Estonia

(a) What is the NIS2 implementation status?

The state of implementation of the NIS2 Directive is the same as in November. The Estonian Ministry of Economic Affairs and Communications (EMEAC) is still in the process of drafting legislation to transpose NIS2 into national law. So far, still no preview of the draft legislation has been published. Although Member States have to transpose the Directive into national law by 17 October 2024, the Commission is still in the process of preparing the NIS2 proposal.

(b) What is the envisaged NIS2 implementation timeline?

The EMEAC intends to publish the Act amending the Cybersecurity Act and other Acts, draft regulation transposing Directive (EU)2022/2555 (14 December 2022) in April 2024. The Act should enter into force from 18 October 2024.

(c) What does the NIS2 mean for other national cybersecurity legislation?

Estonia has already introduced quite extensive cybersecurity provisions under its 2018 Cybersecurity Act, which has been amended in 2022 and will be amended with the provisions that NIS2 sets forth.

The 2018 Act already provides for a duty to analyse threats posed to network or information systems and adopt apposite technical and/or organisational measures to prevent such threats from materialising. The Act also sets out an obligation to notify the competent authority of cyber incidents immediately but no later than within 24 hours. The amendments made in 2022 modernise the legal framework for information security and emphasise the approach already introduced to implement information security in a holistic and institution-wide manner, covering all network and information systems. It follows changes related to risk management and incident reporting will likely be rather nominal in Estonia.

At present, we cannot determine for certain what effect the introduction of NIS2 will have on other national cybersecurity legislation, since the domestic implementing act has not yet been published.

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority will be the Estonian Information System Authority, which falls under the competence of the EMEAC.

In preparing the draft legislation transposing NIS2 into domestic law, the EMEAC has already carried out one round of public consultation in June 2023, asking interested parties to provide their perspectives on the upcoming amendments. The EMEAC has completed rounds of consultation. The EMEAC has collected proposals from various national institutions, including the National Security and Defence Coordination Unit.

The National Security and Defence Coordination Unit suggests that information sharing on NIS2 is an area of concern. Article 22 of NIS2 creates a reporting obligation for sectors under the NIS2 scope. ENISA will create and operate a register of entities and competent authorities’ access. However, the sharing of information has so far not been harmonised across the EU Member States. The Authority also proposed to apply an all-hazards approach under Directive (EU) 2022/2555, which covers the continuous operation of network and information systems and their physical components and the physical environment. Estonia expressed reporting of cyber incidents should therefore remain a matter of cooperation between the competent national authorities of the Member States.

A cybersecurity conference was also organised in Estonia to prepare the market, focusing on changes to cybersecurity requirements facing Estonian businesses.

(e) What should you be doing/on the lookout for?

As the NIS2 Directive provides only a minimum standard of cybersecurity, we advise clients to keep a close eye on what further changes the Estonian legislator may propose on its own initiative. More information on the NIS2 implementation process will be available in a few months’ time, in April 2024 at the latest.