WIDEN Attorneys Advised the Republic of Estonia on the Transposition of the NIS2 Directive

Related to

The European Union’s new NIS2 Directive imposes extensive requirements on Member States to ensure cybersecurity and network security. The directive’s aim is to raise the overall level of digital resilience across Europe, harmonize national rules, and ensure that providers of critical services and infrastructure are better protected. For Estonia, this means that many companies and institutions will face new obligations – from risk management and reporting to stricter penalties in the event of breaches.

WIDEN advised the Ministry of Justice and Digital Affairs by analyzing the draft bill prepared by the ministry to assess whether the draft transposing the NIS2 Directive complies with EU law and the Government of the Republic’s legal policy guidelines. During the project, WIDEN’s team provided a thorough legal opinion, focusing both on the precision of the directive’s wording and on avoiding overregulation.

WIDEN’s Team and the Results of the Draft Bill Analysis

The project was led by Attorney-at-Law Henri Ratnik, Co-Head of IP/IT and Data Protection, with the team also including Attorney Oliver Grauberg, Attorney-at-Law and Partner Rauno Kinkar, and Lawyer Sten-Marten Pukka. The team’s task was to combine in-depth EU law analysis with a practical assessment of Estonian legislative drafting.

WIDEN provided the ministries with an overview of which aspects of the draft bill align with the NIS2 Directive, where there are risks of overregulation, and how those risks could be mitigated.

The purpose of requesting the legal opinion was to ensure that Estonian law remains competitive, legally balanced, and practically applicable.

Why is the NIS2 Directive Important?

The NIS2 Directive affects a very broad range of companies and institutions. While the previous regulation mainly targeted large infrastructure and service providers, the new directive also extends to medium-sized enterprises operating in critical fields such as:

energy and transport,
healthcare and drinking water,
digital services and cloud technologies,
financial services and banking.

Implementing the directive means greater emphasis on risk management, documentation and reporting of cybersecurity measures, as well as stricter sanctions – companies may face significant fines in the event of violations.

For this reason, it is crucial that Estonia’s transposition of the directive does not go beyond its scope and does not impose disproportionate additional burdens on businesses.

Summary and Acknowledgment

The transposition of the NIS2 Directive is a milestone for Estonia, affecting a wide range of businesses and public sector institutions. The objective of WIDEN’s work was to assess the compliance of the draft with EU law, help the Republic of Estonia avoid overregulation, and ensure the legal framework’s practical applicability.

We express our sincere gratitude to the Ministry of Justice and the Ministry of Economic Affairs and Communications for the smooth cooperation and professional communication throughout the project. We are grateful for the opportunity to contribute and support the development of Estonia’s digital security and legal environment in line with Europe’s best practices.