Requirements and procedure for a continuity risk assessment and plan of a vital service, for the preparation thereof and the implementation of a plan
Passed 21.06.2017 No. 29
This regulation is established under § 39 (5) of the Emergency Act.
Chapter 1 General Provisions
§ 1. Scope of application
(1) This regulation establishes the requirements for preparing a continuity risk assessment of a vital service (hereinafter risk assessment) and a continuity plan of a vital service (hereinafter plan) provided by a provider of the vital service (hereinafter service provider).
(2) The regulation establishes the procedure for submitting and updating a risk assessment and a plan and for implementing a plan.
§ 2. Definitions
(1) For the purposes of this regulation, an interference with a vital service means an impediment to the provision of the vital service due to which the vital service is provided partially and which may lead to an interruption of the vital service.
(2) For the purposes of this regulation, an interruption of a vital service means the discontinuation of the provision of the vital service.
(3) For the purposes of this regulation, a critical activity of the provision of a vital service (hereinafter critical activity) means the activities of a service provider, the lack of which leads to an interruption of or interference with the vital service.
(4) For the purposes of this regulation, the time permitted for an interruption of or interference with a vital service means the longest permitted period of time of an interruption of or interference with a vital service provided for in the regulation established under § 37 (2) of the Emergency Act or in other legislation.
(5) For the purposes of this regulation, a preventive measure means a measure applied to prevent an interruption of or interference with a vital service or to decrease the risk thereof.
(6) For the purposes of this regulation, the time required for the recovery of a critical activity means a period of time determined by the service provider during which the critical activity shall be recovered to prevent an interruption of or interference with the vital service. The time permitted for an interruption of or interference with a vital service shall be taken into account when determining the time required for the recovery of a critical activity.
(7) For the purposes of this regulation, the resources necessary for the functioning of a critical activity (hereinafter critical activity resources) mean the staff, buildings, territory, pieces of equipment, information technology systems, information, funds and other services necessary for the functioning of the critical activity, including other vital services, suppliers and partners, and other important resources the lack of which may affect the functioning of the critical activity and lead to an interruption of or interference with a vital service.
(8) For the purposes of this regulation, a mitigating measure means a measure applied in resolving an interruption of or interference with a vital service, which is used to prevent the negative effect from expanding to or to decrease the negative effect on the provision of the vital service and its consumers until the recovery of the vital service.
(9) For the purposes of this regulation, a threat means an event caused by human activity, a natural event, technology, technique or another circumstance, including an emergency or the lack of resources necessary for the functioning of critical activities which may lead to an interruption of or interference with a critical activity necessary for the operation of a vital service.
(10) For the purposes of this regulation, a plan is a document which describes activities for recovering a vital service in the case of an interference or interruption.
(11) For the purposes of this regulation, a risk class means the probability of the realization of a scenario and the estimated severity of its consequences.
(12) For the purposes of this regulation, a risk assessment means a document in which the risks of the continuity of a vital service are assessed and preventive measures for preventing an interference with or interruption of the vital service are planned.
(13) For the purposes of this regulation, a scenario means the expected course of an event caused by the realization of a threat which affects critical activities.
(14) A recovery plan is part of a plan, which describes the resolution of an interruption of or interference with a vital service.
Chapter 2 Procedure for Preparation of Risk Assessment and Plan
§ 3. Preparation of risk assessment and plan
(1) For planning the continuity of the vital service, assessing risks and recovering the continuity, the service provider shall prepare a risk assessment and a plan and shall submit these to the authority organising the continuity of the vital service (hereinafter organising authority) for approval.
(2) A service provider who is required to prepare a risk assessment and a plan for the first time shall submit these to the organising authority for approval pursuant to the procedure provided by the Emergency Act no later than within a year as of the moment it meets the characteristics of a service provider provided by law.
(3) A service provider shall assess risks based on a scenario. Several scenarios may be set out in a risk assessment and a plan.
(4) The title page of a risk assessment and a plan shall set out the title of the document, the date of approval and the person giving the approval, the undertaking’s business name and the author’s given name and surname, title of office, e-mail address, phone number and, if necessary, additional information.
(5) A risk assessment and a plan may be prepared as one document. In that case, the parts of the risk assessment and the plan shall be clearly distinguished in the document.
(6) A service provider may submit a risk assessment and a plan as part of another document which is prepared under another legal instrument. In that case, the document shall set out the information required under this regulation and the parts of the risk assessment and the plan shall be clearly distinguished from the rest of the information.
(7) A risk assessment and a plan shall be signed by the legal representative of the service provider.
(8) Considering the particular nature of the provision of the service, the organising authority may give the service provider its consent to use methods different from that provided for in Chapter 3 of this regulation, if such methods are internationally recognised.
(9) Before giving its consent, the organising authority shall coordinate the methods described in subsection (8) of this section with the Ministry of the Interior.
§ 4. Updating of risk assessment and plan
(1) A service provider shall assess whether a risk assessment and a plan are up to date at least once every two years or whenever critical activities, threats or other significant circumstances affecting the provision of the vital service change. If necessary, the service provider shall initiate the updating of the risk assessment and the plan and shall present it to the organising authority for approval pursuant to the procedure provided by the Emergency Act.
(2) If in the course of the assessment referred to in subsection (1) of this section it becomes clear that the risk assessment and the plan are up to date and they need not be updated, the service provider shall inform the organising authority thereof.
(3) If the service provider has failed to update the risk assessment and the plan due to changes in the significant circumstances referred to in subsection (1) of this section and to submit these to the organising authority for approval, the organising authority has the right to demand that the service provider initiate the updating of the risk assessment and the plan and submit the updated risk assessment and plan to the organising authority for approval.
Chapter 3 Risk Assessment
§ 5. Parts of risk assessment
A risk assessment shall comprise the following parts:
1) a description of the vital service and the required level of the service;
2) an analytical part which shall be prepared pursuant to §§ 7–11 of this regulation;
3) illustrative tables and figures;
4) a summary.
§ 6. Description of vital service and required level of service
(1) In a risk assessment the service provider shall give a brief description of the service provided and the level of the service required by law.
(2) The description of the vital service shall set out the following information:
1) which part of the service is considered as vital according to the regulation established under § 37 (2) of the Emergency Act and a description thereof;
2) the persons using the service and their number;
3) in which region the service is provided.
(3) The following information shall be set out concerning the required level of the vital service:
1) considering the requirements established under § 37 (2) of the Emergency Act, at which level the vital service shall be provided in an emergency, in another similar situation and in case of an interruption of other vital services;
2) the time during which the vital service shall be recovered considering the time permitted for an interruption of or interference with the vital service, determined by legal instruments.
§ 7. Identification of critical activities
(1) On the basis of the description of the vital service and the required level of the service, the service provider shall name the activities necessary for the provision of the vital service and shall assess the criticality thereof according to Annex 1 to this regulation.
(2) The organising authority shall give instructions on how to calculate the ratio referred to in Table 2 in Annex 1 to this regulation.
(3) The criticality of an activity is calculated as the product of the time until an interruption of or interference with the vital service takes place and the level of the criticality of the extent of the interruption of the vital service determined in Annex 1 to this regulation. Activities that score less than 10 points shall not be analysed any further in the course of preparing a risk assessment.
§ 8. Identification of critical activity resources
(1) For every critical activity, the service provider shall identify the resources indispensable for the functioning thereof and shall describe their connection to the provision of the service.
(2) When identifying the critical activity resources, the service provider shall proceed from the following types of resources:
1) staff – the optimum and minimum number of staff necessary for the functioning of the critical activity and which skills and knowledge must the staff have;
2) buildings and territory – which buildings and territory are indispensable for the functioning of the critical activity and which alternative building or territory can be used;
3) pieces of equipment and information technology systems – which pieces of equipment and information technology systems, including databases and communications systems, are important to the functioning of the critical activity;
4) information necessary for the functioning of the critical activity – which information is necessary for the functioning of the critical activity and how is it stored;
5) funds – what are the service provider’s everyday funds for the functioning of the critical activity;
6) other services, including vital services – the interruption of or interference with which other services may affect the functioning of the critical activities of the service provider;
7) suppliers and partners – who are important suppliers and partners on whom the functioning of critical activities depends.
(3) For each critical activity, the service provider shall describe in the risk assessment the resources necessary for the functioning thereof by the types of resources listed in subsection (2) of this section in a way that shows to which critical activity the resource is connected, how long is it possible to manage without the resource and how important is the resource for the functioning of the critical activity.
(4) A summary of the critical activity resources shall be presented in a risk assessment according to Annex 2 to this regulation.
(5) In addition to clause (2) 1) of this section, the service provider shall determine, if necessary, the number of employments by titles of office which are directly connected to ensuring the continuity of the vital service and which, according to the service provider, shall be defined as employment with national defence work obligation pursuant to the National Defence Act.
§ 9. Identification of threats
(1) A service provider shall identify the threats that could cause an interruption of or interference with critical activities. The organising authority may specify by vital services which possible threats the service provider shall assess.
(2) The lack of critical activity resources shall be considered a threat only if the service provider assesses the critical activity resources as significant under § 8 (3) of this regulation.
§ 10. Assessment and description of probability and consequences of realization of scenario
(1) On the basis of an analysis under §§ 7–9 of this regulation, the service provider shall identify the scenarios that may lead to an interference with or interruption of the vital service and shall present their description in the risk assessment.
(2) The service provider shall assess in the risk assessment the probability of the realization of a scenario on the basis of the criteria set out in Annex 3 to this regulation and the severity of a consequence on the basis of the criteria set out in Annex 4 to this regulation, taking into account the relevant statistics, research results, expert opinions, preventive measures applied and other relevant information.
(3) An overall assessment of the consequences of the realization of a scenario shall be given on the basis of the severest consequence.
(4) The organising authority may add to the list of criteria in Annex 4 to this regulation for the assessment of the consequences of the realization of a scenario.
(5) If a threat affecting the functioning of a critical activity is an interruption of or interference with a service provided by another service provider, supplier or contract partner, the service provider shall request from the relevant contract partner relevant information, including about the contract partner’s ability to recover the service. On the basis of the information received, the service provider shall assess the probability and consequence of the realization of the scenario.
(6) On the basis of an assessment of the probability and consequences of the realization of a scenario, the risk class for the scenario shall be determined pursuant to Annex 5 to this regulation.
(7) For scenarios with the risk class of significant, high and very high, an overall table of probability and consequences set out in Annex 5 to this regulation shall be filled in.
§ 11. Preventive measures
(1) A service provider shall describe in a risk assessment the preventive measures applied by the moment of preparation of the assessment and, in the order of importance according to Annex 7 to this regulation, the preventive measures that are planned to be applied within at least the next three years for preventing an interruption of or interference with a critical activity and the vital service and among other things for reaching the level described on the basis of § 6 (3) of this regulation.
(2) As a preventive measure, the reserve of resources necessary to ensure critical activities or the organisation of the ensuring thereof shall also be described.
§ 12. Summary of risk assessment
In the summary of a risk assessment the service provider shall set out:
1) a list of critical activities in the order of their importance;
2) a list of scenarios which are assessed in the risk assessment to belong to the risk class of significant, high and very high together with reasons therefor;
3) an overview of threats that may lead to a prolonged interruption of the vital service or an interruption with severe consequences and of the possible consequences thereof, and possible conduct instructions for people shall also be set out. On the basis of the information presented, the organising authority shall carry out relevant risk communication.
Chapter 4 Plan and Procedure for Implementation thereof
§ 13. Structure of plan
A plan shall comprise the following parts:
1) a part describing the conditions for the implementation of the plan;
2) a recovery plan.
§ 14. Part describing conditions for implementation of plan
(1) A service provider shall describe in a plan the conditions in the case of which the measures described in the plan shall be applied.
(2) The service provider shall describe in the plan the procedure for the implementation thereof.
§ 15. Recovery plan
(1) In a plan, the service provider shall set out a recovery plan for each scenario which is assessed in the risk assessment to belong to the risk class of significant, high or very high.
(2) If an interruption of or interference with a vital service is resolved similarly or the same way in the case of different scenarios, the service provider may prepare a joint recovery plan for those scenarios and, if necessary, set out any relevant differences.
(3) A recovery plan shall set out the following information:
1) the contact details of the person in charge of resolving an interruption of or interference with a critical activity or the vital service (hereinafter person in charge of resolving a situation);
2) activities that the service provider is planning for resolving a situation;
3) the contact details and principal activity and, if possible, any alternative activity of a person involved in resolving an interruption of or interference with a critical activity or the vital service;
4) a list of critical activity resources necessary for resolving an interruption of or interference with a critical activity or the vital service and an explanation concerning the manner in which the resources are acquired and the time it takes to acquire them;
5) if possible, the alternative activities of the service provider or a partner for resolving an interruption of or interference with a critical activity or the vital service if earlier activities did not yield the desired result;
6) mitigating measures or, by agreement with the organising authority, the procedure for deciding on how to apply those measures;
7) information and conduct instructions given to the public;
8) the estimated time of recovery of the vital service.
(4) When planning activities in the recovery plan, the service provider shall take into account the time permitted for an interruption of or an interference with the vital service determined by the organising authority, except if the situation cannot be resolved within the specified period of time due to reasons independent of the service provider.
§ 16. Procedure for implementation of plan
(1) A plan shall be available to at least the part of the service provider’s staff who participates in resolving an interruption of or interference with a critical activity or the vital service or in preventing a threat of an interruption or interference.
(2) In the case of the realization of a scenario, the person in charge of resolving a situation shall be informed thereof based on the organisation of work agreed upon beforehand.
(3) When receiving information, the person in charge of resolving a situation shall act according to the recovery plan and shall also apply, if necessary, relevant activities and measures not referred to in the recovery plan for resolving the situation.
Chapter 5 Implementing Provisions
§ 17. Implementation of regulation
(1) A service provider shall update and submit to the organising authority for approval any risk assessments and plans prepared before 1 July 2017 no later than on 1 July 2018.
(2) An undertaking who as of 1 July 2017 meets the characteristics of a provider of a vital service provided by law and who is required to prepare a risk assessment and a plan for the first time shall prepare and submit the risk assessment and the plan to the organising authority for approval no later than on 1 July 2018.
(3) Until the regulation established under § 37 (2) of the Emergency Act enters into force, the information referred to in § 6 (2) 1) and § 6 (3) of this regulation shall be submitted by agreement of the service provider and the organising authority.
§ 18. Entry into force of regulation
This regulation enters into force on 1 July 2017.
Andres Anvelt
Minister of the Interior
Lauri Lugna
Secretary General
Annex 1 Assessment of the criticality of activities
Annex 2 Description of resources important to the functioning of critical activities
Annex 3 Assessment of the probability of the realization of a scenario
Annex 4 Assessment of a consequence of the realization of a scenario
Annex 5 Risk classes
Annex 6 Overall table of the probability and consequences of the realization of a scenario
Annex 7 Measures preventing an interruption of or interference with a critical activity or a vital service
Facebook
Twitter