Estonia


(a) What is the NIS2 implementation status?

Estonia has completed legislative transposition of the NIS2 directive. The transposition was carried out by amending the existing 2018 Cybersecurity Act and related sector-specific laws. The legislative instrument for implementing the directive was the bill titled “Amendments to the Cybersecurity Act and Other Acts (Transposition of the NIS2 Directive)”, which was passed on December 10th, 2025. The amendments implementing NIS2 entered into force on January 1st, 2026.

(b) What is the envisaged NIS2 implementation timeline?

Following the legal implementation of NIS2, Estonia began the operational phase, during which organisations falling under the scope of NIS2 are obliged to self-register within three months of entry into force, meaning by April 1st, 2026. Organisations are required to phase in security controls following self-registration. The legislative amendments foresee a time period of up to 3 years to achieve compliance with the directive.

(c) What does the NIS2 mean for other national cybersecurity legislation?

Estonia already had a relatively advanced regulatory framework under the Cybersecurity Act of 2018, compared to many other EU Member States. This meant that NIS2 expanded rather than replaced existing regulations. NIS2 broadened the scope of the act, increasing covered entities from roughly 3,500 to 6,500. NIS2 labels and differentiates entities as “essential” and “important” across a variety of sectors. The legislation now in force also strengthens the enforcement powers available to supervisory authorities.

(d) Who will be the supervisory authority and how are they preparing the market?

The Estonian Information System Authority (RIA), acting as the National Cyber Security Centre (NCSC-EE), will be the central supervisory and coordinating authority under the amended Cybersecurity Act. RIA also acts as the single point of contact, national competent authority and CSIRT for NIS2 purposes, with sectoral regulators continuing to play a role in specific industries. RIA is preparing the market through the self-registration phase, offering access to guidance materials and employee training/testing.

(e) What should you be doing/on the lookout for?

The deadline for self-registration by in-scope entities has elapsed. Any organisation labeled as an “essential” or “important” entity under NIS2 must prioritize registration without delay to limit exposure. Going forward, the focus should shift to using the three-year transition period to ensure compliance with the NIS2 requirements. An important element to note is the set of mandatory incident-reporting procedures, which should match the 24-hour, 72-hour and one-month deadlines.

Contact

Tambet Toomela E: tambet.toomela@eversheds-sutherland.ee

Ädu Kuusik E: adu.arvisto@eversheds-sutherland.ee
