Vastus
| Dokumendiregister | Riigi Infosüsteemi Amet |
| Viit | 1.1-21/261174 |
| Registreeritud | 22.05.2026 |
| Sünkroonitud | 25.05.2026 |
| Liik | Väljaminev kiri |
| Funktsioon | 1.1 Asutuse tegevuse korraldamine |
| Sari | 1.1-21 Õigusalane kirjavahetus ja muu dokumentatsioon |
| Toimik | 1.1-21/2026 |
| Juurdepääsupiirang | Avalik |
| Adressaat | Venipak Eesti OÜ |
| Saabumis/saatmisviis | Venipak Eesti OÜ |
| Vastutaja | Liina Lumiste (RIA, PDA Oigus) |
| Originaal | Ava uues aknas |
Failid
Dear Modestas Milašauskas,
Thank you for your inquiry.
Cybersecurity Act § 3(5)(7) establishes as important enitites also entities which are postal service providers for the purposes of the Postal Act, including a courier service provider, and it has 50 or more employees during the financial year or whose annual
balance sheet total and annual turnover exceed 10 million euros.
According to Section 22(1) of the Postal Act, a postal service provider is “an undertaking that provides one or more postal services” and that “the mere transport of postal items does not constitute the provision of a postal service”. According to Section
2(1) of the Postal Act, the content of a postal service is “forwarding of an addressed postal item as an economic activity” and according to Section 2, forwarding is “a process that includes the collection, sorting, transport and delivery of a postal item
to the recipient”.
Considering the public information available (webpage
https://venipak.com/ee),
Venipak OÜ does seem to operate as a postal service provider or a courier service provider. Therefore, in case the aforementioend financial and personnel criteria are also fulfilled, the entity is considered to fall in the scope of the Cybersecurity Act.
We would like to clarify that the RIA cannot give a definite answer as to whether an undertaking is a subject to the Cybersecurity Act;
the undertaking itself must make the relevant assessment based on all its areas of activity and economic indicators.
If an undertaking meets the above criteria for a service provider, the entity is obliged to notify the RIA in accordance with KüTS § 31 (1) (which can be done via eesti.ee, more details here: https://www.ria.ee/kuberturvalisus/riigi-infoturbe-meetmeet-haldus/teenuseosutaja-eits-auditi-iso-sertifikacija-pilvandmetootluse-teade)
within three months as of the date on which they become compliant with the characteristics of a service provider (initial deadline was 31 March).
Kind regards,
Liina Lumiste
Legal Advisor
liina.lumiste@ria.ee
+372 55617734
Information System Authority
Pärnu mnt 139a, 15169 Tallinn
ria.ee
Saatja: Modestas Milašauskas
Saadetud: teisipäev, 19. mai 2026 09:37
Koopia: Gintaras Dakanis (Venipak); Paulius Palubinskas (Venipak); Modestas Milašauskas
Teema: Vs: KüTS / NIS2 applicability — Venipak Eesti OÜ (12142751)
Saadetud: teisipäev, 19. mai 2026 09:37
Koopia: Gintaras Dakanis (Venipak); Paulius Palubinskas (Venipak); Modestas Milašauskas
Teema: Vs: KüTS / NIS2 applicability — Venipak Eesti OÜ (12142751)
|
You don't often get email from [email protected].
Learn why this is important
|
E-kiri saadeti väljastpoolt RIA-t. Kui Sa ei tunne saatjat, siis ära ava linke ega manuseid!
Dear RIA,
Could you confirm whether Venipak Eesti OÜ falls within the scope of the Cybersecurity Act (KüTS) / NIS2?
- Legal name: Venipak Eesti OÜ
- Registry code: 12142751
- Activity: road freight, courier and parcel delivery (EMTAK 49411)
- Address: Osmussaare tn 8, 13811 Tallinn
If in scope, please advise on the registration procedure and deadline.
Thank you,
Modestas
Seosed
| Nimi | K.p. | Δ | Viit | Tüüp | Org | Osapooled |
|---|