This decree is established on the basis of subsection 37 (2) of the Emergency Act and subsection 3(3) of the Credit Institutions Act.
§ 1. Scope of the Decree
(1) The decree sets out the descriptions and requirements for continuous operation of payment services and cash circulation as vital services and a list of providers of vital services.
(2) The decree sets the requirements for the level of availability of vital services and the readiness of service provision, and the measures to prevent interruption of the vital services. It also sets out the process and conditions for restoring vital services, which concern emergencies that interrupt vital services extensively or with severe consequences, and the procedure for reporting an emergency or the threat of one.
§ 2. Providers of vital services
(1) The providers of vital services are:
1) AS SEB Pank;
2) Swedbank AS;
3) Luminor Bank AS;
4) AS LHV Pank;
[RT I, 05.03.2019, 17 – entry into force 08.03.2019]
5) Coop Pank AS.
[RT I, 24.03.2023, 1 – entry into force 27.03.2023]
(2) Eesti Pank reviews the list of service providers at least once a year and updates it as necessary.
(3) The providers of vital services named in § 2(1) of this decree are required to meet the requirements set out in § 5(2) and § 6 and § 7 of this decree after one year has passed from the date when they were added to the list of credit institutions and branches of foreign credit institutions providing vital services.
[RT I, 24.03.2023, 1 – entry into force 27.03.2023]
§ 3. Payment services
Vital payment services are the intra-bank payments provided by the service provider, payments between service providers, and card payments provided by the service provider.
§ 4. Cash circulation
The circulation of cash as a vital service means that the service provider allows clients to pay cash into their payment accounts and withdraw cash from those accounts.
§ 5. Requirements for preventing interruptions to vital services
(1) In writing the business continuity risk analysis and plan described in §39(1) of the Emergency Act and planning preventative measures, the service provider must consider at least the following possible threats:
1) cyber attack;
2) faults in information systems and equipment;
3) terrorist attack;
4) fire;
5) long-lasting electricity outage;
6) disruption to telephone services, mobile telephone services and data communication services;
7) public disorder;
8) epidemic;
9) strike;
10) flood.
(2) The service provider shall take at least the following measures to ensure the continuity of the information systems and equipment required for performing the operations critical to vital services:
1) backup power supply must be available by alternatively routed cables;
2) backup data communications must be available by alternatively routed cables and there must be a backup provider for data communication services;
3) the connections listed in clauses 1) and 2) of this subsection must switch automatically to backup;
4) there must be an autonomous power supply system that starts automatically and provides an independent power supply for at least 24 hours.
§ 6. Requirements for the availability level of vital services
(1) In an emergency, the service provider shall ensure that:
1) at least 10% of cash distribution points remain operational;
2) payments between accounts opened with the service provider and those with other service providers are settled at least once per settlement day;
3) the service provider’s information systems or equipment, or any backup systems or equipment remain operational, and card transactions are made in cooperation with third parties;
4) vital services are provided at the level of 70% of the average number of the transactions for each service under normal circumstances.
[RT I, 19.07.2018, 2 – entry into force 01.07.2020]
(2) In determining the location of the cash distribution points referred to in clause (1) 1) of this section, the service provider shall consider the geographical coverage of the cash points, the population density in a particular region and the options normally available for withdrawing cash.
(3) The service provider shall coordinate the location of the cash distribution points referred to in clause (1) 1) of this section with Eesti Pank.
§ 7. Permissible duration of interruption to vital services
(1) A vital service is interrupted if failures in the delivery of the service cause the number of service transactions to fall below 20% of the average number of transactions for a comparable preceding period.
(2) The maximum permissible duration of an interruption to a vital service shall be 12 hours.
(3) The service provider shall calculate the ratio showing the extent of the interruption to the vital service, referred to in the regulation established under § 39 (5) of the Emergency Act, as a ratio of client queries interrupted or rejected to the total number of client queries.
§ 8. Requirements for outsourcing services in support of core activities
(1) The outsourcing of services in support of the core activities of the service provider is when a critical activity as defined in the regulation established under § 39 (5) of the Emergency Act is fully or partially performed by an external service provider.
(2) Outsourcing a service does not exempt the service provider from the obligations and responsibilities set by the Emergency Act or any legal act based on the Emergency Act.
(3) When the services listed in § 36 (1) 1), 3), 5), 6) and 7) of the Emergency Act are outsourced, the provision of the vital service may not depend on companies that are not vital service providers.
(4) If a critical activity as defined in the regulation established under § 39 (5) of the Emergency Act with a level of criticality of 16 or more is outsourced, the provider of the service must comply with the security measures set out in § 7 of the Cybersecurity Act.
§ 9. Restoration of vital services and priorities for restoration
(1) If a vital service is interrupted or is at risk of interruption, the service provider shall take the remedial steps described in the recovery plan of the continuity plan, ensuring that the people and institutions involved in restoring and using the vital service participate accordingly.
(2) If possible, the service provider shall apply the following order of priorities in restoring the vital service:
1) vital services are restored first in regions with higher population density;
2) as a first priority, vital services are made available to other providers of vital services.
§ 10. Emergencies caused by an extensive or severe disturbance or interruption to vital services
(1) Emergencies caused by an extensive or severe disturbance or interruption to payment services include large-scale interferences that affect the continuity of an interbank settlement system, or the total cessation of the operation of the system.
(2) Emergencies caused by an extensive or severe disturbance or interruption to cash circulation include large-scale interferences affecting the continuity of cash-in-transit, or the total cessation of cash-in-transit operations.
(3) Eesti Pank coordinates the resolution of an emergency caused by an extensive or severe disturbance or interruption to a vital service.
§ 11. Reporting an interruption to vital services
(1) The service provider shall report any interruption to a vital service lasting for at least one hour, a risk of an interruption, any event significantly interfering with the continuity of the vital service or an impending risk of such an event to the email address [email protected] at the first possible opportunity and no later than the next business day.
[RT I, 24.03.2023, 1 – entry into force 27.03.2023]
(2) The notification referred to in subsection (1) of this section must include the following information:
1) the duration and time of occurrence of the interruption, including the date and time or the interval;
2) a short description and the known or assumed cause of the incident;
3) the measures already taken or yet to be taken to restore the service and to mitigate the effects of the interruption;
4) information about any foreseeable losses incurred by the users of the service;
5) information about any foreseeable impact on the continuity of the vital services.
(3) If a situation referred to in subsection (1) of this section has not been resolved within four hours or if the risk of an interruption to a vital service persists, the service provider shall give a preliminary notification with the information described in subsection (2) of this section at the earliest opportunity and a full notification on the following business day at the latest. The preliminary notification shall contain at least the information described in clauses (2) 1) and 2) of this section and the estimated duration of the disturbance.
(4) If the service provider reports the information described in subsection (3) of this section to Eesti Pank under another legal act, the notification obligation stipulated in this section shall be deemed fulfilled.
(5) If email services are not functioning, the service provider shall notify Eesti Pank of the circumstances described in subsection (1) of this section using the contact information provided in emergency response plans.
§ 12. Repeal of the Decree
[Omitted from this text].
§ 13. Entry into force of the Decree
Clause 6(1) of this decree enters into force on 1 July 2020.