Louis Zezeran
29 January 2026
NIS2 is one of those regulations that can feel like “background noise” right up until the moment you realize it applies to you. And in Estonia, that moment is happening to a lot of company leaders at once.
In this NeverHack Cybercast episode, host Louis Zezeran sits down with Andres Järv—Security Advisor at NEVERHACK Estonia—to demystify what NIS2 actually is, how Estonia has implemented it locally, and what practical steps small and medium businesses should take first. The conversation is intentionally grounded: less theory, more “what do we do on Monday morning?”
NIS2: directive vs regulation (and why that matters)
A key early clarification Andres makes is that NIS2 is a directive, not a regulation. That difference matters. A regulation (like GDPR) applies directly across the EU. A directive sets requirements, and then each EU country implements those requirements in its own national laws.
So when people say “NIS2 in Estonia,” what they really mean is Estonia’s local implementation of NIS2 requirements—and the obligations that now exist in Estonian law.
Estonia’s implementation: the Cybersecurity Act (Küberjulgeoleku seadus / “KüTS”)
In Estonia, NIS2 has been implemented through amendments to the Cybersecurity Act (often referred to as “KüTS”). Andres explains it simply: the law is the mechanism that mandates action, and then organizations comply through recognized frameworks and measures.
This is where the conversation becomes very practical: Estonia’s approach isn’t “figure it out yourself from scratch.” The Cybersecurity Act gives the legal foundation, and then there are approved ways to implement security measures in a structured way—primarily E-ITS or ISO 27001 (with a simplified path for micro/small entities).
The scope expansion: why so many more companies are affected
One of the most important takeaways for Estonian SMEs is that the scope has expanded significantly. Andres describes how Estonia moved from roughly 2–3k organizations under the earlier regime to roughly 5–6k organizations now—effectively doubling the affected population.
That jump creates a predictable problem: many organizations still don’t realize they are in scope. And even when leaders have heard of NIS2, they may not be sure which category they fall into or what exactly they must implement.
“Spaghetti law”: why it’s confusing to self-identify
A recurring theme in the episode is that determining scope can be messy. Andres compares it to “spaghetti code”—lots of cross-references, conditions, and dependencies across legal texts. He shares a concrete example: a company looked at one part of the law and concluded they weren’t subject, but a later paragraph extended those requirements to smaller enterprises as well. The result: they thought they were out—until they weren’t.
This matters because the system relies heavily on self-identification: the company has to determine whether it is in scope and then notify the regulator.
Self-reporting to RIA: a hidden risk for businesses
Unlike some other regulatory frameworks where authorities directly notify regulated entities, Andres notes that with the Cybersecurity Act/NIS2, organizations may need to report themselves to RIA (the Estonian Information System Authority). That creates an awkward reality: some companies might still be unaware, not because they’re malicious, but because they simply haven’t connected the dots.
Louis pushes on the obvious question: if a company doesn’t self-report, how does that come to light later? Andres suggests two realistic scenarios:
- a future enforcement wave where RIA checks a subset of companies, or
- an incident happens and the spotlight turns to whether the company complied.
The “why now” urgency: early-year reporting + leadership responsibility
The episode highlights why the timing feels urgent. Andres explains that organizations in scope have a limited time window (he references three months) to report their status to the authorities at the beginning of the year.
The second urgency driver is leadership accountability: NIS2 explicitly ties responsibility to management, requiring a named management member responsible for information security, along with training requirements so leadership understands governance, ISMS concepts, and risk management.
E-ITS vs ISO 27001: two main compliance paths
A central portion of the conversation focuses on the practical choice most mid-sized organizations face: E-ITS or ISO 27001.
E-ITS (Estonian Information Security Standard)
Andres describes E-ITS as a structured standard developed in Estonia (with roots in the German BSI tradition), designed to be very detailed and prescriptive. It gives you a methodology to determine your required security level and then effectively tells you what measures to implement. It’s also freely accessible online.
With E-ITS, compliance is demonstrated by implementing the framework and then sending the audit report to RIA.
ISO 27001
ISO 27001 is the internationally recognized standard. The big difference Andres stresses: ISO tends to be more risk-assessment-driven and less prescriptive. You identify risks, select controls accordingly, and the controls are written more as recommendations that you implement and tailor.
With ISO, you typically go through certification, obtain a certificate, and submit that to RIA as evidence of compliance.
Why two options?
The podcast makes this easy to understand: E-ITS is “do this, do that” (hand-holding); ISO is “assess risk, choose controls” (flexibility). ISO also has a major advantage for private-sector organizations: it’s easier to explain to partners internationally—an ISO certificate is widely recognized, while an E-ITS audit report often requires additional explanation outside Estonia.
The third path: simplified measures for micro/small entities
For micro/small entities in scope, Andres describes a simplified option: preliminary/basic security measures (a smaller subset mapped to E-ITS). These entities still implement measures but can rely on self-assessment rather than ordering full audits and sending audit results to RIA.
This is a big deal for “small but regulated” entities—particularly in sectors like healthcare where there may be single-doctor practices that can’t realistically run full certification cycles.
What companies actually need to implement (real examples)
The most valuable part for listeners is where Louis pushes for concrete examples: “What is the meat of this thing? What are auditors actually looking for?”
Andres’ answer is refreshingly direct. Examples include:
- Do you have an information security policy?
- Is someone formally responsible for information security?
- Do you have a risk management framework and do you assess IT risks?
- Do you register and manage incidents?
- Do you have asset management (do you even know where your computers are and what’s installed)?
- Do you do vulnerability management (e.g., are you running unpatched, outdated operating systems)?
- Do you provide employee cybersecurity education and onboarding procedures?
This isn’t “enterprise-only” work. It’s basic operational maturity that many SMEs have partially, but not systematically.
The common weakness: security management process (not tools)
Andres makes a key observation: even companies that have some security tooling (antivirus, passwords, etc.) often neglect the management process side—how risks are tracked, how metrics are reported to leadership, how decisions are made, and how improvements are driven.
This is exactly what NIS2 is trying to force into reality: cybersecurity governance isn’t “something IT does,” it’s a business management process that leadership must own.
How NEVERHACK approaches implementation (gap analysis → plan → delivery)
The episode also gives a helpful view of how a typical compliance project runs.
Andres explains that many projects begin with a gap analysis—understanding what exists and what doesn’t. This usually takes up to about a month. Then comes the heavier phase: implementing processes, writing documents, getting management approvals, and supporting technical controls. That phase can take months (often up to half a year depending on readiness), followed by audit support and possible assistance communicating with auditors or the regulator.
This is useful for listeners because it resets expectations: compliance doesn’t happen in a week, and it can’t be outsourced entirely. The company must participate.
The timeline trap: “you have 3 years” is not the same as “you can wait”
Louis and Andres close in on a practical risk for Estonian companies: thinking “we have time” and then getting stuck in a last-minute scramble.
Andres uses a simple exam analogy: if the exam is in three months, do you study now or in the last month? The same logic applies here: as deadlines approach, everyone will be chasing the same limited pool of consultants and auditors—especially with E-ITS being Estonia-specific and therefore constrained by local capacity.
Even if consultants are available, organizations often underestimate how long it takes to change internal processes—because security touches HR, IT, facilities, vendors, leadership meetings, reporting rhythms, and more.
Is NIS2 “good” for Estonia? The pragmatic view
The conversation ends with a realistic tone. Andres acknowledges there was criticism during drafting and that industry groups may push for adjustments. But the overall direction is clear: Europe is regulating cybersecurity, Estonia is part of the EU, and this is not going away.
Louis frames the bigger picture for SMEs: “we’re too small to get hacked” is no longer a defensible assumption. Attackers regularly target small and medium businesses, and the goal is to improve baseline resilience across the economy.
The takeaway: what listeners should do next
If you remember one thing from this episode, make it this:
- Confirm if you’re in scope (and don’t assume you aren’t).
- Assign responsibility at management level and start building governance.
- Pick your path: E-ITS (prescriptive) or ISO 27001 (risk-based + globally recognized).
- Start early—because changing processes, producing evidence, and preparing for audits takes time.
And if you’re unsure, the episode makes a practical invitation: speak with professionals who do this work daily and can help you interpret scope, design a roadmap, and implement the required measures in a way that actually improves security—not just paperwork.
Listen now, subscribe for more episodes, and reach out via NEVERHACK if you need help navigating NIS2 implementation in Estonia.