Cybersecurity Strategy 2024–2030: Cyber-Conscious Estonia

Strategies and Action Plans

Author: Ministry of Economic Affairs and Communications of Estonia

The Cybersecurity Strategy 2024–2030, titled Cyber-Conscious Estonia, is Estonia’s national policy framework designed to enhance the country’s resilience to cyber threats while maintaining its position as one of the most advanced digital societies. This strategy represents the fourth iteration of Estonia’s cybersecurity policy and builds upon previous frameworks to address evolving challenges in the cyber domain.

The primary purpose of the Cybersecurity Strategy 2024–2030 is to safeguard Estonia’s digital infrastructure, protect its citizens and institutions from cyber threats, and reinforce the country’s international cybersecurity cooperation. The strategy aims to create a secure, reliable, and resilient cyber environment in which Estonian citizens, businesses, and government agencies can operate safely, even in the face of heightened geopolitical tensions and emerging technological threats.


1. Strategic context

Estonia, as one of the most digitalized societies, faces increasing cyber threats. Key global and regional challenges influencing Estonia’s cybersecurity approach include:

  • Increased cyber threats due to growing digital dependency, AI, and quantum technology.
  • State-sponsored cyber activities, particularly from Russia, China, Iran, and North Korea.
  • Ransomware and cybercrime, with rising financial losses from phishing and fraud.
  • Technological trends, such as AI, IoT, and 5G, impacting cybersecurity defenses.
  • European and NATO cooperation, emphasizing shared cybersecurity regulations and international partnerships.

2. Managing the development of national cybersecurity

To ensure national resilience, Estonia’s cybersecurity management is based on:

2.1 National management & policy-making

  • Estonia follows a decentralized cybersecurity management approach, with multiple institutions responsible for different aspects.
  • The Ministry of Economic Affairs and Communications oversees national cybersecurity policy.
  • A Cyber Security Council coordinates across ministries and sectors.
  • Challenges: Fragmented responsibilities and inconsistent legislative alignment.
  • Key Actions:
    • Assess whether consolidating cybersecurity functions into a single institution is beneficial.
    • Regularly update cybersecurity legislation to align with EU & NATO directives.
    • Implement risk-based cybersecurity regulations for various industries.

2.2 Funding of cybersecurity

  • Estonia’s cybersecurity funding increased from €3.9 million (2020) to €16.1 million (2024), but funding remains project-based.
  • Private sector investment in cybersecurity is inadequate, often leading to reactive spending after attacks.
  • Key Actions:
    • Secure permanent funding for national cybersecurity.
    • Encourage SMEs to invest in cybersecurity via financial incentives and regulatory measures.

3. Enhancing societal resilience

Ensuring a cyber-aware and prepared society is critical for national security.

3.1 Up-to-date threat landscape

  • Cybersecurity monitoring in Estonia needs improvement, with CERT-EE (national incident response team) lacking full visibility into threats.
  • Key Actions:
    • Improve cyber intelligence sharing across sectors.
    • Establish a national threat monitoring framework.

3.2 Comprehensive prevention

  • Cyber-awareness is improving but remains low among SMEs and public sector employees.
  • Key Actions:
    • Implement national cybersecurity awareness programs.
    • Promote cybersecurity best practices among businesses and individuals.

3.3 Implementation of information security standards

  • Estonia has adopted E-ITS (Estonian Information Security Standard) aligned with ISO/IEC 27001.
  • Challenges: Complex implementation for smaller organizations.
  • Key Actions:
    • Automate E-ITS compliance processes for ease of adoption.
    • Align E-ITS with international standards.

3.4 Secure basic architecture & modern security principles

  • 40% of Estonia’s e-services rely on outdated (legacy) systems, posing risks.
  • Key Actions:
    • Reduce legacy software reliance by 50% by 2030.
    • Implement zero-trust security models in government institutions.
    • Prepare for quantum computing risks with post-quantum cryptography.

3.5 Enhancing crisis resilience of vital services

  • Critical infrastructure is a prime target for cyberattacks.
  • Estonia’s cybersecurity reserve (created in 2022) helps manage national cyber crises.
  • Key Actions:
    • Enhance cyber resilience of vital services.
    • Ensure manual control options for critical infrastructure in case of cyber failure.

4. Strong cyber-shield – Monitoring & preventing incidents

  • Estonia is strengthening its national cyber defense mechanisms.
  • Key Actions:
    • Establish a nationwide Information Security Monitoring Centre (SOC).
    • Improve CERT-EE capabilities to detect and mitigate cyber threats.
    • Expand penetration testing programs for public services.

5. Shaping a secure cyber environment in Estonia & globally

  • Estonia is committed to EU and NATO cybersecurity frameworks.
  • International partnerships include:
    • Joint cyber defense exercises with NATO.
    • Strengthening supply chain security against state-sponsored cyber threats.
    • Expanding cyber education and workforce development.

Conclusion

The Cybersecurity Strategy 2024–2030 aims to ensure a cyber-resilient Estonia by:

  • Enhancing governance & coordination across government and private sectors.
  • Developing a cybersecurity-aware society through training & awareness programs.
  • Upgrading cyber defense infrastructure, including AI-driven monitoring & threat intelligence.
  • Strengthening crisis management for vital services and national security.