New fines for websites and apps: “Sign in with Google” is now banned
On June 9, 2026, the State Duma passed Bill No. 1069392-8 in its second and third readings, establishing administrative liability for violations of user identification rules. The bill awaits the President’s signature and will take effect upon official publication.
Background
The requirement to use only Russian authentication methods has been in effect since December 1, 2023 (Federal Law "On Information, Information Technologies, and Information Protection" dated July 27, 2006, No. 149-FZ).
However, until now, there has been no liability for violating it under the Code of Administrative Offenses. The bill closes this loophole—the provision now carries real penalties.
The initiative “aims to further reduce the Russian internet’s dependence on solutions from unfriendly countries.
What is prohibited
Owners of websites and applications serving users in Russia are prohibited from using the following for authentication:
-
Google OAuth / Gmail
-
Apple ID
-
Microsoft Account
-
GitHub
-
Discord
-
And other foreign platforms — any foreign email address as an identifier
What is allowed
-
Authentication is permitted only via one of the following methods:
-
Russian mobile phone number
-
ESIA (“Gosuslugi”)
-
Unified Biometric System (UBS)
-
A Russian authentication service owned by a Russian citizen or a Russian legal entity (VK ID, Yandex ID, Sber ID, and similar)
Penalties: Table of Fines
|
Violation |
Citizens |
Officials |
Legal entities |
|
First violation of authorization rules |
10,000–20,000 rubles |
30,000–50,000 rubles |
500,000–700,000 rubles |
|
Repeat violation |
up to 40,000 rubles |
up to 100,000 rubles |
up to 1.4 million rubles |
|
Violation of recommended technology guidelines |
10,000–20,000 rubles |
30,000–50,000 rubles |
up to 700,000 rubles |
|
Repeat violation (recommended technologies) |
up to 40,000 rubles |
up to 100,000 rubles |
up to 1.4 million rubles |
|
Failure to comply with the RKN’s requirements to cease the use of recommended technologies (repeat violation) |
— |
— |
up to 2.8 million rubles |
Telecom operators bear separate liability: for disclosing methods of operational-investigative activities, the fine for legal entities will be 3–5 million rubles; for a repeat violation—1–3% of annual revenue, but not less than 10 million rubles.
What businesses need to know
-
The law is not retroactive. Existing accounts created through foreign services before the law took effect will continue to function. The changes apply only to new registrations
-
The law applies to everyone: online stores, delivery services, marketplaces, B2B platforms, corporate portals, mobile apps—any resource with user registration
-
Recommendation algorithms are a separate category. Resource owners using personalized feeds, product or content recommendations are required to: notify users about the use of such technologies, publish rules for their use, and display information about the resource owner. Each of these violations carries a separate fine
-
Technical task: You will need to remove login buttons for foreign platforms and ensure integration with Russian identification systems. This affects not only the frontend but also the backend registration logic.
What to do right now
-
Conduct an audit of all entry points on the website and in the apps
-
Identify registration forms and OAuth buttons that use foreign services
-
Choose an alternative: VK ID, Yandex ID, Sber ID, or phone-based authorization
-
Check for a section on recommendation technologies, if they are used
-
Draft the necessary user notifications and policies
The authorization requirements have been in effect since 2023—the law merely adds financial liability to them. If your service has not yet brought its login system into compliance, now is the last chance to do so without facing penalties.