Document register | Riigi Infosüsteemi Amet |
Reference | 4.2-10/241153 |
Registered | 08.07.2024 |
Synchronized | 09.07.2024 |
Type | Incoming letter |
Function | 4.2 Organisation of the development and management of state e-services |
Series | 4.2-10 Documents related to the development and management of state e-services (requirements, guidelines, procedures and methodologies) |
File | 4.2-10/2024 |
Access restriction | Public |
Access restriction | |
Addressee | Nasdaq CSD SE |
Method of receipt/dispatch | Nasdaq CSD SE |
Responsible person | Riho Kerge (RIA, AVO) |
Annex 1
Description of NCSD plans to migrate the Estonian e-Register system and the ESIS system
(Electronic Shareholders Identification System) to the eServices platform (cloud)
5 July 2024
Nasdaq CSD SE (NCSD) has developed the eServices platform, a web-based platform accessible via
Internet browsers. The platform provides Baltic and Icelandic issuers with registered securities in NCSD
an alternative way to submit corporate actions (CA) forms.
To further enhance the customer experience and improve the usability of NCSD’s services, NCSD plans to
migrate the Estonian e-Register system and the ESIS system (Electronic Shareholders Identification
System) to the eServices platform, thus ensuring a single point of access to its services.
NCSD is and will remain responsible for maintaining the referred applications, while the infrastructure that
will house the applications will run on Amazon Web Services (AWS) cloud, as does the eServices platform.
Summary description of the systems being migrated to the eServices platform and thus to Amazon
Web Services (AWS) cloud:
• e-Register is an internet-based solution of the NCSD Estonian branch that is intended both for legal
entities and natural persons who have securities accounts and may view related information via e-
Register, or who would like to request shareholders’ information about listed or non-listed
companies in Estonia. Moreover, some contractual clients, including Estonian state entities, can
access shareholders’ and securities accounts information as required by the local Estonian laws
and regulations, via e-Register.
• ESIS is a web-based application that provides support for various services, including shareholder
identification, meetings, web service reports, and Investor Analytics. ESIS is utilized by issuers,
issuer agents, account operators, and the Financial Supervision Authority (FSA). Communication
with ESIS can be conducted through the application-to-application (A2A) mode and via a graphical
user interface (GUI).
In addition to the above two applications, NCSD also plans to migrate the NCSD website to AWS cloud.
Types of personal data that will be hosted in the AWS cloud due to migration of e-Register and/or ESIS
applications are the following:
• Personal Identification: Name, Surname, E-mail address, Phone number, Address, Birth date
(Securities Register Maintenance Act § 5 (4), 1), 2), 3)).
• Government Identifiers: ID code (Securities Register Maintenance Act § 5 (4) 3)).
• Financial: Securities account number, Bank account number, Amounts/Balances of securities held,
Pledges/Restrains (Securities Register Maintenance Act § 5 (4) 5), 6), 7), 9)).
Types of personal data that will be hosted in the AWS cloud due to the migration of the NCSD website are
the following:
• Publicly available data such as:
o Name, Surname under disclosed shareholders lists of publicly listed regulated market
equity issuers (EE) (Securities Register Maintenance Act § 7 (2) 1)).
o Search functionality for the securities account number (Securities Register Maintenance
Act § 7 (62)).
Summary description of the AWS technical and contractual setup:
The eServices platform is hosted on Amazon Web Services (AWS) cloud servers. The servers are in
Stockholm, Sweden (EU-North-1 region), each with redundant power, networking, and connectivity, housed
in separate facilities. This ensures that if one data center is down, the service can be picked up by another
one, thus reducing the risk of service interruptions.
The eServices platform uses a microservices architecture. Microservices means the system is divided into
smaller, independent services that work together. AWS provides auto-scaling, load balancing, and multi-
availability-zones (AZ) deployments. This means the eServices platform’s workload can be automatically
spread across multiple servers and availability zones. Therefore, if one server or zone goes down, the
overall system still stays operational since the work is distributed.
Data is neither transferred outside the EU, nor is it shared with third parties. Only external users with
authorized rights can see the personal data contained in e-Register and ESIS. Internally, only users with
defined access rights can see personal information.
The migration of the above applications to the eServices Platform and thus to AWS cloud is planned to start
in December 2024, with the migration of the public User Interface (front-end) of the two applications, after
which the back end will follow.
AWS is being utilized by Nasdaq as an Infrastructure-as-a-Service (IaaS) platform. Nasdaq has an enterprise
agreement with AWS that establishes a master service agreement covering all Nasdaq group companies
including NCSD. This ensures consistent terms and conditions when using AWS cloud infrastructure
services.
Nasdaq Stockholm has entered into an agreement with Amazon Web Services, Inc., (“AWS, Inc.”) and an
affiliate of AWS, Inc., Amazon Web Services EMEA SARL (together with AWS, Inc., “AWS”) related to
generally available services made available by AWS through the AWS Management Console (hereinafter
– AWS Cloud).
AWS Customer Agreement is available at: http://aws.amazon.com/agreement (as updated from time to
time). Additionally, Nasdaq has signed addendums for, among others, data processing (data processing
requirements and restrictions) and financial services (outsourcing related requirements).
Nasdaq Stockholm has outsourced the AWS Cloud through a sub-outsourcing arrangement to Nasdaq
CSD SE and other affiliates on December 21, 2022.
The outsourcing chain used by Nasdaq CSD was assessed according to the outsourcing policy in place
and brought to the Management Board for approval on November 19th, 2023. The assessment concluded
that the outsourcing was not critical considering that only the submission of corporate actions (CA) was in
scope. The results of the assessment were communicated to the Estonian Ministry of Finance.
Considering the addition of Estonian e-Register system and the ESIS system to the eServices platform,
NCSD will revisit the outsourcing assessment and determine the current criticality.
In case of contract termination or non-compliance with the agreement, NCSD will enact an exit plan under which
the applications will be moved to another cloud provider or moved on premises.
AWS commits to high service level agreements (SLAs) across metrics like uptime, availability, and
responsiveness. AWS guarantees a 99.99% uptime SLA for its core infrastructure services. This matches or
exceeds the reliability Nasdaq sees in its own datacenters.
The Nasdaq procurement process validated that AWS has appropriate security, privacy, and compliance
controls. The areas examined during the assessment are as follows: Enterprise Risk Management,
Physical and Environmental Security, Operational Resilience, Environmental, Social, and Corporate
Governance, Security Policy, IT Operation Management, Compliance and Operational Risk, Threat
Management, Organizational Security, Access Control, Endpoint Device Security, Server Security, Asset
and Information Management, Application Security, Network Security, Cloud Hosting Services, Human
Resources Security, Cybersecurity Incident Management, Privacy.
Across all domains examined, the residual risk is deemed low; moreover, risks identified with AWS are
primarily under Nasdaq control based on usage and configurations. No remediation of risk is required by
AWS at this time.
The agreement allows for audits of AWS to ensure they maintain regulatory requirements. As per the
agreement, AWS will provide, with reasonable advance notice, the supervisory authorities (a) access to all
necessary information related to the outsourced services, and (b) access to the AWS premises related to
the outsourced services.
AWS is compliant with the NIST cybersecurity framework as well as the ISO27001 standard.
Nasdaq CSD SE • Maakri 19/1 • 10145 Tallinn • ESTONIA • Registry code 14306553 Tel: +372 640 88 40 • [email protected] • https://nasdaqcsd.com/
Riigi Infosüsteemi Amet Pärnu maantee 139a, Tallinn, 15169 [email protected] 05.07.2024
CC: Rahandusministeerium
Application for the approval referred to in EVKS § 71 subsection 3
Subsection 3 of § 71 of the Securities Register Maintenance Act (EVKS) establishes the obligation of the
registrar of the securities register to obtain the approval of Finantsinspektsioon and Riigi Infosüsteemi
Amet for the conditions of hosting an information system outside Estonia.
Nasdaq CSD SE, the registrar of the securities register, which operates in Estonia through its branch
(14306553), hereby applies for the approval of Riigi Infosüsteemi Amet for hosting the applications being
migrated to the e-services platform (eServices platform) on cloud servers in Sweden.
Summary overview of the applications whose hosting on AWS cloud servers NCSD wishes to have
approved:
• e-Register: an internet-based solution of Nasdaq CSD SE intended for both legal and natural
persons who have securities accounts and can view related information via e-Register, or who
wish to request shareholder information about listed or non-listed companies in Estonia.
• ESIS: a web-based application of Nasdaq CSD SE that provides support for various services,
including shareholder identification, meetings, web service reports and investor analytics.
ESIS is used by issuers, issuer agents, account operators and Finantsinspektsioon.
• The Nasdaq CSD SE website at https://nasdaqcsd.com/
A more detailed description of the applications to be hosted, the types of personal data stored on the
cloud servers, and a summary description of the technical setup of the cloud servers and the contractual
obligations are attached to this application in English (Annex 1).
The e-services platform is hosted on Amazon Web Services (AWS) cloud servers. The servers are located
in Stockholm, Sweden, each with a backup power supply, networking and connectivity, and they are
housed in separate facilities. This ensures that if one data center is down, the service can be taken over
by another, thereby reducing the risk of service interruption. AWS conforms to both the NIST
cybersecurity framework and the ISO27001 standard.
Should there be any questions, NCSD is ready to share additional information and explanations.
The application has been submitted simultaneously to Finantsinspektsioon and Riigi Infosüsteemi Amet
for approval, and also to Rahandusministeerium for information.
Sincerely,
Digitally signed
Kristi Sisa Member of the Management Board Nasdaq CSD SE Estonian branch
Annexes:
Annex 1: NCSD e-Reg, ESIS, CSD Website migration to AWS Cloud
Kerttu-Kaarina Tombak, [email protected]
Anette Sooväli, [email protected]
Hello,
I am forwarding to Riigi Infosüsteemi Amet the application of Nasdaq CSD SE with reference to EVKS § 71 subsection 3 (approval regarding the hosting of the securities register information system).
Sincerely,
Kerttu-Kaarina Tombak
Kerttu-Kaarina Tombak
Senior Associate General Counsel
Nasdaq - Internal Use: Distribution limited to Nasdaq personnel and authorized third parties subject to confidentiality obligations