NIS2 Estonia Compliance Guide: Cybersecurity Act Amendments and RIA Requirements for 2026

Complete guide to NIS2 compliance in Estonia — covering the amended Cybersecurity Act (Küberturvalisuse seadus), RIA enforcement, CERT-EE incident reporting, entity classification, sector requirements, penalties, phased implementation timeline, and cyber insurance implications for Estonian entities.

Estonia has transposed the EU NIS2 Directive into national law by amending its existing Cybersecurity Act (Küberturvalisuse seadus), which entered into force on 1 January 2026. While Estonia missed the original EU transposition deadline of October 2024, its approach is one of the most comprehensive in the EU — expanding regulated entities from approximately 3,500 to 6,500+ organizations and introducing a phased 3-year transition period running through the end of 2029.

This guide covers Estonia’s NIS2 transposition, the role of RIA (Riigi Infosüsteemi Amet — Estonian Information System Authority), CERT-EE incident reporting, entity classification, sector-specific requirements, penalties, implementation milestones, and practical steps for compliance.

Estonia’s NIS2 Transposition: Where Things Stand

Estonia implemented NIS2 not through a standalone law but by amending its existing 2018 Cybersecurity Act via an omnibus bill:

  • Cybersecurity Act (Küberturvalisuse seadus) — original 2018: Implemented the NIS1 Directive, establishing Estonia’s national cybersecurity framework, CSIRT structures, and operator obligations
  • Amending Act (“Küberturvalisuse seaduse ja teiste seaduste muutmise seadus”): Expanded scope to all NIS2 sectors, strengthened incident reporting, introduced personal liability for management, increased penalties, and added a national extension for research institutions
  • Estonian Information Security Standard (E-ITS): The primary security baseline referenced in the Act, aligned with ISO/IEC 27001 and Germany’s IT-Grundschutz. Compliance with E-ITS or ISO 27001 is considered to fulfil the NIS2 security obligations
  • National Cybersecurity Strategy 2024–2030 (“Cyber-conscious Estonia”): Sets broader strategic objectives aligned with NIS2 principles

Key Dates and Timeline

Milestone | Date
--- | ---
NIS2 Directive adopted | January 2023
NIS2 transposition deadline | October 17, 2024
Draft amendments published | December 2024
Cabinet endorsed bill | April 3, 2025
Parliament (Riigikogu) adopted | December 10, 2025
Law entered into force | January 1, 2026
Self-registration deadline | April 1, 2026
Organizational governance controls required | January 1, 2027
Full technical controls and first audits | January 1, 2028
Full compliance deadline | December 31, 2029

Important: Estonia missed the October 2024 EU transposition deadline. The European Commission opened infringement procedures and sent a reasoned opinion on May 7, 2025 for failure to notify full transposition. However, the law is now in force and Estonian entities must comply with the phased implementation milestones.

Comparison with Other EU Countries

Estonia’s approach is comparable to other EU states in our country guide series:

  • Finland (Traficom): Nordic neighbor, similar phased approach with existing cybersecurity law amendments
  • Sweden (MSB): Nordic neighbor, comparable digital infrastructure focus
  • Denmark (CFCS): Nordic cybersecurity model, similar entity classification
  • Germany (BSI): E-ITS baseline aligned with German IT-Grundschutz — cross-reference for security controls
  • Czech Republic (NUKIB): Central European neighbor, similar timeline
  • Poland (NCSA): Regional neighbor, comparable scope expansion

Key Regulatory Bodies

RIA — Riigi Infosüsteemi Amet (Estonian Information System Authority)

RIA serves as Estonia’s central cybersecurity authority under NIS2, combining multiple roles:

  • National competent authority for cybersecurity supervision and enforcement
  • CSIRT operator — runs CERT-EE (Computer Emergency Response Team Estonia)
  • Single Point of Contact (SPOC) for EU-level NIS2 coordination
  • Security baseline developer — maintains the E-ITS standard (Estonian Information Security Standard)
  • Entity registry operator — manages the national NIS2 entity registration portal

Contact: nis_spoc@ria.ee | cert@cert.ee

CERT-EE — Computer Emergency Response Team Estonia

CERT-EE is the national CSIRT operated by RIA:

  • Coordinates incident response across government and critical infrastructure
  • Provides threat intelligence sharing with EU counterparts via the CSIRTs Network
  • Manages the national cybersecurity incident reporting portal
  • Issues vulnerability alerts and security advisories for Estonian entities

Ministry of Justice and Digital Affairs (formerly MKM)

The Ministry (restructured from the Ministry of Economic Affairs and Communications) drives NIS2 policy and oversees the legislative framework, while RIA handles operational supervision and enforcement.

Other Relevant Authorities

Authority | Role
--- | ---
Eesti Pank (Bank of Estonia) | Financial sector supervision (overlaps with DORA)
Finantsinspektsioon (FSA) | Financial supervision and enforcement
Tarbijakaitse ja Tehnilise Järelevalve Amet (TTJA) | Technical regulatory oversight
Andmekaitse Inspektsioon (DPA) | Data protection (GDPR coordination)
Politsei- ja Piirivalveamet (PPA) | Law enforcement for cybercrime

Which Entities Are Affected?

Essential Entities

Under NIS2, Estonia designates essential entities in these sectors:

Sectors without alternative legislation:

  • Energy (electricity, hydrogen, district heating, petroleum, natural gas)
  • Transport (air, rail, water, road)
  • Health (hospitals, laboratories, medical device manufacturers)
  • Drinking water supply and distribution
  • Wastewater management
  • Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
  • ICT service management (managed security, managed IT)
  • Public administration (ministries, municipalities with 50,000+ population)

Exceptions to the size thresholds: Certain entities in specific sectors are covered regardless of size (e.g., digital infrastructure providers, TLD registries).

Important Entities

Estonia also identifies important entities based on thresholds:

Criterion | Essential Entity | Important Entity
--- | --- | ---
Employees | 250+ | 50–249
Turnover | €50M+ | €10M–€49.9M
OR: Designated by Estonia | Yes (sector-specific) | Yes (sector-specific)
OR: Critical due to impact | Yes (case-by-case) | Yes (case-by-case)

Estonian entities in these additional sectors qualify as important:

  • Postal and courier services
  • Waste management
  • Chemicals (production and distribution)
  • Food production and distribution
  • Manufacturing of critical products (pharmaceuticals, medical devices)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research institutions (Estonia-specific national addition beyond NIS2 Annex sectors)

Entity Registration

Estonian entities must register with RIA within 3 months of the law entering into force (by April 1, 2026). The registration process requires:

  1. Self-assessment of NIS2 scope (essential or important entity)
  2. Submission via RIA’s online portal providing: organization name, registration code, address, contact details, IP ranges, sector/subsector, and countries of service
  3. Verification by RIA (may request additional documentation)
  4. Confirmation of entity classification
  5. Ongoing updates when significant changes occur (mergers, sector changes, threshold crossings)

Sector-Specific Requirements

Energy Sector

Estonia’s energy sector faces particular scrutiny given its strategic position:

  • Elering (national electricity transmission system operator) — essential entity
  • Eesti Energia (national energy company) — essential entity
  • Gasoleduklid OÜ (gas transmission) — essential entity
  • District heating providers in major cities — essential/important entities

Energy entities must implement ICS/SCADA security measures aligned with NIS2 Article 21 and meet continuous monitoring requirements.

Transport Sector

Estonia’s transport infrastructure as an EU gateway state:

  • Tallinn Airport (Lennart Meri) — essential entity (air transport)
  • Eesti Raudtee (Estonian Railways) — essential entity
  • Port of Tallinn — essential entity (major Baltic Sea ferry and cargo hub)
  • Tallinn public transport — intelligent transport systems coverage

Healthcare Sector

Estonia’s advanced e-health system makes this sector particularly significant:

  • Estonian Health Board (Terviseamet) — essential entity
  • Estonian Health Insurance Fund (Haigekassa) — essential entity
  • Major hospital networks (North Estonia Medical Centre, Tartu University Hospital) — essential entities
  • TEHIK (Health and Welfare Information Systems Centre) — e-health infrastructure, essential entity

Estonia’s healthcare sector expanded from ~30 to 150+ regulated providers under NIS2, requiring ISO 27001 or E-ITS compliance.

Digital Infrastructure

Estonia’s strong digital government and IT sector:

  • .ee TLD registry (EIS) — essential entity
  • DNS providers operating in Estonia — essential entities
  • Cloud service providers — based on thresholds
  • Data centers — based on thresholds
  • Managed service providers (MSPs) — essential regardless of size

Digital infrastructure entities must maintain 24/7 EU-based security operations, zero-trust architecture, and vendor risk management programs.

Public Administration

Estonia’s globally recognized e-government systems:

  • Government ministries — essential entities
  • Municipalities with 50,000+ population (Tallinn, Tartu, etc.) — essential entities
  • Must appoint CISO and demonstrate baseline cybersecurity compliance

Penalties and Enforcement

NIS2-Aligned Penalties

Estonia’s penalties are fully aligned with NIS2 maximum thresholds:

Violation Type | Maximum Penalty
--- | ---
Essential entity — infringement of risk management measures | Up to €10,000,000 or 2% of total worldwide annual turnover
Important entity — infringement of risk management measures | Up to €7,000,000 or 1.4% of total worldwide annual turnover
Lesser breaches | €300,000 to €2,000,000
Failure to comply with an RIA order | Up to €70,000

Personal Liability for Management

NIS2 requires Estonia to hold management bodies personally liable for cybersecurity failures:

  • Failure to approve and oversee cybersecurity risk management measures
  • Failure to undergo cybersecurity training
  • Repeated negligence can lead to a 3-year management ban under the Estonian Commercial Code
  • Personal fines for individual violations

Enforcement Powers

RIA has broad enforcement powers under the amended Cybersecurity Act:

  • On-site and remote inspections without prior notice
  • Requests for information and documentation
  • Compulsory penetration tests at the entity’s expense
  • Compliance orders with binding deadlines
  • Cost-recovery for supervisory activities
  • Public naming for serious violations
  • Limiting system access and orders to stop illegal activities

Compliance Requirements

Article 21 Risk Management Measures

Estonian essential and important entities must implement measures covering all 10 NIS2 Article 21 areas:

  1. Risk analysis and information system security policies
  2. Incident handling (detection, response, recovery)
  3. Business continuity (crisis management, disaster recovery)
  4. Supply chain security (vendor risk management)
  5. Security in network and information systems (acquisition, development, maintenance)
  6. Vulnerability handling and disclosure
  7. Cryptography (encryption, key management)
  8. Employee training and cybersecurity awareness
  9. Access control including multi-factor authentication for privileged users
  10. Physical security of premises and data centers

Estonia-specific: RIA’s E-ITS baseline controls map directly to these requirements. Organizations certified to ISO 27001 are considered compliant with the security measures framework.

Incident Reporting Requirements

Estonian entities must report significant incidents through CERT-EE:

Reporting Stage | Timeline | Content
--- | --- | ---
Early Warning | Within 24 hours | Initial assessment, severity indication, suspected cross-border impact
Incident Notification | Within 72 hours | Updated assessment, indicators of compromise, preliminary root cause
Final Report | Within 1 month | Full incident analysis, impact assessment, remediation measures, lessons learned

Supply Chain Security

NIS2 requires Estonian entities to assess and manage cybersecurity risks across their supply chain:

  • Supplier audit rights in contracts
  • Security requirements for critical vendors
  • Concentration risk assessment (single-vendor dependencies)
  • Supply chain incident reporting obligations

This aligns with our guide on NIS2 supply chain and third-party risk management.

Phased Implementation Milestones

Estonia’s approach is uniquely structured with phased implementation running through 2029:

Date | Milestone
--- | ---
January 1, 2026 | Law enters force; CERT-EE reporting portal opens
April 1, 2026 | Self-registration deadline — all entities must register with RIA
January 1, 2027 | Organizational governance controls required (CISO appointment, board training, policies)
January 1, 2028 | Full technical controls and first audits required
December 31, 2029 | Full compliance deadline — all security measures must be implemented

This phased approach gives Estonian entities 3 years to achieve full compliance, but early milestones require action within months.

Cyber Insurance Implications for Estonian Entities

Why Estonian Entities Need Cyber Insurance

NIS2 creates significant new liability exposure for Estonian organizations:

  • Fines up to €10M for essential entities — insurance can cover defense costs and regulatory investigation expenses
  • 3-year management ban for repeated negligence — D&O insurance must be reviewed for cyber exclusions
  • Business interruption from mandatory system shutdowns during incident response
  • Third-party claims from customers affected by data breaches or service disruptions
  • Compulsory penetration test costs — RIA can mandate tests at the entity’s expense

What Underwriters Should Ask About Estonian Entities

Cyber insurance underwriters assessing Estonian risks should ask:

  1. Entity classification — Is the insured an essential or important entity under NIS2?
  2. Registration status — Has the entity registered with RIA by the April 2026 deadline?
  3. E-ITS or ISO 27001 compliance — Which security baseline is the entity following?
  4. Incident history — Any incidents reported to CERT-EE in the past 3 years?
  5. Supply chain audit program — Does the entity audit critical vendors?
  6. Management training — Has leadership completed cybersecurity training?
  7. Business continuity testing — When was the last BCP/DR test?
  8. Phased compliance status — Which milestone (2027 governance, 2028 technical, 2029 full) has been achieved?

Coverage Considerations

For Estonian entities, ensure the policy covers:

  • Regulatory investigation costs under NIS2 enforcement actions
  • Business interruption during RIA-mandated system reviews
  • Notification costs for multi-stage incident reporting (24h/72h/1-month)
  • Crisis management and reputational harm
  • Penetration test costs when mandated by RIA
  • Supply chain losses from vendor incidents (see supply chain attack loss scenarios)
  • Management liability — D&O coverage for 3-year ban exposure

Use our cyber insurance buying guide to compare coverage options and our coverage comparison tool for policy evaluation.

Implementation Roadmap for Estonian Entities

Phase 1: Assessment (January–March 2026)

  • Determine entity classification (essential or important)
  • Register with RIA via the online portal by April 1, 2026
  • Conduct gap analysis against Article 21 requirements (see our NIS2 gap analysis guide)
  • Map supply chain dependencies
  • Assess current E-ITS or ISO 27001 compliance status

Phase 2: Foundation (April–December 2026)

  • Appoint CISO or designate cybersecurity governance responsibility
  • Begin management cybersecurity training program
  • Establish incident reporting procedures aligned with CERT-EE timelines
  • Deploy baseline security controls (access management, encryption, logging)
  • Develop cybersecurity risk management policies

Phase 3: Technical Controls (2027–2028)

  • Implement full technical security controls per E-ITS baseline
  • Complete supply chain security assessments
  • Conduct business continuity and disaster recovery testing
  • Implement vulnerability disclosure process
  • Prepare for RIA audit readiness (see our NIS2 audit preparation guide)
  • Achieve January 1, 2028 milestone — technical controls and first audits

Phase 4: Full Compliance (2028–2029)

  • Complete all remaining security measures
  • Achieve full E-ITS or ISO 27001 certification
  • Conduct comprehensive penetration testing
  • Validate supply chain security across all critical vendors
  • Meet December 31, 2029 full compliance deadline

Key Takeaways

  1. Estonia transposed NIS2 by amending its existing Cybersecurity Act, which entered into force on January 1, 2026 — approximately 15 months after the EU deadline
  2. RIA (Estonian Information System Authority) is the central competent authority combining supervision, CSIRT operations, and SPOC functions
  3. CERT-EE handles incident reporting with strict 24-hour, 72-hour, and 1-month timelines
  4. Scope expanded massively from ~3,500 to 6,500+ regulated entities, including a national addition for research institutions
  5. Phased implementation runs through 2029 — governance controls by 2027, technical controls and audits by 2028, full compliance by end of 2029
  6. Penalties align with NIS2 maximums — up to €10M or 2% global turnover for essential entities, plus 3-year management bans for repeated negligence
  7. E-ITS or ISO 27001 compliance fulfills the security measures framework — Estonian entities can follow either path
  8. Cyber insurance is essential for Estonian entities facing new NIS2 liability exposure, including compulsory penetration test costs and management liability

For more NIS2 compliance resources, explore our NIS2 compliance checklist, penalties guide, and technical measures requirements. Compare your country’s approach with our essential vs important entity classification guide.
