Estonia
(a) What is the NIS2 implementation status?
Transposition of NIS2 will be carried out mainly through amending the existing Cybersecurity Act and a number of sector-specific laws. The Ministry of Economic Affairs and Communications (EMEAC) initially led the transposition process and prepared a draft law. Responsibility has now shifted to the Ministry of Justice and Digital Affairs, which presented the government’s bill to the Parliament. The draft passed its first reading on 23 October 2025.
(b) What is the envisaged NIS2 implementation timeline?
The current draft has passed its first reading in the Parliament and must still go through the second and third readings before final adoption.
(c) What does the NIS2 mean for other national cybersecurity legislation?
Estonia has already introduced fairly comprehensive cybersecurity provisions in its Cybersecurity Act of 2018, which was amended in 2022 and will be supplemented by the provisions set out in NIS2. There is therefore no significant need to amend Estonian law to transpose the NIS2 Directive, as the existing Cybersecurity Act and the regulations issued under it already largely regulate cybersecurity requirements in line with the Directive. The most notable change is the expansion of the list of entities covered by the Cybersecurity Act. About 3,500 entities are already subject to the requirements of the Cybersecurity Act today, and the draft adds (according to preliminary estimates) another 2,000 entities. There will also be a transition period of three years for new entities to bring their operations into line with the basic requirements of the Cybersecurity Act. Providers of vital services are exempt; they are subject to a five-year period due to existing legislation.
(d) Who will be the supervisory authority and how are they preparing the market?
The Estonian Information System Authority (RIA), acting as the National Cyber Security Centre (NCSC-EE), will be the central supervisory and coordinating authority under the amended Cybersecurity Act. RIA also acts as the single point of contact, national competent authority and CSIRT for NIS2 purposes, with sectoral regulators continuing to play a role in specific industries.
(e) What should you be doing/on the lookout for?
NIS2 implementation is still going through the Parliament, but the draft law has already been published. Organisations that are likely to fall within scope should now identify whether they qualify as essential or important entities under the NIS2 sectors and size thresholds, map the services, systems and key suppliers that would be covered, and review their existing security measures and incident-handling processes against the main NIS2 obligations. Estonia has confirmed that it will implement NIS2 largely at the minimum level and will not introduce significant additional national requirements beyond those set out in the Directive.
Contact
Tambet Toomela E: tambet.toomela@eversheds-sutherland.ee
Ädu Arvisto E: adu.arvisto@eversheds-sutherland.ee
© Eversheds Sutherland. All rights reserved.