Here is an analysis of the main points and how this will affect business processes.
1. Sovereign AI and a closed club for CII
- What's in the law. The concept of a "national AI model" is introduced. To be included in the "Register of Trusted Models", a neural network must be developed entirely in the Russian Federation, using Russian data and by Russian citizens. The public sector and CII (critical information infrastructure) facilities will be able to use only models from this register.
- Impact on business. Large retail, logistics, and banks are closely linked to CII. This is a clear signal: building long-term products on the APIs of OpenAI, Claude, or even foreign open-source models is becoming a toxic compliance risk. The corporate AI market will be forcibly transferred to solutions from Sber, Yandex, and those who can obtain FSB and FSTEC certificates.
2. Presumption of guilt for algorithm "hallucinations"
- What's in the law. The developer and operator (the company that implemented the system) are responsible for damage from AI. Moreover, they are guilty by default unless they prove that they took "exhaustive measures" to prevent the incident. It is unclear who will determine how "exhaustive" the measures were.
- Impact on business. A dream for the security service and legal department. Now, any implementation of AI agents (for example, to manage supply chains of thousands of stores or dynamic pricing) will require a rock-solid paper justification. If the algorithm mistakenly drops prices below purchase prices or violates antitrust rules, the operating company will be responsible. The speed of launching innovative pilots will be significantly slowed down due to approvals.
3. Blow to loyalty programs and e-commerce
- What's in the law. A vague ban is introduced on AI that engages in "exploitation of human vulnerabilities", and algorithms are required to comply with "traditional values".
- Impact on business. Supervisory authorities, if desired, will be able to classify any smart recommendation systems, personal discounts, algorithmic product feeds, or predictive demand analytics as "exploitation of vulnerabilities". A risky area for all loyalty programs and targeted marketing.
4. Mandatory labeling of everything
- What's in the law. All AI content must have human- and machine-readable labeling.
- Impact on business. This will add a headache to marketing and automated support services. Any generated product cards, advertising creatives, and chatbot responses will have to be run through a separate labeling pipeline.
Summary
The law comes into force on September 1, 2027. Major players have a year and a half to completely overhaul their AI stack. The main focus of innovative divisions will now shift from finding the smartest global LLMs to deploying secure local (on-premise) environments and building a risk management system. Innovation will now have to be done not only quickly, but also with an eye on the criminal code.
The period of "wild AI from the West" and quick tests on the fly is ending; the state is taking technology under strict control.