Are there any password requirements under the law on personal data?
Are there any password requirements under the Federal Law of the Russian Federation "On Personal Data" (152-FZ)?
Minimum number of characters, required numbers, case, etc.
In accordance with the requirements of Article 19 of the Federal Law "On Personal Data", the Government issued Decree No. 1119, which, depending on the amount of data being processed, determines the required level of protection (a number from 1 to 4).
The FSTEC of the Russian Federation, in accordance with the Federal Law and PP-1119, issued two orders: Order No. 17 for state institutions and Order No. 21 for commercial organizations. They specify which protection measures must be implemented and, where it matters, their characteristics. Password protection is required for all four security levels, but the parameters of that password protection are not specified. So in practice you can choose them yourself, provided that, in the event of an inspection, you can show that the password cannot be cracked by exhaustive search within its lifetime (otherwise you would be in conflict with the same Order No. 21).
Next, start from the guessing speed and calculate from it the required information content (entropy) of the password. Entropy imposes no explicit requirement on the character set, but by enlarging the set you allow the password to be shorter for the same information content. And I strongly advise implementing a timeout in the system (for example, 2 minutes) after 5-10 incorrect password attempts. Otherwise the required minimum length will simply be unrealistic for an ordinary user to remember.
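The calculation the answer describes, worked through as an added example (this is editor-supplied code, not part of the original answer or of any regulatory text). It derives the minimum entropy a password needs so that exhaustive search over the whole password lifetime succeeds with at most a given probability, converts that entropy into a minimum length for several character sets, and shows how a lockout after a few failed attempts lowers the attacker's effective online guess rate and therefore the required length. The 90-day lifetime, the 1e9 guesses/s offline rate, the 50% success threshold and the "10 attempts, then 2 minutes" lockout are assumed illustrative parameters, not figures from the orders.

```python
from __future__ import annotations

import math

SECONDS_PER_DAY = 86_400


def required_entropy_bits(guesses_per_second: float, lifetime_days: float,
                          max_success_probability: float = 0.5) -> float:
    """Minimum password entropy H (bits) such that an attacker making
    `guesses_per_second` distinct guesses for the whole password lifetime
    succeeds with probability at most `max_success_probability`.

    For a uniformly random password drawn from 2**H values, N distinct
    guesses succeed with probability N / 2**H. Requiring N / 2**H <= p
    gives H >= log2(N / p). The default p = 0.5 is an assumed threshold
    ("half the space searched").
    """
    total_guesses = guesses_per_second * lifetime_days * SECONDS_PER_DAY
    return math.log2(total_guesses / max_success_probability)


def min_length(entropy_bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password over `alphabet_size` symbols that
    reaches `entropy_bits`; each symbol contributes log2(alphabet_size) bits,
    which is why a larger character set permits a shorter password."""
    return math.ceil(entropy_bits / math.log2(alphabet_size))


def lockout_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Upper bound on the sustained online guess rate (guesses/second)
    against one account when the service locks it for `lockout_seconds`
    after `attempts_before_lockout` consecutive failures."""
    return attempts_before_lockout / lockout_seconds


def plan(guesses_per_second: float, lifetime_days: float,
         alphabets: dict[str, int]) -> dict[str, int]:
    """Minimum length per alphabet for a given attack rate and lifetime."""
    bits = required_entropy_bits(guesses_per_second, lifetime_days)
    return {name: min_length(bits, size) for name, size in alphabets.items()}


# Constructed character-set sizes: a-z; a-z A-Z 0-9; all printable ASCII.
ALPHABETS = {"lowercase": 26, "alnum": 62, "printable": 95}

if __name__ == "__main__":
    LIFETIME_DAYS = 90  # assumed rotation period

    # Case 1: the attacker has obtained the hash database and guesses
    # offline; 1e9 guesses/s is an assumed figure for a fast hash.
    offline_bits = required_entropy_bits(1e9, LIFETIME_DAYS)
    print(f"offline, 1e9 guesses/s: {offline_bits:.1f} bits ->",
          plan(1e9, LIFETIME_DAYS, ALPHABETS))

    # Case 2: the attacker can only guess through the login form, which
    # locks the account for 2 minutes after 10 failures (the answer's
    # suggestion). The sustained rate drops to 10 / 120 guesses/s.
    rate = lockout_rate(10, 120)
    online_bits = required_entropy_bits(rate, LIFETIME_DAYS)
    print(f"online with lockout, {rate:.4f} guesses/s: {online_bits:.1f} bits ->",
          plan(rate, LIFETIME_DAYS, ALPHABETS))
```

Two caveats a practitioner should keep in mind. The lockout bounds only online guessing against a single account; if the password hashes are stolen, the offline case applies regardless of any lockout, so the hash algorithm's cost, not the lockout, sets the guess rate there. And the entropy-to-length conversion assumes uniformly random passwords; a user-chosen 9-character "printable" password carries far less than 9 * log2(95) bits, so the lengths above are a floor for generated passwords, not an assurance for human-chosen ones.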