FSTEC License: Who Needs It, What Types Exist, and How to Verify Your Contractor
May 8, 2025 · 8 min read · System Networks
Most companies do not need an FSTEC license — they need their information security service provider to have one. Understanding which types of licenses exist and how to verify them protects your organisation from legal and contractual risk.
What Is FSTEC
FSTEC (Federal Service for Technical and Export Control) is the Russian government body responsible for information security in non-cryptographic areas. It certifies security software and hardware, and licenses companies that provide information security services.
Types of FSTEC Licenses
License for TZKI activities (Technical Protection of Confidential Information)
Required for companies providing information security services: audits, design of IS systems, implementation of security tools, monitoring. This is the most common license needed by IS service providers.
Required for: IT security companies, auditors, integrators
License for state secrets activities
Work with State Secrets
Required for companies working with classified information. The requirements are much stricter, and the license is rare among commercial companies: it is held mainly by defence contractors and government service providers.
Required for: Defence, government contractors
License for crypto activities
FSB jurisdiction
Cryptographic protection is regulated by the FSB, not FSTEC, and has a separate licensing process. The license is required for companies providing cryptographic services or distributing certified crypto tools.
Required for: Handled by FSB, not FSTEC
Does Your Company Need an FSTEC License?
| Organisation type | Needs FSTEC license? |
|---|---|
| Company using IS tools for own needs | No — only the tool vendor needs it |
| Company outsourcing IS to a provider | No — provider must have it |
| IT security service provider (audits, pentests, IS implementation) | Yes — TZKI license required |
| CII subject (13 regulated sectors) | No license needed, but must use certified tools |
| Government agency or ministry | Provider must have license; agency usually does not |
| Company developing security software | No license needed, but products need FSTEC certification |
How to Verify an FSTEC License
Risks of Working with an Unlicensed Provider
Your audit results are not legally recognised
For CII subjects and 152-FZ compliance, audits and penetration tests must be performed by licensed providers to be legally valid.
Contract may be void or unenforceable
Services requiring a license cannot be legally provided without one. Contracts for such services may be invalidated.
Your FSTEC compliance is at risk
If regulators discover you used an unlicensed IS provider, your own compliance documentation may be rejected.
Liability may transfer to you
Using knowingly unlicensed services can create legal exposure for the client organisation, not just the provider.