The Parliament of Estonia (Riigikogu) passed the Cyber Security Act with 79 votes in favour. The purpose of the Act is to improve the protection of the network and information systems used to provide essential services to society, as well as of the systems operated by state and local authorities.
The Cyber Security Act (597 SE) transposes the European network and information security directive (the NIS Directive, Directive (EU) 2016/1148). It establishes the national requirements for operators of essential services and digital service providers on implementing security measures and on notifying cyber incidents.
The Act also specifies the tasks of the national supervisory authority, the Information System Authority, in coordinating the provision of cyber security and in organising cross-border cooperation.
Service providers with a significant impact on the functioning of society (for example, providers of vital services, important infrastructure businesses, and the Estonian Internet Foundation), as well as larger digital service providers (online marketplaces, search engines, and cloud computing services), will have to implement organisational, physical, and information technology security measures based on a risk analysis.
They will also have to monitor activity that jeopardises security and implement measures to reduce the impact and spread of incidents. In addition, they will be required to notify the Information System Authority of any cyber incident with a significant impact.
In the public sector, the obligation to implement information security measures is extended to mail servers, file servers, document management systems, and other systems. Until now, the statutory obligation to implement security measures has applied only to information systems that are databases within the meaning of the Public Information Act. The Act does not impose significant new obligations on the public sector, since ensuring the security of information systems has long been part of the development and management of IT systems.
The Cyber Security Act also amends the Health Care Services Organisation Act. As a result, the security requirements for the information systems used by GPs will be harmonised in 2022, in order to prevent, for example, leaks of personal data or the encryption of data in ransomware attacks. The Act further amends the Estonian Public Broadcasting Act, obliging Estonian Public Broadcasting, as of 2022, to ensure the security of the systems that transmit information on situations threatening the general public or national independence.