Grant Thornton Baltic announced on 1 April that it has proposed considering the partial privatisation of the Estonian Information System Authority (RIA) and jointly creating a new information system, MinuKüTS. The aim is to help companies finally understand which cybersecurity and information security requirements actually apply to them and what obligations they must fulfil.
At the core of the proposal is a new joint project with the working titles Kohustuste Kompass, MinuKüTS and, in a more ambitious phase, Suur-EITS. The goal is to create an information system that responds to real needs rather than only regulatory ideals.
The principle of the system is simple. A company logs in using a QR code, a two-factor NFC smart device and the latest SmartID++ solution. The system first helps the company understand what it actually does—not only based on EMTAK classification, but on its real operating model, services, clients, suppliers and business criticality. Only then does the system map which legal obligations actually apply to that company.
The system then provides a comprehensive overview: which obligations arise from legislation, which documents must be prepared, which controls must be performed, what the deadlines are, what must be reported and to whom, and which decisions the management board must adopt to ensure all of this functions.
According to Grant Thornton Baltic, the role of the state should remain where it is strongest: setting rules, supervision and protecting the public interest. However, practical implementation, interpretation, management of activities and convenient reporting could be solved on a market basis, using private sector experience and capability.
This is the idea behind MinuKüTS – a system that would help a company, upon logging in, identify its area of activity, applicable requirements, necessary actions, deadlines, reporting obligations and information security governance decisions at board level.
The aim is to give companies not just a list of obligations, but also confidence in how to actually manage them.
This is an April 1 story. Unfortunately, the need it describes is entirely real.