Estonia
(a) What is the NIS2 implementation status?
The Ministry of Economic Affairs and Communications (EMEAC) initially led the transposition process and prepared a draft law. Responsibility has now shifted to the Ministry of Justice and Digital Affairs, which is currently developing a new draft internally.
(b) What is the envisaged NIS2 implementation timeline?
The Ministry of Justice and Digital Affairs is in the process of preparing a new draft law. No official timeline for the implementation has been announced at this stage.
(c) What does the NIS2 mean for other national cybersecurity legislation?
Estonia has already introduced fairly comprehensive cybersecurity provisions in its Cybersecurity Act of 2018, which has been amended in 2022 and will be supplemented by the provisions set out in NIS2. Therefore, there is not a significant need to amend Estonian law to transpose the NIS2 Directive, as the existing Cybersecurity Act or the regulations issued under it already largely regulate cybersecurity requirements in line with the NIS2 Directive.
The most notable change is the expansion of the list of entities covered by the Cybersecurity Act. Already today, about 3,500 entities are subject to the requirements of the Cybersecurity Act, and the draft adds (according to preliminary estimates) another 2,000 entities. There will also be a transition period of three years for new entities to bring their operations into line with the basic requirements of the Cybersecurity Act. Providers of vital services are exempt – they are subject to a five-year time period due to existing legislation.
(d) Who will be the supervisory authority and how are they preparing the market?
During the earlier drafting phase, the EMEAC conducted several rounds of public consultation, including one in January 2025. A cybersecurity conference was also organised in Estonia to prepare the market, focusing on changes to cybersecurity requirements facing Estonian businesses. The Ministry of Justice and Digital Affairs is now preparing a new draft, but no further public engagement has been announced yet.
(e) What should you be doing/on the lookout for?
As the new draft is still in development, no definitive conclusions can be drawn. However, companies may review the earlier draft published by the EMEAC to gain a general understanding of the anticipated changes.
Contact
Tambet Toomela E: tambet.toomela@eversheds-sutherland.ee
Ädu Arvisto E: adu.arvisto@eversheds-sutherland.ee
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page