Critical Information Infrastructure Protection (CIIP)
The purpose of critical information infrastructure protection (CIIP) is to keep the country's essential information and communication systems functioning without disruption.
The Information System Authority (RIA) organises protection on a national level for the public and private sector network and information systems that are essential for the functioning of the Estonian state.
The services that are essential for society are defined in subsection 3 of the Cybersecurity Act.
Aims and activities of CIIP
- Collection and administration of data about CII
- Compilation of sectoral reports on the risks to CII
- Sectoral involvement of service providers and information exchange
- Development of security measures
- Development of instructions and sample materials
- Provision of substantive advice and recommendations to service providers on risk analysis and on more effective implementation of security measures
- Raising cyber security awareness
- Cybersecurity Act (in force from 23 May 2018)
- Requirements for risk analysis and security measures (PDF, 503.58 KB; in force from 13 July 2018)
- NIS Directive (Directive 2016/1148 of the European Parliament and of the Council)
Critical infrastructure (CI) means an asset, system or part thereof which is essential for the maintenance of vital societal functions, and the health, safety, security, economic or social well-being of people, and whose disruption or destruction would have a significant impact in a Member State as a result of the failure to maintain those functions (see Council Directive 2008/114/EC).
Critical information infrastructure (CII) means information and communications systems whose maintenance, reliability and safety are essential for the proper functioning of a country. The critical information infrastructure is a part of the critical infrastructure.
Network and information system means an electronic communications network within the meaning of subsection 2 (8) of the Electronic Communications Act, any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, or digital data stored, processed, retrieved or transmitted by aforesaid elements for the purposes of their operation, use, protection and maintenance.
The Cybersecurity Act lays down the obligations of service providers for ensuring the cybersecurity of network and information systems and the basis for notification of cyber incidents; the Act also sets out the criteria for cyber incidents with a significant impact. In addition, the Act regulates the tasks of the Information System Authority in co-ordinating cybersecurity and organising cross-border co-operation.
The Requirements for risk analysis of network and information systems and description of security measures (in Estonian only) establish the requirements for carrying out a risk analysis of the network and information systems used to provide the services listed in the Cybersecurity Act, and describe the organisational, information-technological and physical security measures.
The Cyber Security Strategy 2014–2017 (PDF) focuses mainly on three areas: ensuring the safety of vital services, improving the fight against cybercrime, and developing national defence capabilities. One of the main objectives of the strategy is to describe measures for the uninterrupted operation and resilience of vital services and for the protection of critical information infrastructure against cyber threats. Attention is also drawn to managing the cross-dependencies between vital services whose assurance does not depend on capacities located in Estonia.