Appendix: Data Exchange Layer Act (English Version)

This law has no English version in the Estonian parliamentary database, hence we retain our English translation here for future reference. All errors are ours.

1. Chapter 1 General Settings

§ 1. Scope of application

(1) This Regulation establishes requirements for the data exchange layer of information systems, its use and maintenance.

(2) This Regulation shall not apply to information systems containing state secrets or classified information of foreign origin.

§ 2. Terms

The following terms are used in this Regulation with the meanings indicated:

1) the data exchange layer of information systems (hereinafter X-Road) is the technical infrastructure and environment between X-Road members that enables secure and verifiable Internet-based data exchange;

2) X-Road Member is an institution or person who has joined the X-Road;

3) the center is the State Information System Agency, which is responsible for the management and development of X-Road;

4) data service is an X-Road member service through which Internet-based data exchange takes place;

5) the data service provider is a member of X-Road who provides data services to other members;

6) the data service user is a member of X-Road who uses the data service;

7) a data service broker is a member of X-Road, who allows a natural or legal person outside his or her organization to access the data service through his or her information system;

8) the data service end-user is a natural person who uses the data service via the X-Road member information system;

9) message is a set of formatted data that is exchanged between a data service provider and a user via X-Road;

10) the subsystem is a part of the X-Road member information system for the provision or use of data services, which is technologically and organisationally defined;

11) access right is the provision of data services in the X-Road software;

12) X-Road Basic Protocol is a set of rules that ensure the secure data exchange operation over a computer network;

13) security server is a software solution that follows the X-Road base protocol set;

14) X-Road Message Protocol is a part of the X-Road base protocol system that allows X-Road members to process messages;

15) e-stamp is a collection of electronic data according to Regulation (EU) No 910/2014 of the European Parliament and of the Council on e-identification and trust services for e-transactions in the internal market and repealing Directive 1999/93 / EC (OJ L 257, 28.08 .2014, pp. 73-114) (hereinafter "Regulation (EU) No 910/2014 of the European Parliament and of the Council");

16) query log is a part of the security server based on the X-Road base protocol network, where messages exchanged via X-Road confirmed by e-stamp are stored.

2. Chapter 2 X-Road Management

§ 3. X-Road management principles

The following principles are followed in the management of X-Road:

1) platform and architecture independence - X-Road enables a member of the X-Road on the software platform to communicate with the data service provider on the software platform via an information system;

2) Multilaterality - an opportunity for an X-Road member to request access to all data services provided through X-Road;

3) openness and standardization - where possible, international standards and protocols are used in the management and development of X-Road;

4) security - the integrity, availability and confidentiality of data will not change when exchanging data via X-Road.

§ 4. Tasks of the Center

(1) Center:

1) manages the information stored in X-Road members, X-Road security servers and X-Road subsystems in both production and test environments, which ensures that X-Road member security server has access to the information necessary for establishing an X-Road secure data exchange channel and data services;

2) organize the processing of requests for membership, subsystem and security server;

3) develop and publish the terms and conditions for joining and using the X-Road on the Centre's website;

4) ensures the possibility to use X-Road;

5) monitors the use of X-Road;

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

51) collects data service monitoring logs;

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

52) compiles and publishes non-personalized X-Road usage statistics;

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

6) deals with security incidents;

7) restrict the rights of an X-Road member in the cases provided for in this Regulation;

8) advise X-Road member on X-Road related issues;

9) inform the X-Road Member of any changes in the management or use of the X-Road and of any known circumstances hindering the use of the X-Road or of maintenance work;

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

10) manages and organizes the integration of the Estonian X-Road environment with other data exchange environments;

11) ensures free access to standardized security server software for X-Road members;

12) ensure compliance of the standard solution of the subsystem for the self-service data service end-user with the X-Road message protocol and the free availability of the software to the X-Road member;

13) prepares and implements X-Road infrastructure development projects and ensures X-Road architectural integrity;

14) in the case specified in subsection 14 (3), suspends the availability of the information necessary for the use of the data service to the security server of the X-Road member;

15) manages and develops the solutions necessary for the registration of members and the trust service and for the functioning of the monitoring service to ensure the functioning of the X-Road platform.

(11) The logs referred to in paragraph 1 51 shall be kept by the Center with data enabling the person making the request to be identified on behalf of the X-Road member for three years from the date of collection, after which the data shall be anonymised.

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

(12) The Center shall not disclose statistics on the use of the X-Road in the exercise of the functions set out in paragraph 1 52 by the security services and the Defense Forces structural unit performing military intelligence functions

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

(2) In carrying out the notification obligation under paragraph 1 (9), the Center shall respect the following periods of notice:

1) Changes in the management or operation of the X-Road or planned maintenance will be announced one month in advance;

2) The Center has the right to comply with a notice period shorter than the period specified in clause 1 when notifying about an emergency change in the administration and use of X-Road and unscheduled maintenance work;

3) changes to the X-Road Basic Protocol or X-Road Message Protocol which require changes to the X-Road Member Subsystem or Data Service shall be notified 18 months in advance.

3. 牽涉變更 X-Road 成員子系統或資料服務之 X-Road 基礎協定或 X-Road 通訊協定的變更,須於 18 個月前通知。

3. Chapter 3 Using X-Road

§ 5. Joining X-Road and its Membership

(1) In order to join the X-Road, the applicant shall submit an application to the Center.

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

(2) Upon joining the X-Road, the applicant shall enter into an accession agreement with the Center. The Accession Agreement sets out the rights, obligations and responsibilities of the parties.

(3) A member of the X-Road has the right to use the X-Road pursuant to the procedure provided for in this Regulation and the Accession Agreement.

(4) A member of X-Road is required to:

1) ensure consistency, management, development and safe and trouble-free operation of its information system when joining the X-Road;

2) implement the elements for ensuring secure and standardized data exchange provided for in § 7 and adapt its information system to work in the X-Road environment;

(3) implement measures to ensure the integrity, confidentiality and availability of data to mitigate security-related risks and to ensure independent auditing of the implemented measures at least every four years;

4) comply with the orders forwarded by the Center;

5) notify the Center of any changes in contact details;

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

6) inform the Center immediately of any problem related to the use of the X-Road and of any circumstances that may affect the fulfillment of the obligations of the Center or the X-Road member;

7) immediately inform the Center's incident management department of a security incident and imminent threat thereof;

8) [Repealed - RT I, 06.08.2019, 6 - Entry into force 9/9/2019]

9) provide, at the request of the Center, the information necessary for assessing the security of the security server, the security rules and a description of the measures taken.

(5) In maintaining the state and local government databases, a member of X-Road shall apply the specifications provided for in subsection 439 (3) of the Public Information Act when implementing the measures provided for in clause (4) 3) of this section and ensuring independent auditing of the measures.

§ 6. Refusal to join the X-Road

The Center has the right to reject an application to join the X-Road if:

1) the applicant does not have a unique identifier for which an e-stamp certificate conforming to the requirements published on the website of the Center can be issued;

2) the applicant has not submitted the documents necessary for establishing the right of representation at the request of the Center or the applicant has no right of representation to submit the application;

3) the information provided by the applicant is incorrect;

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

4) the applicant or his or her information system does not meet the other requirements set out in this Regulation or the principles of the operation of X-Road.

§ 7. Elements for ensuring secure and standardized data exchange

Secure and standardized X-Road data exchange is guaranteed when all of the following conditions are met:

1) by establishing a secure communication channel pursuant to § 8;

2) by ensuring the integrity of data exchange by electronic stamp pursuant to § 9;

3) by defining a subsystem according to § 10;

4) through harmonized requirements for the provision of data services pursuant to § 11;

5) determining the user of the data service through an agreement on the use of the data service and granting of access rights pursuant to § 12.

§ 8. Creating a secure data exchange channel

(1) To enable the creation of an X-Road secure data exchange channel, an X-Road member shall install a security server software information system and register a security server authentication certificate in the Center, which shall comply with the requirements published on the Centre's website.

(2) Only such security server software, which follows the X-Road basic protocol approved by the Center, may be used on X-Road.

(3) Upon using a security server, a member of X-Road is required to:

1) ensure the existence of a query log for messages exchanged on the X-Road by e-stamp and, in the event of archiving the query log, develop a query log archiving procedure which includes the frequency of archiving and the list of information to be archived;

2) determine who can access the archived query log of the security server when and under what conditions

3) ensure the same confidentiality requirements when processing archived messages as are required to use the data service when archiving a request log;

4) host the security server in the territory under the jurisdiction of the Republic of Estonia.

(4) In addition to performing the obligations specified in subsection (3), an X-Road member shall use the security server provided by the Center:

1) use the security server software in accordance with the instructions published on the Centre's website;

2) update the security server software no later than two months after the software updates are made available by the Center.

(5) A security server may be hosted outside the territory under the jurisdiction of the Republic of Estonia only with the permission of the Center if a member of X-Road:

1) ensure compliance with the obligations provided for in subsection 5 (4);

2) ensure the integrity, confidentiality and availability of data to mitigate security-related risks and to ensure independent auditing of the implemented measures at least every two years.

(6) An X-Road member shall use an encrypted connection and two-way authentication to connect the security server and subsystem when sharing his or her security server with another X-Road member.

§ 9. Ensuring integrity of data exchange with e-stamp

(1) Integrity of data exchange and identification of X-Road message and X-Road member authentication shall be ensured by an e-stamp, for which X-Road member is required to use the following trust services meeting the requirements of Regulation (EU) No 910/2014 of the:

1) certification service through which a qualified certificate for e-stamp is issued;

2) Certificate Validation Service;

3) time stamping service.

(11) An X-Road member may use the e-stamp certificate issued by the Center to create the e-stamp specified in subsection (1).

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

(2) An e-stamp on X-Road is valid if the time between the validity of the certificate used and the time stamp is not more than eight hours.

[RT I, 27.09.2016, 4 - jõust. 02.06.2017]

(3) It is prohibited for a member of X-Road to process data exchanged on X-Road which cannot be verified with the e-stamp specified in subsection (1) or (11 ).

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

§ 10. Subsystem interfaced to X-Road

(1) Only a subsystem that is registered at the Center may use or provide a service on X-Road.

(2) A member of the X-Road shall submit an application for registration of a subsystem on the X-Road to the Center.

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

(3) Only such subsystems can be registered by X-Road:

1)[Repealed - RT I, 06.08.2019, 6 - Entry into force 9/9/2019]

2) the natural person responsible for the operation of the subsystem and the contact details of the administrator of the security server serving the subsystem have been assigned;

3) which are subject to measures to ensure the integrity, confidentiality and availability of data to mitigate security risks and to be subject to independent auditing of implemented measures at least every four years, subject to the specifications set out in Article 5 (5).

(4) Following registration of a subsystem, a member of X-Road is required to:

1) determine the jobs and posts authorized to use the subsystem and thereby the data services made available by the subsystem, and allow access only within the organization to authorized persons;

2) ensure the safe and trouble-free operation of the subsystem connected to the X-Road and comply with the agreement on the use of the data service between the X-Road members.

(5) The Center shall have the right to reject an application for registration of a subsystem or to delete a registered subsystem if any of the requirements set out in paragraphs 3 and 4 is not met.

§ 11. Requirements for data services

The data service must:

1) comply with the X-Road message protocol established by the Center;

2) be documented together with a description of the data service which complies with the requirements of the Center and is timely, relevant and shall contain information on the security measures required for the use of the data service, taking into account the composition of data and the nature of the data service;

[RT I, 06.08.2019, 6 - jõust. 09.08.2019]

3) be usable also in X-Road test environment.

§ 12. Provision and use of data services

(1) The data service shall be provided and used in accordance with the agreement between the members of X-Road on the use of the data service. The data service agreement shall specify:

1) the information security measures necessary for the use of the data service and the organizational, physical and IT security measures required of the subscriber of the data service, taking into account the composition of the data to be processed and the requirements provided by legislation;

2) an authorization for the intermediation of data services to a third party pursuant to § 13;

3) Service Level Terms.

(2) A data service provider is required to:

1) register the data service with the technical description of the data service on the security server and keep the data service description on the security server up to date;

2) before entering into an agreement with a data service user, whether a legal person or a sole proprietor, the data service user shall take measures to ensure the integrity, confidentiality and availability of data to mitigate security-related risks;

3) ensure that the access rights of the X-Road system comply with the agreement on the use of the data service between X-Road members.

(3) The use of a data service is possible in an X-Road member subsystem which has been granted access rights to use a specific data service.

(4) Users and providers of data services are required to:

1) comply with the agreement on the use of data services;

2) link messages received to the security server with a time stamp.

(5) An X-Road member shall ensure the authentication and authorization of the end-user participating in the provision or use of the data service through its information system.

§ 13. Mediation of data services

(1) A member of X-Road may grant access to a subsystem to a natural or legal person outside the organization only if:

1) the member of X-Road has drawn up and made public the procedure for brokering data services pursuant to subsection (2);

2) a member of X-Road has registered as an intermediary of data service on X-Road;

3) the authorization for brokering of data services is specified in the agreement on the use of data services between X-Road members.

(2) The procedure for brokering data services shall include:

1) the basis for intermediation of data services;

2) the procedure for indirect authentication and authorization of the subsystem using the data service;

3) the procedure for archiving the authentication and authorization log of the subsystem using the data service and the term for keeping the log;

4) the procedure and term for archiving the X-Road query log and for accessing the archive.

(3) A member of X-Road is required to mediate data services:

1) follow the procedure for mediation of data services which he or she has established;

2) inform the Center and the data service provider whose intermediary has the right to use the data service of any changes in the procedure for mediation of the data service;

3) comply with the rights and obligations between the parties specified in the agreements referred to in clause (1) 3) and ascertain the admissibility of data service mediation;

4) disclose to the data service provider the data of the parties mediated by the subsystem in accordance with the X-Road basic protocol.

§ 14. Termination of X-Road membership

(1) A member of X-Road has the right to terminate membership at any time by submitting a written application to the Center.

(2) If the application specified in subsection (1) does not specify the date of termination of X-Road membership, the membership shall terminate on the working day following receipt of the above application.

(3) The Center shall have the right to terminate membership immediately or to limit the rights arising from membership or to grant a term for elimination of the deficiency if:

1) the member of X-Road violates the conditions provided for in this Regulation, the connection agreement or the procedure for mediation of data services;

2) the X-Road member has submitted false or incomplete information.

(4) The Center has the right to terminate membership by notifying the X-Road member by e-mail 30 calendar days in advance.

4. Chapter 4 Implementing provisions

§ 15. Specifications for ensuring integrity of data exchange with e-stamp

(1) The data service provider is required to ensure the integrity of the data exchange referred to in subsection 9 (1) by e-stamp as of 2 January 2017.

(2) The data service user is required to ensure the integrity of the data exchange referred to in subsection 9 (1) by e-stamp as of 2 June 2017.

§ 16. Distribution of X-Road software

The X-Road software is distributed under the MIT License.

§ 17. Repeal of Regulation

[Deleted in this text.]

§ 18. Entry into force of subsections 9 (2) and (3)

Paragraph 9 (2) and (3) shall enter into force on 2 June 2017.