Critical Information Infrastructure Protection (CIIP)
The purpose of critical information infrastructure protection (CIIP) is to maintain the trouble-free functioning of the country's essential information and communication systems.
The Information System Authority (RIA) organises protection on a national level for the public and private sector network and information systems that are essential for the functioning of the Estonian state.
The services that are essential for society are defined in subsection 3 of the Cybersecurity Act.
Aims and activities of CIIP
- Collection and administration of data about CII
- Compilation of sectoral reports on the risks to CII
- Sectoral involvement of service providers and information exchange
- Development of security measures
- Development of instructions and sample materials
- Provision of substantive advice and giving recommendations to service providers for risk analysis and a more effective implementation of security measures
- Raising cyber security awareness
- Cybersecurity Act: in force from 23 May 2018
- Requirements for risk analysis and security measures (503.58 KB, PDF): in force from 13 July 2018
- NIS Directive: Directive 2016/1148 of the European Parliament and of the Council
Critical infrastructure (CI) means an asset, system or part thereof, which is essential for the maintenance of vital societal functions, and the health, safety, security, economic or social well-being of people, and whose disruption or destruction would have a significant impact in a Member State as a result of the failure to maintain those functions (see Council Directive 2008/114/EC).
Critical information infrastructure (CII) means information and communications systems whose maintenance, reliability and safety are essential for the proper functioning of a country. The critical information infrastructure is a part of the critical infrastructure.
Network and information system means an electronic communications network within the meaning of subsection 2 (8) of the Electronic Communications Act, any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, or digital data stored, processed, retrieved or transmitted by aforesaid elements for the purposes of their operation, use, protection and maintenance.
The Cybersecurity Act lays down the obligations of service providers for ensuring the cybersecurity of network and information systems and the basis for notifications of cyber incidents; the Act also includes the criteria for cyber incidents with a significant impact. In addition, the Act regulates the tasks of the Information System Authority in co-ordinating cybersecurity and organising cross-border co-operation.
The regulation Requirements for risk analysis of network and information systems and description of security measures (in Estonian only) establishes the requirements for carrying out a risk analysis of the network and information systems that are used to provide the services listed in the Cybersecurity Act and describes the organisational, information technology, and physical security measures.
The Cyber Security Strategy 2019–2022 (PDF) is about resilience and focuses mainly on four objectives: being a sustainable digital society; supporting the cybersecurity industry, research and development; being a leading international contributor; and raising awareness to be a cyber-literate society. The fundamental principles of the strategy are:
- We consider the protection and promotion of fundamental rights and freedoms as important in cyberspace as in the physical environment.
- We see cybersecurity as an enabler and amplifier of Estonia's rapid digital development, which is the basis for Estonia's socioeconomic growth. Security must support innovation and innovation must support security.
- We recognise the security assurance of cryptographic solutions to be of unique importance for Estonia as it is the foundation of our digital ecosystem.
- We consider transparency and public trust to be fundamental for digital society. Therefore, we commit to adhere to the principle of open communication.