NIS2 Country Guide

NIS2 Estonia: Cybersecurity Act Amendments (2025)

Estonia has updated its Cybersecurity Act to align with the EU NIS2 Directive, expanding the scope of regulated entities, strengthening requirements for essential and important sectors, and enhancing national supervision under the Estonian Information System Authority (RIA).

Estonia NIS2 implementation: 2025
Competent authority: RIA

1 Introduction: NIS2 Directive & the Estonian context

Estonia is one of the most digitally advanced EU Member States, known for its electronic governance framework and robust cybersecurity infrastructure. To align with NIS2, Estonia amended its existing Cybersecurity Act, expanding obligations and strengthening security governance for both public and private sectors.

The updated framework increases requirements for risk management, incident reporting, supply chain security, and oversight across essential and important entities.

New to NIS2? Start with our guides: What is NIS2? and NIS vs NIS2.

2 NIS2 implementation in Estonia

Estonia implemented NIS2 through amendments to its Cybersecurity Act in 2025. These amendments broaden the list of regulated sectors, introduce the NIS2 essential/important entity model, and reinforce supervisory powers of the Estonian Information System Authority (RIA).

Status

The NIS2 Directive has been transposed into Estonian law through amendments to the Cybersecurity Act, which entered into force on 1 January 2026.

Legal structure

The amended Cybersecurity Act defines obligations for essential and important entities, requirements for cybersecurity risk management, reporting rules, and supervisory mechanisms.

Supervisory approach

RIA oversees enforcement, coordinates with sector regulators, and operates the national CSIRT for incident and threat handling.

3 NIS2 Estonia: what you need to know about compliance

Estonia applies the NIS2 essential/important model, with obligations corresponding to sector, service criticality, and organisational size thresholds.

Who is in scope?

  • Entities in NIS2 Annex I sectors (energy, health, water, digital infrastructure, public administration, etc.).
  • Entities in Annex II sectors (food, postal/courier services, manufacturing of critical goods, research, etc.).
  • Medium and large enterprises meeting NIS2 thresholds.
  • Entities covered regardless of size: DNS, TLD registries, trust-service providers, major cloud and data-centre operators.

Core obligations

  • Implement risk-management measures aligned with NIS2 Annex I.
  • Ensure monitoring, detection, and reporting of significant incidents to RIA/CSIRT.
  • Develop and maintain cybersecurity documentation and incident-response plans.
  • Implement supply-chain and third-party cybersecurity controls.
  • Ensure management-level cybersecurity oversight and training.

Framework alignment

While not mandatory, using ISO/IEC 27001 or NIST CSF supports readiness and structured compliance.

Designation: Entities may be officially designated essential or important by RIA based on sector and criticality.

4 Competent authorities & CSIRTs

Estonia operates a coordinated national cybersecurity model, with RIA as the main supervisory authority.

Role: National competent authority & Single Point of Contact
Authority: RIA (Estonian Information System Authority)
Notes: Responsible for oversight, enforcement, strategic coordination, and EU-level reporting.

Role: National CSIRT
Authority: Estonian CSIRT (CERT-EE)
Notes: Receives incident notifications, provides guidance, and supports response efforts.

Role: Sectoral regulators
Authority: Various authorities
Notes: Shared oversight where sector-specific rules apply (energy, telecom, finance, etc.).

5 NIS2 timeline & key dates (Estonia)

27 Dec 2022 — Directive (EU) 2022/2555 (NIS2) is published in the Official Journal of the European Union.
17 Oct 2024 — EU deadline for Member States to transpose NIS2 into national law (Estonia did not meet this deadline).
2023–2024 — Drafting and consultation on amendments to the Estonian Cybersecurity Act in preparation for NIS2 alignment.
2025 — Amendments to the Cybersecurity Act are adopted to align with NIS2 (transposition law approved).
1 Jan 2026 — The amended Cybersecurity Act enters into force, expanding scope and activating NIS2-aligned obligations, with registration required by 1 April 2026.
2025–2027 — Registration, legal classification, supervisory rollout, initial audits and full compliance implementation phases continue under RIA oversight.

6 Sector-specific notes for Estonia

  • Energy: electricity and gas infrastructure classified as essential.
  • Digital infrastructure: Estonia prioritises e-government and digital identity services.
  • Finance: close supervision through joint oversight with financial regulators.
  • Healthcare: hospitals and medical data processors face strict requirements.
  • Public services: strong focus on continuity of digital public services (X-Road ecosystem).

7 Penalties for non-compliance

Estonia applies NIS2-aligned penalties, including significant administrative fines, corrective measures, and possible management accountability for severe compliance failures.

  • High administrative fines aligned with EU NIS2 ceilings.
  • Binding orders and mandatory remediation plans.
  • Enhanced supervision for repeated non-compliance.
  • Leadership accountability for governance failures.

8 How to prepare for NIS2 in Estonia

  1. Confirm scope: Determine if you qualify as an essential or important entity.
  2. Understand obligations: Review obligations under the amended Cybersecurity Act.
  3. Perform a gap assessment: Compare your current cybersecurity controls against NIS2-aligned obligations and prioritise remediation measures.
  4. Strengthen incident readiness: Strengthen detection, response, and reporting processes.
  5. Secure the supply chain: Implement third-party risk management procedures and update contractual cybersecurity clauses where necessary.
  6. Align with a recognised framework: Align with an ISMS (e.g., ISO 27001) for structured governance.
  7. Train leadership & staff: Provide management and staff training on cybersecurity responsibilities.

9 Official links & resources

10 FAQ: NIS2 in Estonia

Has Estonia fully transposed NIS2?
Yes. Estonia implemented NIS2 through amendments to the Cybersecurity Act in 2025.

Who is the competent authority?
RIA (Estonian Information System Authority) oversees NIS2 compliance and supervision.

Are ISO certifications mandatory?
No, but ISO 27001 is strongly recommended for structured compliance.

Do entities need to register?
Essential and important entities may be required to register with RIA and submit relevant documentation.

Information provided for general guidance; always consult the Estonian Cybersecurity Act, RIA publications and legal counsel for definitive NIS2 compliance requirements.