Estonia was one of the first countries to develop a national cybersecurity strategy (2008), followed by the publication of an updated strategy in 2014. The 2014 strategy builds on the initial strategy but includes new threats and needs, with a comprehensive assessment of cyber security threats facing Estonia and the capacity to respond to them, both in terms of operational capacity and legal framework. In addition to identifying and managing cyber risks, the 2014 strategy focuses on identifying and managing cyber security risks, ensuring the provision of vital services, increased efficiency on combatting cyber crime, developing national defence capacity, raising awareness and ensuring the availability of experts and solutions for cyber security.
The 2014 strategy has four key objectives:
Obj. 1 - Implement a comprehensive system of security measures, consisting of different levels, will be implemented in Estonia to ensure cyber security at national level. With regard to critical infrastructure, ensure the uninterrupted provision of services and their resilience. The reliability of services and infrastructure, including ensured and perceived high security, represents an important success factor for ensuring the attractiveness of Estonia to foreign investors.
Obj. 2 - Ensure safety in cyber space as an important component of fighting cyber crime, including the anticipation, detection and processing of cyber crimes.
Obj. 3 - Raise awareness among the public of information security risks. Improve the efficiency of fighting cyber crime by ensuring users of computers and smart equipment are able to deal with cyber threats in their everyday life and work.
Obj. 4 - Ensure that proportionate legal regulations serve to support the secure and extensive use of information systems.
Obj. 5 - Support the promotion of international co-operation and promote Estonia as a country with a very high level of information security competence and awareness.
The Estonian Information System Authority provides definitions for both “critical infrastructure” and “critical infrastructure protection”, as well as the term “vital systems”, which is used by the Estonian Government in legislation and policy related to information security: www.ria.ee.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||
2008 for the period 2009-2013.
Revised in 2014 for the period 2014-2017, Cyber Security, Ministry of Economic Affairs and Communications: www.mkm.ee/en/objectives-activities/information-society/cyber-security.
|Updates and revisions||
The revised 2014 strategy takes into account the lessons learned from the implementation of the previous strategy, experiences of other states.
|Implementation and monitoring||
The Ministry of Economic Affairs and Communications implements cyber defence policies in close co-operation with the Cyber defence unit of the Defence League, a voluntary organised group to defend Estonian cyber space; the International Centre for Defence Studies for research and analysis; Estonian Information System’s Authority (EISA), which coordinates the development of information systems: www.kaitseliit.ee/en/cyber-unit; www.ria.ee/en/.
The Ministry of Economic Affairs and Communications works in co-operation with the Ministry of Internal Affairs; the Ministry of Defence; the Ministry of Foreign Affairs; the Ministry of Education and Research and the Association of Information Technology and Telecommunications.
|Operational capacity building||
Estonia has two CERTs/CSIRTs: national/government and military.
The Estonia Computer Emergency Response Team (CERT EE) is responsible for managing security incidents in .ee computer networks. English: https://www.ria.ee/en/cert-estonia.html.
CERT-EE assists Estonian Internet users in the implementation of preventive measures in order to reduce possible damage from security incidents and to help them in responding to security threats. CERT Estonia deals with security incidents that occur in Estonian networks, start there, or which it has been notified about by citizens or institutions either in Estonia or abroad. The support provided by CERT Estonia depends on the type and severity of a security incident, on the number of users potentially affected by it and on resources available for the organisation.
Handling incidents: accepting reports, prioritising incidents according to their level of criticality, analysis, responding to incidents and technical support for solving the incidents. For simultaneous incidents, CERT will coordinate the response to such incidents.
Estonian Defence Forces Cyber Incident Response Capability (EDF CIRC).
In June 2016, Estonia joined the list of nations that have signed the new Memorandum of Understanding (MOU) on cyber defence co-operation with NATO: www.nicp.nato.int/estonia-signs-new-mou-on-cyber-defence-cooperation/ind....
This second generation MOU aims to further improve cyber defence cooperation and assistance between NATO and national cyber defence authorities. The Memorandum contributes to the enhancement and interoperability of NATO and national cyber defence capabilities and facilitates information sharing and assistance to improve cyber incident prevention, resilience and response capabilities.
Estonia conducted two national cyber exercises, Cyber Hedgehog in 2010 and Cyber Fever in 2012. Estonia took part in multi-national cyber exercises organised by NATO in 2013. NATO’s Cooperative Cyber Defence Centre of Excellence is based in Estonia: www.ccdcoe.org.
National incident management procedures are outlined in the Emergency Act 2009. Cyber security incidents are not addressed in particular: www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXXX26&pg=1&tyyp=X....
Legal measures in place
Pursuant to the Emergency Act 2009, which compels the government to establish security measures for certain vital information systems by means of regulation, the Regulation on Security Measures for Information Systems of Vital Services and Related Information Assets was adopted in 2013. The NCSS (2014) also sets the objective of providing appropiate legal measures.
The State Secrets and Classified Information of Foreign States Act 2007 assigns information deemed appropriate to be treated as state secret a classification level, according to a four-tiered system. The requirements that deem information a state secret are organised by the agency or area to which the information relates:
www. nsa.ee/files/State%20Secrets%20And%20Classified%20Information%20Of%20 Foreign%20States%20Act.pdf.
The State Secrets and Classified Information of Foreign States Act 2007 maps security practices to the classification level assigned to information deemed a state secret. These classification levels represent the importance of the information to the various functions of the Estonian government and foreign governments, including the level of risk involved in disclosing the information.
The State Secrets and Classified Information of Foreign States Act 2007 requires an annual inspection of the integrity of the storage in which state secrets assign the top or second tier classification level are contained. No further level of auditing or reporting is required by the Act. The Electronic Communications Act 2004, as amended in 2011, entitles the Technical Surveillance Authority of Estonia to require that any communications provider carry out a security audit. There is no timetable that dictates when Technical Surveillance Authority is to require the security audits: www.legaltext.ee/text/en/X90001K4.htm.
The 2008 Cyber Security Strategy requires that the Cyber Security Strategy Committee will monitor the implementation of the Cyber Security Strategy by submitting annual reports to the government, measuring the progress of the implementation against the Implementation Plan. The current Cyber Security Strategy does not include this provision but does state that it retains the goals and objectives of the 2008 strategy.
The Regulation on Security Measures for Information Systems of Vital Services and Related Information Assets 2013 requires
The entity must also submit a report to the Estonian Information System Authority following the resolution of the security incident.
The 2014 Estonian Cybersecurity Strategy includes a set of “principles and guidelines” for the procurement of national cyber security services and products. One of the principles encourages international cooperation. There are no local procurement requirements in place.
Missing legal measures
Business and Public Private Partnerships
There is not a defined public-private partnership for cybersecurity in Estonia. The Information System Authority (www.ria.ee) operates in close cooperation with private sector. Vaata Maailma (the Look@World Foundation) is public-private partnership (founded in 2001) dedicated to promoting the use of the internet and ICT services. It is composed of Estonian and international telecommunications providers: www.vaatamaailma.ee.
The foundation runs various projects that are primarily educational in nature, covering safe internet and computer use.
There are no significant industry-led platform that engages with cyber security. The Estonian National Cyber Defence League comprises IT professionals and representatives from organisations engaged with critical infrastructure and is one of the entities that cooperates with Ministry of Economic Affairs and Communications.
|Other capacity-building measures: research and education||
StudyITin.ee, http://studyitin.ee/en, is funded by the Estonian state (Ministry of Education and Research), managed by the Information Technology Foundation for Education (HITSA), and supported by Skype, for securing necessary labour force for the ICT sector and for creating preconditions for Estonia’s growth through ICT.
The center has a particular focus on cyber security training and has been organizing specific Cyber Security Summer School since 2015.
Under the Ministry of Economic Affairs and Communications, its co-operation with other government departments and related entities.
While a security audit is defined in the NCSS (2014), there is no timetable that dictates when Technical Surveillance Authority is to require such audits.
Estonia has signed agreements on developing training and cooperation in cybersecurity with Austria, Luxembourg and South Korea.
In the cyber security domain, the e-Governance Academy (eGA) focuses on organisational, regulative and technical measures for national cyber security and includes best practice from around the world. eGA assists nations and specific sectors in improving cyber security knowledge, developing policies and legislation, raising organisational and personnel capacity, implementing security technologies, and developing cooperation frameworks.
|Overall assessment/best practices||
According to the International Telecommunication Union’s Global Cybersecurity index, Estonia ranks fifth in the world and first in Europe in cybersecurity, learning from its past experiences in suffering a cyber attack.
Estonia also hosts the headquarters of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD CoE).
|Date of last WISER analysis||July 2017|
Compliance with the GDPR and NIS Directive: Report a cyber incident
|Report a cyber incident to national CERT/CSIRT||
|Guidance and Updates||
CERT EE provides regular updates on the threat landscape and other related news through its website: https://www.ria.ee/en/an-id-card-software-update-brings-several-signific....
It also provides information about the protection of critical infrastructures, https://www.ria.ee/en/ciip.html, raising public awareness through EU structural funding, https://www.ria.ee/en/programme.html, and other topics related to cyber security.
|Date of last WISER analysis||July 2017.|