Estonia (EE)

Estonia's latest cybersecurity stategy, Cybersecurity Strategy - Republic of Estonia (EN) was implemented in 2019. Covering the period 2019-2022, it defines the long-term vision, objectives, priority action areas, roles and tasks as the basis for activity planning and resource allocation. As a horizontal strategy, it involves all contributing stakeholders in Estonia: the public sector (both civilian and defence), essential service providers, sectoral entrepreneurs, and academia. The aim of this document is to agree on and create conditions for the implementation of a comprehensive, systematic and inclusive sectoral policy

It is the country's third national strategy document, having moved early in defining one of the world's first strategies (2008-2013) with a second one coming in 2014 (2014-2017), drawing on the lessons learned from the two previous strategy periods.

The Cybersecurity Strategy was prepared in a coherent process with Estonia’s Digital Agenda 2020. The role of cybersecurity in the information society is to ensure conditions for efficient and secure use of opportunities offered by ICTs. The objectives and key indicators of the cybersecurity strategy are planned in a four-year perspective, with an interim review at the end of the current Digital Agenda in 2020.

The new strategy covers 13 of the 15 strategic goals in the ENISA self-assessment classification. These strategic goals are: Cybercrime; security and privacy balance; citizen awareness; critical information infrastructure protection; national cyber contingency plans; international cooperation; incident response capability; institutionalised form of cooperation between public agencies; baseline security requirements; incident reporting mechanisms; R&D; cybersecurity exercises; training and educational programmes. 


Role of education on cybersecurity

The measures for cybersecurity research fall under "A cyber-literate society" (Activity 4). 

Knowledge and skills of students and teachers will be measured systematically and a supply of training in the field of cybersecurity will be provided for general educational school and vocational school teachers. Documenting the level of knowledge and skills is a key prerequisite and input for planning cybersecurity trainings, while also aiming to overcome the lack of systematic comparable measurable results among teachers and students. 
The state curricula in the context of digital competence describes the cybersecurity knowledge and skills young people should receive as part of their education. Curricula have been prepared at both the basic school and upper secondary school level along with corresponding materials that include methodological materials, making them a good basis for training. However, there is a nationwide shortage of motivated and competent teachers and cybersecurity it not often seen as a co-responsibility of school and teacher. 

It is important that the skills in digital competency of students and teachers are kept up to date with systematic measurirng of the competences. This would enable comparable data on elementary levels across the various target groups over time and porvide input into thematic training and the creation of curricula and materials. 

Development of talent corresponding to state and private sector demand (Activity 4.2)

2018 data shows that national defence studies are taught in 127 upper secondary schools and 22 vocational schools. While cyber and internal security are viewed as a natural part of national defence studies, the volume of lessons planned for conveying these topics is not sufficient for an in-depth approach. 

The strategy therefore includes the development of cyber defence studies in general education schools with effort to raise the potential of talented youths. The goal is to integrate cybersecurity with information science syllabi and facilitate in-depth cyber defence studies reaching as many upper secondary schools as possible and laying the groundwork for training a future supply of cyber specialists through the formal educational system.
While youth with an interest in ICT can participate in robotics and programming clubs, hobbyist/extracurricular activity in the field of cybersecurity is nearly non-existent. At the moment, Estonia also lacks a clear expectation and view of how and with what content to incite interest in cybersecurity among young people and thus create a rising generation of cybersecurity specialists. The format of compulsory military service as a targeted way of developing workforce in the cyber field is not being used. At the same time, through the contribution of the Ministry of Defence and the rest of the state sector, “cyber conscription” could be used as a primary recruitment platform.
To unleash these opportunities described, a programme of extracurricular activities for talented youths interested in cybersecurity will be created based on the KüberNaaskel (competition) model. This in turn will create a pool for finding people who will complete their military service in a cybersecurity field and conscription
would become a part of the cyber defence educational path and a state recruitment platform.
A systematic overview of workforce needs for cyber defence specialists will also be created, drawing on the findings of the OSKA report on the need for cyber competences within ICT core professions. However, the report does not map the workforce needs for cybersecurity specialists specifically sought by the state and private sector, which is important for planning student places, determining academic areas with greater potential and the need for continuing education for top specialists, including external trainings and industrial PhD studies. Systematic research will ensure an overview of the workforce needs for cybersecurity specialists, which will be linked with policy recommendations. The studies will be a basis for strengthening cooperation in the field of talent development between companies and universities, which will ensure the up-to-dateness of curricula and the necessary competencies among university graduates.

Role of research on cybersecurity

The measures for cybersecurity research fall under "Cybersecurity, Industry, Research and Development": Objective 2.

Estonia has strong, innovative, research-based and globally competitive enterprise and R&D in the cybersecurity sector, covering the key competences that are important for the state.
In universities, private companies and public sector alike, Estonia has outstanding competence in different spheres of cybersecurity, above all in the fields of secure
digital identity cryptography, data integrity, cybersecurity skills, education and exercises. To develop internationally successful research and development and enterprise in the sector, Estonia needs to focus on its unique strengths, which are above all its ecosystem based on electronic identity and the secure architecture of the X-road data layer along with its trust services. Strong sectoral competence in the private sector and research institutions means that Estonia
has the potential for economic growth as the sector grows as well as readiness for coping in crisis situations as hiring all of the competence needed in the public
sector is not a feasible option. 

Supporting and promoting cybersecurity R&D and research-based enterprise: Objective 2.0 - Creating effective cooperation and better cohesiveness between research, enterprise and government to improve the capacity to take developments in universities to applications in private sector and state services. Estonia’s small market can be seen as an advantage in the incubator phase, where a product working at the level of society can be rapidly taken to completion. The most important prerequisite for achieving the strategic goal is ensuring functioning cooperation mechanisms between academia, private business and government
institutions, which will ensure that strategic priorities will guide the focus of R&D in academia as well as in the private sector, thus ensuring the existence of key competences for the state.

Leveraging productive cooperation between private sector, state and academia (PPP) 
The information and cybersecurity cluster, Estonian Information Security Association – EISA, supports cooperation between universities, business and government.

The strategy highlights the need for an optimal launch of a new cooperation based on relevant competences with an administrative support mechanism for cross-sectorial participation in bidding on international contracts and competition to create the preconditions for extending export and raising funding doe research. Another step is enabling the defence industry to take part on the EU's defence initiatives, e.g. the European Defence Fund and the European Defence Industrial Development Programme.

Preparation of a nationwide cybersecurity R&D plan that defines priority focus areas
Estonia lacks a uniform R&D plan that deals with information society and cybersecurity and their technical solutions. The ICT development programme initiated by the cabinet covers the corresponding measures to a limited extent and specifies the primary cybersecurity research areas. Also providing impetus for research in
the field of ICT is the research measure launched as part of the IT Academy programme in 2018. The next step in light of the broader strategic plan is to establish a coordination mechanism and define the focus areas for R&D in the field of cybersecurity. Based on priority research issues for the state corresponding to them, guidelines can be provided in future for R&D conducted at universities and companies, for providing substance to support measures for companies and educational projects and scholarships. 

Performance Indicators

A fairly unique feature of the Estonian strategy is the inclusion of performance indicators related to its measures for research and development (activity for objective 2)

Export volume of companies in the sector
Starting level: 15,86 million (with the caveat that this data can only be extrapolated from surveys)
Target level: Not defined in the strategy. 
Sources: Cyber sector workforce need study (Praxis 2018) and and the growth area promotion study (TÜ, TalTech, Technopolis Group Eesti OÜ, 2018)

Number of new start-ups in the cybersecurity sector
Starting level: 22
Target level:   42
Source: Start-up Estonia

Number of doctorates defended in the cybersecurity sector
Starting level: 1.7 doctorates per year (during the period 2014-2017)
Target level:    2.5 doctorates per year (2019-2022)
Source: TalTech, University of Tartu

Higher Education Courses on Cybersecurity
  • Tallinn University of Technology – Master in Cyber Security, jointly coordinated with the University of Tartu. Year established: 2009. Student intake: 60. European Credit Transfer System (ECTS): 60. Focus: System security, network security, component security, SW security.

Public-private Partnerships

Leveraging productive cooperation between private sector, state and academia (PPP) 
The information and cybersecurity cluster, Estonian Information Security Association – EISA, supports cooperation between universities, business and government.

The strategy highlights the need for an optimal launch of a new cooperation based on relevant competences with an administrative support mechanism for cross-sectorial participation in bidding on international contracts and competition to create the preconditions for extending export and raising funding doe research. Another step is enabling the defence industry to take part on the EU's defence initiatives, e.g. the European Defence Fund and the European Defence Industrial Development Programme.

In the new strategy period, Startup Estonia will continue developing the community of cyber tech companies in cooperation with the Ministry of Economic Affairs and Communications to support initiatives for organising regular seminars and events, launch regular mentorship programmes and move ahead upon reaching a sufficient development level with creating an accelerator for companies in the cyber sector to offer value for global growth of companies that are past the first development phase.


IT/Cybersecurity Clusters

EISA (Estonian Information Security Association) is Estonia's main information and cybersecurity cluster. 

Other key players in the ICT space include:

ITL (Estonian Association of Information Technology and Telecommunications) brings together both sides to support cooperation on the development of the digital economy, the economy, education and labour. It is a member of Digital Europe.

Estonian Defence Industry Association


EU Cyber Professional Register for national stakeholders

The CyPR is all about boosting opportunities in the cybersecurity marketplace. 

This European Cybersecurity Professional Register is the place where professionals of any age can promote their specific skill sets and experiences in cybersecurity, courses taken and qualifications.

Organisations of any size or sector, from SMEs to large companies and public institutions can find and contact the right skills and experiences they need to improve their IT security posture.


Latest update & Disclaimer

January 2021

The information contained here is based on desk research carried out by, including the ENISA interactive maps on national strategies and educational courses. 



CYBERSECURITY RESPONSE TEAMS: GDPR and NIS Directive: Compliance and Notification

National Computer Security Information Response Team (CSIRT) / Computer Emergency Response Team (CERT)

Notification obligations in the event of a data breach
NIS Directive (operators of essential services and digital service providers): actual, adverse and significant impact on the continuity of essential services. Actual, adverse and substantial impact on the provision of enumerated digital services.
GDPR (any organisation dealing with the data of EU citizens): accidental or unlawful destruction, loss, altercation, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

National contact(s)


Guidance and Updates

CERT EE provides regular updates on the threat landscape and other related news through its website:

It also provides information about the protection of critical infrastructures,, raising public awareness through EU structural funding,, and other topics related to cyber security.

Languages Estonian, English
Latest Update & Disclaimer

January 2021

The information contained here is the result of desk research carried out by


Contact us for more info


Estonia (EE) | Cyber Range & Capacity Building in Cybersecurity


The website encountered an unexpected error. Please try again later.