What to expect in cyberspace in 2026

Another record year for incidents with an impact. Evolving legislation brings cybersecurity into sharper focus. Further centralising cyber defence. A new level of Nordic–Baltic regional cyber cooperation. AI is accelerating on all fronts.

AI is accelerating on all fronts

The development of artificial intelligence (AI) and large language models (LLMs) continues at a breakneck pace. These technologies certainly make everyday life easier by allowing increasingly complex questions to be asked and more informed answers to be obtained. At the same time, they also benefit criminals and aggressive regimes, who can use AI to target their objectives more effectively.

In 2025, our Ukrainian partners observed Russia deploying malware that uses internal AI algorithms. Russian state-backed threat actors also began using malware capable of generating malicious commands autonomously in attacks against foreign governments and armed forces. Last year also saw the market entry of a cost-effective and technically capable Chinese language model, known as DeepSeek. For now, the primary concern is not its use in attacks against neighbours or other states but the sharing of data entered into DeepSeek with various Chinese government and security authorities. We highlighted the risks arising from this repeatedly in 2025 and will continue to do so this year.


Evolving legislation brings cybersecurity into sharper focus


Amendments to Estonia’s Cybersecurity Act entered into force on 1 January 2026, incorporating the European Union’s second Directive on the Security of Network and Information Systems (NIS2) into Estonian law. As a result, the number of Estonian companies and institutions required to comply with the new requirements rose from around 3,500 to nearly 6,500. The directive aims to raise cybersecurity standards across the entire European Union.

The new legal framework introduces personal liability for board members for compliance with cybersecurity requirements and significantly higher potential fines for breaches – up to 10 million euros or two per cent of annual turnover. Cybersecurity is therefore moving much higher on the radar of organisational leadership.

Under the previous version of the Estonian Cybersecurity Act, all entities within its scope were required to comply with the Estonian Information Security Standard (E-ITS), which supports larger and more capable organisations in managing information security in a structured way. With the recent amendments, smaller organisations are now met halfway: they are required to implement only the general requirements, or primary information security measures, defined by RIA in 2025. These significantly reduce the administrative burden and focus on a limited set of essential, realistic measures that reflect the size, resources and risk profile of smaller entities. This should lead to a sharp increase in the number of small organisations that genuinely seek to implement information security in practice.

Another record year for incidents with an impact

In 2025, yet another all-time high in the number of incidents with an impact was recorded in Estonia’s cyberspace. The total reached 10,185, marking the first time the figure has risen to five digits within a single calendar year. In 2024, the number was around a third lower, and the year before that, it was almost three times smaller.

Given the pace at which increasingly capable cybercriminals continue to devise new and effective fraud schemes, we must unfortunately expect this upward trend to continue in 2026. Growth is unlikely to be as steep as last year, but the basics still apply: do not click every link, and never enter PIN codes in response to an unexpected phone call.

If you do fall victim to a cyber incident, please report it by email at [email protected] or by completing the report form at raport.cert.ee.


Further centralising cyber defence


RIA’s new operations centre began work on 1 June 2025, taking over responsibility for monitoring Estonia’s cyberspace from CERT-EE and for the real-time oversight and management of RIA’s own services. The operations centre functions as RIA’s central nervous system, acting as an emergency hub when threats arise. It was created to ensure that Estonia’s digital state continues to operate without disruption and is ready to respond immediately to both technical failures and cyber threats.

In 2026, this capability will be extended to other state e-services, with the aim of building a more complete view of activity across Estonia’s cyberspace. User-friendly solutions will be introduced that allow service owners to automatically share service availability and disruption information from their monitoring systems with RIA.

In this role, RIA will increasingly function as a government security operations centre, or GovSOC. The consolidated situational awareness gathered at RIA will enable more effective management and coordination of responses to high-impact cyber incidents, while ensuring round-the-clock oversight of national critical services.

A new level of Nordic–Baltic regional cyber cooperation

In December 2025, the Nordic Baltic Cyber Consortium (NBCC), launched under Danish leadership, began substantive work. Seven countries are involved: Estonia, represented by RIA, alongside Latvia, Lithuania, Finland, Denmark, Norway and Iceland. Sweden is expected to join the consortium at a later stage.

The purpose of the NBCC is to strengthen regional cooperation and improve the prevention and detection of cyberattacks. This will involve developing shared tools for information sharing and analysis and enhancing cyber threat awareness by drawing on information sources from both the public and private sectors. The consortium also emphasises innovation and public–private cooperation.

This cross-border effort is supported by the European Union through the Digital Europe programme, with a total project budget of around 14 million euros over four years. In the context of the EU Cyber Solidarity Act, the NBCC initiative serves as a cross-border cyber hub. The network is expected to actively exchange information with similar hubs across the EU, forming part of a pan-European cybersecurity early warning system.


Last updated: 11.02.2026
