News

This year, new digital services and cybersecurity requirements will impose additional obligations on a large number of Estonian companies. Primarily, these changes will affect companies that provide their services electronically. From the consumer's perspective, our digital environment will become safer and more predictable through these changes. However, for businesses, offering services will become more complex and expensive, write Timo Kullerkupp and Mikk Ilves from the RASK law firm.

As of February this year, both Estonia and the European Union as a whole will apply the digital services act, which establishes new and stricter requirements for services and their providers. Firstly, this concerns businesses whose service consists of transmitting information via a communications network or providing access to it, such as internet service providers and providers of internet-based messaging and voice services. Secondly, it affects businesses whose service involves transmitting information through a communications network, but in the process also involves storing that information, such as various network support service providers. And thirdly, businesses engaged in information storage or cloud service provision, for example, web hosting service providers or companies that maintain a web-based sales environment or social media platform.

What Changes with the Digital Services Act?

Firstly, there is an obligation for rapid response to the spread of illegal content. Following the enactment of the digital services act, businesses must be prepared to react quickly and efficiently, and upon government order, implement measures to limit the spread of illegal content. From a business perspective, this means knowing how to act upon receiving such an order.

Additionally, there is an obligation to publish contact details. Intermediary service providers must ensure that they have published contact details online, such as an email address, phone number, or messaging option, allowing for quick communication.

Thirdly, and in our view, the most significant change is the tightening of requirements for service conditions. According to the digital services act, service providers must include information in their terms of use about all restrictions they may apply to consumer-transmitted information. It must be clear how this is done, what happens to the information, and how content is moderated. However, it must not unduly restrict the freedom of expression and other fundamental rights of service recipients. For businesses, this means that providing the service becomes more complex, and its conditions must be aligned with the requirements.

Illegal Content Reporting Must Be Possible

Additionally, providers of information storage services face further obligations. Firstly, there must be accessible options for anyone to report illegal content. Secondly, any restrictions on the service recipient must be justified. This means that the service provider must have considered the applicable restrictions in advance and be prepared to justify them to the service recipient. This information must also be included in the service conditions.

From a consumer perspective, the changes mean that it will be easy and quick to contact the service provider in case of any problems in the future. If a service provider restricts a consumer's ability to use the service (for example, by closing their social media account), they can no longer leave the service recipient in the dark and must provide them with information on how to protect their rights against these measures. Undoubtedly, this means that services will become more expensive for all parties involved.

Digital platforms with over 50 employees and an annual turnover and/or total annual balance sheet exceeding 10 million euros are subject to additional obligations under the digital services act to create an internal complaint handling system. Requirements for advertising presentation and the protection of minors are also established.

Cybersecurity Requirements Tighten

New obligations also come with the second directive on cybersecurity, which member states must transpose by October 17, 2024. This means that the precise requirements to be applied in Estonia are not yet known. However, the directive provides a good indication of what to expect. There are two major changes.

Firstly, the scope of companies subject to obligations expands. Now, providers of trust services, cloud computing services, data center services, public electronic communications networks, and public electronic communications services, among representatives of many other sectors, must comply with this directive.

Secondly, risk measures become mandatory. This means that companies must manage risks that threaten the security of networks and information systems used in their operations or in providing services and regularly train both members of the management bodies and employees in cybersecurity. The directive also lists the minimum technical measures. Unlike before, violators may face penalties.

It's Worth Preparing Early

Considering Estonia's previous practice of transposing directives, the cybersecurity requirements soon to be applied in Estonia could even be stricter than those outlined in the directive. Therefore, we recommend that companies start restructuring early. Otherwise, the requirements that will become applicable in the second half of the year may prove too extensive and impossible to meet by the time of enactment, exposing the company and its operations to potential sanctions. As these requirements will inevitably affect the price and sustainability of services, it's also important to address these issues early.

In conclusion, the changes accompanying the digital services act and the second directive on cybersecurity are welcome, as they will make our digital environment safer, simplify communication between users and service providers, and ensure uniform requirements throughout the European Union. At the same time, and as always with requirements, it can affect the availability and conditions of services and possibly lead to consolidation in the market.