EPM Audit of Milestones and Targets Estonian Recovery and Resilience Plan

H.E. Mr Aivo Orav

Ambassador, Permanent Representative

Permanent Representation of Estonia to the EU

Rue Guimard 11/13, 1040, Brussels

Mr Jürgen Ligi

Minister of Finance

Ministry of Finance

Suur-Ameerika 1, 10122 Tallinn

Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111

EUROPEAN COMMISSION DIRECTORATE-GENERAL ECONOMIC AND FINANCIAL AFFAIRS

Resources and performance management

The Director

Brussels, ECFIN.R.4/GG/(2025)5189567

Subject: EPM Audit of Milestones and Targets

Estonian Recovery and Resilience Plan

Ref.: EE-Q2-2025-M/T Audit on M/T (to be used in all correspondence)

Your Excellency,

I am writing to inform you that the Control and evaluation Unit of the Directorate General for

Economic and Financial Affairs (DG ECFIN) will carry out an audit on milestones and targets

in the context of the Recovery and Resilience Facility (RRF).

The possibility of such audit is foreseen in Article 12 of the Financing Agreement of the

Recovery Resilience Plan between the European Commission and the Estonia in accordance

with Article 22(2)(e) of the RRF Regulation1.

1. OBJECTIVE OF THE AUDIT

The objective of the audit is to obtain reasonable assurance on the satisfactory fulfilment of

the milestones and targets as declared in the request(s) for payment n°3 submitted by the

Estonia to the European Commission, on 09 December 2024.

The specific objective of the audit is to verify the reliability of reported data on achieved

milestones and targets as declared in the requests for payment to the European Commission,

as well as their aggregation.

2. SCOPE OF THE AUDIT

The scope of the audit is limited to:

- a verification of the achievements of milestones and targets declared in the request for

payment n°3 submitted on 09/12/2024 to the European Commission;

1 Regulation (EU) 2021/241 of the European Parliament and of the Council of 12 February 2021 establishing the Recovery

and Resilience Facility

2

- a verification that the Member State ensured compliance with the applicable Union

and national law (public procurement).

The above-mentioned verifications will focus on the following milestones/targets:

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE PUBLIC PROCUREMENT

CODE

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES) RESPONSIBLE FOR

REPORTING AND IMPLEMENTATION

Target 12Skills reform for the

digital transformation

of businesses

PP 267578 Number of people enrolled in

training activities supported

under this measure, consisting

of awareness-raising for SME

managers, and upskilling and

retraining for ICT specialists.

A minimum of 35% of

participants enrolled in these

training activities shall be

women.

Ministry of Education and

Research (HTM)

The Education and Youth Board

(HARNO)

Target 55Reconfiguration of

basic digital services

and safe transition to

cloud infrastructure

PP 231776 Number of information

systems for which the

migration to the private cloud

infrastructure shall be

completed.

Ministry of Justice and Digital

Affairs (MJDA)

The Estonian Information and

Communication Technology

Centre (RIT)

The audit work will trace and verify (recount) data for selected milestones and targets, where

possible.

3. ORGANISATION OF THE AUDIT WORK

The audit will consist of several phases carried out in the Commission (preparation, reporting

and follow-up) and at the premises of the Coordinating body, bodies implementing reforms

and investments, and if applicable, final recipients:

• Preparation (analysis of key documents such as manuals, checklists, procedures,

verification reports, methodology, etc.).

• Fieldwork (review of the data management and reporting systems and of the data

reported for the selected milestones and targets, including data verification for a

sample of final recipients/operations).

• Reporting and contradictory (observations) procedure.

• Follow-up.

3

4. DATES

The audit field work will be carried out during the week of 10-13 June 2025.

As indicated in chapter 6 of this letter, the lead auditor will be in contact with Estonian

authorities and will send a detailed agenda once the requested documentation has been

received. The audit will take place at the premises of the Coordinating body and of the bodies

implementing reforms and investments. In addition, further to the analysis of the information

requested in point 6, the audit may also take place, if appropriate, at the premises of the final

recipients of the selected operation(s)/project(s).

For this particular audit, the body(ies) implementing reforms and investments concerned are

indicated in point 2, as responsible for the implementation and reporting. In case there are

other bodies responsible for implementing and reporting on the selected milestones and

targets, I would be grateful if Estonian authorities could inform us.

The audit body is invited to participate in the audit as an observer.

5. AUDIT TEAM

The lead auditor responsible for the conduct of the audit is Ms GALLI Giulia, +32 2 29 88200,

[email protected], the associated auditor is Ms ECKHARDT RODRIGUEZ Ana.

I would be grateful if the Estonian authorities concerned could indicate the name, telephone

number and e-mail address of the contact person(s) in the Coordinating body of the Recovery

and Resilience Plan responsible for this audit, in order to make further practical arrangements

ensuring the smooth operational running of this task, in particular the exchange of documents

and information as well as the clearing and adversarial procedures.

6. DOCUMENTS AND INFORMATION REQUIRED

In order to facilitate the preparation of the audit, I would be grateful if the services concerned

would provide the information set out in annexes II, III and IV, by 23 May 2025. In addition

to the documentation required, these annexes (information sheets) allow the bodies being

audited to identify the tasks to be performed by the audit team and the key persons whose

presence is needed during the fieldwork.

Following examination of these documents, a sample of RRF operations/final recipients will

be selected for review. Further details, including the detailed agenda and the list of the

operations/final recipients selected for this audit will be communicated later following the

analysis of the information requested. For the selected operations/final recipients, a

comprehensive file (including all the relevant working papers on the milestone and target data

processing) should be made available to the auditors.

For any queries or clarifications, in particular with regard to the requested information and

documents in preparation of this audit, please do not hesitate to contact the lead auditor for

this audit is Ms GALLI Giulia, +32 2 29 88200, [email protected].

7. PROTECTION OF PERSONAL DATA

The Commission services would like to draw your attention to the fact that data collected

during the audit may include information relating to an identified or identifiable natural

4

person (‘data subject’). Such information could be stored on the servers of the Commission.

Regulation (EC) No 2018/1725 (OJ L 295, 21.11.2018, p.39) of the European Parliament and

of the Council, applicable to Union institutions, and Regulation (EU) 2016/679 (OJ L 119,

4.5.2016, p.1), applicable to Member States, protect the right to privacy of natural persons

with respect to the processing of personal data. In order to inform the data subjects of their

rights, you are kindly asked to deliver the enclosed Information note on Protection of Personal

Data collected by DG Economic and Financial Affairs’ Control and Evaluation Unit (Annex

I) to the bodies or organisations to be audited in the context of this audit.

Yours faithfully,

Bernadette Fréderick

Enclosure: Annex I - Information note on Protection of Personal Data collected by the

Control and evaluation Unit of DG ECFIN

Annex II - Information Sheet for the Coordinating body selected for the Audit

on milestones and targets.

Annex III - Information Sheet for the Intermediary body level selected for the

Audit on milestones and targets.

Annex IV - Information sheet for the Final recipients selected for the Audit on

milestones and targets.

Copies: The Coordinating Body

Triin Tomingas, Head of Foreign Financing Unit, State Budget Department,

Ministry of Finance of the Republic of Estonia

Siret Soosein, Expert, State Shared Service Centre, RRP coordinator

Katri Targama, Head of the Grants Management Unit, State Shared Services

Centre

Audit Body

Anu Alber, Head of Financial Control Department, Ministry of Finance of

the Republic of Estonia, the RRF audit body

Mart Pechter, Advisor of the Financial Control Department, Ministry of

Finance of the Republic of Estonia, the RRF audit body

Audited Authorities

Triin Savisto, Adviser, Ministry of Education and Research

Martin Sõmer, Head of Centre for Engineering and Digital Education,

Education and Youth Board

Monika Karu, Adviser, Ministry of Justice and Digital Affairs

Ergo Tars, Director, Estonian Information and Communication Technology

Centre

e-signed

5

Directorate-General for Economic and Financial Affairs

Declan Costello, Deputy Director-General, Coordination of economic

policies of Member States

Bernadette Fréderick, Director, ECFIN.R

Yaniz Igal Javier, Acting Director, ECFIN.E

Joern Griesse, Head of Unit, ECFIN.E.2

Recovery and Resilience Task Force

Luebking Johannes, Director, SG REFORM.D

and Acting Head of Unit, SG REFORM.D2

European Anti-fraud Office (OLAF)

James Sweeney, Director, OLAF.C – Anti-Fraud Knowledge Centre

Andrea Bordoni, Acting Head of Unit OLAF.C.1 - Anti-Corruption, Anti-

Fraud Strategy and Analysis

Joint audit service for Cohesion (DAC)

Franck Sébert, Director, REGIO.EMPL.DAC

European Climate, Infrastructure and Environment Executive Agency

(CINEA)

Paloma Aba Garrote, Director, CINEA

European Court of Auditors

[email protected]

6

Annex I - Information note on Protection of Personal Data collected by Directorate-

General for Economic and Financial Affairs’ Control and evaluation unit at the

European Commission

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your

personal data and to respect your privacy. The Commission collects and further processes

personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the

Council of 23 October 2018 on the protection of natural persons with regard to the processing

of personal data by the Union institutions, bodies, offices and agencies and on the free

movement of such data, is applicable (repealing Regulation (EC) 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way

we collect, handle and ensure protection of all personal data provided, how that information

is used and what rights you have in relation to your personal data. It also specifies the contact

details of the responsible Data Controller with whom you may exercise your rights, the Data

Protection Officer and the European Data Protection Supervisor.

This privacy statement concerns the processing operation ‘External audits and controls’,

undertaken by the Commission (DG ECFIN, unit R.4) as presented below.

2. Why and how do we collect your personal data?

Purpose of the processing operation: The Commission collects and uses your personal data to

do any kind of financial control including ex-ante controls, desk checks, financial

verifications and audits of grant agreements or contracts to verify beneficiaries’ or

contractors’, subcontractors’ or third parties’ compliance with all contractual provisions

(including financial provisions), in view of checking that the provisions of the grant

agreements or the contracts are being properly implemented and in view of assessing the

legality and regularity of the transaction underlying the implementation of the general budget

of the Union.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data?

The possibility for the Commission to carry out checks and financial controls is foreseen in

the model grant agreement and contract signed between the Commission and the

beneficiary/contractor, as required by the Financial Regulation (‘FR’) applicable to the

General Budget of the European Communities2.

We process your personal data because:

2 Articles 117-123 FR on internal audits, article 127 on cross-reliance audits, articles 183 and 203 FR on

audits covering grant agreements and articles 254 – 259 FR on external audits by the Court of Auditors.

7

The processing operations on personal data carried out in the context of audit and control

activities3 are necessary and lawful under the following articles of the Regulation (EU)

1725/2018:

a) processing is necessary for the performance of a task carried out in the public interest or

in the exercise of official authority vested in the Union institution or body4;

b) processing is necessary for compliance with a legal obligation to which the controller is

subject5.

4. Which personal data do we collect and further process?

In order to carry out any kind of financial controls, ex-ante and ex-post, the Data Controller

could collect the following categories of personal data:

Mandatory:

• Mandatory contact data: name, company, e-mail address, telephone number;

• Mandatory data for access to finance and contractual obligations. Such data can be:

bank account reference (IBAN and BIC codes), VAT number, passport or ID number;

timesheets, salary slips, accounts, details of the costs, missions, reports, information

coming from local IT system used to declare costs as eligible, supporting documents

linked to travel costs, minutes from mission and other similar data depending of the

nature of the grant/contract, etc.;

• Mandatory information for the evaluation of selection criteria or eligibility criteria:

expertise, technical skills and languages, educational background, professional

experience, including details on current and past employment.

Voluntary:

• Voluntary data: other contact details (mobile telephone number, fax number,

professional postal address, function and department, country of residence);

• Voluntary data that may be collected by the website if there is consent to its cookies:

IP address, language preference, etc.

3 The audit and control activities are varied across the Commission departments as they can be conducted at

any time during the performance of the programme or project and can concern beneficiaries, projects,

system, transactions, etc. depending on the needs of the contracting authority. The audit and control

activities may be carried out on documents and/or on the spot, and may be carried out either before or after

the final payment to the beneficiary. Audits and controls of documents may be carried out in any place

where the funds in question are managed or used; the geographical scope is therefore worldwide.

The specific contract should specify what the audit and control is to cover (subject and location).

4 Article 5 (1) (a) of Regulation (EU) 2018/1725 and, in particular, Articles 317, 319 TFEU and Article 106

(a) of the Euratom Treaty.

5 In particular Articles 117, 183, 203.4 and 5, and 262 of the FR.

8

5. How long do we keep your data?

The Data Controller only keeps your personal data for the time necessary to fulfil the purpose

of collection or further processing, namely for 10 years after the audit is closed on condition

that no contentious issues occurred; in this case, data will be kept until the end of the last

possible legal procedure.

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of

data, etc.) are stored either on the servers of the European Commission or of its contractors

(processors), if contractors are engaged to assist the controller. All processing operations are

carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017

on the security of communication and information systems in the Commission.

In order to protect your personal data, the Commission has put in place a number of technical

and organisational measures in place. Technical measures include appropriate actions to

address online security, risk of data loss, alteration of data or unauthorised access, taking into

consideration the risk presented by the processing and the nature of the personal data being

processed. Organisational measures include restricting access to the personal data solely to

authorised persons with a legitimate need to know for the purposes of this processing

operation.

If the controller uses (a) contractor(s) (processor(s)) to assist the controller, this will be

indicated in the specific privacy statement and the following paragraph will be provided:

The Commission’s contractors are bound by a specific contractual clause for any processing

operations of your data on behalf of the Commission, and by the confidentiality obligations

deriving from the transposition of the General Data Protection Regulation in the EU Member

States (‘GDPR’ Regulation (EU) 2016/679).

7. Who has access to your data and to whom is it disclosed?

Access to your personal data may be provided on a ‘need to know’ basis to Commission

services and staff dealing with the external audit or control (including those

supervising/approving), inclusive of OLAF.

In addition, staff from the Council, European Parliament, European Court of Auditors may

have access to your personal data. Finally, your data may be shared with national managing,

certifying and audit authorities in shared management, beneficiaries/final recipients and

external contractors.

The information we collect will not be given to any third party, except to the extent and for

the purpose we may be required to do so by Union law, including the possible transmission

of personal data to EU bodies or institutions in charge of audit or inspection in accordance

with the EU Treaties.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation

(EU) 2018/1725, in particular the right to access, rectify or erase your personal data and the

right to restrict the processing of your personal data. Where applicable, you also have the right

to object to the processing or the right to data portability.

9

You have the right to object to the processing of your personal data, which is lawfully carried

out pursuant to Article 5(1)(a) on grounds relating to your particular situation.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data

Protection Officer. If necessary, you can also address the European Data Protection

Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing

operations, please provide their description (i.e. their Record reference(s) as specified under

Heading 10 below) in your request.

9. Contact information

- The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have

comments, questions or concerns, or if you would like to submit a complaint regarding the

collection and use of your personal data, please feel free to contact the Data Controller.

European Commission, DG ECFIN, Unit R.4 at [email protected].

- The Data Protection Officer of the European Commission

You may contact the Data Protection Officer ([email protected]) with

regard to issues related to the processing of your personal data under Regulation (EU)

2018/1725.

- The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data

Protection Supervisor, https://edps.europa.eu:data-protection/our-role-

supervisor/complaints_en or [email protected], if you consider that your rights under

Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal

data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing

operations on personal data by the Commission, which have been documented and notified to

him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the

following Record reference: 04466.1

10

Annex II - Information Sheet for the Coordinating body selected for the Audit on milestones and

targets

1. Objective of the audit

The objectives of the audit are to:

• Verify that appropriate data management and reporting systems are in place; and

Assess the reliability of the reported data for the selected milestones and targets.

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE PUBLIC PROCUREMENT

CODE

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES) RESPONSIBLE FOR

REPORTING AND IMPLEMENTATION

Target 12Skills reform for the

digital transformation

of businesses

PP 267578 Number of people enrolled in

training activities supported

under this measure, consisting

of awareness-raising for SME

managers, and upskilling and

retraining for ICT specialists.

A minimum of 35% of

participants enrolled in these

training activities shall be

women.

Ministry of Education and

Research (HTM)

The Education and Youth Board

(HARNO)

Target 55Reconfiguration of

basic digital services

and safe transition to

cloud infrastructure

PP 231776 Number of information

systems for which the

migration to the private cloud

infrastructure shall be

completed.

Ministry of Justice and Digital

Affairs (MJDA)

The Estonian Information and

Communication Technology

Centre (RIT)

3. Tasks performed by the audit team at the Coordinating body

• Interview Manager and staff involved in monitoring and reporting and data-management;

• Review of the systems and procedures relating to the collection, storage, verification

and reporting of data on the achievement of milestones and targets;

• Review availability, completeness, and timeliness of reports received from the lower levels (e.g.

bodies implementing reforms and investments and final recipients);

• Review of the reports/data received from the lower levels (e.g. bodies implementing reforms and

investments and final recipients);

• Re-count numbers from received reports/data and compare result to the information reported to

the Commission in Fenix.

11

4. Staff to be available at the Coordinating body during the audit

• RRP Manager.

• Staff involved in reviewing and compiling reports received from lower levels.

• IT staff involved in database management, if applicable.

12

5. Documentation to prepare in advance of arrival of the audit team - deadline for sending this

information to DG ECFIN is 23 May 2025

All documents submitted should be in one of these formats: .pdf, .doc, .docx, .xls, .xlsx, .xml, .msg, .csv,

.ods, .txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats will be discussed

case by case.

During the visit, for the operations/final recipient selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing) should be

made available to the audit team.

6. Expected time of audit team at the Coordinating body

In person kick- off meeting and one online wrap up meeting but a more detailed planning of the audit

mission will be communicated at a later stage.

WARNING: In no circumstances should reports be fabricated for the purpose of the audit.

13

Annex III – Information Sheet for the Intermediate body level

selected for the Audit on milestones and targets

1. Objective of the audit

The objectives of the Audit are to:

• Assess that appropriate data management and reporting systems are in place; and

• Verify the reliability of the reported data for the selected milestones and targets.

• Verify that the Member State ensured compliance with the applicable Union and

national law (public procurement)

2. Milestones and Targets and related indicators included in the audit

SEQUENTIAL

NUMBER (AS

IN CID)

NAME OF MEASURE PUBLIC PROCUREMENT

CODE

INDICATORS

(QUANTITATIVE / QUALITATIVE)

BODY(IES) RESPONSIBLE FOR

REPORTING AND IMPLEMENTATION

Target 12Skills reform for the

digital transformation

of businesses

PP 267578 Number of people enrolled in

training activities supported

under this measure, consisting

of awareness-raising for SME

managers, and upskilling and

retraining for ICT specialists.

A minimum of 35% of

participants enrolled in these

training activities shall be

women.

Ministry of Education and

Research (HTM)

The Education and Youth Board

(HARNO)

Target 55Reconfiguration of

basic digital services

and safe transition to

cloud infrastructure

PP 231776 Number of information

systems for which the

migration to the private cloud

infrastructure shall be

completed.

Ministry of Justice and Digital

Affairs (MJDA)

The Estonian Information and

Communication Technology

Centre (RIT)

3. Tasks performed by the audit team at the Intermediate body level

• Interview body implementing reforms and investments manager and staff involved in

monitoring, reporting and data-management.

• Review of the systems and procedures relating to the collection, storage, verification and

reporting of data on the achievement of milestones and targets;

• Review availability, completeness, and timeliness of reports received from the lower levels (e.g.

final recipients);

• Review of the reports/data received from the lower levels (e.g. final recipients);

14

• Re-count numbers from received reports and compare result to the numbers reported to the next

level.

• Review the procedures in place for compliance with EU and national law, such as but not

exclusively on public procurement and State aid.

4. Staff to be available at the Intermediate body level during the audit

• Manager of the body implementing reforms and investments,

• Staff involved in reviewing and compiling reports received from reporting Final recipients.

• IT staff involved in database management, if applicable.

• Staff involved in public procurement and/or State aid controls.

5. Documentation to prepare in advance of arrival of the audit team, if different than the

documentation provided by the coordinating body - deadline for sending this information to DG

ECFIN is 23 May 2025.

Education and Youth Board, Estonian Information and Communication Technology

Centre, Ministry of Justice and Digital Affairs, Ministry of Education & Research

1. Reported data to the next level (e.g. Coordinating body) for the milestone/target selected for the

audit and the related indicators, e.g. complete dataset

2. Organisational chart including management, monitoring and reporting responsibilities

3. Manual of procedures in place at the body implementing reforms and investments, regarding the

data collection and reporting system(s), including a description of all data verification,

aggregation, and correction steps performed on data submitted by the lower levels of

implementation (e.g. final recipients)

4. Description of how the data is collected, validated, stored and recorded (in particular which

source and supporting documents)

5. Instructions and guidance to the lower levels of implementation (e.g. final recipients) on data

collection, reporting requirements and deadlines

6. Written procedures for addressing specific data quality issues (e.g., double-counting, “lost to

follow-up”), including instructions sent to the lower levels of implementation (e.g. final

recipients)

7. Guidelines and schedules for management verifications for RRF operations/projects

(administrative and on-the-spot visits), and checklists of the management verifications performed

regarding the milestones/targets selected for the audit and the related indicators

8. Data specified in Article 22(2)(d) of the RRF Regulation on final recipients, contractors,

subcontractors, beneficial owners and list of measures for the implementation of reforms and

investments, in an electronically readable format

All documents submitted should be in one of these formats: .pdf, .doc, .docx, .xls, .xlsx, .xml, .msg, .csv,

.ods, .txt, .jpg, .png, .ppt, .pptx, .eml, .zip. Impossibility to convert files into these formats will be discussed

case by case.

15

During the visit, for the operations/final recipient selected for the audit, a comprehensive file (including

all the relevant working papers on the milestone/target and related indicators data processing), should be

made available to the audit team.

6. Expected time of audit team at the Intermediate body level site

Between one and a half and two days at each Intermediate level site – a more detailed planning of the

audit mission will be communicated at a later stage. Depending on the complexity of the verification

mechanism and number of milestones and targets associated to the same body, this timing could be

prolonged.

WARNING: In no circumstances should reports be fabricated for the purpose of the audit.

16

Annex IV - Information sheet for all Final recipients selected for the Audit on milestones and

targets

In this case, the intermediate bodies are the final recipients of the measures as well and,

therefore, Annex III applies.

Electronically signed on 30/04/2025 11:17 (UTC+02) in accordance with Article 11 of Commission Decision (EU) 2021/2121