign encryption protocols had been added to its «whitelist» of IP addresses.

«The whitelist of IP addresses created by the Roskomnadzor-affiliated Center for Monitoring and Managing Public Communication Networks (CMU SSO) consists of 75,000 entries, which have increased sixfold since 2023,» Roskomnadzor reported.

Foreign encryption protocols are standards used to secure data in VPNs but do not comply with Russian GOST standards.

Roskomnadzor has been requesting owners of foreign private virtual networks (VPNs) to provide their IP addresses, protocols, and their purposes to be included in this list if companies cannot technically abandon these protocols.

The Federal Service for Technical and Export Control and the Federal Security Service of Russia previously approved a number of technological solutions using Russian encryption algorithms developed with various Russian cybersecurity companies, including Solar Group, Code Security, and InfoTeCS. For example, the «GOST VPN» is currently employed in the «Continent» and ViPNet crypto-gateways. As noted by leading engineer Mikhail Sergeev from CorpSoft24, these solutions are competitive in areas requiring compliance with national standards, such as public sector and critical infrastructure. However, their usage is currently restricted in sectors dependent on global standards, like international trade and IT development, due to incompatibility with Western systems.

«If Roskomnadzor blocks all communications not following GOST standards, Russian businesses will provide their addresses to the regulator in order to maintain communication with their remote employees and offices, as well as with other companies,» said internet security consultant Alexey Lukatsky from Positive Technologies. Nikita Tsaplin, CEO of hosting provider RUVDS, does not rule out that future access to VPNs may require regulatory approval.

On April 10, 2025, Roskomnadzor recommended that Russian private VPN owners refrain from using foreign encryption protocols for data transmission, and if technical necessity arises, they should apply to the Center for Monitoring and Managing Public Communication Networks (CMU SSO) of the Main Radio Frequency Center (GRCHC), which is part of Roskomnadzor.

«We recommend refraining from using foreign encryption protocols for data transmission, particularly those used by applications that grant access to forbidden information,» stated Roskomnadzor’s press service.

«In cases of technical necessity, we ask that requests including justification and specifying the relevant IP addresses for exceptions be sent to the CMU SSO via email at white_list@cmu.gov.ru. The provided data will be added to the exception lists,» they added.

Applications must include the following information: organization name and TIN, the connection protocol used, source IP address (if technically possible), destination IP address, purpose of the connection, responsible contact within the organization for interaction, and any additional comments (if necessary).

A profile expert indicated that Roskomnadzor’s recommendation for private VPN owners to avoid foreign encryption protocols for data transfer appears to be a monitoring measure to assess the number of users utilizing foreign protocols.

«Currently, a significant number of companies in Russia continue to utilize foreign protocols, often because it is more advantageous and convenient. It is premature to discuss forced blockages, as Roskomnadzor’s request seems more like a monitoring measure to ascertain the extent of foreign protocol usage,» stated Timofey Voronin, deputy director of the National Technology Initiative’s Big Data Storage and Analysis Technologies Center.

Accessing information forbidden in Russia was previously classified as a threat to the sustainability and security of the Russian Internet, resulting in VPNs used for accessing blocked resources being blocked through telecommunications service providers (TSPU). As of late October 2024, nearly 200 VPN services were reported to be blocked. Additionally, starting March 1, 2024, a ban on disseminating information that advertises or promotes means to circumvent restrictions for accessing illegal content came into effect.

In October 2023, the Ministry of Digital Development announced that companies relying on VPN services may encounter difficulties due to the blocking of banned resources. To resolve such issues, companies need to reach out to Roskomnadzor or relevant industry bodies. If the issue remains unresolved, they should notify the Ministry of Digital Development.

Andrei Lipov, the head of Roskomnadzor, mentioned at the end of October 2023 that the regulator has not observed widespread issues with VPN usage among companies, noting that problems are generally resolved within three hours. By that time, 12,000 IP addresses had been included in the regulator’s whitelist.

«Even if problems emerge, we resolve them within three hours. When a company contacts us, we promptly analyze why their employees need to use the VPN protocol. This is part of our work. There are many companies in our whitelist—12,000 IP addresses—which were provided by the companies themselves to ensure secure access within their corporate networks,» added Roskomnadzor’s head, Andrei Lipov.

On October 17, 2023, the Ministry of Digital Development published information for companies in Russia and their network administrators facing challenges with VPN services for clients and employees.

Companies using VPN services for remote employee access or integrating servers into a single network may find themselves struggling due to the blocking of prohibited resources. VPN protocols might be subject to Roskomnadzor’s restrictions, but these can be lifted if the service is necessary for work purposes. Here’s how to lift these restrictions.

If a company has difficulties working with VPNs, they should contact Roskomnadzor.

Typically, lists of companies are submitted to Roskomnadzor through relevant authorities. For example, a telecom operator must first raise such an issue with the Ministry of Digital Development.

If the agency has not informed Roskomnadzor about your company, you can do it yourself by calling 8-495-748-13-18 or sending a letter to supervising@noc.gov.ru.

What to include in your request:
— Company name;
— IP addresses;
— Types of VPN services and protocols used.

Roskomnadzor will verify the information and add the company’s IP addresses to the «whitelist,» restoring access to VPNs. However, if a company has reached out to Roskomnadzor directly, the data must still be validated by the relevant authority within a month.

What to do if issues persist: If difficulties with the use of VPN services remain after contacting Roskomnadzor, companies should reach out to the Ministry of Digital Development at vpn@digital.gov.ru.

At the end of September 2023, Maksut Shadayev revealed that there are no plans to impose penalties for using VPN services that are blocked for failing to meet Russian legal requirements. He reiterated that VPNs that do not comply with traffic filtering demands for prohibited information in Russia are currently being blocked.

In November 2022, «Rostelecom» introduced a channel encryption service called «GOST VPN» to Russian telecom operators, data centers, and state companies for constructing and operating secure networks. The «GOST VPN» solution enables secure interaction between geographically dispersed facilities across the country, and its implementation adheres to Russian data protection laws.