NIS2 in Estonia

1. Quick SME Applicability Snapshot in Estonia

Does NIS2 apply to SMEs in Estonia?

Yes — depending on sector and size.

• Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
• Small or micro entities are included only if formally designated or operating in high-criticality sectors.
• Applies to entities established in Estonia and, in certain cases, foreign digital providers serving the Estonian market.

SMEs should evaluate whether they meet sectoral and size criteria under Estonia's national cybersecurity regime.

2. Overview of NIS2 Implementation in Estonia

Estonia transposed the Directive through the Act Amending the Cybersecurity Act and Other Acts, in force 1 January 2026. The amendment updates the existing 2018 Cybersecurity Act rather than introducing a new statute.

The reform expands the regulated population from approximately 3,500 to about 6,500 entities across NIS2 sector categories, strengthening risk management, governance, supervision, and sanctions obligations.

Two national specifics stand out: research institutions are added as a national sector beyond the Directive baseline, and risk management is aligned with the E-ITS (Estonian Information Security Standard) baseline controls. The European Commission issued a reasoned opinion in May 2025 (pre-enactment); notification completeness remains under review.

3. Scope of Application in Estonia

Estonia's scope reflects all Directive sector categories and adds research institutions as a national sector beyond the Directive baseline.

4. Size Thresholds and SME Applicability in Estonia

The baseline thresholds apply:

• ≥50 employees, and
• ≥€10 million annual turnover or balance sheet total.

Entities meeting both criteria within covered sectors fall automatically within scope.

Small and micro enterprises may be designated if considered critical to economic stability, public security, or essential service continuity.

Estonian authorities retain formal designation powers where systemic risk or national security considerations justify inclusion.

5. Entity Classification Framework in Estonia

Entities are categorized as:

• Essential Entities — Subject to proactive supervision, including audits and structured compliance monitoring.
• Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

Classification is determined by sector and size. Competent authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

Estonia follows the Directive's two-tier supervisory structure.

6. Cybersecurity Risk Management Requirements in Estonia

Estonia's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

• Risk analysis and system protection
• Incident detection and response
• Business continuity and crisis management
• NIS2 supply chain Estonia risk controls
• Secure acquisition and development of ICT systems
• Access control and identity management
• Encryption and cryptographic safeguards
• Vulnerability handling procedures
• Staff cybersecurity training

Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Estonian cybersecurity guidance is encouraged.

Supply chain risk management includes vendor due diligence and contractual security requirements.

7. Management Liability and Governance in Estonia

Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

Under Estonia's framework:

• Boards are accountable for compliance oversight.
• Senior management must ensure adequate cybersecurity competence.
• Administrative sanctions may address governance failures.
• A three-year management ban may be imposed under the Estonian Commercial Code on directors found responsible for serious cybersecurity governance failures — more prescriptive than the Directive baseline.

NIS2 management liability Estonia expectations elevate cybersecurity governance to executive-level responsibility.

8. Incident Reporting Obligations in Estonia

9. Supervisory Authorities and Enforcement Model in Estonia

Primary authority: Estonian Information System Authority (RIA).

Estonia operates a centralized supervisory model coordinated by RIA, with sector-specific regulators involved where necessary.

Supervisory powers include:

• Information requests
• Security audits
• On-site inspections
• Binding compliance instructions
• Participation in EU cybersecurity coordination

The enforcement structure aligns with Directive-level cooperation requirements.

10. NIS2 Fines and Sanctions in Estonia

Estonia applies Directive-aligned administrative penalties.

NIS2 fines Estonia enforcement may also include:

• Binding remediation orders
• Public identification of non-compliant entities
• Suspension of certification or authorization
• Managerial suspension powers

11. NIS2 Supply Chain and Vendor Security in Estonia

Entities must manage third-party cybersecurity exposure through:

• Vendor risk assessments
• Contractual security flow-down provisions
• Continuous ICT supplier monitoring
• Concentration risk analysis
• Incident propagation mitigation

Estonia's approach aligns with Directive baseline expectations regarding supplier risk management.

12. Registration and Self-Identification Duties in Estonia

Entities within scope must:

• Self-register with RIA via the CERT-EE / NCSC portal within 3 months of entry into force — initial deadline approximately 1 April 2026.
• Provide corporate identification details.
• Disclose sector classification and the services covered by NIS2.
• Maintain updated contact information; report material changes to RIA within two weeks.

Phased compliance applies: self-registration by approximately 1 April 2026; governance controls by 1 January 2027; full technical compliance and first audits by 1 January 2028. Risk management is aligned with E-ITS baseline controls.

Self-identification is mandatory where entities meet statutory thresholds.

13. Interaction With GDPR and Other Laws in Estonia

The General Data Protection Regulation continues to apply concurrently.

Overlap considerations include:

• 72-hour personal data breach notification
• Supervisory authority coordination
• Parallel cybersecurity and data protection investigations
• Sector-specific Estonian cybersecurity legislation

A single cyber incident may trigger reporting obligations under both regimes.

14. Cross-Border Applicability

Entities with their main establishment in Estonia are supervised by Estonian authorities for cross-border services.

Foreign digital providers offering services in Estonia may be subject to national obligations depending on establishment structure.

Representation requirements follow Directive standards for non-EU providers serving Estonian markets.

15. Implementation Timeline in Estonia

• Directive adoption: 2022
• National legislative amendments: Omnibus amendment act adopted by the Riigikogu; published 30 December 2025.
• Entry into force: 1 January 2026.
• Commission notification: EC reasoned opinion issued May 2025 (pre-enactment); notification completeness under Commission review.
• Compliance milestones: Self-registration by approximately 1 April 2026; governance controls by 1 January 2027; full technical compliance and first audits by 1 January 2028.

Estonia completed transposition on 1 January 2026. Phased compliance applies: self-registration by approximately 1 April 2026, governance controls by 1 January 2027, and full technical compliance with first audits by 1 January 2028.

16. Key Takeaways for SMEs in Estonia

• Medium-sized entities in covered sectors are automatically in scope.
• Small entities may be designated if operationally critical.
• Board-level governance oversight is mandatory.
• Incident reporting follows 24h / 72h / 1 month deadlines.
• Financial penalties can reach €10 million or 2% of global turnover.
• Vendor risk management is a core obligation.
• Early compliance planning reduces enforcement exposure.

FAQ: NIS2 Estonia SME Guide