By Emma Savouroux
1. Introduction: Estonia, a ‘digital state’
Estonia, a small country with a population of 1.3 million, decided as soon as it became independent in 1991 to invest massively in information and communication technologies (ICTs).[1] One of the main objectives was to combine the quality of public services with cost control. Because of its small size and low population density, the digitisation of the State was seen as a strategic opportunity to limit the costs associated with setting up public services. The use of ICTs was intended to connect all government departments to civil society, making services and information accessible to all citizens as well as to economic actors.[2]
Today, Estonia is regarded as a pioneer in e-governance. Indeed, 100% of public services can be accessed online at any time.[3] This approach is based on a combination of e-administration, which guarantees the efficiency of state services, e-services for the entire population, and e-participation, which places citizens at the heart of democratic life.[4]
Such a system is based both on a high level of transparency in public action and on a high level of trust on the part of citizens, particularly with regard to the management of their personal data.[5] To guarantee this trust, Estonia has adopted a rigorous legal framework, backed up by advanced technologies designed to ensure data security. The Estonian system is now recognised as one of the most secure in the world, and it continues to evolve, thanks in particular to the innovation of data embassies.
This article sets out to analyse how ICTs can be both a vulnerability, through cyber attacks, and an opportunity to respond to them. The case of Estonia, which radically rethought its cybersecurity architecture in the wake of the major cyberattack in 2007, will serve as a point of reference for this reflection.
2. The 2007 cyber attack, the trigger for the project
On 27 April 2007, Estonia was the target of a massive cyber attack that lasted for twenty-two days. This offensive targeted information systems with remarkable intensity, both in terms of the scale and diversity of the attacks, resulting in around fifty websites being taken offline.[6] Some attacks, although not critical, mainly affected institutional sites or e-mail addresses. Others, more serious, targeted the domain name system (DNS) and banking infrastructures, compromising personal and sensitive data.
The almost total digitisation of public services meant that the whole country was affected, citizens and businesses alike. The attack was seen as a direct threat to national security.[7]
Although the formal attribution of the cyber attacks remains complex and no group has claimed responsibility for them, several direct and indirect elements link them to Russia. Shortly before the attacks, the removal of a Soviet statue in Tallinn had caused tensions between the Estonian authorities and part of the country’s Russian-speaking minority. This event is considered to be one of the triggers for the attack.[8] Analyses of encrypted communications have also strengthened suspicions that the Russian state was involved in this operation, in particular through the discovery of messages that leave little doubt as to their origin, such as the one depicted in Figure 1 below.
Figure 1: Example of an instruction found on a website affected by the attack

This message (Figure 1) is representative of the majority of instructions distributed on Russian websites and forums.[9] Although these were relatively simple manoeuvres from a technical point of view, their impact was significant because of their volume and coordination. These instructions specified the motives for the attacks, the intended targets, the exact time they were to be launched and the practical details of how they were to be carried out. The main targets were state institutions such as the government, presidency, parliament, police forces, banks, internet service providers and the media.[10] The majority of attacks were of the ‘denial of service’ (DoS) or ‘distributed denial of service’ (DDoS) type, using well-known techniques such as ping flood, UDP flood and massive spam campaigns.[11] The major vulnerability exploited was the Estonian government’s high level of digitalisation: in the event of a large-scale attack, all the country’s administrative and digital services could be paralysed. This is precisely what happened during those twenty-two days, during which Estonia found itself with no effective means of containing or countering the attacks. Secure access to strategic data, hosted outside the national territory, would have made it possible to ensure the continuity of the State, maintain some of the operational services and organise a more structured response to the cyber attack.
The repercussions of the attack
The repercussions of these cyber attacks are manifold, insofar as they are not isolated acts but appear to have the implicit, or even explicit, support of the Russian State. This state dimension considerably increases the level of threat to Estonia. Faced with these recurring pressures, Estonia has been forced to anticipate a wide range of scenarios and to engage in strategic reflection on enhanced data protection, particularly for data deemed sensitive to national security.[12]
In this context, information and communication technologies (ICTs) have become essential tools for preventing and responding to cyber threats.[13] They enable the development of projects and innovations that were previously unthinkable. This is why, in response to the cyber attack in 2007, Estonia stepped up its investment in the digital sector to consolidate and develop strategic defence tools.
One of the most emblematic results of this drive is the creation of the NATO Cooperative Cyber Defence Centre of Excellence[14] in Tallinn. Every year, this centre hosts the world’s largest cyber defence exercise, Locked Shields.[15] Estonia has also forged a number of partnerships with countries engaged in digital transformation, such as Colombia,[16] Vietnam[17] and Morocco,[18] reinforcing its role as a model for cybersecurity on the international stage.
Data embassies, created in the wake of cyber attacks to ensure the security of government data outside national territory, also illustrate the way in which ICTs can be used to enhance the digital resilience of governments. Having become an integral part of defence policies, they help to strengthen digital sovereignty and consolidate the state apparatus as a whole.
3. Setting up the data embassy, an investment by the European Union
The partnership between Estonia and Luxembourg began in 2015 and was finalised in 2017, ten years after the cyber attack in 2007. The project has a total budget of €2.2 million, including €1 million to set up the digital embassy and €236,000 in annual costs over a five-year period. Estonia is covering only 15% of this cost, with the European Union funding the remaining 85% through the European Regional Development Fund (ERDF).[19]
The European Union’s financial support for this project demonstrates its growing commitment to the digital sector, and in particular to issues of resilience and sovereignty. The aim is clear: to reduce dependence on the major technological powers, particularly the US, in order to guarantee autonomous control over critical data and infrastructures. Several Member States, including Finland and Germany, are therefore calling for a strengthening of Europe’s strategic autonomy through targeted investment in digital sovereignty.[20] The partnership between Estonia and Luxembourg is fully in line with this dynamic. While initiatives such as Gaia-X[21] and EUCS have been launched with this in mind, their implementation is still only partial.[22] The data embassy therefore represents a concrete, operational model that is likely to achieve the same objectives of resilience and sovereignty.
Between setting a precedent and legal uncertainty
Located on the territory of a third country, data embassies have a dual purpose: on the one hand, to strengthen digital security in the event of a cyber attack; on the other, to ensure the continuity of public action in crisis situations, particularly in the event of war or natural disaster. They enable sensitive data to be hosted in a secure environment with guaranteed immunity.[23] Although the Vienna Convention does not explicitly govern digital infrastructures, a bilateral agreement has been concluded between Estonia and Luxembourg so that the protections provided by this convention apply to data embassies.[24] In the absence of such an agreement, recognition of these infrastructures as diplomatic entities would not be legally guaranteed.
This precedent paves the way for an international debate on the recognition and regulation of digital diplomatic infrastructures. There are two possible approaches: either an explicit extension of the scope of the Vienna Convention to digital environments, or the development of a new international legal instrument specifically dedicated to digital issues. The European Union could thus play a leading role by defining a normative framework facilitating the implementation of similar projects between Member States.
4. How the project works and its limitations
Luxembourg was chosen for a number of reasons. The Grand Duchy has advanced technical expertise in data management and cybersecurity, backed up by substantial investment in the digital sector. Its main data centre, inaugurated in 2016, offers hosting capacity of 5,500 m².[25] The country also has 23 high-tech data centres and already provides secure hosting for NATO and EU data.[26] The Estonian data embassy has also been awarded Tier IV certification by the Uptime Institute, guaranteeing the highest level of security, with an availability rate of 99.995% and total fault tolerance.[27]
Estonia keeps ten sets of data deemed strategic: land registers, tax registers, company registers, population registers, identity registers, pension registers, the official gazette, the information systems of the public treasury and those of the judiciary.[28] This data is updated continuously, by real-time synchronisation or periodic back-ups.[29] Integrated into the Estonian government cloud, the data embassy ensures the continuity of digital public services, strengthening the country’s resilience in the face of growing cyber security threats.[30]
However, this innovative partnership is not without its risks and limitations, not least because of its pioneering legal nature. In the absence of a clearly defined international framework, the project rests on a fragile foundation, despite the signing of a bilateral agreement. By transferring part of its digital infrastructure abroad, Estonia is exposing itself to a form of technical and political dependency. Institutional instability in Luxembourg, a deterioration in bilateral or European relations, or even a simple major technical failure, could compromise the security of the data hosted. In addition, a large-scale cyber attack on the data embassy would potentially engage the joint responsibility of the two States.
Although the data embassy represents an innovative and promising solution today, its effectiveness remains hypothetical. Since it was set up, it has not been affected by any direct threat or targeted cyber attack. Consequently, this model has not yet proved its worth in a real crisis context.
5. Conclusion
Estonia has succeeded in integrating information and communication technologies (ICTs) at all levels of its administration, placing efficiency, transparency and trust at the heart of its digital project. This approach is part of an ongoing dynamic: every decade, the Estonian government sets itself ambitious new targets. In particular, the Digital Agenda 2030 aims to provide nationwide access to very high-speed broadband and to strengthen the country’s cyber defence capabilities.[31]
Aware of the changing threats, particularly since the outbreak of war in Ukraine, Estonia is continuing to invest in innovative projects to increase its resilience in the face of multiple risks. With this in mind, the Republic of Estonia is considering establishing new partnerships with other States to diversify the locations where its strategic data is hosted.[32] These new sites could store either redundant copies of the data hosted in Luxembourg, or additional data, thereby helping to raise the overall level of security.
The “data embassy” concept is attracting growing interest from many countries, particularly those exposed to recurring cyber threats, but also to other forms of vulnerability such as armed conflict or natural disasters.[33] The case of Monaco, which in 2021 signed an agreement with Luxembourg based on the Estonian model, illustrates the attractiveness of this solution.[34] Luxembourg, for its part, has declared itself ready to host other similar projects, thereby consolidating its role as a European platform for digital security.[35]
The data embassy represents a pioneering initiative, offering the European Union a concrete opportunity to drive a genuine digital transition. By strengthening digital sovereignty and resilience, this model also fosters solidarity and cohesion between Member States. However, its replicability remains limited: such a system is based on a set of complex technical, political and legal conditions, specific to each State. It can therefore only be implemented on a case-by-case basis, or through mechanisms at supranational level.
With this in mind, there are several possible approaches. On the one hand, the creation of a European sovereign cloud could offer an infrastructure shared by several Member States, meeting common security and pooling requirements. On the other hand, the European Union could support smaller countries – such as Latvia, Lithuania and Cyprus – in developing similar bilateral partnerships, while providing a regulatory and technical framework.
However, before such initiatives can be implemented at EU level, the legal framework needs to be clarified, inter-state digital cooperation strengthened and a common strategic vision defined. These conditions are now essential prerequisites for developing a coherent and effective European model for digital sovereignty.
Endnotes
[1] Picron, A. (2018). E-stonia: Model of an e-governed Platform State. https://www.institutsapiens.fr/wp-content/uploads/2018/07/LE-stonie.pdf
[2] Data embassy. e-estonia. (2025, February 13). https://e-estonia.com/solutions/e-governance/data-embassy/
[3] Data embassy. e-estonia. (2025, February 13). https://e-estonia.com/solutions/e-governance/data-embassy/
[4] Data embassy. e-estonia. (2025, February 13). https://e-estonia.com/solutions/e-governance/data-embassy/
[5] De Pommereau, I. (2017, June 8). World’s first “data embassy.” dw.com. https://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011
[6] Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
[7] Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
[8] Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
[9] Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
[10] Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
[11] Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
[12] De Pommereau, I. (2017, June 8). World’s first “data embassy.” dw.com. https://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011
[13] Picron, A. (2018). E-stonia: Model of an e-governed Platform State. https://www.institutsapiens.fr/wp-content/uploads/2018/07/LE-stonie.pdf
[14] NATO Cooperative Cyber Defence Center of Excellence. (n.d.). https://ccdcoe.org/about-us/
[15] Morel, T. (2024, May 30). Estonia: A Digital Giant. L’IHEDN: Institut des hautes études de défense nationale. https://ihedn.fr/notre-selection/lestonie-un-geant-numerique/
[16] Political consultations between Estonia and Colombia held in Tallinn. Välisministeerium. (n.d.-c). https://www.vm.ee/en/news/political-consultations-between-estonia-and-colombia-held-tallinn
[17] Foreign minister Tsahkna meets with the foreign minister of Vietnam in Tallinn. Välisministeerium. (n.d.-a). https://www.vm.ee/en/news/foreign-minister-tsahkna-meets-foreign-minister-vietnam-tallinn
[18] Foreign minister Tsahkna to his Moroccan counterpart: Estonia-Morocco relations have gained new momentum. Välisministeerium. (n.d.). https://www.vm.ee/en/news/foreign-minister-tsahkna-his-moroccan-counterpart-estonia-morocco-relations-have-gained-new
[19] Cavegn, D. (Ed.). (2017, August 24). Data Embassy in Luxembourg to cost €2.2 million over five years. ERR. https://news.err.ee/614646/data-embassy-in-luxembourg-to-cost-2-2-million-over-five-years
[20] Digital sovereignty for Europe – European Parliament. (n.d.-b). https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/651992/EPRS_BRI(2020)651992_EN.pdf
[21] Caliman, L. (2025, June 19). Gaia-X: The challenge of a sovereign European cloud. Polytechnique Insights. https://www.polytechnique-insights.com/tribunes/digital/gaia-x-le-pari-dun-cloud-europeen-souverain/#:~:text=En%202020%2C%20l’EU%20has,hegemony%20of%20North%202American%20actors.
[22] Geffray, M. (2025, May 20). EUCS – a European cloud certification aligned with secnumcloud. Oodrive. https://www.oodrive.com/fr/blog/secnumcloud/souverainete/eucs/
[23] E-ambassades au Luxembourg. Luxembourg. (n.d.). https://luxembourg.public.lu/fr/investir/innovation/e-ambassades-au-luxembourg.html
[24] E-ambassades au Luxembourg. Luxembourg. (n.d.). https://luxembourg.public.lu/fr/investir/innovation/e-ambassades-au-luxembourg.html
[25] E-ambassades au Luxembourg. Luxembourg. (n.d.). https://luxembourg.public.lu/fr/investir/innovation/e-ambassades-au-luxembourg.html
[26] Talmazan, Y. (2019). Why this tiny Baltic Nation is building a digital embassy half a continent away. euronews. https://www.euronews.com/2019/06/25/data-security-meets-diplomacy-why-estonia-storing-its-data-luxembourg-n1018171?
[27] Pritchard, H. (2017). Estonian data embassy in Luxembourg to cost €2.2M. Luxembourg Times. https://www.luxtimes.lu/luxembourg/estonian-data-embassy-in-luxembourg-to-cost-2-2m/1215968.html
[28] AFP. (2017, July 15). Estonia: An e-embassy in Luxembourg to protect its data. Challenges. https://ml.decouverte.challenges.fr/monde/estonie-une-e-ambassade-au-luxembourg-pour-proteger-ses-donnees_487462
[29] Data Embassy. (n.d.). https://e-estonia.com/wp-content/uploads/factsheet_data_embassy.pdf
[30] Data embassy. e-estonia. (2025, February 13). https://e-estonia.com/solutions/e-governance/data-embassy/
[31] Digital Connectivity in Estonia. Shaping Europe’s digital future. (n.d.). https://digital-strategy.ec.europa.eu/en/policies/digital-connectivity-estonia#:~:text=The%20Estonian%20Digital%20Agenda%202030,the%20Estonia’s%20Digital%20Agenda%202030.
[32] Talmazan, Y. (2019). Why this tiny Baltic Nation is building a digital embassy half a continent away. euronews. https://www.euronews.com/2019/06/25/data-security-meets-diplomacy-why-estonia-storing-its-data-luxembourg-n1018171?
[33] Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
[34] E-ambassades au Luxembourg. Luxembourg. (n.d.). https://luxembourg.public.lu/fr/investir/innovation/e-ambassades-au-luxembourg.html
[35] Talmazan, Y. (2019). Why this tiny Baltic Nation is building a digital embassy half a continent away. euronews. https://www.euronews.com/2019/06/25/data-security-meets-diplomacy-why-estonia-storing-its-data-luxembourg-n1018171?
Bibliography
AFP. (2017, July 15). Estonia: An e-embassy in Luxembourg to protect its data. Challenges. https://ml.decouverte.challenges.fr/monde/estonie-une-e-ambassade-au-luxembourg-pour-proteger-ses-donnees_487462
AFP. (2017, July 16). Estonia to open world’s first Virtual Data Embassy. RFI. https://www.rfi.fr/en/contenu/20170716-estonia-open-worlds-first-virtual-data-embassy
Agreement between the Republic of Estonia and the grand Duchy of Luxembourg on the hosting of data and information systems. Riigiteataja (2017). https://www.riigiteataja.ee/aktilisa/2280/3201/8002/Lux_Info_Agreement.pdf
Caliman, L. (2025, June 19). Gaia-X: The challenge of a sovereign European cloud. Polytechnique Insights. https://www.polytechnique-insights.com/tribunes/digital/gaia-x-le-pari-dun-cloud-europeen-souverain/#:~:text=En%202020%2C%20l’EU%20a,hegemony%20of%20north%20American%20actors%20.
Cavegn, D. (Ed.). (2017, August 24). Data Embassy in Luxembourg to cost €2.2 million over five years. ERR. https://news.err.ee/614646/data-embassy-in-luxembourg-to-cost-2-2-million-over-five-years
Data Embassy (n.d.-a). https://e-estonia.com/wp-content/uploads/factsheet_data_embassy.pdf
Data embassy. e-estonia. (2025, February 13). https://e-estonia.com/solutions/e-governance/data-embassy/
De Pommereau, I. (2017, June 8). World’s first “data embassy.” dw.com. https://www.dw.com/en/estonia-buoys-cyber-security-with-worlds-first-data-embassy/a-39168011
Digital Connectivity in Estonia. Shaping Europe’s digital future. (n.d.). https://digital-strategy.ec.europa.eu/en/policies/digital-connectivity-estonia#:~:text=The%20Estonian%20Digital%20Agenda%202030,the%20Estonia’s%20Digital%20Agenda%202030.
Digital sovereignty for Europe – European Parliament. (n.d.-b). https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/651992/EPRS_BRI(2020)651992_EN.pdf
E-ambassades au Luxembourg. Luxembourg. (n.d.). https://luxembourg.public.lu/fr/investir/innovation/e-ambassades-au-luxembourg.html
Foreign minister Tsahkna to his Moroccan counterpart: Estonia-Morocco relations have gained new momentum. Välisministeerium. (n.d.). https://www.vm.ee/en/news/foreign-minister-tsahkna-his-moroccan-counterpart-estonia-morocco-relations-have-gained-new
Foreign minister Tsahkna meets with the foreign minister of Vietnam in Tallinn. Välisministeerium. (n.d.-a). https://www.vm.ee/en/news/foreign-minister-tsahkna-meets-foreign-minister-vietnam-tallinn
Geffray, M. (2025, May 20). EUCS – a European cloud certification aligned with secnumcloud. Oodrive. https://www.oodrive.com/fr/blog/secnumcloud/souverainete/eucs/
Morel, T. (2024, May 30). Estonia: A Digital Giant. L’IHEDN: Institut des hautes études de défense nationale. https://ihedn.fr/notre-selection/lestonie-un-geant-numerique/
NATO Cooperative Cyber Defence Center of Excellence. (n.d.). https://ccdcoe.org/about-us/
Ottis, R. (n.d.). Analysis of the 2007 cyber attacks against Estonia from the Information Warfare Perspective. Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
Political consultations between Estonia and Colombia held in Tallinn. Välisministeerium. (n.d.-c). https://www.vm.ee/en/news/political-consultations-between-estonia-and-colombia-held-tallinn
Picron, A. (2018). E-stonia: Model of an e-governed platform state. https://www.institutsapiens.fr/wp-content/uploads/2018/07/LE-stonie.pdf
Pikulicka-Wilczewska, A. (2017, June 27). Estonia combats hacking with world’s first Data Embassy. New Eastern Europe. https://neweasterneurope.eu/2017/06/27/estonia-combats-hacking-with-world-s-first-data-embassy/
Pritchard, H. (2017). Estonian data embassy in Luxembourg to cost €2.2M. Luxembourg Times. https://www.luxtimes.lu/luxembourg/estonian-data-embassy-in-luxembourg-to-cost-2-2m/1215968.html
Talmazan, Y. (2019). Why this tiny Baltic Nation is building a digital embassy half a continent away. euronews. https://www.euronews.com/2019/06/25/data-security-meets-diplomacy-why-estonia-storing-its-data-luxembourg-n1018171?
What are data center tiers: Glossary. HPE. (n.d.). https://www.hpe.com/us/en/what-is/data-center-tiers.html#:~:text=Tier%204:%20A%20Tier%204,26.3%20minutes%20of%20downtime%20annually).



