Estonia’s Computer Emergency Response Team, CERT-EE, forms one of the most critical defensive lines of its digital state. The team operates largely out of sight, seeking to provide solutions rather than attract attention. Its success is measured by how rarely the public needs to be informed about critical cyber incidents.
Two people fending off a cyber campaign
In the 2000s, internet use grew, and attack vectors expanded as more services moved online. While hackers, malware and phishing were not yet everyday terms in Estonia, banks were already facing their first cyberattacks, and various incidents sparked debate about how to secure an increasingly digital information society.
In 2005, Toomas Viira, then head of information security at RIA, was tasked with developing a vision for an Estonian CERT and explaining the need for such a unit to both civil servants and politicians. At a time when Estonia’s digital state was rapidly developing but cybersecurity remained a new and abstract concept for many, Viira spent months answering basic questions about what a cyber incident is and why it requires attention at the state level. It soon became clear that Estonia could not afford digital solutions that were innovative but unprotected. After months of groundwork, a favourable decision followed.
CERT-EE began operations on 1 January 2006. ‘Even then, we were already seeing early, rudimentary forms of phishing and viruses. Banks and their customers were the primary targets, but several other organisations were also affected,’ Viira recalls. Although the start was far from smooth – with processes to be built and trust to be established – he notes that CERT-EE was created at the right moment, just ahead of the 2007 cyberattacks.
The unit’s first head, Hillar Aarelaid, faced a baptism of fire. Following the removal of the Bronze Soldier monument in Tallinn, the world’s first coordinated cyber campaign – also known as Cyber War I – unfolded, disrupting Estonian websites and services. CERT-EE coordinated the response with a team of just two people: Aarelaid and Tarmo Randel.
Randel, who later became head of the unit, wrote in CERT-EE’s annual summary (in Estonian) that the spring of 2007 put Estonia on the global map and that, despite the negative nature of the events, the overall effect was positive. For the public, it was the first time a cyber incident was recognised as a national security issue, prompting many companies and states to seriously analyse and protect their infrastructure.
What is CERT-EE?
CERT-EE is RIA’s incident response department that monitors Estonian cyberspace, provides preventive protection for the public sector and detects cyber incidents in Estonia’s computer networks. When an incident occurs, CERT-EE helps identify its cause and advises on response and remediation.
CERT-EE is a member of the CSIRTs Network coordinated by the European Union Agency for Cybersecurity (ENISA).
The hectic 2010s
During the 2010s, CERT-EE’s workload grew explosively. While around 300 incidents were handled in 2013, the number had increased tenfold just four years later. Klaid Mägi, who led the unit between 2014 and 2018, likens the team at the time to a start-up: ‘It was a group of enthusiasts doing big things with whatever tools were available, often improvised.’
By 2015, it became clear that a 9-to-5 model was insufficient for effective incident response. A round-the-clock duty system was introduced, additional experts were hired, and from the summer of that year, Estonia’s cyberspace was monitored 24/7.
‘Continuous rapid response made it possible to warn the public about major phishing and malware campaigns, notify hosting providers and website owners about compromised sites and share more timely information about vulnerabilities affecting large numbers of users,’ Mägi explains.
This period also saw the launch of CERT-EE’s daily newsletter, which continues to provide up-to-the-minute overviews of developments in cyberspace. Today, it has nearly 2,200 subscribers.
Ready for anniversary attacks
In 2017, CERT-EE achieved SIM3 (Security Incident Management Maturity Model) certification for the first time – the highest international standard for CERTs. Certification assesses documentation, readiness for cooperation, workflows, the effectiveness and professionalism of incident handling, and information sharing, among other aspects that underpin strong response capabilities and cybersecurity. CERT-EE was the fifth organisation globally to reach this level.
The same year, preparations were made for the tenth anniversary of the 2007 cyberattacks, amid expectations of possible repeat attacks from Russia. ‘We assumed that our neighbour might mark the “anniversary” in some way, and we were ready. Fortunately, no such attacks came, but the year did bring two other high-profile incidents – WannaCry and NotPetya – both of which had a major global impact,’ Mägi recalls. As if that were not enough, the Estonian electronic ID card crisis followed later that summer, affecting around 750,000 people. Challenges were plentiful.
Amid these events, the team honed its technical analysis and strengthened its automated detection systems. CERT-EE experts appeared frequently in the media and on social platforms, emphasising the importance of cybersecurity.
To coordinate responses to major international cyber incidents, CERT-EE members established an international Mattermost channel – a secure, controlled communication platform – that connects CERTs across EU member states. This channel, which remains active today, was first used to jointly address the WannaCry crisis.
WannaCry – A ransomware attack that spread worldwide and targeted computers running the Microsoft Windows operating system in May 2017. The malware infected more than 125,000 computer systems in more than 100 countries. While large parts of the healthcare sector in the United Kingdom were brought to a standstill, RIA reported that Estonia saw no spread of crypto-ransomware and its computer systems remained unaffected. Mägi noted that CERT-EE’s preventive work played a role, as significant efforts had been made to strengthen cybersecurity in healthcare institutions.
NotPetya – A cyberattack that first targeted organisations in Ukraine, in which computers were infected with malware designed to sabotage and destroy systems. The malware behaved like conventional ransomware, but its source code revealed that no file-recovery mechanism was included and that its real purpose was to delete files permanently. Its impact quickly became international, affecting several global companies, with total damages estimated at several billion euros, which makes it one of the costliest cyber incidents in history. Two companies in Estonia belonging to the Saint-Gobain group were affected.
The threat landscape begins to shift
Although cyber threats were no longer a novelty by 2019, the frequency, automation and targeting of attacks against Estonia increased.
That year also saw a sharp rise in phishing and fraud schemes linked to Smart-ID, Estonia’s widely used digital authentication service. It became clear that awareness-raising alone was no longer sufficient, prompting CERT to change its approach.
‘Giving advice is easy. But if an organisation cannot implement it, it makes more sense to offer the solution as a service,’ recalls Tõnu Tammer, who was leading the unit at the time.
CERT expanded its portfolio with practical, scalable services that help prevent threats even when organisations lack in-house capacity. One example was the development of a DNS-based solution to filter cyber threats, blocking malicious activity before a connection is even established.
Alongside these substantive developments, important steps were also taken to strengthen Estonia’s internet infrastructure. The national internet exchange point was upgraded, enabling operators to exchange traffic more efficiently and keep domestic traffic within the country. This improved both service continuity and resistance to attacks.
Raising attackers’ costs and cutting returns
In 2022, a new phenomenon emerged: web links that, once opened, caused the user’s browser to participate in denial-of-service attacks automatically. ‘All it took was opening a link, and even a technically unskilled person could unknowingly take part in an attack,’ Tammer explains. In response, Cloudflare’s services were adopted, further strengthening Estonia’s defences.
The aim was to raise attackers’ costs and lower their returns. ‘The more we can achieve this through technical measures, the less incentive there is to attack Estonia,’ Tammer says.
Cooperation with security solution providers was further expanded, with CERT sharing validated threat intelligence. This enabled threats to be added to blocklists more quickly, narrowing attackers’ room for manoeuvre. According to feedback from one major vendor, information shared by CERT-EE accounted for a significant portion of its initial threat intelligence.
Looking back on CERT-EE’s development, Tammer notes that the organisation has become increasingly proactive: ‘The team keeps cyberspace functioning and reduces risks – often without anyone noticing.’
This is the paradox of cyber defence: the better the work, the less visible it is. When users do not need to think about service instability or outages, it means CERT-EE has done its job well.
Every day, all the time
Driven by geopolitical developments, CERT’s workload grew markedly in the following years. Veikko Raasuke, who has led the team since 2023, describes the work as a daily struggle. ‘We are attacked every day, with attempts to break into systems or bring services down through denial-of-service attacks. CERT-EE’s task is to push back at all times – on weekends, at night, during school holidays, public holidays and Christmas.
In other words, when most of us are with our families, cyber guards are at work so the rest of the country can enjoy their festive meals,’ Raasuke says.
On 9 March 2024, Estonia experienced the most significant denial-of-service attack in its history against public-sector websites: in just over four hours, nearly three billion malicious requests were recorded. CERT-EE has been, and remains, effective in defence. Attacks rarely have an impact, and when they do, it is usually short-lived.
As CERT-EE continuously develops its defensive tactics, adversaries refine their tools and adjust their attack methods. According to Raasuke, denial-of-service attacks dominated the workload, alongside various phishing campaigns. In one case, criminals exploited a major international event held in Estonia and attended by senior officials from many countries. They sent participants a highly convincing phishing email purporting to come from the organisers.
Where it once took CERT-EE seven to ten working days to shut down a fraudulent financial website, cooperation with the Estonian Police and Border Guard Board, as well as the Banking Association and individual banks, reduced this to under an hour.
The team jokingly refers to the period from October to January as ‘Christmas peace’, a tongue-in-cheek label for a time when fraud impersonating logistics companies increases dozens of times over. Usually, activity subsides after the holiday season.
In January 2024, however, the lull never came. Fraudsters became even more active, expanding beyond logistics firms to target a wide range of companies and public authorities. ‘Here, too, the development of AI has been a major enabler, helping fraudsters easily produce credible Estonian-language content,’ Raasuke notes.
Looking ahead
Turning from the past to the future, CERT-EE faces increasingly complex challenges. Cybersecurity is no longer a concern for individual organisations alone, but a global issue. Entirely new threats are emerging, including AI-enabled attacks, the potential of quantum computing and vulnerabilities associated with 5G networks.
Taavi Kupper, who currently heads the unit, says that while Estonia’s information systems and e-services are highly secure, the environment is constantly changing.
‘New threats require continuous adaptation. In the coming years, CERT-EE will need to invest even more in strengthening international cooperation and partnerships, as cybersecurity is a collective task on a global scale,’ Kupper says, adding that the team is ready to confront new and evolving threats.
The future also points to a more proactive, data-driven approach.
‘If today the focus is on blocking cyber incidents and attacks, then going forward, CERT-EE will play an increasingly important role in data-driven analysis and prevention. New technologies, such as machine learning and artificial intelligence, enable faster analysis of system behaviour and the detection of even the most complex and covert attack patterns. One thing is certain: CERT-EE has been, and will continue to be, one of the pillars of Estonia’s cybersecurity,’ Kupper said.
We do not settle for yesterday’s standards
Over two decades, CERT-EE has grown into a trusted and credible actor that protects Estonia’s digital ecosystem – from individual citizens to the state’s critical infrastructure. National information security capabilities have strengthened, but as strong and independent teams multiply, the role of a central coordinator becomes increasingly important. Cyber resilience does not emerge from isolated efforts but from well-organised cooperation.
‘If CERT-EE has proven anything over the past 20 years, it is that Estonia’s digital state endures because we do not settle for yesterday’s standards,’ says CERT-EE’s head, Taavi Kupper. ‘The team continues with the same sense of responsibility, commitment and purpose to ensure that Estonia’s digital state remains trustworthy – not only today but also tomorrow.’
Last updated: 11.02.2026