Cybersecurity · Estonia
Estonia operates under a dedicated Cybersecurity Act originally enacted in 2018, which was substantively amended effective 1 January 2026 to transpose the EU NIS2 Directive (EU 2022/2555), expanding scope from approximately 3,500 to 5,500–7,000 regulated entities across critical sectors. The Information System Authority (RIA), operating the national CERT (CERT-EE), serves as the primary regulator and incident coordinator. Estonia's approach is underpinned by its 2024–2030 National Cybersecurity Strategy 'Cyber-Conscious Estonia', one of the EU's most mature digital governance frameworks.
Amendments to the Cybersecurity Act implementing NIS2 Directive (EU) 2022/2555 entered into force on 1 January 2026. Estonia layered NIS2 obligations onto the existing 2018 Act rather than enacting new primary legislation, covering energy, transport, health, digital infrastructure, and public administration.
Regulated entities must submit an early alert to CERT-EE within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final incident report within 30 days. Reports are submitted through the CERT-EE/NCSC portal. Separately, personal data breaches must be reported to the Data Protection Inspectorate (AKI) within 72 hours under GDPR.
The Estonian Information System Authority (RIA) is the sole national competent authority for cybersecurity, combining regulatory supervision, policy coordination, and incident response via CERT-EE. RIA carries out supervision over state and local government network/information systems and providers of digital services, with powers to impose corrective measures.
Entities newly in scope must self-register with CERT-EE by 1 April 2026; governance and management controls are required by 1 January 2027; full technical security measures and first audits are mandated by 1 January 2028. Entities are classified as 'essential' or 'important' in line with NIS2 criteria.
Estonia's fourth national cybersecurity strategy, 'Cyber-Conscious Estonia' (2024–2030), sets policy objectives across four domains: resilient digital infrastructure, capable workforce, international cooperation, and managing national cybersecurity development. Cybersecurity funding grew from €3.9 million (2020) to €16.1 million (2024). In 2024, CERT-EE registered a record 6,515 cyber incidents.
RIA maintains the Estonian Information Security Standard (E-ITS), a national baseline security framework applicable to public sector bodies and critical infrastructure operators, requiring risk-based security measures including supply-chain controls, vulnerability management, and business continuity planning consistent with NIS2 requirements.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.