ESTONIA: X-Road and audit

31.05.2021

In Estonia, public organisations have their own information systems to process information relevant to the state and its citizens to provide public services. Information and services often run on different systems that suit the function of a given organisation. X-Road is a distributed information exchange platform that makes it possible for these different systems to communicate all across the governmental sector; for example, the police can access data from the health system, tax board or business registry, and vice versa.

But to do this, X-Road must satisfy three criteria. First, the platform must be interoperable and technically easy for each member of the system to access the data they need. Second, the data cannot be corrupted in transit by the system or by an external third party. And third, the data must be protected from prying eyes so that unauthorised individuals cannot view the content of the data en route.

The backbone of e-Estonia

To run a country where public services are accessible online 24/7, you need interoperable information systems. To meet this challenge, Estonia developed the X-Road platform, which was initially used for making queries to different national databases but is now also used for amending data in multiple databases, transmitting large data sets and executing searches across several databases. Working as an organizational model, X-Road has become the backbone of e-Estonia, allowing the nation’s various databases, both in the public and private sector, to link up and operate in harmony.

Facts and figures

  • 2 922 services can be used via X-Road
  • 612 institutions and enterprises and 1 377 interfaced information systems are connected to X-Road
  • 1 570 741 229 requests were made in the previous year in X-Road
  • Complies with the European Framework of Interoperability
  • Complies with the eIDAS requirements for trusted services

Audit “Administration and reliability of X-Road” (2021)

The performance of public functions, including information exchange between authorities or provision of services, has inevitably become largely digital. This means that the need to exchange large amounts of electronic data increases every year.

The number of users of the secure data exchange layer for information systems developed in the early 2000s and the number of queries made using it is still growing. At the same time, the software and operating principles necessary for the operation of X-Road have started to be exported to foreign countries, and development of software jointly with Finnish colleagues has also commenced.

Significance of the audit topic

As of 1 December 2020, 200 public sector authorities (incl. local government authorities) and 525 private sector institutions had joined X-Road, and approximately 52 000 enterprises and institutions indirectly used X-Road services. 1,263 information systems have been interfaced with the secure data exchange layer. The authorities and institutions using X-Road, or members of X-Road, had installed 164 security servers.

Given the number of queries made through X-Road (nearly 133 million queries in one calendar month), the provision of the majority of public services would become impossible or at least significantly more difficult should X-Road not be operational. Replacing data exchange carried out via X-Road with non-electronic data exchange would be practically impossible or at least very costly.

Scope of the audit

The National Audit Office audited whether the Information System Authority responsible for the management of the X-Road Centre has taken into account the major risks to X-Road and implemented measures to mitigate them. It was also examined whether the Authority together with the users of X-Road has complied with the requirements established by the state for the management of X-Road to ensure the operation of secure data exchange in a sustainable manner.

Key audit findings

In the audit report, the National Audit Office concluded that the central services of the X-Road infrastructure have been relatively reliable: over the last three years, there has been one significant interruption in the X-Road services caused by the central components of X-Road. It became clear as a result of the audit that the Information System Authority and the members of X-Road observed in the audit have generally implemented measures necessary for ensuring the reliability of X-Road.

The audit revealed that several of the requirements established for X-Road by the Government of the Republic Regulation “Data Exchange Layer for Information Systems” are general and allow members of X-Road to interpret them differently in implementation.

In the course of the audit, the National Audit Office identified a few risks that could endanger the integrity and confidentiality of databases interfaced with X-Road and create opportunities for unauthorised access to data or making unauthorised changes. The two main reasons for these risks are the following:

  • There is no common practice for entering into data service agreements, and some authorities do not enter into these agreements at all. Compliance with data service agreements is checked by only a few members of X-Road.
  • None of the audited national authorities verifies, before entering into an agreement with a data service user, whether an entrepreneur who is a private legal entity implements adequate measures for ensuring the integrity, confidentiality and availability of data to mitigate security risks.

Although the Information System Authority has not prepared an operational continuity plan for X-Road, several measures have been implemented for the continued operation of secure data exchange, and requirements have been established in other documents to ensure operational continuity. The irregular performance of recovery tests and the failure to document them may be considered shortcomings, as may the fact that the vitality and sensitivity of information assets related to X-Road have not been assessed separately.

Audit recommendations

The National Audit Office recommended that the Director General of the Information System Authority initiate an amendment of the Regulation “Data Exchange Layer for Information Systems” governing the operation of X-Road that would make the established requirements more precise and unambiguous, so that data service providers could implement the requirements and the Information System Authority could check their implementation.

The National Audit Office also recommended assessing the risks to the security of databases arising from the failure to enter into data service contracts and implementing activities to mitigate these risks.

The National Audit Office recommended developing a system for auditing private legal persons using the X-Road services to ensure the integrity, confidentiality and availability of data. In addition, the National Audit Office recommended performing regular recovery tests on the central components of X-Road and documenting them. In the event of deficiencies, the necessary corrective actions must be taken.