When shutdown is no option: Identifying the notion of the digital government continuity paradox in Estonia's eID crisis

States must increasingly manage cybersecurity threats and disruptions in their digital government infrastructures. However, the digital government literature lacks a systematic, more rigorous understanding of how states respond to such risks and crises and what factors can explain these responses. This article addresses this research gap by identifying explanatory mechanisms of cyber risk and crisis governance in a critical and, to date, unique case: the Estonian government's management of the ‘ROCA’ vulnerability, which rendered two-thirds of its national electronic identity cards vulnerable to a major security risk. The case provides one of few examples in which a digitally highly advanced state publicly dealt with a large-scale cyber risk at the heart of its digital government. Estonia overcame the crisis without constraining the affected infrastructures' functionality, while other countries did not. The article examines a seeming paradox of 'digital government continuity': Crisis managers can not afford to shut down widely adopted, yet vulnerable, digital systems. However, the vulnerable systems' continued operation contributes to their resilience. The article identifies five constructs that help explain digital government resilience: 1) technology management, 2) networked cooperation, 3) collaboration capital, 4) risk management capacity, and 5) legitimacy building.