What is AI regulation in Russia?
As of 6 June 2026, AI regulation in Russia is not one standalone AI Act. It is a state-led mix of the National AI Strategy to 2030, the voluntary AI Code of Ethics, experimental legal regimes for controlled testing, and binding rules on personal data, localisation, information security and sector law. In practice, Russia's model is sovereignty-focused: it pushes "trusted" domestic AI, keeps key data under Russian control, and enforces the parts that bite through existing regulators and courts.
What this means
Russia does not yet have an EU-style AI regime with one enacted national compliance code for all AI systems. Instead, AI is governed through strategy, soft law, adjacent hard law and special pilots. That means the legal answer depends heavily on what the system does, what data it uses, who uses it, and whether it operates inside a state-approved experimental regime.
The strongest binding duties today often come from outside any dedicated AI text. For many organisations, the first serious issue is not model design but personal data law, especially database localisation for Russian citizens' data. If the system is aimed at public authorities or sensitive state functions, Russia's newer idea of "trusted AI" becomes central as well.
So when someone asks what AI regulation in Russia is, the practical answer is: a mixed framework. It combines presidential direction, voluntary governance standards, sandbox legislation, and enforceable data and security rules.
Why it matters
This matters because organisations can misread Russia if they look only for a single "AI law". Many of the real compliance burdens are already in force, especially around personal data handling, hosting, localisation, procurement, information security and human accountability. A project can therefore fail on basic legal architecture even if the AI itself is technically sound.
It also matters because Russia's policy direction is unusually clear. The state wants AI that is safe, controllable, locally supportable and aligned with national security and public sector priorities. For suppliers, buyers and operators, that affects vendor selection, infrastructure design, contracting, market access and public sector eligibility, not just internal governance paperwork.
How it works
Russia uses a layered model, not one AI act
Russia's current framework has several layers. First, there is top-down state strategy. Second, there is soft law, especially the AI Code of Ethics. Third, there are experimental legal regimes, often called sandboxes, that let the state relax or reshape ordinary rules in a tightly defined pilot. Fourth, there is the existing hard law that already applies to many AI deployments, especially personal data, information security and sector supervision.
That mix is important. It means "AI regulation in Russia" is broader than any one statute and narrower than a general theory of digital sovereignty. It is mainly about how Russia directs AI development, how it tests new uses under state control, and how existing law constrains data-heavy AI systems.
The 2030 strategy sets the state's direction
The centre of gravity is the National AI Strategy to 2030, adopted by presidential decree in 2019 and substantially updated in 2024. The 2024 update matters because it refreshed the strategy after the rapid rise of large generative models and after the technological and market shifts of 2022 to 2023.
The updated strategy is not just a slogan. It expands the vocabulary of Russian AI policy, including large generative models, large "fundamental" models and "trusted AI". It also sharpens the state's priorities: more domestic computing capacity, more support for Russian developers, stronger use of AI in the economy and public administration, and a clearer legal and security framework around deployment.
The 2024 changes also make the state's sovereignty bias explicit. The strategy frames AI as a field of international competition and links AI development to technological independence, national security and resilience under external pressure. That is why Russia's regime is best understood as state-led and sovereignty-focused, rather than purely market-led or purely rights-led.
For public authorities, the strategy goes even further. It points toward a system of "trusted AI" in government, including tested technologies, a register of approved tools, use of the state digital platform "GosTech", certification-oriented assurance, and minimum standards for state bodies. Those directions matter most in public sector deployment, but they also influence suppliers that want to sell into that environment.
The ethics layer is voluntary but influential
Russia's AI Code of Ethics, launched in 2021, is the most visible soft law instrument. It is not a statute and does not create direct administrative penalties. Joining it is voluntary. Even so, it matters because it gives Russia a practical governance language for responsible AI where binding law is still fragmented.
The Code applies across the AI life cycle and addresses developers, owners, operators, experts and others involved in deployment. Its themes are familiar but operationally useful: compliance with law, transparency, user awareness, data security, information security, fairness, reliability and human oversight. One of its clearest ideas is that a human or legal person must remain responsible for the consequences of using an AI system.
That makes the Code more than a symbolic document. It can shape internal policy, procurement expectations, public sector trust assessments and evidence that an organisation has taken AI governance seriously. It also supports voluntary certification and labelling practices, which fit well with Russia's wider move toward "trusted" deployment in state and quasi-state settings.
At the same time, organisations should keep the legal status straight. The Code is soft law. It complements binding law, but it does not replace the duties in personal data, security or sector regulation.
Sandboxes create controlled spaces for special rules
Russia has relied heavily on experimental regulation. The general framework is Federal Law No. 258-FZ of 2020 on experimental legal regimes. Under that law, the Government can approve a programme for a defined test, in listed technology areas that include neurotechnology and AI. The programme sets the scope, participants, safeguards, monitoring and which ordinary legal requirements are changed or disapplied inside the experiment.
For operators, this is one of the most practical parts of Russian AI regulation. If an AI use case does not sit comfortably inside ordinary law, a sandbox may provide a lawful route for controlled testing. Participation is formal. It depends on programme terms and recognised participant status. It is time-limited, normally up to three years under the general law, and participant status can be suspended or terminated if programme conditions are breached.
Separate from the general sandbox law, Russia adopted Federal Law No. 123-FZ in 2020 for a special Moscow AI experiment. The statute set that city-level experimental regime for five years from 1 July 2020. That point matters for current status. As of 6 June 2026, the original five-year experimental phase has, on the face of the statute, run its course.
But that does not make the law irrelevant. In 2024, Federal Law No. 233-FZ amended both the personal data law and the Moscow AI law, expanding the latter so that it also governs special rules for forming regional sets of depersonalised personal data and granting access to them. The result is a two-part picture: the original Moscow experiment should now be treated as largely historical, while the amended statute still matters because its data-related mechanisms survive as live legal infrastructure.
Data sovereignty is where compliance becomes concrete
For many AI deployments, the hardest live legal issue is data geography. Russia's personal data law, Federal Law No. 152-FZ, requires operators, when collecting personal data of Russian citizens, including online, to ensure that the core acts of recording, systematisation, accumulation, storage, updating and retrieval are carried out using databases located in Russia. In plain English, many systems need a Russia-based primary data layer.
This is why data localisation is central to AI governance in Russia. If a model is trained, tuned or operated on Russian user data, the organisation must think carefully about where the first operational database sits, where annotations happen, where logs are stored, and whether external vendors or clouds upset the legal architecture.
The 2024 depersonalised-data reform goes further in the direction of state-controlled data access. It allows the federal authority responsible for information technology policy to require operators, in government-defined cases, to provide depersonalised personal data into a state information system so that grouped data sets can be formed for public administration and other purposes allowed by federal law. The law also says those data sets and their processing must not be used where that could harm life, health, morality, rights and legitimate interests, the environment, cultural heritage, defence or state security.
For organisations, the lesson is simple. In Russia, AI governance quickly becomes a question of data residency, depersonalisation quality, hosting design, access control and documentary evidence. Model governance matters, but data architecture often matters first.
Enforcement comes through existing regulators and courts
Russia does not yet have one single AI supervisor that does for AI what a dedicated national AI authority might do elsewhere. Instead, responsibility is split.
The President and Government set strategic direction. The Ministry of Digital Development sits at the centre of many implementation questions, especially where state digital infrastructure and depersonalised data are involved. Roskomnadzor is the best known enforcement body for the personal data layer, including localisation. Courts remain important because they backstop site restrictions, registry measures and administrative penalties. Sector authorities add their own overlay when AI enters regulated fields such as finance, healthcare, transport or public administration.
The practical bite comes from this adjacent-law enforcement model. Russia has already shown that it will use the personal data and localisation layer against major internet companies. So even without a single omnibus AI act, the legal risk is real.
A broader framework law is proposed, not enacted
The biggest near-term uncertainty is whether Russia moves from this layered model to a clearer general AI statute. In March 2026, MinTsifry published a draft federal law on the state regulation of the spheres of AI application for public discussion.
If enacted in something like its published form, that draft would be a major shift. It proposes a risk-based approach, definitions for sovereign, national and trusted AI models, duties for developers, operators, owners and users, notices for some AI-generated audio and visual material, rights to challenge certain AI-linked decisions, and a right to claim compensation for harm caused by unlawful AI use.
But as of 6 June 2026, that text is still a draft. It is not in force. Organisations should track it closely, but they should not treat it as current law.
Examples
A customer-data AI rollout. A platform collects names, account details, support messages or voice material from users in Russia and wants to use those data in search, ranking or assistant features. Before it gets to model governance, it has to check the personal data law and the localisation rule. If the primary database for Russian citizens' data sits outside Russia, the project can have a basic legal defect before any AI-specific review has even begun.
A public sector assistant. A ministry, region or state-linked organisation wants an internal AI assistant for drafting, document handling or service delivery. In that setting, the key questions are not only accuracy and productivity. They are also whether the tool fits the state's idea of "trusted AI", whether it should run through state digital infrastructure, what certification or testing is expected, and how human control is preserved.
A legally awkward pilot. A developer wants to test an AI use case in an area where ordinary law is too rigid or incomplete. Under Russia's experimental legal regime framework, the more realistic route may be a government-approved programme with defined participants, monitoring, scope limits and a sunset date. In Moscow, the city-specific AI experiment served that purpose from July 2020, and the amended Moscow statute still matters for certain depersonalised-data arrangements even though the original experimental window has passed.
Common misunderstandings
Myth: Russia already has one general AI Act like the EU. Reality: as of 6 June 2026, it does not. Russia still relies on strategy, soft law, sandboxes and adjacent hard law.
Myth: The AI Code of Ethics is binding law. Reality: it is voluntary soft law. It can shape governance expectations and trust signals, but it does not itself create statutory fines.
Myth: Data localisation means data can never leave Russia. Reality: localisation is stricter than many foreign regimes, but it is not the same thing as a total export ban. The key point is that the legally required database layer for collected Russian citizens' personal data must sit in Russia.
Myth: The Moscow AI experiment is the same as Russia's entire AI regime. Reality: it was one special city-level pathway. Its original five-year experimental term has passed, even though the amended law still matters for depersonalised-data access rules.
Myth: "Trusted AI" is already a universal licence category for all private firms. Reality: it is mainly a strategic and public-sector governance concept at present, although it could influence procurement, assurance and future legislation more broadly.
Risks and boundaries
Russia's current framework leaves real gaps. It tells you the state's direction clearly, but it still does not give one stable, enacted, cross-sector compliance code for every AI use case. That means organisations need to map AI issues back to the surrounding law, especially personal data, information security, procurement, sector supervision and general civil liability.
There are also point-in-time traps. The Moscow AI law is easy to overread because its original experimental phase was tied to a five-year term from 1 July 2020, while later amendments added continuing significance in the area of depersonalised data. The March 2026 draft framework bill is another trap. It may signal where Russia is going, but it is not current law. Organisations should therefore separate enacted duties, soft-law expectations and pending proposals, and date-stamp their analysis.
What to do next
Start with data maps. Identify exactly which Russian personal data enter the AI stack, where collection begins, where the first operational database sits, which vendors touch the data, and whether any training, fine-tuning or logging takes place outside Russia.
Separate hard law from soft law. Keep one list of binding duties, another list of ethics and procurement expectations, and a third list of draft reforms that are still only proposals. This avoids treating a strategy document or discussion draft as if it were already enforceable.
Assess whether your use case touches the public sector, security-sensitive functions or other high-trust environments. If it does, plan for stricter assurance, stronger logging, clearer human override and a more formal explanation of why the system should count as "trusted AI".
Check whether a sandbox route exists before assuming a novel deployment is either fully lawful or fully blocked. In Russia, controlled experimentation is often the bridge between policy ambition and permanent law.
Keep the position under review. This is a fast-dating area. A Russia AI memo that was accurate in early 2025 can already be wrong in mid-2026 if it missed the 2024 strategy overhaul, the depersonalised-data reforms, or the 2026 draft framework bill.
FAQs
Does Russia currently have a single AI Act in force?
No. As of 6 June 2026, Russia still regulates AI through a mix of strategy, ethics, sandbox laws and adjacent binding law, rather than one enacted omnibus AI statute.
Is the AI Code of Ethics mandatory?
No. It is voluntary. It matters because it shapes governance expectations and can influence procurement, partnerships and public trust, but it is not itself a source of direct statutory penalties.
What is "trusted AI" in Russia?
It is a strategic category used in the updated National AI Strategy. Broadly, it means AI that meets security, objectivity, non-discrimination and ethical expectations, especially in state and sensitive deployments.
Does Russian data localisation block all cross-border AI processing?
Not automatically. But it does require a Russia-based database layer for collected personal data of Russian citizens, and that can reshape hosting, vendor and workflow design in a major way.
What happened to the Moscow AI experiment?
The original city-level special regime was set for five years from 1 July 2020. By June 2026, that original experimental phase has, on the face of the statute, passed. But the law still matters because 2024 amendments added ongoing rules around regional depersonalised data.
Who enforces AI rules in Russia?
There is no single AI regulator yet. Enforcement is split across existing bodies, especially Roskomnadzor for personal data, plus courts and sector regulators, while the President, Government and MinTsifry shape policy direction.
Is Russia moving toward a broader AI law?
Possibly. MinTsifry published a draft framework law in March 2026. It would be a significant change if enacted, but as of 6 June 2026 it remains a draft, not binding law.
