Law Messenger
New U.S. IT sanctions: exploring nuances and impact
20.06.2024
On 12 June 2024, the U.S. Office of Foreign Assets Control (OFAC) announced new restrictive measures targeting the Russian IT sector. The newly introduced rules closely mirror the European Union’s approach to IT services and software, which saw significant expansion of restrictive measures under the EU’s 12th package of sanctions in December 2023. Furthermore, certain United States rights holders were contemplating access restrictions as early as this spring, following the spirit of the EU’s measures. However, OFAC’s new independent regulations have their own unique nuances.
The restrictive measures adopted by OFAC prohibit the exportation, reexportation, sale, or supply—directly or indirectly—from the United States, or by a United States person, wherever located, of the following categories of services to any person located in the Russian Federation:
- IT consultancy and design services; and
- IT support services or cloud-based services for enterprise management software and design and manufacturing software.
These restrictions will take effect on 12 September 2024.
Note that the restrictions do not apply to (1) any service to an entity located in the Russian Federation that is controlled, directly or indirectly, by a United States person, or (2) any service in connection with the wind down or divestiture of an entity located in the Russian Federation that is not owned or controlled, directly or indirectly, by a Russian person.
The OFAC FAQ gives examples of situations that fall under the new restrictions:
- A U.S. company sells a cloud-based enterprise resource planning software subscription to a Russian company.
- A U.S. company signs a contract with a Russian company to assist the Russian company in upgrading its IT systems.
- A U.S. service provider signs a contract with a Russian company for the design and engineering of software that the Russian company uses for internal purposes.
The OFAC FAQ also explains that the prohibition does not apply to scenarios where a U.S. company provides Russian individuals and entities with continued access to cloud-based, free-of-charge, publicly available web applications, such as email, spreadsheet, and document applications. However, no mention is made as to whether these services can be used for commercial purposes.
General Licenses
Alongside the new restrictive measures, OFAC has also issued corresponding General Licenses. Specifically, General License 6D permitting software updates for medical devices, and General License 25D addressing transactions related to telecommunications and certain Internet-based communications.
The following transactions are authorized under General License 25D:
- All transactions ordinarily incident and necessary to the receipt or transmission of telecommunications.
- Exportation or reexportation, sale, or supply—directly or indirectly—from the United States or by U.S. persons, wherever located, to the Russian Federation of services incident to the exchange of communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, blogging, social media platforms, collaboration platforms, video conferencing, e-gaming, e-learning platforms, automated translation, web maps, user authentication services, web hosting, and domain name registration services.
- Exportation or reexportation, sale, or supply—directly or indirectly—from the United States or by U.S. persons, to the Russian Federation of software, hardware, or technology incident to the exchange of communications over the Internet, provided that:
- The software, hardware, or technology is subject to the Export Administration Regulations (EAR); or
- The software, hardware, or technology is not subject to the EAR but would be eligible for a license exception or otherwise authorized by the Department of Commerce if it were subject to the EAR.
General License 25D does not authorize:
- The opening or maintaining of a correspondent account or payable-through account for or on behalf of any entity subject to Directive 2 under Executive Order (E.O.) 14024;
- Any debit to an account on the books of a U.S. financial institution of the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, or the Ministry of Finance of the Russian Federation;
- Any transactions prohibited by E.O. 14066 or E.O. 14068; or
- Any transactions involving Joint Stock Company Channel One Russia, Joint Stock Company NTV Broadcasting Company, Television Station Russia-1, Limited Liability Company Algoritm, New Eastern Outlook, Oriental Review, or Garantex Europe OU, unless separately authorized.
Impact of the new restrictions
In the near future, as the discussed restrictive measures come into effect, Russian businesses are set to encounter new challenges. It is highly likely that these sanctions will be enforced not only by U.S. companies but also by rights holders from other countries, mindful of the risk of secondary sanctions. We cannot dismiss the possibility of overcompliance, where foreign companies might restrict access to IT products beyond OFAC restrictions to fully protect themselves.
According to the Determination and OFAC FAQ, the categories of prohibited software align with those under EU restrictions. Similar to the EU context, uncertainty persists as to which specific software products are subject to prohibition. Further analysis of current software and IT services in use is necessary to ascertain their alignment with restricted categories.
Among the most prevalent U.S. software solutions used in Russia are, for example, IT solutions from Microsoft, widely adopted across the vast majority of companies. It is worth noting that, in certain cases, some software within Microsoft software packages may qualify under General License 25D (for instance, the Outlook email service), while the status of other software remains undetermined (including Excel, Word, and other products not explicitly mentioned in the prohibited software categories nor listed in General License 25D).
Given the risks associated with the new restrictions, it is recommended to focus on analyzing how these measures apply to the software your company uses and developing strategies to mitigate their impact. This analysis will require input from technical IT experts, IT directors and legal professionals specializing in sanctions and intellectual property.
The B1 team has extensive experience in legal consulting on sanctions and is prepared to provide advice on any issues concerning IT-related restrictive measures.
Authors
.jpg)
Natalia Aristova
B1 Partner
Legal Services. Expert in corporate, finance and banking law, sanctions compliance, energy and environmental law
Contact
.jpg)
Anton Sidnin
B1 Senior Associate
Legal Services
Contact
.jpg)
Polina Bychenok
B1 Associate
Legal Services
Contact
New sector-specific rules adopted for categorizing critical information infrastructure in financial services
On 6 February 2026, the Russian Government adopted Decree No. 92, establishing sector-specific rules for categorizing critical information infrastructure (CII) in the banking sector and other segments of the financial market. The new regulation, which entered into force on 15 February 2026, requires CII entities to take immediate compliance actions.
11.02.2026
.png)
Extended producer responsibility (EPR): what has changed since 1 January 2026 and how it affects businesses
Federal Law No. 495-FZ of 28 December 2025 “On Amendments to Article 29¹ of the Federal Law ‘On Production and Consumption Waste’ and Certain Legislative Acts of the Russian Federation” (“Law No. 495-FZ”) was enacted on 31 December 2025 to introduce the new EPR transition timeline for importers from non-EAEU countries.
14.01.2026
New U.S. sanctions
On 22 October 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a press release announcing the imposition of new sanctions against Russia. Below is an overview of the new restrictions and licenses.
27.10.2025
.jpg)
Changes in the regulation of the security of critical information infrastructure (CII)
In 2025, Federal Law No. 187-FZ “On the Security of Critical Information Infrastructure of the Russian Federation” dated 26 July 2017 was significantly amended to strengthen CII technology independence and security. The amendments, introduced by Federal Law No. 58-FZ dated 7 April 2025 (effective 1 September 2025) and Federal Law No. 325-FZ dated 31 July 2025 (effective 1 March 2026), determine CII entities and establish new obligations for them. We highlight the key developments that require companies to promptly adapt their approaches to categorizing CII facilities and building the software mix.
20.10.2025
.jpg)
Overview of potential restrictions resulting from the 19th EU sanctions package
On 19 September 2025 the European Commission presented member states of the European Union with proposals for a 19th package of sanctions against Russia. At the time of writing the package has not yet been approved by the EU Council and its scope and content remain under discussion. Below is a brief summary of the proposed measures based on public statements made by the EU Commission and individual EU officials as well as information available in the mass media as of 7 October.
07.10.2025
.jpg)
Changes to the rules for the distribution of audiovisual works in Russia: new requirements and restrictions
On 31 July 2025 a new federal law was published which amends the rules for the issuance and revocation of distribution certificates1 for audiovisual works and may have a major impact on the activities of owners of streaming services and social networks in Russia. The changes will come into force on 1 March 2026.
28.08.2025
New Russian Civil Code provisions regarding compensation for infringements of intellectual property rights
Federal Law No. 214-FZ “On Amendments to Part Four of the Civil Code of the Russian Federation”, which was published on 7 July 2025, transforms the system of compensation for infringements of intellectual property rights.
26.08.2025