Information security

The Cybersecurity Act is in force, but the market is still looking for answers

On 1 January 2026, amendments to Estonia’s Cybersecurity Act entered into force, transposing the NIS2 Directive into Estonian law. According to the Estonian Information System Authority (RIA), this increased the number of companies and institutions required to comply with cybersecurity obligations from around 3,500 to nearly 6,500.

At the same time, responsibility for cybersecurity shifted more clearly to the management level of organisations, reinforcing the understanding that information security is not solely an IT issue. Companies must appoint at least one board member who approves security measures, monitors their implementation, and takes responsibility for them. If no specific board member is appointed, these obligations apply to the entire management board.

Are you a regulated entity or not?

In practice, many businesses have struggled to interpret the law. A common uncertainty is whether their sector falls within the scope of NIS2 and whether they qualify as regulated entities under the Cybersecurity Act.

If they do, they are required to notify RIA of their status within three months from the moment the obligation arises. For example, companies that qualified as entities on 1 January 2026 had to notify RIA by 31 March 2026 at the latest.

Notifications can be submitted through the state portal eesti.ee, including at least the company name, registration code, address and contact details, IP address ranges, and in some cases the sector in which the essential service is provided.

RIA has confirmed to us that approximately one thousand entities have submitted their initial notifications. This figure does not distinguish previously regulated entities from newly added ones. This means that out of the roughly 3,000 newly included entities, more than 2,000 have likely failed to submit the required notification.

Where should companies start?

Companies must first familiarise themselves with the Cybersecurity Act and assess whether they qualify as providers of essential or important services. However, applicability depends not only on the sector but also on the nature of the activities and the size of the company. In the case of companies belonging to a group, group size may also be taken into account.

It is also important to determine whether the company operates independently in IT matters or relies on the parent company’s IT and information security structure.

In general, entities are subject to the Cybersecurity Act if they provide important services, employ at least 50 people, and either have annual turnover exceeding EUR 10 million or a balance sheet total of at least EUR 10 million. Companies with more than 250 employees and turnover exceeding EUR 50 million are considered essential entities.

The law applies to qualifying companies and institutions operating in sectors such as:

  • energy,
  • transport,
  • financial services,
  • healthcare and pharmaceuticals,
  • ICT management and cybersecurity services,
  • water and wastewater,
  • waste management,
  • chemicals,
  • food production and processing,
  • manufacturing,
  • postal and courier services,
  • digital platforms, and
  • research institutions.

Regardless of size, the law also applies to providers of vital services, public legal entities, critical communications network operators, domain name service providers, trust service providers, and family medical practices, among others.

Does the group share IT governance?

Another important consideration concerns group companies. A company operating in a regulated sector may individually fall below the employee and turnover thresholds, but if it shares IT systems and information security governance with other group companies, the group’s combined size must be considered.

If IT investments, systems, and security arrangements are managed centrally at group level, the total number of employees, turnover, and balance sheet volume across the group become relevant for determining whether the company qualifies as a regulated entity.

Real-life examples

We recently had an extensive discussion with a healthcare-sector company following a question raised during Grant Thornton Baltic’s seminar on 26 March this year: “Cybersecurity Act in practice – is your company ready?”

The participant asked whether a company manufacturing medical supplies qualifies as a medical device manufacturer under the Cybersecurity Act and whether it therefore needs to register with RIA. The matter was time-sensitive because the law requires notification within three months of becoming subject to the regulation.

Under the Act, manufacturers of critical medical devices used in public health emergencies are considered essential entities, provided they have at least 250 employees and annual turnover above EUR 50 million or a balance sheet exceeding EUR 43 million. Manufacturers of medical devices and in vitro diagnostic devices are considered important entities if they have at least 50 employees and turnover or balance sheet totals above EUR 10 million.

The key question for the client was therefore not whether their products could colloquially be described as “supplies” or “devices,” but whether they legally qualified as a manufacturer referenced in the Act. The Cybersecurity Act itself does not define the term but instead refers directly to definitions in medical device regulations.

We resolved the issue by confirming that the company did not manufacture emergency medical devices and by reviewing the definitions of products and accessories in the Regulation.[1] The client then learned that while the Act would apply to its parent company in another European country, it would not apply to the Estonian subsidiary manufacturing accessories as a separate entity.

Another example involved a large industrial group with dozens of manufacturing and service companies. The parent company received a notification from RIA regarding the need to assess whether the group companies qualified as regulated entities.

We assisted the client with a self-assessment, mapping all business activities across the group and evaluating whether the companies fell within the scope of the Cybersecurity Act. We then consulted with RIA regarding the results and received a clear response.

According to RIA, the group companies operated in sectors covered by the Act, but none of the individual companies were large enough on their own to qualify. However, because the group shared common IT and information security governance, the assessment had to be based on the entire group. As a result, the companies qualified as regulated entities. The alternative would have been to separate IT governance and make the companies operationally independent in IT matters.

Following the analysis, the group decided to remain within the scope of the regulation and pursue ISO 27001 certification to secure a competitive advantage and meet client expectations in information security.

Companies can seek guidance from RIA

Although the situation is new and often complex in practice, RIA deserves recognition. The authority has responded promptly to practical client questions and provided constructive guidance regarding communication, entity assessment, and supervisory priorities.

RIA has not abandoned plans to develop a tool for assessing regulated-entity status, although implementation will take time. According to Ilmar Toom, Head of RIA’s Supervision Department:

“Under the new Cybersecurity Act, assessing whether an organisation qualifies as a regulated entity is more complex than before, which is why the previous application was removed from the eesti.ee portal earlier this year. Such assessments involve multiple interconnected factors, and fully automating the process is not realistic. Different decision trees and calculators may provide an initial indication, but they cannot deliver a final legally binding assessment. In addition, interpretations of several criteria are still evolving.”

According to Toom, a collection of frequently asked questions is currently being prepared and is expected to be published soon.

RIA has also emphasised the need to raise awareness and continues to organise seminars, publish guidance materials, and conduct sector-based outreach activities. This year, supervisory focus is primarily on educational institutions, local governments, providers of vital services, and selected public sector organisations.

What should companies do first?

Current practice shows that implementing the regulation has raised many questions for businesses. Nevertheless, ultimate responsibility for assessing applicability, notifying RIA on time, and ensuring compliance remains with the company itself. This makes early preparation essential.

Companies should not wait until the three-year compliance deadline approaches. Instead, they should immediately begin assessing applicability, assigning responsibilities, and planning their information security management system.

The key priorities are:

  • immediately assess whether the company qualifies as a regulated entity based on sector and size;
  • if the company belongs to a group, analyse whether IT and information security governance are genuinely independent or must be assessed at group level;
  • ensure that management makes timely decisions and appoints responsible persons, as notification obligations arise much earlier than full compliance requirements;
  • begin preparing management training, risk assessments, an information security management system, and a compliance roadmap to reduce both regulatory and business risks.

[1] Regulation (EU) 2017/745 of the European Parliament and of the Council.