NIS2 Implementation in the EU | Estonia (Europe) |
Firm | COBALT Law Firm |
Contributors | Egon Talur |
Status | On hold |
Status of the NIS2 Implementation Act | The Act Amending the Cybersecurity Act and Other Acts (Transposition of the NIS2 Directive) was published on 9 December 2024. Coordination at the public sector level and opinions from various stakeholders are currently awaited, no later than 31 January 2025. |
If available, foreseeable significant deviations of the National Implementation Act from the NIS2 Directive | No significant deviations from the NIS2 Directive are expected. According to the explanatory memorandum for the draft law, its wording primarily focuses on what the NIS2 Directive has specified in a narrower sense. Additionally, the explanatory memorandum notes that, as Directive 2016/1148 ("NIS 1 Directive") was transposed more broadly than required and due to the establishment of the Estonian Information Security Standard in 2022 along with the obligation to comply with it, the transposition of the NIS2 Directive into Estonian law is easier, as many of its requirements are already fulfilled under Estonia's existing legislation. The draft law mainly aims to clarify provisions in the current legislation and establish a few new norms. According to the authors of the draft, the primary change is the expansion of the list of entities subject to the Cybersecurity Act. Currently, approximately 3,500 organizations are required to comply with the Act, and an estimated 2,000 additional organizations will be included under the draft. |
Expected date of entry into force of the Implementation Act | The implementation law is currently planned to enter into force on 1 July 2025. |