Information Security Doctrine of the Russian Federation (Presidential Decree No. 646 of December 5, 2016)

Executive Summary

The Information Security Doctrine of the Russian Federation, approved by Presidential Decree No. 646 on December 5, 2016, is a foundational strategic planning document that establishes the system of official state views on ensuring national security in the information sphere. The Doctrine replaced a predecessor document from 2000, reflecting the fundamentally transformed landscape of information threats and the new role of digital technologies in the life of society and the state.

The document was adopted against a backdrop of escalating geopolitical tensions, a surge in cyber threats, and intensified information warfare that had sharpened notably since 2014. The Doctrine acknowledges serious challenges: from the buildup by certain states of capabilities for information-technical attacks on Russian infrastructure to the intensification of information-psychological operations aimed at destabilizing the domestic political situation. Particular attention is given to the high level of dependence of the Russian economy on foreign information technologies in terms of electronic components, software, computing equipment, and telecommunications.

The Doctrine serves as the legal and conceptual foundation for shaping state policy in the field of information security, defining strategic goals and main directions of activity across five key areas: defense, state and public security, economics, science and education, and strategic stability and international partnerships. It is mandatory for all government authorities and serves as the basis for developing sectoral strategic planning documents throughout the Russian governance system.

Key Provisions

Definition of information security: A state of protection of the individual, society, and the state from internal and external information threats, in which constitutional rights and freedoms of citizens, a decent quality of life, sovereignty, territorial integrity, and sustainable socio-economic development are ensured.
National interests in the information sphere: Protection of constitutional rights of citizens regarding information; stable and uninterrupted functioning of critical information infrastructure (CII); development of the IT industry and electronics sector; communication of reliable information about state policy to Russian and international audiences; contribution to forming a system of international information security.
Principal information threats: Buildup by foreign states of capabilities for information-technical attacks on Russian infrastructure for military purposes; technical intelligence activities targeting Russian government bodies; information-psychological influence on the population; activities of terrorist and extremist organizations in the information space; growth of cybercrime, particularly in the financial sector.
Technology dependency: The Doctrine explicitly acknowledges the high level of dependence of Russian industry on foreign IT — specifically in electronic components, software, computing equipment, and communications — which makes the country's socio-economic development dependent on the geopolitical interests of foreign states.
Scientific and personnel deficits: The document notes insufficient effectiveness of scientific research in advanced IT, a low level of adoption of domestic developments, and inadequate staffing in the information security field.
Organizational framework: The information security system encompasses the Federation Council, the State Duma, the Government, the Security Council, federal executive authorities, the Central Bank, the Military-Industrial Commission, as well as regional and municipal authorities.

Goals and Timelines

As a strategic-level document, the Doctrine does not contain specific quantitative KPIs or rigid deadlines. Instead, it establishes strategic goals across five domains:

Defense: Protection against threats arising from the use of IT for military-political purposes contrary to international law; strategic deterrence; improvement of the information security system of the Armed Forces; neutralization of information-psychological influence.
State and public security: Protection of sovereignty and territorial integrity; enhanced protection of CII and resilience of its operations; counteraction of extremism and terrorism in the information space; protection of classified information; promotion of domestic IT products.
Economic sphere: Minimizing the impact of dependence on foreign IT; development of competitive information security tools and services; elimination of technological dependency through the creation and adoption of domestic solutions; development of a domestic electronic component base.
Science and education: Support for innovative development of the IT industry; achievement of competitiveness for Russian technologies; development of human capital in information security; fostering a culture of personal information security among citizens.
Strategic stability: Formation of a sustainable system of non-conflictual interstate relations in the information space; creation of international legal mechanisms for conflict prevention in cyberspace; development of a national management system for the Russian Internet segment.

Priority areas for the medium term are determined by the Security Council of Russia based on strategic forecasting, and monitoring results are reflected in the annual report of the Security Council Secretary to the President.

Implementation Mechanisms

Strategic governance: The composition of the information security system is determined by the President of the Russian Federation. The Security Council establishes priority areas for the medium term. Implementation is carried out on the basis of sectoral strategic planning documents.

Monitoring and oversight: The annual report of the Security Council Secretary to the President on the state of national security and measures for its strengthening includes results of monitoring the Doctrine's implementation. This provides a systematic feedback mechanism at the highest level of government.

Operating principles: Legality of social relations in the information sphere; constructive cooperation between government bodies, organizations, and citizens; balance between citizens' need for free information exchange and restrictions necessitated by national security; sufficiency of forces and means for information security; compliance with international law and treaties.

Multi-level system: Information security operates through a delineation of powers across federal, interregional, regional, and municipal levels, as well as at the level of specific informatization facilities and information system operators. Regular drills and exercises are provided for to maintain readiness.

Engagement with business and civil society: Participants in the information security system include not only government bodies but also owners of CII facilities, telecommunications operators, financial institutions, media outlets, developers of information security tools, educational organizations, and individual citizens.

Industry Impact

The 2016 Information Security Doctrine established the conceptual framework for all subsequent legislation and regulation in the sphere of IT security and Russia's technological sovereignty.

Legislative consequences: The Doctrine became the ideological foundation for adopting Federal Law No. 187-FZ on CII security (2017), the "sovereign Internet" law (2019), tightened personal data processing requirements, and Presidential Decree No. 166 on import substitution at CII facilities (2022). Virtually every major legislative initiative in the IT and information security sphere in recent years references the Doctrine's provisions.

Information security market: The Doctrine stimulated growth of the domestic information security market by substantiating the need to create and deploy Russian-made solutions. This led to a significant expansion of the IS solutions market in terms of both volume and the number of companies operating in the segment. Russian cybersecurity firms received a strategic mandate to develop alternatives to foreign products.

Personnel policy: The emphasis on developing human capital contributed to the expansion of information security educational programs at universities, an increase in state-funded positions in relevant specialties, and the development of professional retraining systems. This recognized the acute shortage of qualified information security professionals in the country.

International cooperation: The Doctrine cemented Russia's course toward promoting its approaches to international information security, including initiatives at the UN, SCO, and BRICS on countering the use of IT for military purposes and developing international norms of responsible behavior in cyberspace. It positioned Russia as an active proponent of sovereign Internet governance.

Business environment: For IT companies, the Doctrine established a long-term signal — the development of domestic technologies is not merely desirable but a strategic priority of the state. This influenced investment decisions, development strategies, and partnership models across the industry, creating incentives for companies to invest in Russian-made solutions and collaborate with government agencies on cybersecurity.

Amendment History

The Information Security Doctrine of 2016 has not been formally amended since its approval. It superseded the Information Security Doctrine of 2000 (approved by the President of the Russian Federation on September 9, 2000, No. Pr-1895), which was declared null and void.