The digital nervous system that underpins public- and private-sector services is highly complex.
The reliability of each node depends on the presence and integrity of others. If one node becomes inaccessible, it disrupts all interconnected systems and services.
This interdependence makes cybersecurity an integral part of the broader framework, which requires constant attention.
Direction and purpose
Without a national policy and strategic direction in cybersecurity, efforts would resemble Brownian motion – random, uncoordinated movements lacking a unified goal.
Imagine a country where cybersecurity is managed through isolated projects and ad hoc decisions. Each organisation would act according to its best judgment, but the result would be a fragmented system unable to respond effectively to threats or ensure the continuity of critical services. Such a state would undoubtedly be highly vulnerable.
It is, therefore, essential for digitally advanced nations, including Estonia, to establish and implement cybersecurity policies grounded in a long-term vision and a systematic approach. Citizens, businesses, critical infrastructure and the public sector must understand and commit to a shared goal.
Unified policies ensure that cybersecurity measures are coordinated, mutually reinforcing and quickly adaptable to evolving threats. Only then can a country maintain resilience and security.
The architecture of national information systems must account for potential interdependencies and risks. Every new system or technology should be assessed for its impact on the broader ecosystem, guided by thorough risk analysis.
Risk assessment is not a one-time project but an ongoing process that adapts to changing threat landscapes and technological developments.
Cybersecurity is more than an IT concern; it is a matter of national sustainability. Just as system resilience testing and regular risk assessments are vital, so too is analysing the overall resilience of organisations and the state as a whole.
A unified legal framework
Given the evolving security landscape, it is essential to harmonise the legal framework for cybersecurity, network and information security, and crisis management to make sure it reflects best practices and secures the continuity and safety of Estonia’s services in even the most challenging situations.
In the near future, it will be important to incorporate international directives into Estonian law in a way that balances national defence, business freedom and cybersecurity requirements.
European Union (EU) directives form a critical part of Estonia’s cybersecurity framework. However, their implementation should avoid rigid and unconsidered solutions. Too often, Estonian legislators fall into the trap of rigorously and meticulously implementing EU directives and regulations while losing sight of their purpose and intended benefits. A smart approach to implementing EU directives involves analysing their impact and adapting them to local conditions.
For example, when adopting the NIS2 directive in Estonia – which outlines cybersecurity requirements for essential service providers – the focus should go beyond merely meeting technical requirements. Instead, priority should be given to fostering local business development and strengthening the country’s digital resilience. This involves considering the size of local businesses, the unique characteristics of various sectors and the state of infrastructure development.
Such an approach ensures that regulations genuinely enhance security rather than devolving into burdensome bureaucracy. Otherwise, large international corporations with greater resources and experience would gain a competitive edge – an outcome that is clearly not in Estonia’s best interests.
Looking to the future
As policymakers shaping cybersecurity, we must address immediate issues while also preparing for the future.
Within the next decade, quantum computing will fundamentally transform data protection and cybersecurity, breaking cryptographic methods that are currently secure and reliable.
Thus, it is essential to begin adopting quantum-resistant algorithms, also known as post-quantum cryptography.
Cybersecurity requires more than implementing physical, technical and procedural measures. It demands a systemic and community-based approach to protecting the nation as a whole. Cybersecurity is a matter of national sustainability and must not be underestimated.
To enhance our defences, we must combine our knowledge and skills and collaborate not only within the public sector but also with the private sector and internationally. Cybersecurity demands a unified ‘we’ mindset, moving beyond blame games and divisive ‘us versus them’ attitudes to work together towards a shared goal. Only then can we ensure the security of our digital state.
Last updated: 17.02.2025