On September 10, 2025 the Court of Justice of the European Union issued a decision rejecting the Russian Positive Group PAO, which tried to lift EU sanctions, under which it fell in 2023. This case may be important for a number of Russian IT companies.
In 2023 tthe Council of the European Union adopted “the IT criterion” concept, under which sanctions can be imposed on companies licensed by the Federal Security Service of the Russian Federation (FSB) Centre for Licensing, Certification, and Protection of State Secrets or a “weapons and military equipment” licence administered by the Russian Ministry of Industry and Trade.
Based on these criteria, Positive Group PAO, a company engaged in cybersecurity and protection against hacking attacks, was sanctioned by the EU. Its technologies and services are used by over 4,000 organizations around the world.
In the court, the company argued that the “IT criterion”, without establishing any provable connection to activities “undermining or threatening the territorial integrity of Ukraine”, constitutes a disproportionate interference with freedom of business.
The Positive Group argued that the formulation of this criterion is inaccurate as it assumes there is only one type of licence issued by the Federal Security Service (FSB), whereas in fact the FSB issues a wide range of licences covering minor business activities.
The company also stated that there are various types of “state secrets” licences in Russia and that they are not only issued to IT companies, but also mobile operators, construction firms, and cleaning service providers. According to Positive Group, thousands of Russian businesses in all sectors are licensed by FSB and have no connection to information warfare.
However, the court considered that the criterion was beyond doubt.
The court’s materials contain the following statements: “It should be argued that, since Russian IT companies depend on the FSB to carry out their activities, the FSB has levers to mobilize these companies to assist Russian security services in particular in waging information warfare.”
The court’ materials also contain data from several media outlets and studies by analytical foundations stating that “any organization engaged in telecommunications in Russia can be involved by FSB in its activities” and “Russian cyber companies have no choice but to follow orders of government and its security agencies” as well as that “it’s impossible to work in this field without having relations with Russian security services”.
The Positive Group is the first and only cybersecurity company listed on the Moscow Stock Exchange (MOEX: POSI). The number of shareholders exceeds 220 thousand. The revenue of the Positive Group in the second quarter of 2025 amounted to 4.41 billion rubles, which is 42% more than the same indicator in 2024. The net loss for this period amounted to 5 billion rubles (for the first half of 2024 – 4.4 billion rubles). The company has projects in the UAE, Qatar, Saudi Arabia, Tunisia, Egypt, Indonesia, Malaysia, Vietnam and Mexico.
