20 years of Estonia’s i-voting experience: Secure i-voting requires thorough preparation and public trust

Alo Einla, Head of the Election Infosystems Development Department at the Estonian Information System Authority (RIA)

Since 2005, when Estonia held its first nationwide e-elections, the system has continuously evolved and become a model for many countries when considering the digitalisation of their voting processes. Yet, from the very beginning, questions of trust and security have accompanied i-voting, despite its reliability.

We spoke with Alo Einla, Head of the Election Infosystems Development Department at the Estonian Information System Authority (RIA), at the time when local elections were taking place in Estonia, about how the country ensures the security of i-voting, how experts prepare for potential cyberattacks, and what valuable lessons other countries — including those in the Balkans — could take from Estonia’s experience.

I-voting in progress – how has it gone so far? 

I-voting is an integral part of Estonia’s election system and could be compared to a digital polling station. It offers a convenient and fast way to cast a vote, especially for those unable to attend a polling station in person or who prefer to vote from home or while travelling abroad. It also helps to stabilise voter turnout and streamline the overall process.

During the elections, minor attempts were made to carry out DDoS attacks, but these had no impact on the systems. The entire national IT infrastructure is under heightened scrutiny, as disruptions in other digital services could also affect public trust in the elections. No significant incidents or attempts have been detected that would have affected the election systems or their operation. (After the elections, no incidents were reported that would have endangered i-voting. – R.K.)

What gives Estonian citizens confidence that their vote is secure, remains unchanged, and stays anonymous?

Estonia’s i-voting system is built on the country’s broader digital ecosystem, which has been developed and audited for many years. A high-quality population register, secure electronic identity, and the X-Road data exchange layer form a strong foundation of trust.

The eID system is the cornerstone of i-voting security — it enables reliable identification of the voter and verification of voting rights while maintaining the secrecy and integrity of each vote. Voters can also verify that their vote has reached the collection service, without revealing how they voted.

A voter may cast multiple i-votes, but only the last one counts — whether cast electronically or on paper. This rule prevents coercion and ensures freedom of choice. The entire process is audited by independent experts to ensure transparency and traceability at every stage.

Many countries have faced cyberattacks during elections. How does Estonia ensure its i-voting process is secure? 

Estonia’s key advantage lies in the integration of digital service development and cybersecurity under one authority. This unified structure allows IT developers and security teams to work in close cooperation rather than in isolated silos.

Election IT development is part of Estonia’s overall digital governance framework. The cybersecurity teams handle incident management, prevention, standardisation, and critical infrastructure protection, producing situational reports and analyses for all involved parties.

Preparation for elections is continuous, with more intensive work beginning about six months before election day. This includes testing, system stabilisation, security and usability audits, and public demonstration events. Importantly, this is not a one-off effort — it is an ongoing process, backed by stable state budget funding, ensuring sustainability. Clarity of roles is also crucial, as everyone should focus on their area of expertise and cooperate closely. The entire process must be established in law and in technical cooperation agreements, carried out according to standards, and later audited.

During the elections, an operational IT command centre is set up, bringing together representatives from the Information System Authority (RIA), the State Electoral Office, and development partners. This ensures that all decisions are made swiftly, and that responsibilities are clearly defined. Additionally, the functioning of systems is monitored in real-time to enable an immediate response to any irregular activity. During the elections, increased attention is paid not only to election systems but to the entire national IT infrastructure, as disruptions in other services can undermine public trust.

Estonia’s IT command centre in action during elections: VIS, the core election information system, manages election events, candidates, voter lists, polling station results, and overall outcomes, while EHS securely collects, verifies, and processes e-votes, working with VIS to ensure transparency.
Estonia’s IT command centre in action during elections: VIS, the core election information system, manages election events, candidates, voter lists, polling station results, and overall outcomes, while EHS securely collects, verifies, and processes e-votes, working with VIS to ensure a smooth and secure election process.

Today, Estonia’s cyber defence capabilities and tools are strong enough that DDoS attacks and similar attempts pose little real threat. Preparations also include protection against hybrid threats, disinformation, and AI-driven manipulation. This is made possible through highly qualified experts and round-the-clock monitoring, ensuring confidence in the election process.

If the system has a strong foundation, what are the main challenges Estonia faces with i-voting today? 

The main challenge is no longer technical but psychological. The most dangerous threats are not direct attacks on systems but those aimed at undermining public trust — through misinformation, false narratives, and disinformation. Technical threats can be detected and stopped; rebuilding trust is far more complex.

That’s why Estonia invests increasingly in public awareness and education — helping citizens understand how i-voting works and why it is secure. In addition to technical protection, RIA focuses on improving cyber hygiene and digital literacy across society.

RIA i-voting
Photo: RIA

Montenegro and other states in the Balkans have also faced cyberattacks. How can countries build trust in i-voting before even technical readiness is achieved?

Trust must be built step by step. When citizens can safely identify themselves online, access and manage data, and see that the government operates transparently, trust in digital services naturally follows. 

I-voting cannot be introduced overnight — it must be built on a foundation of digital trust that has already been established.

A recent eGA report highlighted that North Macedonia’s election-related digital processes face critical risks due to the lack of a comprehensive cybersecurity framework, shortage of IT personnel, and absence of security audits. Where to start here? 

The first step is to establish a strong governance structure — with clear roles, responsibilities, and coordination. Investment in human capital is equally vital, as no system can function without skilled professionals.

Effective cooperation between institutions responsible for election IT, cybersecurity, and administration is essential.  

Regular security audits and tests are also necessary. In Estonia, such simulations are conducted not only just before elections but also between them, and that consistency is one of our greatest strengths.

With which countries and organisations does Estonia cooperate to ensure secure elections? 

Estonia works closely with the European Union, NATO, and other partners, while also supporting countries in building their digital governance systems. The e-Governance Academy (eGA), for example, has been RIA’s key partner in Moldova, Montenegro, and North Macedonia.

RIA’s role is to provide technical support and guidance on strengthening cyber resilience — from risk assessments to system testing. The goal is not for countries to copy Estonia’s model, but to adapt its lessons to their own national contexts.

What would you say to countries that have not yet implemented i-voting? What mistakes should they avoid? 

The biggest mistake is to treat i-voting as an isolated IT project. It must be part of a broader national digital strategy. Without digital identity, reliable registries, and clear accountability, i-voting cannot function. Continuous and stable funding is equally essential — development and maintenance must be ongoing and state-funded.  

Considering current technology trends and people’s habits, it’s also worth planning mobile voting solutions from the outset.

I recommend starting small — for instance, with pilots involving the military, diaspora communities, or local municipalities — and conducting public tests well before full-scale implementation.

What are the biggest challenges and opportunities for the future of i-voting? 

Artificial intelligence (AI) could, in the future, support risk assessment and automate security monitoring, but it cannot replace human oversight. At the same time, AI introduces new risks, such as the spread of disinformation.

The main challenge will remain maintaining public trust in an environment where false information spreads quickly and deliberately. But this is also an opportunity — to make systems even more transparent, verifiable, and resilient, proving that secure digital democracy is achievable.

Thank you for taking the time for this interview!

Estonian Information System Authority (RIA)

Recommendations

  • Strong cybersecurity governance framework – clear leadership, regular security audits, and risk assessments. 
  • Sustainable state funding – ensures continuous development and maintenance of secure systems. 
  • Cooperation – between stakeholders, including Public-Private Partnership (PPP) 
  • Qualified IT professionals – sufficient expertise to manage systems and prevent attacks. 
  • Public trust-building – through awareness-raising and adoption of secure e-identification.
  • Independent and secure databases – reduce reliance on third-party data resources. 
  • Learning from others – using international experience helps save time and resources.
This article was created by Riina Kallas, eGA