CRA Compliance in Estonia

RIA serves as Estonia's national competent authority for the CRA, with market surveillance coordinated with the Consumer Protection and Technical Regulatory Authority (TTJA) for physical products and consumer equipment. Estonia's Küberturvalisuse seadus (Cybersecurity Act), which transposes NIS2, provides a comprehensive legislative framework for cybersecurity oversight. RIA has established cybersecurity certification services and participates in the EU's cybersecurity certification scheme framework. Estonian manufacturers benefit from RIA's deep technical expertise and its extensive published guidance, much of which is available in English given Estonia's international digital economy orientation.

Estonian manufacturers submit Article 14 notifications to CERT-EE through RIA's incident reporting portal. CERT-EE operates 24/7 incident response capability and is one of the most technically active national CSIRTs in Europe. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Estonia's existing incident reporting framework for essential service operators provides a mature model that CRA Article 14 reporting will build upon. CERT-EE participates actively in the EU CSIRTs network and ENISA's vulnerability coordination mechanisms, reflecting Estonia's leadership role in EU cybersecurity cooperation.

Market surveillance for CRA products in Estonia is coordinated between RIA and TTJA (Consumer Protection and Technical Regulatory Authority), which conducts product safety market surveillance. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Estonia's regulatory enforcement tradition is efficient and technically informed, reflecting its e-government capabilities. TTJA has conducted active market surveillance under EU product safety regulations including the Radio Equipment Directive. Estonian manufacturers should expect technically rigorous documentation reviews as part of CRA market surveillance.

RIA publishes extensive free cybersecurity guidance in Estonian and English, including the Estonian Information Security Standard (E-ITS) aligned with ISO 27001 and CRA Annex I requirements. CERT-EE provides threat intelligence sharing through its intelligence bulletins and incident reports. Enterprise Estonia (EAS) supports manufacturer cybersecurity investment through innovation grants. The Tallinn-based Cyber Defence Centre of Excellence (NATO CCDCOE), while primarily NATO-focused, generates publicly available research relevant to CRA compliance. Estonia's Cyber Security Council coordinates national cybersecurity strategy implementation including support programmes for manufacturers.