Minister of Entrepreneurship and Information Technology
Regulation
2019-01-11
4
The description and requirements for ensuring the continuity of digital identification and digital signing as a vital service
The Regulation is established under subsection 37 (2) of the Emergency Act.
§ 1. Description of the vital service
Digital identification and digital signing as a vital service (hereinafter vital service) means ensuring the availability of the validity confirmation service for certificates by the certification service provider (hereinafter service provider) specified in subsection 94 (31) of the Identity Documents Act, to enable the identification of a person, the verification of their identity and digital signing in an electronic environment with the documents issued pursuant to the Identity Documents Act.
§ 2. Requirements for the level of the vital service and the time permitted for an interruption
(1) The service provider is required to ensure the continuity of the vital service for at least 361 calendar days per year.
(2) The time permitted for an interruption of the vital service is a maximum of 45 minutes per working day between 9:00 a.m. and 6:00 p.m. and a maximum of 3 consecutive hours outside of working hours. The total duration of permitted interruptions shall ensure the continuity of the service at the level provided in subsection 2 (1).
(3) In the event of an interruption of the vital service, the service provider shall act in accordance with the procedure for the restoration of the vital service as described in the continuity plan of the vital service specified in subsection 39 (1) of the Emergency Act.
§ 3. Requirements for the prevention of interruptions of the vital service
(1) In order to ensure the functioning and prevent interruptions of the vital service, the service provider shall take into account at least the following threats upon the preparation of the continuity risk analysis and plan referred to in subsection 39 (1) of the Emergency Act:
1) interruption to the data communication service;
2) electricity interruption;
3) malevolent activity directed against the network and information system;
4) serious technical failures.
(2) In order to ensure the continuity of the vital service, the service provider shall apply at least the following measures:
1) ensure the availability of an autonomous electricity supply system which guarantees the supply of electricity for at least 24 hours;
2) ensure data communication which does not rely on a single cable route and a single provider of a data communication service.
§ 4. Emergency caused by an interruption to the vital service
An emergency caused by an extensive interruption of the vital service or an interruption of the vital service with severe consequences occurs if at least one of the following conditions is met:
1) due to the interruption of the vital service, at least 200 000 users are unable to use the digital identification or digital signing service for a period exceeding 72 hours;
2) the interruption leads to another emergency caused by an interruption of a service specified under section 36 of the Emergency Act.
§ 5. The organisation of reporting of an emergency or a risk thereof
(1) The service provider shall immediately inform the Information System Authority of an interruption to the vital service, a risk of an interruption, any event significantly interfering with the continuity of the vital service or an impending risk of such an event in a form which can be reproduced in writing.
(2) If it is not reasonably possible to comply with the formal requirement specified in subsection (1) of this section due to the time-dependency of the situation, the service provider shall notify the Information System Authority in whatever manner possible, but shall thereafter and no later than within 24 hours send a notice in a form which allows reproduction in writing.
(3) The notice must contain at least the following information about the interference or interruption:
1) time and estimated duration;
2) initial evaluation whether the interruption or interference was caused by human error, system failure, natural disaster, malevolent activity or an error by a third party;
3) description of the cause;
4) initial evaluation of the impact on the integrity, availability and confidentiality of the service;
5) the measures applied and to be applied to eliminate the interference or interruption and mitigate the adverse impact;
6) initial evaluation of the impact on a user of the service;
7) initial evaluation of the impact on the continuity of other vital services;
8) initial evaluation of the cross-border impact.
(4) At the request of the Information System Authority, the service provider shall, not later than within 10 calendar days, submit to the Information System Authority a report on the interference or interruption, which contains at least the following information:
1) date and time of the beginning and end of the interference or interruption;
2) number of affected users, and the services and information systems affected;
3) cross-border impact of the interference or interruption;
4) explanation of whether the interference or interruption was caused by human error, system failure, natural disaster, malevolent activity or an error by a third party;
5) date, time and manner of discovery of the reason for the interference or interruption;
6) description of the reason and chronology of the interruption;
7) impact on the integrity, availability and confidentiality of the service;
8) the measures applied;
9) overview of the current and planned communication to institutions, users and the public.
§ 6. Entry into force
Clause 3 (2) 2) of the regulation shall enter into force on 1 January 2020.
Rene Tammist
Minister of Entrepreneurship and Information Technology
Ando Leppiman
Secretary General