Russia and China: Convergence of Cyber Control. The Rise of Centralized Cyber Security Models (FSB and CCP) and the New Frontiers of Preventive Surveillance
- Gabriele Iuvinale
- 7 minuti fa
- Tempo di lettura: 4 min
Both China and Russia are significantly strengthening their respective cybersecurity regulatory frameworks. A comparative analysis of the amendments to China's Cybersecurity Law (CSL) (effective January 2026) and the new Russian FSB ordinances (draft regulatory proposals currently under public consultation, slated to take effect in January 2026) reveals strong analogies in their strategies for cyberspace control. These reflect common geopolitical trends oriented toward centralizing power, preventive surveillance, and protecting critical assets.
Key Analogies and Common Strategies
Both sets of regulations exhibit distinctive similarities, particularly concerning State control and the management of Critical Information Infrastructure (CII):
Feature | China (CSL 2025/2026) | Russia (FSB Ordinances 2026 – Drafts under consultation) | Analogy |
Centralized Control | The CSL introduces the mandatory requirement to "adhere to the Leadership of the Chinese Communist Party"Â (New Art. 3). | The FSB coordinates all actions and expands its control functions, positioning the National Coordination Center for Computer Incidents (NCCCA)Â as the central collection/response entity | Centralization of Power:Â The key intelligence/security body (FSB/NCCCA) or the guiding party (CCP) is explicitly placed at the apex of the cybersecurity strategy. |
Expanded Scope | The CSL addresses not only incidents but also the supervision of AI risks and the control over prohibited information traffic. | The new ordinances explicitly include the concept of "cyberattacks" in addition to incidents, extending the regulatory scope. | Proactive and Preventive Approach: Both countries move beyond merely responding to incidents, including prevention and the detection of imminent threats as key objectives. |
Mandatory Interaction | CII Subjects must undergo a national security review for product procurement and face mega-fines for non-compliance. | Continuous interaction with the NCCCA’s technical infrastructure via personal accounts is enforced, and CII subjects must report on measures taken in response to warnings within 24 hours. | Obligation for Continuous Engagement: A centralized, mandatory cooperation mechanism is imposed (via state infrastructure or the FSB) for data collection and the receipt/execution of alerts. |
Reporting Timelines | CII operators must provide a report on adopted measures within 24 hours of receiving a cyberattack notification. | The time to inform the NCCCA is reduced: up to 3 hours for incidents and up to 24 hours for attacks. | Speed Requirements: Drastic reduction of response and reporting times, critical for real-time intelligence. |
Accreditation/Vendor Control | The CSL introduces severe penalties for selling non-certified or non-approved network products after a security review. | The FSB introduces the accreditation procedure for centers of the State System, which must comply with requirements and pass a practical cyber training phase. | Standardization and Filtering: Centralized control over the quality and compliance of actors operating in the CII space, acting as a security filter. |
Geopolitical and Intelligence Implications
These analogies are not coincidental; they point to a strategic convergence between Beijing and Moscow in constructing a cyberspace governance model that distinctly deviates from the Western (multilateral and open governance) approach.
Reinforcement of Digital Sovereignty and Cyber-Isolation
Both countries are consolidating their digital sovereignty, ensuring that ultimate control over data, critical infrastructure, and information flows remains within national borders and under the control of State or Party entities (CCP and FSB). This aligns with the "cyberspace sovereignty" doctrine, which prioritizes internal control over global connectivity.
Centralization of Intelligence Control
Both the FSB (security/intelligence service) in Russia and the Chinese Communist Party (with the CSL mandating technical support to national security organs) are positioning their security structures as the focal points for cyber defense and offense.
The Russian draft package is significant because, if approved, it will formalize the extended powers of the FSB. The FSB is set to gain expanded powers to acquire information not only on past incidents but also on imminent attacks, transforming the NCCCA into a true predictive alert and intelligence center. Similarly, China, with its mega-fines (up to RMB 10 million), ensures its critical assets are protected according to CCP dictates, a move that is both defensive and a means to impose State surveillance over networks.
Emphasis on Cyber-Resilience and Mandated Interaction
Legislative Convergence and Strategic Signaling
The fact that both China (with an approved law) and Russia (with an imminent package of drafts) are legislating almost simultaneously (both regulatory sets are scheduled for entry into force in January 2026) in ways that expand intelligence powers and centralize cyber-governance is highly significant. This convergence indicates not only similar internal challenges but also the potential adoption of shared best control practices or strategic consultation between partners who perceive themselves as counterpoints to a globally dominant Western cyber system.
In conclusion, the legislative initiatives in China and Russia mark a decisive step toward models of centralized, intelligence-driven "cyber-control." The priority is not liberty or multilateral governance, but State stability and national security ensured through total visibility of critical infrastructure and the subordination of private actors to the central authority (CCP or FSB). The fundamental difference lies in the status of implementation: in China, the law is approved, whereas in Russia, it remains in the final consultation phase.