Estonia Last Updated: August 2021

CYBERSECURITY POLICY

Strategy Documents

In Progress Estonia’s Digital Society Agenda 2030 Estonian Ministry of Economic Affairs and Communications

The Estonian Ministry of Economic Affairs and Communications is currently undertaking the process of putting together Estonia’s Digital Society Agenda 2030. The Agenda is developed in accordance with Estonia’s national long-term development strategy “Estonia 2035” and its aim that public services would be of a high quality, intuitive and available everywhere, while ensuring the protection of fundamental freedoms. The Agenda will also include the next iteration of Estonia’s Cybersecurity Strategy which sets out goals for national development for the coming years.

Source 2021

Estonian Foreign Policy Strategy 2030 Ministry of Foreign Affairs

Includes cyber and digital diplomacy aspects,

Source 2020

Cybersecurity Strategy 2019-2022 Republic of Estonia; Ministry of Economic Affairs and Communications

The Strategy for the period 2019-2022 focuses on four objectives:

A Sustainable Digital Society; Cybersecurity Industry, Research and Development; A Leading International Contributor; A Cyber-Literate Society.

Source Source 2 5 September 2019

National Security Concept 2017 Ministry of Defence

1. Estonian cyber security is based on close and trust-based cooperation between the public and private sectors; 2. Estonia will continue to develop cyber defence; 3. Estonia will develop digital services and cyber security primarily by investing in them, providing a role model for the private sector; and 4. Estonian cyberspace is part of the safe and stable global cyberspace. Cyber security is founded on constant and close international cooperation.

Source Source 2 2017

Implementation Frameworks

National Defence Development Plan 2017–2026 Ministry of Defence

Announces the upcoming establishment of the Cyber Command, which will achieve integration for carrying out cyber and information operations in cyberspace and the information sphere. Estonia Last Updated: August 2021

Source 2017

IT Baseline Security System (ISKE), Implementation Manual 8.0 Information System Authority (RIA)

Information security standard developed for the public sector; Includes organisational, infrastructural/physical, and technical measures; Made mandatory with Government Regulation no. 273 (12 August 2004).

Source Source 2 January 2017

STRUCTURE

National Centre or Responsible Agency

Cyber Security Council Security Committee of the Government of the Republic

Contributes to smooth co-operation between various institutions and conduct surveillance over the implementation of the goals of the Cyber Security Strategy; Chaired by the Secretary General of the Ministry of Economic Affairs and Communications.

Source 2009

Key Positions

Chair Cyber Security Council (Secretary General of the Ministry of Economic Affairs and Communications) Source

Head of Estonian Cyber Security Policy Department of State Information Systems, Ministry of Economic Affairs and Communications Source

Ambassador for Cyber Security Ministry of Foreign Affairs Source Source 2 4 September 2018 (first entered into function on)

Commander Cyber Command Source

Dedicated Agencies and Departments Estonia Last Updated: August 2021

Cyber Crime Unit Police and Border Guard Board

Investigates cyber crimes Raises awareness regarding cyber threats

Source 2012 (consolidated)

Information System Authority (RIA) Ministry of Economic Affairs and Communications

Organises protection of information and communication technology infrastructure; Remains the main institution responsible for the security of Estonia’s networks; Includes Department of Critical Information Infrastructure Protection (CIIP).

Source 2011 (formerly Estonian Informatics Centre)

Estonian Defence League's Cyber Unit Defence Forces Objectives include:

Cooperation among qualified volunteer IT specialists Raise the level of cyber security for CII Create a network which facilitates public private partnership and enhances crisis preparedness

Source 2008

Cyber Command Republic of Estonia, Defence Forces

The main mission of the Cyber Command is to carry out operations in cyberspace in order to provide command support for Ministry of Defence’s area of responsibility.

Cyber Command's essential tasks are: Provide information and communication technology infrastructure and services; Provide cyber defence; Plan and execute cyber operations; Gain, maintain and share cyberspace situation awareness; Plan and execute information operations; Provide Headquarters support for Joint Headquarters; Plan and execute strategic communicatons; Train, prepare and mobilize wartime and reserve units; Conduct functional area Training, Research and Development.

Source Source 2 2018

National Cybersecurity Department Ministry of Economic Affairs and Communications

Commenced its work on 1 May 2021; The formation of a new department allows to modernise national cybersecurity coordination and crisis management; The department will work closely with other parts of the Estonian cybersecurity ecosystem.

Source Estonia Last Updated: August 2021

1 May 2021

Cyber Diplomacy Department Ministry of Foreign Affairs of Estonia

Shapes Estonia's cyber diplomacy efforts Represents Estonia in international fora dedicated to cybersecurity, including in the UN and the OSCE Organises and supports activities related to cyber capacity building

Source

National CERT or CSIRT

Estonian National Computer Emergency Response Team (CERT-EE) Information System Authority (RIA)

Governmental CERT;

Aims of CERT-EE are:

1. Monitoring of the state of information security in Estonia by using received reports and collecting information about information security incidents; 2. Preventing security incidents and reducing security risks, mainly by raising awareness and through communication work; and 3. Assisting institutions regarding security incidents and advising them if they want law enforcement agencies to start an incident investigation.

Source Source 2 1 January 2006

LEGAL FRAMEWORK

Legislation

Personal Data Protection Act

Source 12 December 2018

Cybersecurity Act

The Act implements the Network and Security Directive; Contains provisions on the national level requirements for operators of essential services and digital service providers regarding the implementation of security measures and the notification of cyber incidents; Specifies the tasks of the Information System Authority in coordinating cyber security and organising cross-border cooperation.

Source Source 2 9 May 2018

Emergency Act

Source 1 July 2017 (entry into force)

Electronic Communications Act Estonia Last Updated: August 2021

Provides requirements for the public electronic communications networks and publicly available electronic communications services; Entitles Technical Surveillance Authority to require providers carry out a security audit.

Source 1 January 2005 (entry into force); 1 July 2015 (amended)

Penal Code

§206 Interference with computer data; §207 Hindering of functioning of computer systems; See also §208, §216, and §217.

Source Source 2 1 September 2002

Views on International Law

Summary of Estonia’s Position on How International Law Applies in Cyberspace Republic of Estonia, Ministry of Foreign Affairs

The summary of Estonia’s position states the following points:

International law applies to state behaviour in cyberspace;

States are responsible for their activities in cyberspace;

States have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states;

States have the right to attribute cyber operations both individually or collectively according to international law;

States have the right to respond to malicious cyber operations, including using diplomatic measures, countermeasures, and, if necessary, their inherent right of self-defence.

Source Source 2 29 May 2019

Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States submitted by participating governmental experts in the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security established pursuant to General Assembly resolution 73/266

The Group of Governmental Experts established pursuant to the he General Assembly resolution 73/266, adopted its report by consensus on 28 May 2021. In paragraph 73 of the Group’s report (A/76/135), it is stated that, in accordance with the Group’s mandate, an official compendium of voluntary national contributions of participating governmental experts on the subject of how international law applies to the use of ICTs by States will be made available on the website of the Office for Disarmament Affairs.

Source Source 2 May 2021

Estonian official positions on international law in cyberspace President of the Republic

In her speech, the President of the Republic elaborated the following five points: Estonia Last Updated: August 2021

existing international law applies in cyberspace States are responsible for their activities in cyberspace States must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively States have the right to attribute cyber operations both individually and collectively according to international law States have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the inherent right of self-defence

Source 29 May 2019

COOPERATION

Multilateral Agreements

Budapest Convention PARTY Source 1 July 2004 (entry into force)

UN Processes

Represented at the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security

Source Source 2 2009, 2012/2013, 2014/2015, 2016/2017, 2019/2021

Expressed views to the Annual Report of the UN Secretary-General on Developments in the Field of Information and Telecommunications in the Context of International Security

Source Source 2 2017

Expressed Views at the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security

Source Source 2 2019/2020/2021

UN Security Council Arria-formula meeting: Cyber Stability, Conflict Prevention and Capacity Building

As part of its presidency of the UN Security Council, Estonia organised a virtual meeting focused on stability in cyberspace, cyber norms and international law.

Source 22 May 2020

UN Security Council High-Level Open Debate on Cyber Security

Estonia has raised the issue of maintaining international peace and security in cyberspace during its elected membership of the UN Security Council (2020-2021). In June 2021, Estonia organised the first high-level open debate on cybersecurity in the Council. Estonia Last Updated: August 2021

Source 29 June 2021

Bilateral and Multilateral Cooperation

Agreement between the Ministry of Foreign Affairs of the Republic of Estonia and the International Bank for Reconstruction and Development and the International Development Association concerning the Cybersecurity Multi-Donor Trust Fund

Since 2020, Estonia is a donor of the World Bank Associated Cybersecurity Trust Fund.

Source 2020

Co-Adopter of OSCE Confidence-Building Measure No 14; Estonia, Austria, Belgium

Participating States will, on a voluntary basis and consistent with national legislation, promote public-private partnerships and develop mechanisms to exchange best practices of responses to common security challenges stemming from the use of ICTs; Estonia is in the process of developing activities for the CBM 14.

Source Source 2 2020

Agreement for Collaborative Research in Cyberspace, Estonia - US Ministry of Defence

The United States Army and the Estonian Ministry of Defence signed an agreement that will enable the two countries to conduct future collaborative science and technology efforts in cyber defence; They will establish a multi-domain operations, cyber domain working group to identify opportunities for interoperability experimentation and demonstrations.

Source Source 2 23 September 2020

Memorandum of Understanding - Austria, Belgium, Estonia, Finland, Germany and Latvia European Defence Agency

Memorandum of Understanding on the pooling and sharing of their respective cyber ranges capabilities; Part of the Cyber Ranges Federation Project launched in May 2018: Cyber Defence Pooling & Sharing Project.

Source Source 2 28 June 2018

Cooperation, Estonia/NATO-Japan Prime Minister

Cooperation on cybersecurity; Japan to join the NATO-accredited cyber defence hub (NATO Cooperative Cyber Defence Centre of Excellence, CCDCOE) based in Tallinn.

Source 12 January 2018

Permanent Structured Cooperation (PESCO) in the area of security and defence European Union

Member; Estonia Last Updated: August 2021

There is 8 projects on cybersecurity out of 46 PESCO projects; Initiated one of PESCO's projects: forming Cyber Rapid Response Teams and Mutual Assistance in Cyber Security.

Source Source 2 11 December 2017 (decision adopted by the European Council)

Memorandum of Understanding, Mauritius-Estonia Prime Minister

Memorandum of Understanding on digital cooperation, which includes:

The implementation of national data exchange; Awareness building on cyber security and protection of critical infrastructure through training and exchange of experience in areas of data protection, cybercrime and protection of critical infrastructure; Support by the Estonian government for the setting up of the e-Governance Academy; The promotion of coopeartion among private ICT companies for implementing e-services; and Cooperation between educational institutions especially on e-governance related studies.

Source 29 November 2017

Nordic-Baltic Eight (NB8)-US Roundtable on Cyber Security

Annual dialogue meeting on international cyber issues.

Source Source 2 27 September 2017

Discussions, Estonia-Iceland Foreign Minister Discussions on cyber security and opportunities for cooperation in this area. Source 20 June 2017

Agreement on Data Embassy, Estonia-Luxembourg Head of State

"Data embassy" due to open in 2018 Agreement on housing data and information systems

Source 20 June 2017

Memorandum of Understanding, Estonia-Republic of Korea Ministry of Defence Cooperation agreement on developing training and cooperation in cyber security Source 31 May 2017

Cyber Hygiene Forum Ministry of Defence

Platform aimed to raise employees' awareness about cyber threats Cooperation project with the Latvian ministry of defense, created with CybExer Technologies in Estonia

Source Estonia Last Updated: August 2021

April 2017

Memorandum of Understanding, Austria-Estonia

Source

Cybersecurity Alliance for Mutual Progress - CAMP Initiative, Member Estonian Informatics Centre (EIC) Network platform to lift up the overall level of cybersecurity of members through development experiences and trends sharing. Source 11 July 2016

Memorandum of Understanding, Estonia-Latvia-Lithuania Ministry of Defence

Cooperation in cyber-security officially signed online (remotely) with electronic signature; The first intergovernmental agreement endorsed electronically in the Baltic states; The countries agreed to exchange knowledge and experience on their cyber security policies and practices, and to support cross-border collaboration for, and information sharing on, public-private research and development for protection of information systems and networks.

Source 4 November 2015

Exchange of best practices on cyber security, OAS-Estonia Four-day training event on the development and management of national computer security incident response teams. Source 27-30 April 2015

OAS Cyber Security Initiative (co-sponsor)

Argentina, Chile, Mexico, and Estonia as co-sponsors Addresses cyber security issues based on a flexible and dynamic approach, in which cyber security policies and the provision of technical training are adapted to new trends and evolving needs

Source 16 April 2015

Financial support, Estonia-OAS Financial support from Estonia for the Cyber Security Program. Source 27 March 2015

Global Forum on Cyber Expertise, Member

A global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity building.

Source Source 2 16 April 2015 (Member since)

Memorandum of Understanding, Estonia-OAS Director of Cyber Security of the Government of Estonia Estonia Last Updated: August 2021

Memorandum of Understanding to promote the development of cyber security capabilities in the Americas. Source 20 October 2014

Nordic-Baltic Cooperation (Nordic-Baltic Eight, or NB8)

Regional cooperation format which as of 1992 brought together five Nordic countries and three Baltic countries (Finland, Sweden, Norway, Iceland, Denmark, Estonia, Latvia and Lithuania) to discuss important regional and international issues

- Regional cyber cooperation set as priority issue in 2014 Source 2014

U.S.-Estonia Cyber Partnership Statement Ministry of Foreign Affairs Three elements to partnership:

1. Cooperation in cyber security and cyber defence 2. Bilateral collaboration in law enforcement, academic exchanges, etc. 3. Coordination on capacity building with third parties

Source 3 December 2013

Estonia-Ireland Cyber Security Discussions President Discussions on cyber security between the President of Ireland, Michael D. Higgins, Prime Minister, Enda Kenny, and Estonian President Toomas Hendrik Ilves. Source 4 April 2012

Memorandum of Understanding, Estonia - NATO Estonian Informations Centre and Estonian Communications Security Authority

Creates a legal framework for cyber defence cooperation.

Source 23 April 2010

Select Activities

Tallinn Winter School of Cyber Diplomacy Ministry of Foreign Affairs

Featured lectures and panel discussions by current and former cyber diplomats as well as experts from leading think tanks, academia and institutions.

Source 9 - 10 February 2021

Virtual Master Class for Cyber Diplomacy 2020 Ministry of Foreign Affairs

The open master class on cyber diplomacy featured insights on different aspects of cyber diplomacy, including international law applying in cyberspace, norms of responsible state behaviour, confidence building measures, and cyber capacity building. Estonia Last Updated: August 2021

Source 2 July 2020

Tallinn Summer School of Cyber Diplomacy Ministry of Foreign Affairs

A five-day course meant for diplomats as well as other government officials interested in complex cyber issues.

Source 22-26 July 2019

UN Group of Friends on e-governance and cybersecurity

Together with Singapore, the Permanent Representative of Estonia to the UN co-chairs the UN Group of Friends on e-governance and cybersecurity, which organises a range of events on pertinent issues for UN members.

Source

Membership

European Union (EU)

International Telecommunications Union (ITU)

North Atlantic Treaty Organization (NATO)

Organization for Security and Co- operation in Europe (OSCE)

United Nations (UN)