From the ministry’s perspective, 2025 was a turning point in Estonia’s cybersecurity evolution. Our focus was on ensuring that the digital state remains reliable, resilient and aligned with the rapidly evolving legal framework of the European Union. This involved both strategic frameworks and practical steps that help organisations better understand security requirements and put them into practice.
Primary security measures for small organisations
One of the most significant steps was the introduction of a framework of primary security measures for small and micro-enterprises. The Estonian Information Security Standard (E-ITS) is a robust and comprehensive framework that establishes clear principles for cybersecurity management. Still, it is best suited to larger organisations with the capacity to assess and implement security requirements systematically. For smaller organisations, the situation is different. They often lack the expertise, time and human resources needed to navigate complex requirements independently or to assess where to start and which measures matter most for them.
Small and micro organisations primarily need clear, practical and unambiguous guidance – a concrete understanding of what they need to do to ensure an adequate level of cybersecurity that matches their size and resources.
It was precisely this need that led us to develop the framework of primary security measures. These help organisations focus on what is essential, reduce administrative burden and deliver tangible improvements in security. The practical value of the primary security measures framework was recognised by the Estonian Society of Family Doctors, who awarded it their “initiative of the year” distinction.
Cybersecurity legislation updated
Another significant milestone was the amendment of the Estonian Cybersecurity Act, which entered into force at the beginning of 2026 and incorporated the EU’s NIS2 Directive into Estonian law. Our work does not end with the adoption of the act. The next steps include implementing the relevant regulations and further reviewing several proposals with stakeholders.
To avoid over-regulation, we assessed each provision to determine whether it met or exceeded the directive’s minimum requirements. We used a simple but visually effective analytical approach to quickly identify the directive’s mandatory requirements; specific obligations arising from existing national legislation; and potential risks of over-regulation, of overly rigid rule-setting that limits flexibility, and of outright non-compliance.
This approach gave decision-makers and stakeholders a clear overview of which elements strictly followed the EU framework and where Estonia was making deliberate national policy choices. It is a practice that should be applied more broadly in the incorporation of EU directives into national law and in legislative drafting generally. It enhances transparency, legal clarity, and trust throughout the process.
Preparing for the arrival of quantum computing
Another key focus has been tracking advances in quantum computing, which threaten to make today’s cryptographic solutions obsolete and weaken the protection of data and services. In 2025, we began developing a roadmap for post-quantum cryptography. This provides clear guidance on preparing for the transition to new cryptographic algorithms as advances in quantum computing render existing solutions inadequate. The aim is to avoid rushed solutions and instead pursue a deliberate, well-timed transition that considers technological dependencies, priorities and organisational readiness.
Moving into the next phase of development
Looking ahead, we aim to move towards a more user-centred and effective system, supported by tools and capabilities designed to prevent incidents before they occur.
Cybersecurity must be part of business operations and everyday life. This means that security requirements must become more user-friendly, so that they are easier to understand and implement, including for small organisations and for non-expert technology users.
One important new capability under development is a national cyber operations centre, which will enhance nationwide situational awareness, response capacity and cooperation in preventing and managing cyber incidents.
On the legislative front, 2026 will see the incorporation into national law, at the minimum necessary level, of the directly applicable EU Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA). Our objective is to meet the requirements in a reasonable and proportionate manner, without an excessive administrative burden, while ensuring that safer digital products reach the market.
Overall, we are moving steadily into the next phase of the digital state’s development, where the focus is not only on requirements and technology but also on clarity, cooperation and trust.
Last updated: 11.02.2026