Owners of Russian websites are forbidden to authorize visitors through foreign services and use foreign certificates. How will this affect users?

The State Duma, in its second and third (final) readings, passed a bill that introduces administrative responsibility for violating authorization rules. Now, according to the deputies' initiative, owners of Russian websites will be fined for allowing users to log in through foreign services (e.g., Google or Apple ID). Details of the initiative and who it may affect are in the analysis by 'Novaya-Europe'.

What is the initiative?

The bill was introduced in November 2025 by a group of deputies, including Andrey Lugovoy and Anton Gorelkin. One of the provisions of the new anti-fraud law adds Article 13.55 ('User Authorization') to the Russian Code of Administrative Offenses. According to it, if a website or application requires users to authorize, its owners must ensure that users are from Russia and use permitted methods. The authors of the bill stated in the explanatory note that an amendment to the law 'On Information' was made back in 2023, obliging websites to allow users to log in only via a Russian phone number, 'Gosuslugi', biometrics, or a Russian authorization service. However, there were no fines for non-compliance with this rule until now. Now, according to the bill, fines will be imposed for authorizing users on online portals through foreign services, including Gmail and Apple ID: for individual website owners, the fine will be up to 20,000 rubles, for officials – up to 50,000, and for legal entities – up to 700,000.

What else is in the bill?

A separate part of the bill concerns TLS certificates, which ensure a secure HTTPS connection, i.e., encrypt traffic in the browser. The law formalizes the operation of the Russian national certification authority (NCA) and obliges developers of Russian browsers to embed its certificate as trusted. The government, by decree, receives the right to make the NCA certificate mandatory in certain areas – for example, in the banking sector.
Thus, the state now controls both DNS (where the domain leads) through the National Domain Name System and TLS (whether the browser trusts the domain). 'This indeed carries certain risks to security and anonymity for Russian users. It's another infrastructural step towards the sovereignty of Runet,' is convinced IT specialist and coordinator of eQualitie projects in Russian, Leonid Yudashev. 'In particular, the state can thus conduct a Man-in-the-Middle attack, where the regulatory body, which sees which pages of which sites you visit, if these sites have this Russian state certificate, can substitute one page for another if necessary. And we know such cases in Kazakhstan in 2019.'

With the same law, deputies have again complicated the operation of VPNs. Now, hosting providers and data centers can no longer provide servers to VPN clients that grant access to resources blocked in Russia. Servers located within the country were particularly effective for bypassing blocks, notes Yudashev. Traffic from them is perceived by Russian infrastructure as internal and is less susceptible to filtering through TSPU.

Does the authorization law apply to absolutely any websites?

The law does not apply to all websites, but only to Russian information resources (websites, applications, information systems). That is, logging into Instagram via Gmail will still be possible after the law is passed. Moreover, the document establishes requirements and fines exclusively for their owners. User responsibility is not prescribed in the law. 'The law does not prohibit ordinary users from having a conditional Gmail,' noted IT specialist Sarkis Darbinyan in a conversation with 'Novaya-Europe'. However, it imposes an obligation on the owners of Russian websites and applications not to use foreign services as a means of authorizing users from the Russian Federation if the site operates in the Russian Federation and allows login/registration.
'This means that for an ordinary user, it will be noticeable that on websites in the .ru zone and Russian apps, there will be fewer and fewer alternative authorization methods. Citizens are not subject to fines. However, for owners of services in the RU zone – websites and applications – the project adds a new significant risk in the form of a fine of up to 700,000 rubles, which is quite substantial for small businesses,' says the expert.

Photo: Artem Geodakyan / TASS / ZUMA Press / Scanpix / LETA.

What should users do now?

If the bill is passed, it does not mean that only Russian emails are needed, noted Sarkis Darbinyan. According to the expert, one needs to have different emails and different services for different purposes. Many services will still offer the option to use any email for registration, but for authorization in some applications, only the methods specified in the law can be used. 'Gosuslugi and ESIA are not the only choice. Authorization will be possible via a Russian mobile number or through Yandex and VK. It is worth noting that the use of these services is fraught with the platform's compliance with the Yarovaya law, which means extrajudicial access by an FSB major to all available information, including the content of emails in the mailbox. If constant monitoring is not a concern [on a specific platform where you will use a Russian service for authorization], then this can be a workable solution,' says the expert.

Did Russian services really ignore authorization requirements?

An analysis by 'Agentstvo' in November last year showed that 16 out of the top 50 websites (almost a third) still offer login through foreign services: these include Google, X, Apple ID, and Telegram. Among them are Mail.ru, Ozon, Avito, Yandex, and Odnoklassniki.
In addition, other well-known services also ignored the law: several Yandex projects (Market, Music, Kinopoisk), Mail.ru services (Cloud, News), as well as Drom, Drive2, hh.ru, 2GIS, Russian AliExpress, and even the manga site Mangalib.

Although Yudashev considers the new restrictions on VPN and TLS more important than the ban on authorization through foreign services, he is confident that Russian regulators will indeed start fining website owners for violating this ban. 'And who will like this?' he sums up.

What did the authors of the bill say?

Gorelkin, commenting on the initiative, wrote back in November: 'Authorization via Google – that's ALL.' However, he assured that ordinary users would not be affected – only those 'owners of websites and applications who have been ignoring the law for two years.' 'The initiative is aimed at further reducing Runet's dependence on decisions from unfriendly countries,' he stated. In the explanatory note, the deputies justified the law with cybercrime statistics: 380,000 fraud cases in 2024, with damages of almost 189 billion rubles. At the same time, they did not explain how banning authorization, VPN hosting, and foreign certificates would help combat this.
Russian authorities have passed a law imposing administrative penalties on website owners for allowing user logins via foreign services like Google or Apple ID. The legislation also formalizes the use of a national certification authority for TLS certificates and restricts hosting providers from offering servers to VPN clients accessing blocked content. While intended to increase digital sovereignty and combat fraud, experts express concerns about user privacy and potential state control over internet traffic.

  • Russian Duma passed a law imposing fines on website owners for using foreign services (Google, Apple ID) for user authorization.
  • The law also formalizes the use of a Russian national certification authority for TLS certificates, giving the state more control over secure connections.
  • Hosting providers are now prohibited from offering servers to VPN clients accessing blocked Russian resources.
  • The initiative aims to reduce Runet’s dependence on foreign services and ‘unfriendly countries’, with fines for violations ranging up to 700,000 rubles for legal entities.
  • Experts warn of potential security and anonymity risks for users, including the possibility of ‘Man-in-the-Middle’ attacks and increased surveillance through mandatory Russian authorization services.