Amendments to the Emergency Act Expand the Scope of Essential Service Providers
On October 18, 2024, amendments to the Emergency Act took effect, expanding the range of essential service providers, introducing a nationwide sector-specific risk profile, improving service accessibility during crises, and requiring background checks for employees of essential service providers.
Expansion of Essential Services
The amendments incorporate the EU’s Critical Entities Resilience (CER) Directive into Estonian law, thereby broadening the definition of essential service providers. Essential services are defined as those with a critical impact on society's functioning, whose disruption directly endangers lives, health, or the operation of other essential or public interest services, potentially causing significant environmental harm, or impacting national economy and defense.
In addition to the previously recognized 14 essential services, the list now includes airport operations, air navigation, ports, public railway services, general medical care, and supply of medicines and food. Additionally, the designation now includes all water, district heating companies, and road maintenance providers, regardless of the population size of the area they serve. This expansion brings the total number of essential services in Estonia to 21, with over 400 companies now categorized as essential service providers.
Expanded Responsibilities for Essential Service Providers
The responsibilities of essential service providers include conducting continuity risk assessments and planning, maintaining reserves for emergency service continuity, and holding biannual crisis response drills.
Under the new amendments, essential service providers must be notified of their designation within 30 days, with a deadline provided for creating a continuity risk analysis, crisis plan, and compliance with resilience requirements. Providers are also now required to submit an annual report on measures taken to prevent service disruptions, maintain service standards, and conduct annual training to raise staff awareness on service continuity, emergency procedures, and response measures.
Essential service providers must also notify the relevant supervisory body or designated authority if an incident has, or may have, a significant impact on continuity across one or more EU Member States. Companies must also prepare for independent audits to assess the adequacy of continuity measures.
In addition to these provider responsibilities, the state must compile a national risk assessment, based on risk analyses by agencies and local governments, to identify and analyze potential threats to service continuity in emergencies or similar situations.
Background Checks Required for Certain Employees
To ensure reliability, essential service providers must conduct background checks on individuals in sensitive roles, those with direct or indirect access to critical facilities, information, or control systems, or those under consideration for such roles. These checks are intended to assess security risks and will focus only on criminal records. Specific guidelines for background checks are expected to be established by the government through upcoming regulations, which have yet to take effect.