The Estonian government on Thursday approved a cybersecurity bill aimed at strengthening the structures providing essential services to society and protection of state and municipal networks and information systems.
With the bill submitted by Minister of Entrepreneurship and Information Technology Urve Palo (SDE), Estonia would transpose the EU directive on the security of network and information systems, by which requirements concerning the implementation of security measures and notification about cyber incidents are imposed on domestic operators of essential services and digital services.
The bill also specifies the duties of the national supervisory body, the Information System Authority (RIA), in coordinating the ensuring of cybersecurity and organizing cross-border cooperation, spokespeople for the government said.
Essential service operators, such as providers of vital services, significant infrastructure companies, the Estonian Internet Foundation, as well as major providers of digital services, such as online marketplaces, search engines and cloud data processors are required to take risk estimate-based organizational, physical and information technology security measures. They must also monitor activities jeopardizing security and take measures to reduce the impact and spread of incidents when necessary.
In addition, the obligation will be introduced to notify the RIA of significant cyber incidents.
In the public sector, including in municipalities, the obligation to implement information security measures will be expanded to cover mail servers, file servers and document management systems, for instance. Currently, the obligation to implement security measures arising from a legislative act has only applied to information systems which are databases as described in the Public Information Act.
The bill would impose no significant new obligations on the public sector, as ensuring the security of information systems has been a part of the development and administration of IT systems for a long time already, the spokespeople added.
The law is scheduled to enter into force on May 10, with the exception of the requirements concerning the Estonian Internet Foundation and government and local government units, which are to enter into force on Jan. 1, 2020. The longer transition period is necessary due to recent changes in connection with the nationwide administrative reform and the process of fiscal planning.
Editor: Aili Vahtla