Estonia’s citizens, residents and e-residents have been updating their digital ID cards with new certificates to help protect against a potential security vulnerability discovered by a group of international security researchers.

On Friday, the Estonian Police and Border Guard decided to suspend all previous certificates affected by the vulnerability.

Estonian Prime Minister Jüri Ratas explained that the danger of the security threat becoming real was increased by the fact that it was not a flaw of the Estonian ID card alone, but also included cards and computer systems around the world that use the chips by the same producer. This brought the safety flaw to the attention of international cybercrime networks which had significant means to take advantage of the situation.

“The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card,” said Prime Minister Jüri Ratas. “As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real. By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card.”

The Prime Minister added that the decision was not made lightly, but protecting people, their companies and their state must come first.

This means that Estonian digital ID cards issued between 16 October 2014 and 25 October 2017 — including all but the very newest cards issued to e-residents — will no longer work online without the update.

This will be inconvenient for e-residents who have not yet updated their certificates, especially as the process has been more difficult than any of us wanted. We are aware that many citizens, residents and e-residents have been receiving error messages due to the high volume of people updating at the same time.

As a result, the ability to update certificates was temporarily restricted last weekend in order to prioritise people who use their digital ID cards to provide vital services, such as medical professionals inside Estonia, as well as the most frequent users, which will include e-residents that will be notified by email.

All e-residents can now update their certificates again, but you may not need to rush anyway.

The deadline for updating the new certificates is the end of March 2018, but e-residents who signed up for Smart-ID while their certificates were active can continue accessing many of the same benefits — even when their certificates are suspended.

You only have to update your certificates before you need to digitally sign documents, access state services (such as the Business Register) or access banking if you haven’t already set up Smart-ID. The Finnish banking provider Holvi is unaffected though.

We understand that the certificates update process is still not as smooth as it should be, but authorities are working hard to improve this for those that want to update straight away.

As the Prime Minister has also said, we are all truly sorry for any inconvenience you may have experienced. However, Estonia’s highest priority is to protect the digital identities of citizens, residents and e-residents — as well as their companies and their state.

Estonia is proud to be a digital leader and help spread the benefits of our digital nation to as many people around the world as possible through e-Residency. That also means we will sometimes be the first to encounter new challenges and must take responsibility for the solution. We will always do so with full transparency because our digital nation depends on the trust of all its people — citizens, residents and e-residents.

Thank you for your patience.