The obligations of an X-tee member are set out in the Government regulation ‘Data Exchange Layer’.

An X-tee member can delegate the performance of its obligations to a third person, but the X-tee member remains liable for their performance. For example, in the case of a hosted security server, the host carries out the duties related to the security server, but in the context of X-tee the member itself is liable for the performance of those duties.

In order to keep their information systems up to date and trustworthy, X-tee members are obliged to

  • ensure that the information systems they connect to X-tee are consistent, managed, and developed, and that they function securely and without failures, so that other members can exchange data with them in a trustworthy manner;
  • fulfil the orders given to the X-tee member by the X-tee centre with regard to using X-tee;
  • keep their data in the X-tee Self-Service portal up to date;
  • submit applications and other information related to X-tee to the X-tee centre via the X-tee Self-Service portal. Applications and notifications that cannot be submitted via the X-tee Self-Service portal are submitted by other electronic means;
  • coordinate with RIA before deploying the information system outside the territory of the Republic of Estonia.

In order to keep their information systems secure, X-tee members are obliged to

  • implement data protection measures and appropriate physical, organisational, and information technology measures, taking the Public Information Act into consideration. To manage security risks, measures ensuring the integrity, confidentiality, and availability of data must be implemented;
  • upon joining, confirm compliance with the information security requirements by means of the letter of confirmation referred to in the user manual;
  • upon request of the X-tee centre, submit the information necessary to evaluate the security of the security server, including the security regulations and a description of how the required measures have been implemented;

To ensure information security, it is advisable to implement a generally recognised standard, for example ISKE, the ISO/IEC 27000 series, COBIT, or the BSI IT-Grundschutzhandbuch. It is important to make sure that the chosen methods are auditable and that independent audits are carried out at least every four years.

Public sector institutions that do not fall under the Public Information Act may be subject to special provisions in other acts governing how the information security of their information systems is ensured, for example the State Secrets and Classified Information of Foreign States Act.

  • provide and use data services pursuant to the data service usage agreements between X-tee members. The data service usage agreement must specify, inter alia:
      • the information security measures necessary for using the data service, and the organisational, physical, and information technology security measures required of the data service user’s subsystem, considering the nature of the data to be processed and the requirements of legislation;
      • permission to mediate the data service to third persons, where the X-tee member acts as a mediator of data services. If a data service mediator is used, the policy for mediating the service must be agreed on;
      • service level terms and conditions.
  • specify the positions in their organisation that are authorised to use the subsystem, and thereby the data services available to that subsystem, and grant access only to the persons holding those positions;
  • immediately notify the X-tee centre of problems in using X-tee and of circumstances which affect or may affect the X-tee centre or an X-tee member in performing their duties. In addition, an X-tee member shall immediately notify the X-tee centre’s information security incident response department (CERT-EE) of security incidents and the immediate threat they pose;
  • when using a public cloud service to host the information system, it is advisable to follow the manual for secure usage of public cloud services (in Estonian).

In order for data services to be available to all X-tee members, data service providers are obliged to

  • register the data service, together with its technical description, in the security server, and keep the descriptions of the data service relevant and up to date both in the security server and in the X-tee Self-Service portal;
  • before concluding an agreement with a user of the data service, make sure that the user implements sufficient organisational, physical, and information technology measures, also taking into account the particularities arising from members of federated (joined) environments and the legal form of the member;
  • ensure that the access rights granted in the X-tee system match the data service usage agreements between members. A data service can only be used from subsystems of X-tee members that have been granted access rights to that specific data service;
  • adhere to the data service usage agreement;
  • time-stamp the messages received by the security server at the frequency required for data processing.