The NIS 2 directive sets out measures for a high common level of cybersecurity across the EU and is key legislation for keeping essential IT services running. In Estonia, the Cybersecurity Act (CSA) implements the NIS 2 directive. Before 2022 the CSA was ambiguous about its scope of application; the 2022 amendment now lists that scope explicitly.
Section 3 of the CSA defines the responsible persons as ‘service providers’, i.e. providers of essential services such as healthcare, telecommunications, banking and transport, together with the public sector. Responsible persons must implement security measures and comply with further obligations on preventing and resolving incidents. Cloud service providers are also responsible persons if they have more than 50 employees or an annual turnover above 10 million euros. Cloud service providers below these thresholds may nevertheless have to comply with the CSA in certain circumstances, as explained below.
How Are Cloud Services Regulated Under the CSA?
The CSA is clear that responsible persons must implement the required standards within their own organisation. In practice, however, they often prefer to outsource specific services to cut costs or streamline processes, and in particular to store public information in external cloud services. Outsourced cloud services are not left untouched by the CSA.
Under a regulation implementing the CSA and applicable from 1 July 2024, a responsible person must carry out a risk assessment whenever it uses an external cloud service to store any kind of public information. The regulation is wide in scope and makes no exceptions: if a local authority uses Google Cloud to store residents’ data, for example, Google’s reliability must be assessed.
The risk assessment must cover the provider’s cybersecurity measures, the nature of the data being processed, the trustworthiness of the provider and the technical resilience of its systems. This fairly extensive obligation can be a burden for responsible persons, since they must complete a time-consuming assessment before adopting any new cloud service.
How to Act If You Are a Cloud Service Provider?
The regulation places the obligation to conduct the risk assessment squarely on the responsible person. The scale of the assessment can nevertheless be hard to gauge, and it may consume time and resources for several reasons: the responsible person’s staff may lack the competence or capacity to carry it out, and exchanging information and draft documents with the provider eats up valuable time. We therefore recommend that the cloud service provider, who knows the product inside out, complete a self-assessment in advance and share it with the responsible person.
A provider that has completed the assessment itself can table it at the very start of negotiations, which simplifies the process and allows smooth onboarding. As an additional sales argument, the completed self-assessment demonstrates CSA compliance from the outset and builds trust with the responsible person, for example a local municipality.
A notable step in the assessment is analysing and categorising risks in line with the Estonian E-ITS information security standard. This time-consuming step can be skipped if you hold an ISO certification (in practice ISO/IEC 27001) and have notified RIA of it. We recommend that all ISO certificate holders bypass the E-ITS assessment so that only the ISO standard applies; make sure the notification to RIA has actually been made before relying on this.
If your clients include essential service providers or the public sector, we can assist you with the risk assessment process. We have drafted an initial risk assessment form based on the regulation and can advise on the legal aspects. If you are a cloud service provider, feel free to contact us to discuss how we might work together on the self-assessment. Our experience is that having the risk assessment ready in advance helps in negotiations with the public sector and with providers of essential services.