
Estonia Last Updated: August 2021

CYBERSECURITY POLICY

Strategy Documents

In Progress Estonia’s Digital Society Agenda 2030


Estonian Ministry of Economic Affairs and Communications

The Estonian Ministry of Economic Affairs and Communications is currently undertaking the process of putting together Estonia’s Digital Society
Agenda 2030.
The Agenda is developed in accordance with Estonia’s national long-term development strategy “Estonia 2035” and its aim that public services
would be of a high quality, intuitive and available everywhere, while ensuring the protection of fundamental freedoms.
The Agenda will also include the next iteration of Estonia’s Cybersecurity Strategy which sets out goals for national development for the coming
years.

Source
2021

Estonian Foreign Policy Strategy 2030


Ministry of Foreign Affairs

Includes cyber and digital diplomacy aspects.

Source
2020

Cybersecurity Strategy 2019-2022


Republic of Estonia; Ministry of Economic Affairs and Communications

The Strategy for the period 2019-2022 focuses on four objectives:

A Sustainable Digital Society;


Cybersecurity Industry, Research and Development;
A Leading International Contributor;
A Cyber-Literate Society.

Source Source 2
5 September 2019

National Security Concept 2017


Ministry of Defence

1. Estonian cyber security is based on close and trust-based cooperation between the public and private sectors;
2. Estonia will continue to develop cyber defence;
3. Estonia will develop digital services and cyber security primarily by investing in them, providing a role model for the private sector; and
4. Estonian cyberspace is part of the safe and stable global cyberspace. Cyber security is founded on constant and close international cooperation.

Source Source 2
2017

Implementation Frameworks

National Defence Development Plan 2017–2026


Ministry of Defence

Announces the upcoming establishment of the Cyber Command, which will achieve integration for carrying out cyber and information operations
in cyberspace and the information sphere.

Source
2017

IT Baseline Security System (ISKE), Implementation Manual 8.0


Information System Authority (RIA)

Information security standard developed for the public sector;


Includes organisational, infrastructural/physical, and technical measures;
Made mandatory with Government Regulation no. 273 (12 August 2004).

Source Source 2
January 2017

STRUCTURE

National Centre or Responsible Agency

Cyber Security Council


Security Committee of the Government of the Republic

Contributes to smooth co-operation between various institutions and conducts surveillance over the implementation of the goals of the Cyber
Security Strategy;
Chaired by the Secretary General of the Ministry of Economic Affairs and Communications.

Source
2009

Key Positions

Chair
Cyber Security Council (Secretary General of the Ministry of Economic Affairs and Communications)
Source

Head of Estonian Cyber Security Policy


Department of State Information Systems, Ministry of Economic Affairs and Communications
Source

Ambassador for Cyber Security


Ministry of Foreign Affairs
Source Source 2
4 September 2018 (first entered into function on)

Commander
Cyber Command
Source

Dedicated Agencies and Departments



Cyber Crime Unit


Police and Border Guard Board

Investigates cyber crimes


Raises awareness regarding cyber threats

Source
2012 (consolidated)

Information System Authority (RIA)


Ministry of Economic Affairs and Communications

Organises protection of information and communication technology infrastructure;


Remains the main institution responsible for the security of Estonia’s networks;
Includes Department of Critical Information Infrastructure Protection (CIIP).

Source
2011 (formerly Estonian Informatics Centre)

Estonian Defence League's Cyber Unit


Defence Forces
Objectives include:

Cooperation among qualified volunteer IT specialists


Raise the level of cyber security for CII
Create a network which facilitates public private partnership and enhances crisis preparedness

Source
2008

Cyber Command
Republic of Estonia, Defence Forces

The main mission of the Cyber Command is to carry out operations in cyberspace in order to provide command support for Ministry of Defence’s
area of responsibility.

Cyber Command's essential tasks are:


Provide information and communication technology infrastructure and services;
Provide cyber defence;
Plan and execute cyber operations;
Gain, maintain and share cyberspace situation awareness;
Plan and execute information operations;
Provide Headquarters support for Joint Headquarters;
Plan and execute strategic communications;
Train, prepare and mobilize wartime and reserve units;
Conduct functional area Training, Research and Development.

Source Source 2
2018

National Cybersecurity Department


Ministry of Economic Affairs and Communications

Commenced its work on 1 May 2021;


The formation of a new department allows national cybersecurity coordination and crisis management to be modernised;
The department will work closely with other parts of the Estonian cybersecurity ecosystem.

Source
1 May 2021

Cyber Diplomacy Department


Ministry of Foreign Affairs of Estonia

Shapes Estonia's cyber diplomacy efforts


Represents Estonia in international fora dedicated to cybersecurity, including in the UN and the OSCE
Organises and supports activities related to cyber capacity building

Source

National CERT or CSIRT

Estonian National Computer Emergency Response Team (CERT-EE)


Information System Authority (RIA)

Governmental CERT;

Aims of CERT-EE are:

1. Monitoring of the state of information security in Estonia by using received reports and collecting information about information security incidents;
2. Preventing security incidents and reducing security risks, mainly by raising awareness and through communication work; and
3. Assisting institutions regarding security incidents and advising them if they want law enforcement agencies to start an incident investigation.

Source Source 2
1 January 2006

LEGAL FRAMEWORK

Legislation

Personal Data Protection Act

Source
12 December 2018

Cybersecurity Act

The Act implements the Network and Security Directive;


Contains provisions on the national level requirements for operators of essential services and digital service providers regarding the
implementation of security measures and the notification of cyber incidents;
Specifies the tasks of the Information System Authority in coordinating cyber security and organising cross-border cooperation.

Source Source 2
9 May 2018

Emergency Act

Source
1 July 2017 (entry into force)

Electronic Communications Act



Provides requirements for the public electronic communications networks and publicly available electronic communications services;
Entitles the Technical Surveillance Authority to require providers to carry out a security audit.

Source
1 January 2005 (entry into force); 1 July 2015 (amended)

Penal Code

§206 Interference with computer data;


§207 Hindering of functioning of computer systems;
See also §208, §216, and §217.

Source Source 2
1 September 2002

Views on International Law

Summary of Estonia’s Position on How International Law Applies in Cyberspace


Republic of Estonia, Ministry of Foreign Affairs

The summary of Estonia’s position states the following points:

International law applies to state behaviour in cyberspace;

States are responsible for their activities in cyberspace;

States have to make reasonable efforts to ensure that their territory is not used to adversely affect the rights of other states;

States have the right to attribute cyber operations both individually or collectively according to international law;

States have the right to respond to malicious cyber operations, including using diplomatic measures, countermeasures, and, if necessary, their
inherent right of self-defence.

Source Source 2
29 May 2019

Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and
communications technologies by States submitted by participating governmental experts in the Group of Governmental Experts on
Advancing Responsible State Behaviour in Cyberspace in the Context of International Security established pursuant to General Assembly
resolution 73/266

The Group of Governmental Experts established pursuant to General Assembly resolution 73/266 adopted its report by consensus on 28 May 2021.
In paragraph 73 of the Group’s report (A/76/135), it is stated that, in accordance with the Group’s mandate, an official compendium of voluntary national
contributions of participating governmental experts on the subject of how international law applies to the use of ICTs by States will be made available on
the website of the Office for Disarmament Affairs.

Source Source 2
May 2021

Estonian official positions on international law in cyberspace


President of the Republic

In her speech, the President of the Republic elaborated the following five points:
Existing international law applies in cyberspace


States are responsible for their activities in cyberspace
States must keep on strengthening their own resilience to cyber threats and disruptions, both individually and collectively
States have the right to attribute cyber operations both individually and collectively according to international law
States have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures, and if necessary, the
inherent right of self-defence

Source
29 May 2019

COOPERATION

Multilateral Agreements

Budapest Convention
PARTY
Source
1 July 2004 (entry into force)

UN Processes

Represented at the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context
of International Security

Source Source 2
2009, 2012/2013, 2014/2015, 2016/2017, 2019/2021

Expressed views to the Annual Report of the UN Secretary-General on Developments in the Field of Information and Telecommunications
in the Context of International Security

Source Source 2
2017

Expressed Views at the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context
of International Security

Source Source 2
2019/2020/2021

UN Security Council Arria-formula meeting: Cyber Stability, Conflict Prevention and Capacity Building

As part of its presidency of the UN Security Council, Estonia organised a virtual meeting focused on stability in cyberspace, cyber norms and international
law.

Source
22 May 2020

UN Security Council High-Level Open Debate on Cyber Security

Estonia has raised the issue of maintaining international peace and security in cyberspace during its elected membership of the UN Security Council
(2020-2021). In June 2021, Estonia organised the first high-level open debate on cybersecurity in the Council.

Source
29 June 2021

Bilateral and Multilateral Cooperation

Agreement between the Ministry of Foreign Affairs of the Republic of Estonia and the International Bank for Reconstruction and
Development and the International Development Association concerning the Cybersecurity Multi-Donor Trust Fund

Estonia has been a donor of the World Bank Associated Cybersecurity Trust Fund since 2020.

Source
2020

Co-Adopter of OSCE Confidence-Building Measure No 14; Estonia, Austria, Belgium

Participating States will, on a voluntary basis and consistent with national legislation, promote public-private partnerships and develop
mechanisms to exchange best practices of responses to common security challenges stemming from the use of ICTs;
Estonia is in the process of developing activities for the CBM 14.

Source Source 2
2020

Agreement for Collaborative Research in Cyberspace, Estonia - US


Ministry of Defence

The United States Army and the Estonian Ministry of Defence signed an agreement that will enable the two countries to conduct future
collaborative science and technology efforts in cyber defence;
They will establish a multi-domain operations, cyber domain working group to identify opportunities for interoperability experimentation and
demonstrations.

Source Source 2
23 September 2020

Memorandum of Understanding - Austria, Belgium, Estonia, Finland, Germany and Latvia


European Defence Agency

Memorandum of Understanding on the pooling and sharing of their respective cyber ranges capabilities;
Part of the Cyber Ranges Federation Project launched in May 2018: Cyber Defence Pooling & Sharing Project.

Source Source 2
28 June 2018

Cooperation, Estonia/NATO-Japan
Prime Minister

Cooperation on cybersecurity;
Japan to join the NATO-accredited cyber defence hub (NATO Cooperative Cyber Defence Centre of Excellence, CCDCOE) based in Tallinn.

Source
12 January 2018

Permanent Structured Cooperation (PESCO) in the area of security and defence


European Union

Member;

There are 8 projects on cybersecurity out of 46 PESCO projects;


Initiated one of PESCO's projects: forming Cyber Rapid Response Teams and Mutual Assistance in Cyber Security.

Source Source 2
11 December 2017 (decision adopted by the European Council)

Memorandum of Understanding, Mauritius-Estonia


Prime Minister

Memorandum of Understanding on digital cooperation, which includes:

The implementation of national data exchange;


Awareness building on cyber security and protection of critical infrastructure through training and exchange of experience in areas of data
protection, cybercrime and protection of critical infrastructure;
Support by the Estonian government for the setting up of the e-Governance Academy;
The promotion of cooperation among private ICT companies for implementing e-services; and
Cooperation between educational institutions especially on e-governance related studies.

Source
29 November 2017

Nordic-Baltic Eight (NB8)-US Roundtable on Cyber Security

Annual dialogue meeting on international cyber issues.

Source Source 2
27 September 2017

Discussions, Estonia-Iceland
Foreign Minister
Discussions on cyber security and opportunities for cooperation in this area.
Source
20 June 2017

Agreement on Data Embassy, Estonia-Luxembourg


Head of State

"Data embassy" due to open in 2018


Agreement on housing data and information systems

Source
20 June 2017

Memorandum of Understanding, Estonia-Republic of Korea


Ministry of Defence
Cooperation agreement on developing training and cooperation in cyber security
Source
31 May 2017

Cyber Hygiene Forum


Ministry of Defence

Platform aimed to raise employees' awareness about cyber threats


Cooperation project with the Latvian ministry of defense, created with CybExer Technologies in Estonia

Source
April 2017

Memorandum of Understanding, Austria-Estonia

Source

Cybersecurity Alliance for Mutual Progress - CAMP Initiative, Member


Estonian Informatics Centre (EIC)
Network platform to lift up the overall level of cybersecurity of members through development experiences and trends sharing.
Source
11 July 2016

Memorandum of Understanding, Estonia-Latvia-Lithuania


Ministry of Defence

Cooperation in cyber-security officially signed online (remotely) with electronic signature;


The first intergovernmental agreement endorsed electronically in the Baltic states;
The countries agreed to exchange knowledge and experience on their cyber security policies and practices, and to support cross-border
collaboration for, and information sharing on, public-private research and development for protection of information systems and networks.

Source
4 November 2015

Exchange of best practices on cyber security, OAS-Estonia


Four-day training event on the development and management of national computer security incident response teams.
Source
27-30 April 2015

OAS Cyber Security Initiative (co-sponsor)

Argentina, Chile, Mexico, and Estonia as co-sponsors


Addresses cyber security issues based on a flexible and dynamic approach, in which cyber security policies and the provision of technical training
are adapted to new trends and evolving needs

Source
16 April 2015

Financial support, Estonia-OAS


Financial support from Estonia for the Cyber Security Program.
Source
27 March 2015

Global Forum on Cyber Expertise, Member

A global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity
building.

Source Source 2
16 April 2015 (Member since)

Memorandum of Understanding, Estonia-OAS


Director of Cyber Security of the Government of Estonia

Memorandum of Understanding to promote the development of cyber security capabilities in the Americas.
Source
20 October 2014

Nordic-Baltic Cooperation (Nordic-Baltic Eight, or NB8)

Regional cooperation format which as of 1992 brought together five Nordic countries and three Baltic countries (Finland, Sweden, Norway,
Iceland, Denmark, Estonia, Latvia and Lithuania) to discuss important regional and international issues

- Regional cyber cooperation set as priority issue in 2014


Source
2014

U.S.-Estonia Cyber Partnership Statement


Ministry of Foreign Affairs
Three elements to partnership:

1. Cooperation in cyber security and cyber defence


2. Bilateral collaboration in law enforcement, academic exchanges, etc.
3. Coordination on capacity building with third parties

Source
3 December 2013

Estonia-Ireland Cyber Security Discussions


President
Discussions on cyber security between the President of Ireland, Michael D. Higgins, Prime Minister, Enda Kenny, and Estonian President Toomas Hendrik
Ilves.
Source
4 April 2012

Memorandum of Understanding, Estonia - NATO


Estonian Informatics Centre and Estonian Communications Security Authority

Creates a legal framework for cyber defence cooperation.

Source
23 April 2010

Select Activities

Tallinn Winter School of Cyber Diplomacy


Ministry of Foreign Affairs

Featured lectures and panel discussions by current and former cyber diplomats as well as experts from leading think tanks, academia and
institutions.

Source
9 - 10 February 2021

Virtual Master Class for Cyber Diplomacy 2020


Ministry of Foreign Affairs

The open master class on cyber diplomacy featured insights on different aspects of cyber diplomacy, including international law applying in
cyberspace, norms of responsible state behaviour, confidence building measures, and cyber capacity building.

Source
2 July 2020

Tallinn Summer School of Cyber Diplomacy


Ministry of Foreign Affairs

A five-day course meant for diplomats as well as other government officials interested in complex cyber issues.

Source
22-26 July 2019

UN Group of Friends on e-governance and cybersecurity

Together with Singapore, the Permanent Representative of Estonia to the UN co-chairs the UN Group of Friends on e-governance and cybersecurity, which
organises a range of events on pertinent issues for UN members.

Source

Membership

European Union (EU)

International Telecommunications Union (ITU)

North Atlantic Treaty Organization (NATO)

Organization for Security and Co-operation in Europe (OSCE)

United Nations (UN)
