BLRT warns: delaying cybersecurity compliance can be costly

Information security

By: Artti Aston, Marek Trautmann, Henri Ratnik, Mai Kroonmäe

Industrial group BLRT recently learned that it must comply with Estonia’s new Cybersecurity Act, which entered into force this year. Based on the company’s experience so far, BLRT Group IT Director Marek Trautmann has a clear message: “Compliance should not be left to chance.”

The greatest risk of delaying compliance is business disruption. Companies may also face substantial fines. However, the consequences extend beyond regulatory penalties. For example, organisations without ISO 27001 certification may be excluded from certain tenders and procurement processes.

Companies that postpone reviewing their systems may also find that qualified consultants and specialists become increasingly difficult to secure, making it challenging to complete all necessary work within the three-year transition period. These topics were discussed in the programme On the Growth Path.

Hiring an information security manager

“Given the size of our group and its turnover, it is obvious that the criminal world has an interest in us. That is why cybersecurity became a priority more than five years ago,” explained Marek Trautmann when discussing BLRT’s cybersecurity journey.

BLRT appointed a dedicated person responsible for cybersecurity who was already familiar with the European NIS2 Directive. As a result, the company knew several years in advance that Estonia would soon adopt implementing legislation. International customers also played an important role, frequently asking whether BLRT had obtained ISO 27001 certification.

In February, BLRT received a letter from the Estonian Information System Authority (RIA), prompting the company to determine which of its many subsidiaries qualified as entities under the Cybersecurity Act.

Trautmann admitted that understanding the requirements was not straightforward. He began by reading the legislation and explanatory memorandum several times, making notes and consulting specialists.

It soon became clear that the law does not automatically apply to an entire corporate group. Applicability depends on specific business activities, one of which is shipbuilding.

“In Estonia, none of our companies actually build ships – we repair them. These are entirely different activities. However, because shipbuilding is specifically listed as a regulated activity, we are required to implement the regulation within that company,” Trautmann explained.

The assessment ultimately identified two subsidiaries that clearly needed to pursue information security certification. This conclusion was later confirmed by RIA. Obtaining certification provides automatic compliance with the requirements established under the Cybersecurity Act.

What companies should know

The Cybersecurity Act applies to approximately 6,500 companies and institutions in Estonia, including nearly 3,000 newly added entities this year.

The law covers providers of essential services, government institutions, public legal entities, and many companies depending on their size and sector.

The scope includes numerous organisations in the energy, healthcare, transport, communications, and manufacturing sectors.

The full list of regulated entities and the complete text of the law are available in the Riigi Teataja.

Because BLRT’s parent company provides centralised IT services across the group, the organisation faced two options: either align the entire group with Estonia’s national information security standard or adopt the international ISO 27001 standard.

The latter was considered more advantageous from a business perspective because BLRT has subsidiaries and partners outside the European Union. The group is currently finalising an agreement with Grant Thornton Baltic to establish the necessary management system and documentation. At the same time, BLRT is working with a certification partner that will eventually issue its ISO certificate.

Trautmann acknowledged that, in the future, participating in international tenders without certification may become impossible. Likewise, foreign business partners that currently accept BLRT’s security measures without requiring certification may not continue to do so.

The Cybersecurity Act also requires organisations to assess the cybersecurity maturity of their suppliers and partners. Trautmann recalled an incident three years ago when attackers attempted to gain access to BLRT’s systems through a partner organisation. Fortunately, the attack failed because the company had already implemented appropriate security software.

BLRT also avoids maintaining permanent VPN connections with partners. When software updates are required for production equipment, service providers must perform the work on-site because the systems are isolated from external networks.

“The risk that someone can access your systems remotely from their kitchen table simply is not worth the convenience,” Trautmann said.

The process takes at least a year

Although the legislation grants newly regulated entities a three-year transition period to achieve compliance and obtain the required audits or certifications, experts warn that waiting until the last moment is highly risky.

According to Artti Aston, Head of Information Security Services at Grant Thornton Baltic, implementing an information security management system takes at least six months. To obtain certification or formal assurance, the system must then operate for approximately another six months.

“It will take at least a year, even if you start immediately,” Aston noted.

Key changes introduced by the law

Incident reporting. Significant cybersecurity incidents must be reported to RIA within 24 hours of becoming aware of the incident.

Board responsibility. Companies must designate a board member responsible for cybersecurity. If no specific board member is appointed, responsibility rests with the entire board. Employees must also receive regular cybersecurity training.

Supply chain security. Organisations must ensure that their suppliers and service providers maintain adequate security measures. Responsibility for cybersecurity cannot be delegated to third parties.

Certification and risk management. Most regulated entities must align their systems and documentation with either the Estonian Information Security Standard (E-ITS) or the international ISO 27001 standard. They must conduct risk assessments and map critical business processes and assets. Depending on the organisation’s size, either an audit or formal certification may be required.

The legislation is difficult to navigate

Henri Ratnik, Partner at law firm WIDEN, explained that Estonia’s Cybersecurity Act is based on the EU NIS2 Directive and has been drafted in significant detail to minimise future disputes. This has resulted in extensive cross-referencing to other regulations and registers.

“In an ideal world, laws would be written so that everyone could understand them. In reality, that is not how things work,” Ratnik said. Including all relevant references directly in the law would have turned a 20-section act into a document six times longer.

According to Artti Aston, one of the biggest challenges concerns manufacturing classifications. The legislation explicitly lists five manufacturing sectors but also includes manufacturers of machinery and equipment not classified elsewhere. As a result, the list of affected companies is significantly broader than many organisations realise.

The scope ranges from computer manufacturers to producers of bicycles, ships and even aircraft. Consequently, many businesses may already fall within the scope of the law without being aware of it.

This issue was repeatedly highlighted during the programme. Many organisations that are required to comply simply do not realise it. Entities covered by the law were required to notify RIA by the end of March, yet Ratnik believes many have failed to do so.

This raises an obvious question: why must every company conduct its own analysis and hire expensive advisers to determine whether it falls within the scope of the law? Why can the supervisory authority not simply tell them, as is done in Lithuania?

According to Ratnik, the answer lies in balancing administrative efficiency with regulatory oversight. “We also want a lean state. We cannot have both.”

Why companies should not ignore the requirements

Business disruption. If systems are inadequately protected and attackers gain access – for example by encrypting critical data – operations may be interrupted for a prolonged period.

Significant fines. If a company clearly falls within the scope of the law but fails to comply, RIA has the authority to impose penalties. Fines can reach up to EUR 10 million or 2% of the company’s global annual turnover. Failure to report a significant cyber incident within 24 hours is also considered a violation.

Personal liability for board members. If a company ignores its obligations and the board fails to exercise sufficient care, board members may face personal liability claims. Such claims may be brought by the company itself or, in insolvency situations, by creditors. If no individual has been formally appointed to oversee cybersecurity, all board members share responsibility for any violations.

Shortage of auditors. Auditing capacity may become limited. Estonia currently has only two certification bodies authorised to issue ISO certificates. If thousands of organisations postpone compliance until the final stages of the transition period, companies may be forced to seek auditors abroad, significantly increasing costs.

Time pressure. Implementing security controls and obtaining certification cannot happen overnight. Achieving compliance typically takes at least six months, followed by another six months of operation before certification can be granted. In practice, the entire process requires a minimum of one year, despite the three-year deadline established by law.


From left on the cover banner: Artti Aston, Henri Ratnik, Marek Trautmann
Photo: Andras Kralla