Järelepärimine

Dokumendiregister	Riigi Infosüsteemi Amet
Viit	1.1-21/262019
Registreeritud	22.01.2026
Sünkroonitud	23.01.2026
Liik	Sissetulev kiri
Funktsioon	1.1 Asutuse tegevuse korraldamine
Sari	1.1-21 Õigusalane kirjavahetus ja muu dokumentatsioon
Toimik	1.1-21/2025
Juurdepääsupiirang	Avalik
Juurdepääsupiirang
Adressaat	SupportHost OÜ
Saabumis/saatmisviis	SupportHost OÜ
Vastutaja	Sander Pelisaar (RIA, PDA Oigus)
Originaal	Ava uues aknas

Failid

SupportHost OÜ_täiendavad küsimused.eml

E-kiri saadeti väljastpoolt RIA-t. Kui Sa ei tunne saatjat, siis ära ava linke ega manuseid!

Hello Sander,

Thank you for the clarification. I have some follow-up questions:

Registration:

Where exactly should I register SupportHost OÜ by 1 March 2026? I went on ria.ee/en but was not able to find anything there.

Is there a specific portal or should I contact CERT-EE directly? Can you provide details?

ISO 27001 Certificate:

3. Regarding the ISO/IEC 27001 certificate submission - where should I send it and in what format?

We are certified: https://www.iafcertsearch.org/certified-entity/F658bXS6I8j6SIC8433rEyGj but it's not clear how and to whom to send the certificate.

Compliance Requirements:

4. You mentioned we only need to implement "esmased turvameetmed" (basic security measures) per § 51. Does our ISO 27001 certification satisfy these requirements, or do we need to implement additional Estonian-specific measures? If not, can you share a link to the relevant article(s)

Regarding the Commission Implementing Regulation (EU) 2024/2690 - what specific obligations does this create for us as a domain registrar/reseller? Are there WHOIS/registration data requirements we must comply with?

Incident Reporting:

6. For the 24-hour incident reporting requirement - is there a specific platform/portal where incidents should be reported, or should we email CERT-EE directly?

Transition Period:

7. You mentioned a three-year compliance period. Does this mean we have until March 2029 to fully implement all technical requirements, while only registration is required by March 2026?

During this transition period, which obligations are immediate (besides registration) and which can be implemented gradually?

Practical Guidance:

9. Do you have a compliance checklist or implementation guide specifically for domain registrars/SMEs that we can follow?

Are there any official templates, guidelines, or best practice documents from RIA/CERT-EE that would help us ensure full compliance?

Will there be any training sessions, webinars, or workshops organized by RIA for newly in-scope entities?

Best regards,

Ivan Messina

Founder & Owner

SupportHost OÜ

On 19 Jan 2026, at 12:51, Sander Pelisaar <[email protected]> wrote:

Dear Mr. Messina,

Thank you for your enquiry. I apologize for the delay in responding.

Because your company provides domain registration services (NIS2 Art. 2(4)), it falls within the scope of NIS2 regardless of company size and is therefore subject to the Estonian Cybersecurity Act (see § 3(2)).
You are required to register the company by 1 March 2026.
ISO/IEC 27001 certification is acceptable. To rely on the exemption, you must submit a valid ISO/IEC 27001 conformity certificate to the Information System Authority (Riigi Infosüsteemi Amet). As your company qualifies as an SME, you are required to implement only the basic security measures (“esmased turvameetmed”) set out in the Network and Information Systems Cybersecurity Requirements Act § 5¹. Nevertheless, I recommend obtaining ISO/IEC 27001 certification because the Commission Implementing Regulation (EU) 2024/2690 is relevant to domain registration services and may make certification advantageous for compliance and supply‑chain assurance.
Entities subject to the Estonian Cybersecurity Act must implement basic security measures (\"esmased turvameetmed\") as set out in the Network and Information Systems Cybersecurity Requirements Act § 5¹.Implementation of ISO/IEC 27001 will in most cases satisfy these measures. Because your company provides domain registration services, the Commission Implementing Regulation (EU) 2024/2690 is also relevant - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2690.
As a NIS2 and Cybersecurity Act subject, you must report cyber incidents no later than 24 hours after becoming aware of an incident, where the reporting threshold is met.
The staff headcount criterion covers full‑time, part‑time, temporary and seasonal staff and includes employees, secondees who are treated as employees under national law, owner‑managers and partners engaged in regular activity and deriving financial advantage from the enterprise. See the European Commission User guide to the SME definition.
If you host clients that are NIS2 entities, they will likely require you to comply with NIS2 obligations (or at least certain security controls) as part of supply‑chain security requirements.
Transition periods: entities that were in scope as of 31 December 2025 have a three‑year period to comply with the new requirements; newly in‑scope entities also have a three‑year compliance period. All in‑scope entities must register by 1 March 2026.

Best regards,

Sander Pelisaar

Legal Adviser

+372 5366 7126

[email protected]

Information System Authority of Estonia

Legal Department

Pärnu maantee 139a, Tallinn 15169

www.ria.ee

Saatja: Ivan - SupportHost <[email protected]>
Saatmisaeg: reede, 16. jaanuar 2026 00:38
Adressaat: Riigi Infosüsteemi Amet <[email protected]>
Koopia: cert üld <[email protected]>
Teema: NIS2 Directive Applicability Query - Estonian Hosting Company (SupportHost OÜ)

[email protected] ei saada teile sageli meilisõnumeid. Lugege teavet selle kohta, miks see on oluline

E-kiri saadeti väljastpoolt RIA-t. Kui Sa ei tunne saatjat, siis ära ava linke ega manuseid!

Dear RIA Cybersecurity Team,

I am writing to seek official clarification regarding the applicability of the NIS2 Directive requirements to our Estonian company under the recently amended Cybersecurity Act.

Company Information:

Company name: SupportHost OÜ
Registry code: 16285499
EMTAK code: 63102 (Web hosting services)
Legal address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551
Annual revenue: Approximately €1 million
Workforce: 1 formal employee (owner) + 8 independent contractors
Average total workforce: 9 people

Business Activities: We provide web hosting services (shared hosting) and domain registration services to approximately 6,000 clients across various sectors (small businesses, professionals, agencies, e-commerce). Our servers are physically located in Germany and the Netherlands.

Current Compliance Status: We obtained ISO/IEC 27001 certification approximately one month ago (November 2024).

Questions:

Based on the recent amendments to the Cybersecurity Act (particularly the September 2025 regulation establishing thresholds of 50 employees and €10 million revenue for E-ITS exemption), I would appreciate your clarification on the following points:

NIS2 Applicability: Given our company size (under 50 employees and under €10M revenue), are we subject to NIS2 Directive requirements under Estonian law?
Registration Obligation: Are we required to register with CERT-EE by April 1, 2026?
E-ITS Requirements: Does our ISO 27001 certification fulfill the E-ITS requirements, or are we exempt from E-ITS obligations due to our company size?
Minimum Security Obligations: If we are exempt from full NIS2/E-ITS requirements, are there any basic security measures ("esmased turvameetmed" per §51) that we must implement?
Incident Reporting: Are we obligated to report cybersecurity incidents to RIA/CERT-EE even if below the size thresholds?
Workforce Calculation: For the purpose of the 50-employee threshold, how should we count independent contractors working under partita IVA arrangements? Are they considered employees?
Supply Chain Requirements: If we host clients who are themselves subject to NIS2 (essential or important entities), does this create any compliance obligations for us as their service provider?
Transition Period: If we are determined to be subject to NIS2 requirements, what is the exact timeline for achieving compliance?

Background for Question: We want to ensure full compliance with Estonian cybersecurity regulations and provide accurate information to our clients. Additionally, as we plan to grow our business toward €300K monthly revenue in the next few years, we want to understand at what point we would become subject to NIS2 requirements.

Could you please provide written confirmation of our obligations (or exemption) under the current Estonian implementation of the NIS2 Directive? This will help us plan our compliance strategy appropriately.

I am available for any follow-up questions or to provide additional information if needed.

Thank you for your assistance.

Best regards,

Ivan Messina

Founder & Owner SupportHost OÜ

Registry Code: 16285499

Email: [email protected]

Seosed

Nimi	K.p.	Δ	Viit	Tüüp	Org	Osapooled