In today’s environment, the cloud business is no longer a “wild west”. It has become a tightly regulated industry where information law, personal data legislation, communications regulations, licensing, sanctions, and antitrust rules all intersect.
What is needed is not abstract advice, but workable legal structures that allow companies to lease cloud capacity, store data in it, develop software, provide services to third parties, and do so without fear of blocks and fines.
Full‑cycle legal compliance for cloud service operators (IaaS, PaaS, SaaS), IT infrastructure providers, corporate cloud users, and companies migrating to Russian cloud environments.
Against the backdrop of sanctions pressure, the mass exodus of foreign vendors, and the tightening of Russian legislative requirements regarding data localisation, information security, and import substitution, the sustainability of a business using cloud services directly depends on the legal soundness of its contractual model, compliance with mandatory requirements, and protection from regulatory risks.
Levant & Partners supports cloud providers, lessees of cloud infrastructure, IT service operators, and companies implementing digital services at every stage – from jurisdiction selection and relationship structuring to ongoing compliance and judicial protection.
We step in when standard legal solutions fall short, and mistakes in activity licensing, personal data processing, cross‑border transfers, sanctions structuring, or SLA agreements lead to service shutdowns, multimillion‑ruble fines, or emergency suspension of operations.
When our assistance is needed
- Legal uncertainty about the nature of cloud services – classification of IaaS/PaaS/SaaS as licensed activities, communications services, or lease/software access.
- Sanctions risks associated with foreign software and clouds – disconnection of access, termination of support, blocked payments, import substitution.
- Violations of Federal Laws No. 152‑FZ and No. 149‑FZ – processing of personal data without consents, cross‑border transfers without notification, failure to fulfil obligations as an information dissemination organiser (ORI) or hosting provider.
- Non‑compliance with the new SORM rules (126‑FZ) – communications operators and hosting providers are required to grant the FSB access to traffic on equipment located in Russia.
- Risks related to the new internet advertising labelling system (ERID) – failure to label cloud provider advertising materials may result in turnover‑based fines.
- Disputes over service quality (SLA) – non‑fulfilment of availability indicators, unjustified write‑offs, downtime without compensation.
- Information security requirements (FSTEC, FSB) – certification of informatisation facilities for handling state secrets and personal data.
- Incorrect structuring of international contracts – issues of applicable law, jurisdiction, and liability for data leaks, addressed through gateway agreements between Russian and foreign companies.
Our clients
- IaaS providers (Infrastructure as a Service) – rental of virtual servers, virtual data centres, disk space, and network services.
- PaaS providers (Platform as a Service) – environments for application development and deployment, databases, middleware.
- SaaS providers (Software as a Service) – off‑the‑shelf cloud services (CRM, ERP, document management, HR, finance, analytics).
- Corporate cloud service customers – from SMEs to large corporations migrating to the cloud and replacing foreign vendors.
- Hosting providers and ORI – website hosting and server equipment services, obligations as organisers of information dissemination.
- IT companies – developers and integrators that offer software rental services on their own cloud infrastructure.
- Construction, industrial, and logistics companies transitioning to cloud‑based management, document flow, and sales systems.
Stages of support (full cycle)
- Structuring and registration (Pre‑cloud)
- Selection of the legal model for the cloud service – classification as information services, hosting, communications services, or a licence/sublicence (for SaaS).
- Determination of licensing requirements, registration in the hosting provider register, obtaining ORI status, or registration as a personal data operator.
- Incorporation of a legal entity taking into account IT industry requirements (IT company accreditation, obtaining Ministry of Digital Development status for tax benefits).
- Registration in the internet advertising labelling system (ORD) – obtaining ERID tokens for cloud service advertisements; mandatory registration with an advertising data operator (ORD).
- Contractual work (SLA, AUP, DPA)
- Drafting and adaptation of licence agreements, public offers, and IaaS/PaaS/SaaS contracts under Russian law and judicial practice.
- Service Level Agreement (SLA) – clear KPIs for availability, response times, compensation mechanisms (refunds, credits), and claim procedures.
- Acceptable Use Policy (AUP) – prohibitions on mining, illegal content, DDoS attacks from the leased cloud (particularly relevant after recent court rulings in disputes similar to those with Cloud4Y).
- Data Processing Agreement (DPA) – allocation of liability for personal data leaks between the provider and the customer.
- Sanctions clauses in contracts with foreign vendors – rights of suspension in case of cloud disconnection, alternative supplier provisions, change of applicable law and arbitration.
- Compliance and AML/CFT (115‑FZ)
- Development and implementation of Internal Control Rules under 115‑FZ for cloud providers that accept payments from legal entities and individual entrepreneurs.
- KYC / client identification when providing cloud services (for both individuals and legal entities).
- Determination of suspicious transaction indicators tailored to the cloud provider’s specifics (e.g., a sudden spike in resource consumption, payments from different legal entities using the same card account).
- Personal Data (152‑FZ) and Localisation
- Localisation of Russian users’ databases on servers located in the Russian Federation – a mandatory requirement of 152‑FZ, enforced by Roskomnadzor in 2026 with heightened liability.
- Notification to Roskomnadzor of cross‑border data transfers (if personal data is transferred abroad).
- Legal review of destination countries – whether they are included in the list of states ensuring adequate protection of personal data subjects’ rights (Council of Europe countries, as well as China, UAE, India, Turkey, Kazakhstan, Uzbekistan).
- Support during Roskomnadzor inspections for compliance with 152‑
- Information Security (FSTEC, FSB)
- Certification of informatisation facilities for state information systems (GIS) and personal data information systems (ISPDn) in accordance with FSTEC requirements (new Order No. 117 of 11.04.2025, effective from 1 March 2026).
- Alignment with the required security class of the information system based on the personal data protection level.
- Protection against DDoS attacks – deployment of anti‑DDoS systems, inclusion in the register of Russian software for access protection systems.
- Certification of information security means (FSTEC or FSB certificate) for cloud providers handling state secrets and personal data.
- Sanctions Compliance and Import Substitution
- Legal support for the inventory of foreign software and clouds in the company’s IT infrastructure (including back‑office, accounting, CRM, ERP, email, file sharing, corporate portals).
- Assessment of sanctions risks related to foreign vendors from unfriendly countries.
- Development of an import substitution plan – migration from foreign solutions to Russian software (Ministry of Digital Development registers) and Russian clouds.
- Legal support for data and application migration: contracts with new providers, protection of intellectual property rights, recovery of advances from departing vendors.
- Ongoing Support and Judicial Protection
- Continuous monitoring of legislative changes in the field of cloud services, communications, information, personal data, and sanctions (all four streams of updates from FSTEC, Roskomnadzor, the Ministry of Digital Development, and sanctions regulation).
- Support during inspections by Roskomnadzor, FSTEC, the Federal Antimonopoly Service (FAS), the Prosecutor’s Office, and the Federal Tax Service (FNS).
- Pre‑trial claims and judicial defence:
- o disputes between cloud service customers and providers (quality, downtime, unauthorised access, data leaks);
- o unilateral termination of contracts, including on sanctions grounds;
- o prohibition of cross‑border personal data transfers disguised as IT architecture optimisation (following the departure of SAP);
- o revocation of accredited IT company status (risks of losing tax and insurance contribution benefits).
Our advantages
- Law + IT architecture + regulation – we understand not only the provisions of 149‑FZ, 152‑FZ, and 126‑FZ, but also the technical specifics of IaaS/PaaS/SaaS, cloud‑to‑cloud migration, SLA requirements, and performance metrics.
- Expertise of attorneys with many years of experience in telecom, IT, and GR, including interaction with the Ministry of Digital Development, Roskomnadzor, and the State Duma.
- GR support – taking into account draft laws at the discussion stage.
- Focus on business continuity – we help preserve the ability to lease cloud capacity, develop and launch new digital services, process transactions, and pass inspections.
- Confidentiality and speed – discretion and strict information control are vital for clients planning urgent migration from departing clouds.
Where we are particularly effective
- Cloud providers (IaaS, PaaS, SaaS) – from drafting commercial proposals to judicial protection of software rights.
- Companies implementing import substitution – migration from foreign cloud vendors.
- IT companies – developers and integrators building their own cloud services for B2B and B2C.
- Marketplaces and superapps – using cloud infrastructure to process transactions and personal data of millions of users.
- Banks, financial institutions, and payment system operators – moving their services to the cloud while complying with 115‑FZ and AML/CFT requirements.
Results of our assistance
- Legally sound cloud service model – elimination of uncertainty regarding licensing, register entries, hosting provider obligations, and ORI duties.
- Reduced regulatory risks – protection from fines for unlicensed activities, non‑compliance with 152‑FZ (up to 6 million rubles turnover‑based fine for personal data leaks) and 149‑FZ (service blocking).
- Protection against sanctions‑related disconnection – structured agreements with alternative suppliers, sanctions clauses, readiness for vendor departure.
- Structured contracts with clients – offers, SLA, AUP, DPA that protect you in court over quality disputes.
- Legal readiness for inspections – by Roskomnadzor, FSTEC, FAS, the Prosecutor’s Office, and the Federal Tax Service.
- Ability to scale your business – into new regions, new B2B/B2G segments, and new jurisdictions.