Current status of implementation

The Ministry of Economic Affairs and Communications has drafted a new Act specifically for cyber activities (Cyber Security Act). The Act is intended to come into effect on 10 May 2018. The Cyber Security Act is currently going through coordination among the different ministries.

Implementation Act

A new Act is to be implemented; details are not known yet. The Directive will be implemented by the Cyber Security Act (CSA).

Determination of operators of essential services (Art. 5 NIS)

The Estonian legislator will adopt the existing term "vital service" from the current Emergency Act. According to the definition in the Emergency Act, a vital service is a service that has an overwhelming impact on the functioning of society and the interruption of which is an immediate threat to the life or health of people or to the operation of another vital service or service of general interest. A vital service is regarded in its entirety together with the building, equipment, staff, reserves and other similar facilities indispensable to the operation of the vital service.

There are 45 vital services listed by law, but the list of providers of the vital services is not publicly available. According to the information on the website of the Ministry of the Interior, there are currently 167 vital service providers.

Section 3(2) of the draft CSA specifies that a service provider mentioned in section 3(1) who operates in sectors mentioned in Annex II of the NIS Directive is regarded as an operator of essential services. Section 3(1) refers to the term "vital service" in the current Emergency Act but also adds services in the following areas: 1) certain railway companies; 2) aviation (international aerodrome operators); 3) certain port operators; 4) communications companies providing cable service to more than 10 000 end users; 5) certain health care providers; 6) certain domain name register administrators; 7) Estonian Public Broadcasting; 8) providers of communications, maritime communications and operational radio networks of critical importance.

Reporting obligations

Providers of services must notify the Information System Authority (ISA) of cyber incidents that have a significant effect immediately, but no later than 24 hours from receiving the information. In addition, the provider must notify the persons who could be affected by the incident.

Providers of digital services must immediately notify the competent authority or CSIRT of cyber incidents that have a significant effect on the digital service. The term "significant" is in particular determined by the implementing acts pursuant to Art. 16 para. 8 of the NIS Directive. The notice must allow the competent authority or CSIRT to determine the international effect of the incident. If the incident has a significant effect on the continuity of the digital service in another state, the competent authority will notify the affected state. No report is required if the provider does not have sufficient access to the information that is necessary to evaluate the impact and severity of the security incident.

Sanctions regime

Section 19 of the CSA provides for administrative fines of up to EUR 20,000 where the security measures of service providers set out in section 7(1)-(3) of the CSA are not followed.

Competent authorities

The competent authority in terms of Article 8(1) and the single point of contact in terms of Article 8(3) is the Information System Authority, which operates under the Ministry of Economic Affairs and Communications.

Jurisdictional applications

Service providers are generally subject to Estonian law, based on the principle of territorial applicability of the CSA.

Special rules apply to reporting by providers of digital services. A report must be submitted to the competent authority or CSIRT of the relevant member state where (i) the digital services provider is established; (ii) the parent company is established, in the case of a group of undertakings; or (iii) providers of digital services from third countries have appointed a representative in another EU member state. State supervision over such digital service providers will only be exercised (i) if the digital services provider is established in Estonia; (ii) where the parent company is established in Estonia, in the case of a group of undertakings; or (iii) if providers of digital services from third countries have appointed a representative in Estonia.

Remarks (if any)

No public information about the implementation is available yet. The information regarding the NIS Directive in this document is provided on a no-name basis by the officials responsible for the implementation of the Act. Changes are therefore possible during the actual implementation phase, because the drafting of the local cyber activities Act is still in progress.

Last reviewed 28.02.2018