NIS 2 status in Estonia
What the directive requires, how Estonia transposes it through the Cybersecurity Act, and where RIA sits inside the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including Estonia, with one cybersecurity floor for essential and important entities. Estonia must put that floor into Estonian law and run a supervision regime under it.
Estonia transposed NIS 2 through amendments to the existing Küberturvalisuse seadus (Cybersecurity Act) rather than a brand-new statute. The amendments were passed by the Riigikogu in December 2025 and entered into force on 1 January 2026. The EU transposition deadline of 17 October 2024 was missed, which is why the European Commission sent Estonia a reasoned opinion in May 2025.
The Information System Authority (Riigi Infosüsteemi Amet, RIA) is the national competent authority and single point of contact. CERT-EE, Estonia's national CSIRT, operates inside RIA. Self-registration is performed through RIA, with reports indicating an initial self-registration window running into the spring of 2026.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Estonia without national transposition.
Estonian transposition
Küberturvalisuse seadus, NIS 2 amendments in force from 1 January 2026
The Estonian NIS 2 transposition is an amendment package to the existing Cybersecurity Act, supplemented by implementing regulations and RIA guidance. The amendments extend the regulated perimeter from roughly 3,500 to a substantially larger group of entities across energy, transport, health, digital infrastructure and public administration.
Küberturvalisuse seadus, amended for NIS 2
Estonia did not draft a new cybersecurity statute. The existing Cybersecurity Act was amended to carry the NIS 2 obligations: the essential and important entity categories, the supervision powers of RIA, incident reporting duties, and sanctions. Operational detail is filled in by implementing regulations and RIA guidance.
RIA as competent authority, CERT-EE as CSIRT
RIA (Riigi Infosüsteemi Amet, the Information System Authority) is the national competent authority and single point of contact under NIS 2. CERT-EE, the national CSIRT, sits inside RIA and handles incident handling and coordination. Sector regulators retain their existing roles where lex specialis applies.
Registration and reporting
The Cybersecurity Act amendments entered into force on 1 January 2026. Reports indicate an initial self-registration window of roughly three months from that date for entities falling into the expanded scope; companies should confirm the precise window against current RIA guidance. Significant incidents follow the directive's cadence of a 24-hour early warning, a 72-hour notification and a final report within one month.
Local law applies inside Estonia
Operations on Estonian territory follow the Estonian transposition. A German Geschäftsführer running an Estonian subsidiary reads the Küberturvalisuse seadus for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the portal and the sanctions live in Estonian law and are supervised by RIA.
Estonia cannot go below the EU floor
The directive is a minimum harmonisation instrument. Estonia can go stricter, and historically has done so in selected sectors given its digital-government posture. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.
RIA
Riigi Infosüsteemi Amet, the Information System Authority. National competent authority, single point of contact and cybersecurity regulator under NIS 2. Operates the national cybersecurity centre, issues guidance, runs supervision and coordinates incident response through CERT-EE.
CERT-EE
The Estonian national CSIRT, organisationally part of RIA. Receives incident notifications, coordinates response across public sector and critical infrastructure operators, and connects to the EU CSIRTs network.
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Estonian entities; RIA is.
Estonia is in the EU, so the German NIS2UmsuCG applies here too.
Each member state transposes the directive into its own law. An Estonian subsidiary follows the Küberturvalisuse seadus, supervised by RIA, even if the parent company sits in Germany. Reporting goes through CERT-EE, not through the German BSI. The substantive obligations are aligned at the directive level, but the procedure and supervisor are Estonian.
There is no public NIS 2 register in Estonia, so we can wait.
The Cybersecurity Act amendments require in-scope entities to self-register with RIA after entry into force on 1 January 2026. Whether or not a public registry is visible to outsiders is a separate question; the duty to register applies once an entity meets the size and sector test. Waiting until enforcement is visible is the most common mistake.
We are not in a critical sector, so NIS 2 does not apply.
The NIS 2 perimeter is wider than the old NIS 1 OES list. Sectors such as waste management, postal and courier services, manufacturing of certain products, food production and digital providers are now in scope under Annex II if the size test is met. Public administrations and certain digital providers are in regardless of size. The check has to be done against the directive's sector annex, not against the entity's perception of being critical.
Estonia entered NIS 2 from a high digital-government baseline. RIA was already running the national cybersecurity centre, CERT-EE was already operational, and the Cybersecurity Act already existed. The NIS 2 step was not a new architecture but a broader scope and tighter governance: more sectors in, management body accountability formalised, and incident reporting deadlines aligned to the directive.
The practical move is the same as everywhere else in the EU: confirm scope under the directive, self-register with RIA, set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. The Estonian baseline helps with technical maturity, but it does not substitute for the NIS 2 obligation register.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for an Estonian entity under the Küberturvalisuse seadus, a German parent under BSIG, and a French sister under Ordonnance n° 2024-1093. Article references switch per locale; the substantive obligations do not.
For Estonian scope you start with the applicability check, then move to RIA self-registration, incident reporting cadence into CERT-EE, supply chain clauses and management body sign-off. Where RIA publishes sector guidance, we reference it; we do not duplicate it.
- Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Küberturvalisuse seadus (Cybersecurity Act) — Riigi Teataja
- European Commission, NIS 2 directive transposition tracker — Estonia (digital-strategy.ec.europa.eu)
- RIA — Riigi Infosüsteemi Amet, official site (ria.ee)
- CERT-EE — Estonian national CSIRT, inside RIA
- Riigikogu press releases on the NIS 2 transposition bill