Descriptions and requirements for continuous operation of payment services and cash circulation
Passed 13.07.2018 No. 7
RT I, 19.07.2018, 2
Entry into force 22.07.2018
Amended by the following legal instruments (show)
| Passed | Published | Entry into force |
|---|---|---|
| 01.03.2019 | RT I, 05.03.2019, 17 | 08.03.2019 |
| 17.03.2023 | RT I, 24.03.2023, 1 | 27.03.2023 |
| 18.06.2024 | RT I, 28.06.2024, 1 | 01.01.2025 |
| 02.02.2026 | RT I, 12.02.2026, 1 | 15.02.2026, partly 01.07.2027 |
This decree is established on the basis of § 37(2) of the Emergency Act and § 3(3) and § 871(3) of the Credit Institutions Act.
[RT I, 12.02.2026, 1 - entry into force 15.02.2026]
§ 1. Scope of the Decree
(1) The decree sets out the descriptions and requirements for continuous operation of payment services and cash circulation as vital services and a list of providers of vital services.
(2) The decree sets the requirements for the level of availability of vital services and the readiness of service provision, and the measures to prevent interruption of the vital services. It also sets out the process and conditions for restoring vital services, which concern emergencies that interrupt vital services extensively or with severe consequences, and the procedure for reporting an emergency or the threat of one.
§ 2. Providers of vital services
(1) The providers of vital services are:
1) AS SEB Pank;
2) Swedbank AS;
3) Luminor Bank AS;
4) AS LHV Pank;
[RT I, 05.03.2019, 17 – entry into force 08.03.2019]
5) Coop Pank AS.
[RT I, 24.03.2023, 1 – entry into force 27.03.2023]
(2) Eesti Pank reviews the list of service providers at least once a year and updates it as necessary.
(3) The providers of vital services named in § 2(1) of this decree are required to meet the requirements set out in § 5(2) and § 6 and § 7 of this decree after one year has passed from the date when they were added to the list of credit institutions and branches of foreign credit institutions providing vital services.
[RT I, 24.03.2023, 1 – entry into force 27.03.2023]
§ 3. Payment services
Vital payment services are the intra-bank payments provided by the service provider, payments between service providers, and card payments provided by the service provider.
§ 4. Cash circulation
The circulation of cash as a vital service means that the service provider allows clients to pay cash into their payment accounts and withdraw cash from those accounts.
§ 5. Requirements for preventing interruptions to vital services
(1) In writing the business continuity risk analysis and plan described in § 39(1) of the Emergency Act and planning preventative measures, the service provider must consider at least the following possible threats:
1) cyber incident;
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
2) failures in network and information systems;
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
3) terrorist attack;
4) fire;
5) long-lasting electricity outage;
6) lasting disruption to telephone services, mobile telephone services and data communication services;
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
7) public disorder;
8) epidemic;
9) strike;
10) flood;
11) interruption to outsourced vital activities.
[RT I, 12.02.2026, 1 - entry into force 15.02.2026]
(2) The service provider shall take at least the following measures to ensure the continuity of the information systems and equipment required for performing the operations critical to vital services:
1) a duplicate power supply must be available using alternatively routed cables;
2) data communications must be duplicated using alternatively routed cables and there must be a duplicate provider for data communication services;
3) the connections listed in 1) and 2) of this subsection must switch automatically to the duplicate means;
4) there must be an autonomous power supply system that starts automatically and provides an independent power supply for at least 24 hours;
5) payment terminals must, within 6 months at the latest, be set up for customers that are required by law or by the institution organising the operation of the vital service to accept card payment transactions in offline mode, at their request, in such a way that it is possible to make transactions in offline mode within the transaction limits set in the rules of international card organisations.
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
§ 6. Requirements for the availability level of vital services
(1) In an emergency, the service provider shall ensure that:
1) at least 10% of cash distribution points remain operational;
2) payments between accounts opened with the service provider and those with other service providers are settled at least once per settlement day;
3) the service provider’s information systems or equipment, or any backup systems or equipment remain operational, and card transactions are made in cooperation with third parties;
4) vital services are provided at the level of 70% of the average number of the transactions for each service under normal circumstances;
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
5) in the event that the usual card payment infrastructure is not available, customers who are fully capable natural persons can make card payments within the limits set by the service provider at card terminals that are correspondingly set up by identifying themselves with the strong authentication provided for in § 709 (122) of the Law of Obligations Act;
6) there is technical readiness to use offline backup solutions that ensure the continuity of the electronic personal identification service provided by the certification service provider named in § 94 (31) of the Identity Documents Act;
7) there is technical readiness to accept payment instructions submitted as data sets from customers for processing in at least one alternative way other than the usual solution;
8) ATMs of other service providers can be used to withdraw cash from current accounts. Service providers may restrict the use of this service only in justified cases and must immediately inform Eesti Pank and Finantsinspektsioon of this.
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
(2) In determining the location of the cash distribution points referred to in (1)1) of this section, the service provider shall consider the geographical coverage of the cash points, the population density in a particular region and the options normally available for withdrawing cash.
(3) The service provider shall coordinate the location of the cash distribution points referred to in (1)1) of this section with Eesti Pank.
(4) If the data or equipment needed to ensure the continuity of vital services are located in a foreign country and the electronic communication service or network that is usually used to access them is not operating, the service provider must use duplicate means and technologically alternative solutions to ensure that the services at least meet the requirements stated in (1) of this section.
[RT I, 12.02.2026, 1 - entry into force 15.02.2026]
§ 7. Permissible duration of interruption to vital services
The maximum permissible duration of an interruption to a vital service shall be 12 hours.
[RT I, 12.02.2026, 1 - entry into force 15.02.2026]
§ 8. Requirements for outsourcing services in support of core activities
(1) The outsourcing of services in support of the core activities of the service provider is when a critical activity as defined in the regulation established under § 39 (5) of the Emergency Act is fully or partially performed by an external service provider
(2) Outsourcing a service does not exempt the service provider from the obligations and responsibilities set by the Emergency Act or any legal act based on the Emergency Act.
(3) When the services listed in § 36 (1) 5), 6) and 7) and § 36 (11) 1) and 3) of the Emergency Act are outsourced, the provision of the vital service may not depend on companies that are not vital service providers.
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
(4) If a critical activity as defined in the regulation established under § 39 (5) of the Emergency Act with a level of criticality of 16 or more is outsourced, the provider of the service must comply with the security measures set out in § 7 of the Cybersecurity Act.
§ 9. Restoration of vital services and priorities for restoration
(1) If a vital service is interrupted or is at risk of interruption, the service provider shall take the remedial steps described in the recovery plan of the continuity plan, ensuring that the people and institutions involved in restoring and using the vital service participate accordingly.
(2) If possible, the service provider shall apply the following order of priorities in restoring the vital service:
1) vital services are first restored in regions with higher population density;
2) as a first priority, vital services are made available to other providers of vital services.
§ 10. Emergencies caused by an extensive or severe disturbance or interruption to vital services
(1) An emergency caused by an extensive or severe disturbance or interruption to a vital service arises when the following conditions are met:
1) The interruption to the service is lasting or seriously affects some users of the service;
2) Eesti Pank considers that recovering the service will need extraordinary measures to be applied.
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
(2) [Repealed – RT I, 28.06.2024, 1 – entry into force 01.01.2025]
(3) Eesti Pank coordinates the resolution of an emergency caused by an extensive or severe disturbance or interruption to a vital service.
§ 11. Reporting an interruption to vital services
(1) The service provider shall report any interruption to a vital service lasting for at least one hour, a risk of an interruption, any event significantly interfering with the continuity of the vital service or an impending risk of such an event to the email address [email protected] immediately and no later than the next business day.
[RT I, 28.06.2024, 1 - entry into force 01.01.2025]
(2) The notification referred to in (1) of this section must include the following information:
1) the duration and time of occurrence of the interruption, including the date and time or the interval;
2) a short description and the known or assumed cause of the incident;
3) the measures already taken or yet to be taken to restore the service and to mitigate the effects of the interruption;
4) information about any foreseeable losses incurred by the users of the service;
5) information about any foreseeable impact on the continuity of the vital services.
(3) If a situation referred to in (1) of this section has not been resolved within four hours or if the risk of an interruption to a vital service persists, the service provider shall give a preliminary notification with the information described in (2) of this section at the earliest opportunity and a full notification on the following business day at the latest. The preliminary notification shall contain at least the information described in (2) 1) and 2) of this section and the estimated duration of the disturbance.
(4) If the service provider reports the information described in (3) of this section to Eesti Pank under another legal act, the notification obligation stipulated in this section shall be deemed fulfilled.
(5) If email services are not functioning, the service provider shall notify Eesti Pank of the circumstances described in (1) of this section using the contact information provided in emergency response plans.
§ 111. Applying for an assessment
(1) The service provider may apply for Eesti Pank to assess the suitability of the duplicate means and technologically alternative solutions required by § 41(2) of the Emergency Act for ensuring continuity of vital services by submitting the documentation needed for the assessment together with the application.
(2) Eesti Pank may require additional information from the service provider in order to make the assessment.
(3) Eesti Pank may work with Finantsinspektsioon and the Information System Authority in making the assessment.
(4) Eesti Pank will issue the assessment within no more than three months of receiving all the documentation needed for the assessment from the service provider or a third party.
[RT I, 12.02.2026, 1 - entry into force 15.02.2026]
§ 12. Repeal of the Decree
§ 13. Entry into force of the Decree
Clause 6(1) of the Regulation enters into force on 1 July 2020.
Facebook
X.com