Estonia

(a) What is the NIS2 implementation status?

The initial implementation draft was submitted by the Ministry of Economic Affairs and Communications (EMEAC) on 31 January 2025. The EMEAC is currently reviewing feedback from other ministries and institutions and will then forward the updated draft to the Government of Estonia.

(b) What is the envisaged NIS2 implementation timeline?

It is stated in the initial implementation draft that the law will enter into force on 1 July 2025.

(c) What does the NIS2 mean for other national cybersecurity legislation?

Estonia has already introduced fairly comprehensive cybersecurity provisions in its Cybersecurity Act of 2018, which has been amended in 2022 and will be supplemented by the provisions set out in NIS2. Therefore, there is not a significant need to amend Estonian law to transpose the NIS2 Directive, as the existing Cybersecurity Act or the regulations issued under it already largely regulate cybersecurity requirements in line with the NIS2 Directive.

The most notable change is the expansion of the list of entities covered by the Cybersecurity Act. Already today, about 3,500 entities are subject to the requirements of the Cybersecurity Act, and the draft adds (according to preliminary estimates) another 2,000 entities. There will also be a transition period of three years for new entities to bring their operations into line with the basic requirements of the Cybersecurity Act. Providers of vital services are exempt – they are subject to a five-year time period due to existing legislation.

(d) Who will be the supervisory authority and how are they preparing the market?

The draft was prepared by the EMEAC, in cooperation with the Estonian Information System Authority and the National Cyber Security Centre.

In preparing the draft law transposing NIS2 into national law, the EMEAC has already conducted several rounds of public consultations, the latest of which took place in January 2025, where interested parties were invited to give their views on the forthcoming changes. The EMEAC is still in process with consultation with various national institutions. A cybersecurity conference was also organised in Estonia to prepare the market, focusing on changes to cybersecurity requirements facing Estonian businesses.

(e) What should you be doing/on the lookout for?

Companies should first of all determine whether they fall under any subject category of the Cybersecurity Act, based on the initial implementation draft. As the NIS2 Directive provides only a minimum standard of cybersecurity, we advise clients to keep a close eye on what further changes the Estonian legislator may propose during the coordination phase and the legislative process. It is also important to be aware of the fines that the legislator intends to impose in the event of non-compliance.