From Strategy to the X-Road®: Considering Cybersecurity Through the Lens of Estonia


Editor’s Note: As the operational landscape for legal discovery professionals expands beyond the traditional core eDiscovery tasks of collection, processing, and review, and moves from the trigger point of audits, investigations, and litigation to the creation of data at the endpoint, many law firms, corporations, and legal service providers are now heavily focused on addressing the increasing challenges and growing opportunities related to cybersecurity. Provided in this post is a compilation of informational article extracts that may be helpful for those seeking to learn more about cybersecurity and how it is approached from strategy and vision to interoperability and architecture by one of the most digitally-advanced and cybersecurity-savvy countries in the world, Estonia. While the information shared originates from a nation-state point of view, many of the elements and frameworks can also be applied at industry and organizational levels, to include the legal services industry and law firms, legal departments, and legal services providers.


Extract from an article by Monica Ruiz as published in WIRED

To Bolster Cybersecurity, the US Should Look to Estonia

The 2007 cyberattacks against Estonia were a turning point for when cybersecurity began to be accepted as an essential part of national security. The incident, a response to the relocation of a Soviet War bronze soldier statue, crippled the websites of banks, government agencies, and media outlets for weeks. Today, the country is on its third National Cybersecurity Strategy (2019–22)—previous strategies ran from 2008–13 and 2014–17. Estonia’s current strategy highlights its innovator role at the vanguard of novel cyber approaches.

The tiny European nation has come a long way after crippling cyberattacks in 2007. Now it offers key lessons in attracting tech talent and educating citizens.

Read the complete article at To Bolster Cybersecurity, the US Should Look to Estonia


Extract from Estonia’s Third National Cybersecurity Strategy Document

2019-2022 Cybersecurity Strategy for the Republic of Estonia

The Estonian cybersecurity strategy was among the first of its kind globally. Today, national cybersecurity strategies are commonplace, as is the approach that the first Estonian cybersecurity strategy adopted. The 2013 European Union (EU) cybersecurity strategy defined a national cybersecurity baseline (designating national competent authorities, establishing national incident response teams, developing a national cybersecurity strategy); the 2016 EU Network and Information Systems Security Directive established these as a legal obligation. As of the development phase of this document, about fifteen nations and the EU have a second-generation cybersecurity strategy, Estonia among them. With the third cybersecurity strategy, we are among the first countries in the world.

Functioning cybersecurity covers the whole information system and service lifecycle starting from architecture, which is an organic part of service. To allow this principle to have a practical outlet as well, both technical design and process design and regulatory requirements must be considered when developing state information systems and digital services. Security competence and testing must go hand in hand with service design right from the start of the development process.

Estonia’s digital architecture is based on the government-issued secure electronic identity and the X-Road data exchange layer, which has helped to enable and leverage rapid digital innovation and ensures that security is organized in a manner that is convenient and natural for citizens. X-Road is the means for securely structuring state services, data exchange and cooperation, and the ID card, as the obligatory identity document, is the means used by the state to provide its citizens with a digital identity certificate (authentication and signing means) and encryption device, thus spreading secure technology to the general population. More than in just the existence of the technology, Estonia is distinct from other countries in terms of its capability of implementing the technology.

Read the complete 2019-2022 Cyber Security Strategy for the Republic of Estonia


Extract from X-Road® Fact Sheet as published by e-Estonia

e-Estonia X-Road® Fact Sheet

In Estonia, public organizations have their own information systems to process information relevant to the state and its citizens to provide public services. These often run on different systems that suit the function of the organization. X-Road is a distributed information exchange platform that makes it possible for these different systems to communicate all across the governmental sector; for example, the police can access data from the health system, tax board or business registry and vice versa. But to do this X-Road must satisfy three criteria. First, the platform must be interoperable and technically easy for each member of the system to access the data they need. Second, the data cannot be corrupted in transit by the system or an external third party. And third, the data must be protected from prying eyes so that unauthorized individuals cannot view the content of the data en route. X-Road has satisfied all three criteria since 2001, performing all the required functions for the state and the people of Estonia. It has made it possible to increase the depth of cooperation between public organizations and has reduced paperwork exponentially so that public employees can concentrate on tasks that require human interaction.

Read the complete X-Road® Fact Sheet


Extract from the Nordic Institute of Interoperability Solutions

X-Road Basics

X-Road is an open-source data exchange layer solution that enables organizations to exchange information over the Internet. X-Road is a centrally managed distributed data exchange layer between information systems that provides a standardized and secure way to produce and consume services. X-Road ensures confidentiality, integrity and interoperability between data exchange parties.

X-Road is used nationwide in the Estonian data exchange layer X-tee and the Suomi.fi Data Exchange Layer service in Finland. X-Road is released under the MIT open source license and is available free of charge for any individual or organization.

X-Road implements a set of common features to support and facilitate data exchange. X-Road provides the following features out of the box:

  • address management
  • message routing
  • access rights management
  • organization-level authentication
  • machine-level authentication
  • transport-level encryption
  • time-stamping
  • digital signature of messages
  • logging
  • error handling

The identity of each organization and technical entry point (Security Server) is verified using certificates that are issued by a trusted Certification Authority (CA) when an organization joins an X-Road ecosystem. The identities are maintained centrally, but all the data is exchanged directly between a consumer and provider. Message routing is based on organization and service level identifiers that are mapped to physical network locations of the services by X-Road. All the evidence regarding data exchange is stored locally by the data exchange parties, and no third parties have access to the data. Time-stamping and digital signature together guarantee non-repudiation of the data sent via X-Road.

Two X-Road ecosystems can be joined together, federated. Federation is a one to one relationship between two ecosystems. Members of the federated ecosystems can publish and consume services with each other as if they were members of the same ecosystem. It is possible to create federation connections with multiple ecosystems, but transitive federation relationships are not supported. An ecosystem does not have a federation relationship with another ecosystem that it’s not directly federated with. Federation enables easy and secure cross-border data exchange between X-Road ecosystems.
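
A simplified model of the routing, access-rights and federation rules described above, added here as an illustration; it is not X-Road code. The ecosystem names, member and service identifiers, addresses and the order of the checks are constructed assumptions.

```python
from dataclasses import dataclass, field

class RouteDenied(Exception):
    """Raised when a request may not be routed; the message says why."""

@dataclass
class Ecosystem:
    name: str
    locations: dict = field(default_factory=dict)  # service id -> provider Security Server address
    access: dict = field(default_factory=dict)     # service id -> set of permitted client ids
    federated: set = field(default_factory=set)    # names of directly federated ecosystems

def federate(a, b):
    """Record a one-to-one federation on both sides; nothing is inherited."""
    a.federated.add(b.name)
    b.federated.add(a.name)

def route(client_eco, client_id, provider_eco, service_id):
    """Return the provider address for a permitted request, else raise RouteDenied."""
    same = provider_eco.name == client_eco.name
    if not same and provider_eco.name not in client_eco.federated:
        raise RouteDenied("no direct federation")
    if service_id not in provider_eco.locations:
        raise RouteDenied("unknown service")
    if client_id not in provider_eco.access.get(service_id, set()):
        raise RouteDenied("access not granted")
    return provider_eco.locations[service_id]

def outcome(client_eco, client_id, provider_eco, service_id):
    """Same decision as route(), returned as a string for logging or tests."""
    try:
        return route(client_eco, client_id, provider_eco, service_id)
    except RouteDenied as exc:
        return f"denied: {exc}"

# Constructed sample data: three ecosystems, federated A<->B and B<->C only.
ECO_A, ECO_B, ECO_C = Ecosystem("ECO-A"), Ecosystem("ECO-B"), Ecosystem("ECO-C")
federate(ECO_A, ECO_B)
federate(ECO_B, ECO_C)
ECO_B.locations["ECO-B/registry/lookup"] = "https://ss.eco-b.example"
ECO_B.access["ECO-B/registry/lookup"] = {"ECO-A/police", "ECO-B/taxboard"}
ECO_C.locations["ECO-C/health/record"] = "https://ss.eco-c.example"
ECO_C.access["ECO-C/health/record"] = {"ECO-A/police", "ECO-B/taxboard"}

if __name__ == "__main__":
    for args in [
        (ECO_A, "ECO-A/police", ECO_B, "ECO-B/registry/lookup"),  # direct federation, granted
        (ECO_A, "ECO-A/clinic", ECO_B, "ECO-B/registry/lookup"),  # federated, not granted
        (ECO_A, "ECO-A/police", ECO_C, "ECO-C/health/record"),    # A-B-C is not transitive
        (ECO_B, "ECO-B/taxboard", ECO_C, "ECO-C/health/record"),  # direct federation, granted
    ]:
        print(args[1], "->", args[3], ":", outcome(*args))
```

The third case is the one to note: the provider in ECO-C has granted the client access, yet the request is still refused because ECO-A and ECO-C share only a common federation partner.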

Read more on X-Road®, The Free and Open Source Data Exchange Layer Software


Extract from Republic of Estonia Information System Authority

Data Exchange Layer X-tee

X-Road® software-based solution X-tee is the backbone of e-Estonia. Invisible yet crucial, it allows the nation’s various public and private sector e-service information systems to link up and function in harmony.

X-tee, the data exchange layer for information systems, is a technological and organizational environment enabling secure Internet-based data exchange between information systems.

To exchange data, a member of X-tee describes the shared data and other members can use that data based on an agreement. Due to the large number of systems that have joined X-tee, all members of X-tee can use the services and data of other members to improve their own business processes.

X-tee has a versatile security solution: authentication, multi-level authorization, a high-level system for processing logs, and data traffic that is encrypted and signed.

How Does X-tee Work?

  • X-tee is based on an interoperable ecosystem and a technical ability to exchange data. To exchange data, one member of X-tee describes the shared data and other members are able to use this data based on an agreement.
  • Due to the large number of systems that have joined X-tee, all members of X-tee can use the services and data of other members to improve their own business processes.
  • One example is a solution by the police for controlling driving licenses. A driver no longer has to carry a physical driver’s license with them, as a police officer can, via X-tee, make an operative inquiry from the database of the Republic of Estonia Road Administration using an identification document to control driving licenses. The Tax and Customs Board has a somewhat similar data service that enables controlling tax arrears of private or legal persons.
  • To implement already created services, you must become a member of X-tee, install an X-Road security server, make an agreement with a suitable X-tee service provider, work out a logic to create the internal data for the service you chose, and process the reply. X-Road® has been developed for over ten years now, and a large amount of code is available, which significantly simplifies the creation of new solutions. In the X-Road context, the reusable code is called a reusable component.
  • If there is no suitable X-tee service yet, it can be created in cooperation between the parties. Very specific and sensitive data can also be exchanged. We follow the principle that the owner controls the data throughout the whole process, and the X-Road technology only offers a secure data exchange.
  • X-tee enables exchanging many types of information: simpler cases involve texts, but you can also exchange files.

Operating Principles of X-tee

  • Independence of platform and architecture – X-tee enables the information systems of X-tee members on any software platform to communicate with the information systems of data service providers on any software platform.
  • Multilateralism – X-tee members are able to request access to any data services provided through X-tee.
  • Availability and standardization – for managing and developing X-Road, international standards and protocols are used where possible.
  • Security – exchanging data through X-tee does not affect the integrity, availability or confidentiality of the data.

Read the complete overview of X-tee


Source: ComplexDiscovery