← Back to home NIS2 Guide

NIS2 in Estonia 2026 — The Complete Guide

NIS2 is the EU's cybersecurity directive that brings the biggest changes to information security requirements in a decade. Estonia is behind on transposing the directive — the European Commission sent Estonia a reasoned opinion on 7 May 2026 for failure to transpose. The message is clear: the law is coming, and soon.

If you don't have time to read 30 pages of directive text, you're in the right place. This guide covers everything that matters — honestly, practically, and without unnecessary complexity.

What is NIS2 and why does it matter?

NIS2 (Network and Information Security Directive 2) replaces the 2016 NIS1 directive. Its goal is to raise the baseline of cybersecurity across Europe — especially in sectors that society depends on.

NIS1 covered only the largest operators. NIS2 significantly expands the scope: over 160,000 companies across the EU must comply. In Estonia, this affects thousands of organisations.

Why does this matter now? The number of cyberattacks against Estonian companies has grown every year. The 2025 CERT-EE annual report documented a record number of incidents. NIS2 isn't bureaucratic noise — it's a response to a real and growing threat.

Does NIS2 apply to your company?

This is the first question everyone asks. The answer depends on two things: sector and size.

Sectors covered by NIS2:

Highly critical sectors (Annex I): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (including cloud and data centres, internet exchange points), ICT service management, space, public administration.

Other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, digital services (online marketplaces, search engines, social networks), manufacturing (medical devices, computers, transport equipment, electrical/electronic equipment).

Size thresholds:
- Important entity: 50–249 employees OR turnover €10–50m — NIS2 applies
- Essential entity: 250+ employees OR turnover over €50m — NIS2 applies with stricter obligations
- Micro-enterprise (<10 employees, <€2m): generally excluded
- Exception: smaller companies may be in scope if they are the sole provider of a critical service

Practical rule of thumb: if your company provides IT, security, or cloud services, or acts as a subcontractor to larger organisations — check carefully, even if you technically fall below the size thresholds. NIS2 extends requirements through the supply chain.

What does NIS2 require? The 10 core obligations

NIS2 Article 21 sets out ten mandatory categories of measures. Here they are, explained plainly:

1. Cybersecurity risk management policy
You need a written risk management framework. It doesn't have to be a 200-page document — what matters is that decisions are documented and regularly reviewed.

2. Incident handling
You must be able to detect, respond to, and report significant incidents. The timelines are strict: initial notification within 24 hours, interim report within 72 hours, final report within 30 days.

3. Business continuity
A BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan) must exist and be tested.

4. Supply chain security
You must assess the security of your suppliers. If your cloud provider or IT partner gets attacked — you need to be prepared.

5. Network and information system security
Vulnerability management, patching, hardening. A proper asset inventory.

6. Cybersecurity training
Both employees and management must receive regular training. Management training is specifically emphasised — NIS2 puts personal liability on leadership.

7. Cryptography and encryption
Sensitive data must be encrypted both in transit and at rest.

8. Access control and identity management
MFA (multi-factor authentication) on all critical systems. Least-privilege principle.

9. Security in software development
If you develop software in-house — DevSecOps principles must be applied.

10. Cybersecurity in procurement
When buying new IT solutions, security must be assessed as part of the purchase decision.

Management liability — the part most people overlook

NIS2 is the first EU cybersecurity directive to place direct personal liability on management. This is not a minor detail.

Direktiiv sätestab, et juhid peavad:
- Have sufficient knowledge of cybersecurity (or complete training)
- Approve cybersecurity risk management measures
- Be personally accountable for compliance

Sanctions: for important entities, fines can reach €10 million or 2% of global turnover (whichever is higher). For essential entities, up to €20 million or 4% of turnover. Personal disqualification of managers is also possible.

In other words: "our IT department didn't tell me" is no longer an acceptable answer.

NIS2 timeline for Estonia (As of June 2026)

Estonia is officially late in transposing the NIS2 directive into national law. As we are currently in June 2026, the legal and political pressure on the Estonian state is at its peak.

How we got here:
- October 2024: The official deadline for transposing the EU NIS2 directive passed.
- February 2025: The European Commission launched formal infringement proceedings against Estonia.
- May 2025: The Commission sent Estonia a reasoned opinion for failing to transpose the directive.
- June 2026 (Now): The Estonian state is still under infringement proceedings because the legislator has not yet been able to pass the final implementing act in the Riigikogu. The risk of being taken to the European Court of Justice is a real, daily threat.

What does this mean for your company?
The delay in legislation does not mean the requirements can be ignored. International clients and EU procurements are demanding NIS2 compliance right now, regardless of the delay in Estonia's national law. When the law is finally passed in the coming months, Estonian companies will likely not be given a long transition period (instead of the usual 12 months, it could be significantly shorter, as the original EU deadline has long passed).

Practical advice: Do not wait for the Riigikogu vote. The substantive requirements of NIS2 (Article 21 risk management measures) are set in stone and will not change. Companies that map their gaps today can do so with a reasonable budget. Those who wait for the law to be enacted will face a shortage of security consultants and exponentially higher prices.

How to prepare for NIS2 — a practical action plan

Here is what I recommend to my clients:

Step 1 — Assess applicability (1 day)
Confirm whether NIS2 applies to you. Review the sector and size criteria. If in doubt, check — better to know now than later.

Step 2 — Gap analysis (1–2 weeks)
Compare your current position against NIS2 requirements. Where are the gaps? This is the most important step — without it, you don't know where to start.

Step 3 — Prioritise and plan (1 week)
You don't have to do everything at once. Start with high-risk gaps — typically incident handling, MFA, and supply chain risk assessment.

Step 4 — Implement measures (2–4 months)
Document policies, deploy technical controls, train management and staff.

Step 5 — Test and improve (ongoing)
NIS2 compliance is not a one-time checkbox — it is a continuous process. Plan regular reviews and tests.

How long does it take? For a well-prepared company with an existing security culture — 3 months. Starting from scratch — 6–9 months. Our experience shows that 6 months is a realistic target when work is done consistently.

NIS2 vs ISO 27001 — what is the difference?

This is a question I hear often. The short answer: they complement each other.

NIS2 is a legal obligation — compliance is required, non-compliance has sanctions. It defines what you must do, but doesn't always prescribe exactly how.

ISO 27001 is an international standard that gives you a structured how. ISO 27001 certification does not automatically guarantee NIS2 compliance, but if you have the certificate, achieving NIS2 compliance becomes significantly easier.

Practical recommendation: if you are considering ISO 27001 certification — start with NIS2 compliance. It is faster and cheaper, and creates a solid foundation for later certification. If you are already ISO 27001 certified — you need to align your ISMS with NIS2 requirements, but much of the work is already done.

Summary — what to do today

NIS2 is not a distant future risk. Infringement proceedings are ongoing and European clients expect compliance.

Three things I recommend doing today:

1. Determine whether NIS2 applies to your company — use our free NIS2 readiness assessment
2. Talk to your leadership — NIS2 responsibility sits with management, not just the IT department
3. Consult a specialist — a gap analysis gives you a precise picture of what needs to be done and what it will cost

If you want a clear, honest view of where your company stands — I am here to help. Book a free 30-minute NIS2 review and let's find out together.

Book a free NIS2 review

Free 30 minutes. A concrete picture of where to start.

Book a free NIS2 review
or email directly: Heikki@HoneyLake.eu