
The Chamber supports reducing the administrative burden on small businesses in complying with cybersecurity requirements
The Ministry of Justice and the Ministry of Digital Affairs have prepared a draft act under which micro and small enterprises will no longer be required to comply with the Estonian Information Security Standard or the ISO/IEC 27001 standard in their networks and information systems as subjects of the Cybersecurity Act. The Chamber supports this amendment.
Reduced burden for small businesses
According to the draft, micro and small enterprises that are subjects of the Cybersecurity Act, employ on average fewer than 50 people per financial year, and have an annual balance sheet total or turnover not exceeding 10 million euros will no longer be required to implement directly the security measures set out in the Estonian Information Security Standard or ISO/IEC 27001. The amendment will reduce the administrative burden for about 200 companies that are service providers within the meaning of the Cybersecurity Act, including, for example, providers of essential services.
In addition, the draft exempts small enterprises from the obligation to conduct an audit on compliance with the Estonian Information Security Standard.
Basic security measures must be applied
The draft provides that all subjects of the Cybersecurity Act must in future implement basic security measures. These basic security measures serve as a baseline to ensure that the measures applied to networks and information systems are sufficient to comply with the security requirements set out in the Cybersecurity Act.
The basic security measures concern, for example, information security management, user awareness and training, data security, cyber incident management, protection of cloud services, as well as the protection of communication links and networks.
In the Chamber’s view, it makes sense that basic security measures must be applied by those small enterprises that are exempted under the draft from implementing the security measures set out in the Estonian Information Security Standard or ISO/IEC 27001. However, it remains unclear why basic security measures must also be applied by companies that are already obliged to comply with the cybersecurity measures specified in the standard.
If the application of basic security measures is extended to all companies, this will unreasonably increase the burden and costs for companies that are already required to implement the security measures set out in the standard. First, these companies would have to analyse whether they comply with each of the basic security measures. If it turned out that they do not apply all of them, they would then be obliged to change their existing measures in order to comply. At the same time, under the standard, a company has the right to omit certain measures if it provides justification for why such a measure is not reasonable in the company's context; a separately mandated baseline would take away that flexibility for measures the company has already justifiably omitted.
The Chamber proposed to the Ministry that the draft be amended so that the application of basic security measures is mandatory only for those companies that are exempted from the obligation to implement the security measures set out in the standard.
In addition, we requested the Ministry to clarify and amend the basic security measures included in the draft so that they are reasonable, clear, and understandable, and so that their application would be practically possible without imposing an unreasonably heavy burden or cost on small businesses.
According to the draft, the amendments will enter into force on 1 September this year.