Government Takes Control on the Hosting Providers

Summary

In April 2026, Russia tightened the rules for two layers of telecom infrastructure at once: ISPs and hosting providers.

The government is moving to eliminate the infrastructure on which VPN services rely. At the same time, it is shifting the responsibility for filtering from the regulator to market participants. Hosting providers have effectively become telecom operators. Small and medium-sized market players are being pushed out. Traffic control is consolidating around the “Big Five” — MTS, MegaFon, VimpelCom, T2, and Rostelecom.

What is happening

On April 3, 2026, CNews reported that the Ministry of Digital Development was discussing a radical tightening of telecom operator licensing rules with market participants. The proposal includes reducing the 17 existing license types to three and setting minimum authorized capital requirements from 5 million to 100 million rubles (about $67,000 to about $1,330,000). The rules would also ban individual entrepreneurs from holding licenses and allow licenses to be revoked for repeated violations, with a 10-year ban on re-licensing. The changes may take effect on September 1, 2026. In practice, this would reduce the number of players in the telecom operator market.

Earlier, on April 16, 2026, Kommersant reported on amendments proposed for the second reading of the “Anti-Fraud 2.0” bill. These amendments directly ban hosting providers from providing computing resources to website and IT system owners that enable access to information blocked in Russia. This effectively bans hosting VPN server infrastructure on Russian services.

Meanwhile, the Ministry of Digital Development stated that “the amendments are being coordinated with interested agencies” and that no final version of the document is ready yet.

By early May, the signals from authorities had sharpened. On May 4, 2026, reports said that “Anti-Fraud 2.0” was scheduled for adoption in May. The amendments imply that hosting providers can no longer claim the neutral status of a mere technical platform. In practice, this means a shift from a “respond to complaint” model to a “pre-emptively verify and prevent” model.

Technical publications and discussions from April–May 2026 note that VPN detection increasingly relies on a combination of DPI, TLS fingerprints, and behavioral analysis. Consequently, a hoster only needs to receive a tip from the regulator or a telecom operator about a suspicious node to deal directly with the client and shut down the service.

In practice, responsibility is being pushed down the chain: from the government and ISPs to hosting providers. VPNs are being disabled “through hosting,” rather than through payments, app stores, or targeted website blocking.

The government is forming a regime where Russian hosting becomes an active participant in controlling censorship circumvention. Even if the final sanctions and procedures have not yet been fully disclosed in public texts, the practice is already taking shape. It involves client vetting, compliance with orders, monitoring of “suspicious” services, and disconnecting them based on links to VPN infrastructure.

Mechanics

The key element of this logic is reclassifying hosts as “technical intermediaries” rather than “controllers.”

This is not entirely new. Some hosting providers had already included bans on using their resources to run VPN servers and proxies in their Terms of Service (ToS). The reasons were partly commercial: VPN and proxy services generate disproportionately high traffic, overloading channels, and affecting other clients. They were also partly regulatory. Since 2017, VPN services in Russia have been required to restrict access to banned resources. Hosting providers did not want to assume liability for clients who provided circumvention tools. TOS bans served as insurance against regulatory risks and conflicts with RKN (Roskomnadzor, the federal media and communications regulator) even before the state formalized the relevant requirements in law.

How it looks in terms of service (ToS)

Beget — shared hosting, acceptable use rules:

“It is forbidden to use the Contractor’s resources to provide mass public mail services, VPN services, or proxy services.”

In Beget’s cloud rules, the wording is softer, but it directly refers to jurisdiction:

“It is forbidden to use the Contractor’s resources to provide mass VPN services or proxy services if this contradicts the rules of the country where the platform is hosted.”

RUVDS — public offer, Appendix 1, clause 2.3.5:

«[It is forbidden to] host public proxies, or VPN servers, or systems for testing third-party ones; host private ones using more than 10 Gb of total daily traffic; host VPNs, proxy servers, traffic anonymization tools, and any other tools for accessing resources whose access is restricted within the territory of the Russian Federation.”

NTX.ru — service agreement, clause 11.1.5:

“It is prohibited to host open proxies, open VPNs, or other public services, including those with paid or private access, that may serve as auxiliary tools for unlawful actions on the Internet.”

Previously, ToS versions formulated bans primarily through load restrictions (traffic, CPU resources) or vague “unlawful actions.” In later versions, such as RUVDS’s, the wording directly states “tools for accessing resources whose access is restricted within the territory of the Russian Federation.”

This is no longer business logic. It is legal risk mitigation, directly synchronized with the RKN registry. The “Anti-Fraud 2.0” amendments effectively turn this voluntary practice by some hosting providers into a mandatory requirement for all 566 participants in the hosting provider registry. Hosters now perform ISP-like filtering functions without legally being classified as ISPs.

This practice had already been tested “manually” before the law was adopted, and hosters received corresponding letters from RKN. For example, in December 2025, the hosting provider Aeza received a list of IP addresses in its network (subnet 138.124/16) from Roskomnadzor. RKN demanded the removal of VPN servers from their IPs within 24 hours, threatening to block the entire hosting service otherwise. Users had to send a screenshot of the removed VPN to confirm compliance.

Notably, RKN has learned to identify VPN servers even when they use obfuscated protocols such as Xray, in “clean” subnets where easily detectable OpenVPN and WireGuard had not previously been run. This indicates an improvement in VPN detection capabilities at the TSPU level (Technical Measures to Counter Threats, the specialized DPI hardware controlled by RKN).

Requirements for registered hosting providers already exist. Since February 2024, hosters outside the RKN registry have not been allowed to provide services in Russia. As of April 2026, 566 organizations are registered. The new “Anti-Fraud 2.0” amendments obligate all registry participants to actively identify and disconnect violating clients — specifically those using capacity for VPNs.

What else to consider

The reform affects several infrastructure layers simultaneously, which is no coincidence. Tightening telecom licensing forces out small and regional ISPs who either lack TSPU or have installed it improperly. According to the Association of Small Operators of Russia (AMOR), tens of thousands of employees will leave the market. According to a source in the Leningrad region quoted by Important Stories, “the medium-sized ones will be bought up, and the small ones will be squeezed” within three years.

The hosting requirements close off the last segment that remained relatively free: VPN server infrastructure inside Russia. Even if a VPN service operates through a foreign server, its client-side components, billing, control panel, or CDN might reside on Russian hosting. Now, this is also banned.

The financial side also matters. The hosting industry is already under increased pressure: rising hardware prices, a higher VAT rate, and the implementation of SORM (System for Operative Investigative Activities, the Russian lawful interception system) at hosting providers’ expense have increased service costs by more than 30%. According to Nikita Tsaplin of RUVDS, integration with RKN databases and the mandatory rejection of certain clients “will lead to guaranteed price hikes for everyone else.”

Blocking is accelerating, and the legal framework to support it at the infrastructure level is being put in place alongside. As of the end of February 2026, Roskomnadzor had blocked access to 469 VPN services, up from 400 in mid-January.

How to mitigate the consequences

For VPN providers and their users, the measures described above create several new constraints that require adaptation:

Self-hosted solutions on foreign VPS providers, using modern masking protocols such as Trojan, obfs4, and Xray with non-standard configurations, remain the most resilient option currently.
Russian hosting is becoming completely unsuitable for VPN server infrastructure. Any hoster in the RKN registry will be forced to disconnect such a client upon request (or proactively). Foreign hosting providers that operate within the Russian legal field or have Russian co-owners face the risk of similar pressure.
Protocol obfuscation ( Xray, VLESS, Shadowsocks) slows down but does not stop RKN detection. The Aeza precedent showed that even “clean” subnets with obfuscated traffic can end up blacklisted.
IP address rotation and the use of low-profile subnets from small hosting providers remain relevant, but the window of opportunity is narrowing as small operators are pushed out of the market.
For users deploying personal VPNs on VPS instances, it is critical to choose hosters outside Russian jurisdiction and without Russian shareholders.