European Commission President Jean-Claude Juncker heaped praise on Estonia’s cybersecurity expertise during a press conference in Tallinn on Friday (30 June). The Baltic country could help the EU to move ahead on technology policies, Juncker said one day before the country takes over for a six-month leadership role.
Estonian Prime Minister Jüri Ratas said while standing next to Juncker that his country with just over one million inhabitants will make “digital Europe and the free movement of data” a priority while steering legislation through negotiations until the end of this year.
Ratas said he wants Estonia to focus on the “principle” that “Europe is much more positive than negative.”
Estonia has pointed to its top-ranking digital government services like e-voting and its recovery from massive cybersecurity attacks in 2007 to argue that it punches above its weight on technology issues.
The government also promotes its so-called e-residency programme as a way for companies to establish themselves in Estonia at low costs, with little bureaucracy compared to other European countries and a 25% corporate tax rate.
EU Council presidencies of smaller member states are “always the most effective,” Juncker said. Juncker, who was prime minister of Luxembourg before he became president of the Commission in 2014, joked that he does not have a smartphone but still understands that digital services are important.
He told reporters that he hopes to “depend” on Estonia’s experience with cybersecurity.
In 2008, shortly after the attacks, NATO set up a cybersecurity research centre in Estonia that feeds into the alliance’s response to military-level attacks on digital infrastructure.
The Baltic country’s leadership role starts three months before the EU plans to announce broad changes to its cybersecurity policy.
The Commission is getting ready to publish an updated cybersecurity strategy for the bloc, which is expected to outline for the first time how the EU should respond to vulnerabilities in internet-connected devices.
The September announcement will also include a new labelling scheme to grade devices based on how secure they are.
In September, EU defence ministers will take part in a “table-top” cybersecurity exercise in Tallinn.
“When you’re sitting around the table and you have to make a decision on issues that can be very dramatic, like blowing up power stations, civilian control […], we believe people will acquire a much better understanding for how this works,” Defence Minister Jüri Luik said during a press briefing later in the afternoon on Friday (30 June).
But Klen Jäärats, Ratas’ EU advisor, told journalists Thursday that diplomats running the Estonian presidency’s work will focus on the economic impact of cybersecurity breaches rather than on defence measures.
When the Petya malware attack swept companies in several European countries this week, a handful of Estonian companies were affected—but only ones that were connected to servers in other countries. Companies with infrastructure based only in Estonia were safe, government ministers said.
Digital Minister Urve Palo said the Petya attack showed that it “doesn’t make sense” if Estonia has strong cybersecurity safeguards but other countries in Europe do not.
“We will be attacked anyway. We have to do it together in the EU,” Palo said.
Some member states have been sensitive to increasing EU cooperation on cybersecurity because they do not want to share vulnerable information about the attacks they have suffered, which could reveal their potential weaknesses.
The Estonian presidency will also be in charge of leading negotiations on a slew of controversial technology bills, including an overhaul of copyright law and new telecoms rules.
Estonia is one of the most vocal countries calling for the EU to propose legislation on the free movement of data. Member states have been divided over whether they want to regulate data flows. Disagreements between EU countries put pressure on the Commission, causing the executive to redraft a bill it originally planned last year to outlaw so-called data localisation restrictions that require companies to store data in only one EU member state.
Andrus Ansip, the Commission Vice-President in charge of digital policies, told EURACTIV this week that the proposal he will announce in September will now be more “balanced” than the draft from last year. France has pushed for security and data access exemptions to the rules.
“We wish for the free movement of data to be accepted as the fifth freedom of the EU,” Ratas said Friday.