On 27 November 2023, the Bill amending the Code of Administrative Offences of the Russian Federation, including fines for noncompliance with cybersecurity measures resulting in data breaches (Bill No. 502104-8), was adopted by the Federal Council. The Bill introduces obligations for operators to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) in the event of personal data breaches and reduces exceptions allowing data processing without notification. The Bill imposes fines for failing to notify personal data processing, ranging from RUB 100,000 to 300,000, with higher fines for unlawful data transfers (up to RUB 10 million). Data breaches result in fines based on the volume of leaked data, ranging from RUB 3 million to 10 million, with repeated violations leading to fines of up to 3% of annual revenue, capped at RUB 500 million.
Original source