In general, there are no infrastructural limitations to internet access in Estonia. According to data from Statistics Estonia, the state statistics agency, 92.9 percent of households had internet connections in 2024.1 According to the EU’s Digital Economy and Society Index (DESI), 77 percent of households were covered by a fixed-line Very High Capacity Network (VHCN) providing fiber-optic or equivalent service in 2023, slightly below the EU average, while mobile broadband uptake reached 90 percent of individuals, in line with the EU average.2

Internet speeds are reliable in Estonia. According to Ookla’s Speedtest Global Index, the median fixed-line broadband download speed stood at 84.65 megabits per second (Mbps) in May 2024, while the median mobile download speed was 104.08 Mbps.3

The government continues to enhance information and communication technology (ICT) infrastructure. The Estonian Recovery and Resilience Plan (RRP) allotted €24 million ($26.2 million) to launching VHCNs in rural areas. These funds are part of a €208 million ($227.3 million) investment project to improve ICT services between 2021 and 2026.4

The availability of 5G mobile service has expanded considerably in recent years. According to the latest DESI statistics, 5G coverage was available to 87 percent of households in 2023,5 compared to 43 percent in 2022.6 Radio frequencies for 5G mobile services were distributed at a series of public auctions after amendments to the Electronic Communications Act were passed by the parliament in November 2021 (see A4).7 Telia, a leading internet service provider (ISP), reported that it had installed more than 500 5G base stations by October 2023.8

• 1“Information and communication technologies: Share of households with internet connection,” Statistics Estonia, accessed October 2024, https://www.stat.ee/en/find-statistics/statistics-theme/technology-inno….
• 2European Commission, “DESI indicators: Fixed Very High Capacity Network (VHCN) coverage,” DESI 2024, https://digital-decade-desi.digital-strategy.ec.europa.eu/s/N3eo419a4dy…; European Commission, “DESI indicators: Mobile broadband take-up,” DESI 2024, https://digital-decade-desi.digital-strategy.ec.europa.eu/s/poq34jGw5DX….
• 3“Speedtest Global Index: Estonia Median Country Speeds,” Ookla, accessed October 2024, https://www.speedtest.net/global-index/estonia.
• 4European Commission, “Country reports - Digital Decade report 2023: EE Country report,” September 27, 2023, https://digital-strategy.ec.europa.eu/en/library/country-reports-digita….
• 5European Commission, “DESI indicators: 5G coverage,” DESI 2024, https://digital-decade-desi.digital-strategy.ec.europa.eu/s/YwGMPne8520….
• 6European Commission, “DESI indicators: 5G coverage,” DESI 2023, https://digital-decade-desi.digital-strategy.ec.europa.eu/s/O0N74WA2Ppx….
• 7“Estonia to put three 5G frequency authorizations up for auction,” ERR, December 16, 2021, https://news.err.ee/1608438140/estonia-to-put-three-5g-frequency-author…; “Second 5G license auction in Estonia starts Friday, “ ERR News, June 10, 2022, https://news.err.ee/1608625831/second-5g-license-auction-in-estonia-sta….
• 8“Telia 5G levi katab 75% Eesti elanikkonnast [Telia's 5G coverage covers 75% of the Estonian population],” Telia, October 25, 2023, https://www.telia.ee/uudised/telia-5g-levi-katab-75-eesti-elanikkonnast.

There are no significant digital divides in the country. According to DESI, Estonia has one of the highest shares of individuals who use e-government services in Europe (95 percent of internet users),1 and scores 96 out of 100 points for digital public services for citizens, meaning that almost all public services have been digitized.2

In general, internet connections are affordable, though some concerns persist. Estonia’s leading service providers have responded to high inflation and other rising costs by implementing price increases for customers and discontinuing some cheaper service packages.3 In 2023, the International Telecommunication Union (ITU) put the cost of a monthly fixed-line broadband subscription at 0.72 percent of the gross national income (GNI) per capita,4 while 2 gigabytes (GB) of mobile data cost 0.18 percent of the GNI per capita.5 According to the World Bank, Estonia’s GNI per capita was $27,240 as of 2023.6

While there are a variety of packages offering internet service at affordable prices, authorities have acknowledged that very high-speed connections remain relatively unaffordable,7 contributing to low uptake of these services. As of 2023, only 36 percent of all fixed-line broadband subscriptions were for speeds of at least 100 Mbps, which was well below the EU average of 66 percent.8 The market power of Telia, which owns much of the physical infrastructure, has also contributed to higher consumer prices by raising operating costs for independent wholesale ISPs (see A4).9

There is no significant urban-rural digital divide. According to Statistics Estonia, 92.7 percent of households in urban areas had internet connections in 2024, while 93.4 percent of those in rural areas were connected.10

In 2024, slightly fewer men (91.6 percent) used the internet than women (92.9 percent), according to Statistics Estonia.11 There is a larger gap in usage in terms of age: 99.6 percent of 16-to-24–year-olds use the internet, while just 69.7 percent of 65-to-74–year-olds do, per 2024 figures.12

• 1European Commission, “DESI indicators: e-Government users,” DESI 2024, https://digital-decade-desi.digital-strategy.ec.europa.eu/s/zW7mPXapEKZ….
• 2European Commission, “DESI indicators: Digital public services for citizens,” DESI 2024, https://digital-decade-desi.digital-strategy.ec.europa.eu/s/KnrkE0ao4DO….
• 3“Telecoms firms in Estonia either hiking tariffs or considering doing so,“ ERR News, June 29, 2022, https://news.err.ee/1608643525/telecoms-firms-in-estonia-either-hiking-…; “Estonian telecom companies to raise prices from next year,” ERR, December 21, 2022, https://news.err.ee/1608833116/estonian-telecom-companies-to-raise-pric…; Johannes Tralla, “Telecoms say need for investments necessitating price hikes,” ERR, August 9, 2024, https://news.err.ee/1609420144/telecoms-say-need-for-investments-necess….
• 4International Telecommunication Union, “Fixed-broadband Internet basket: Estonia,” ITU DataHub, accessed October 2024, https://datahub.itu.int/data/?e=EST&c=701&i=34616&v=chart.
• 5International Telecommunication Union, “Data-only mobile broadband basket,” ITU DataHub, accessed October 2024, https://datahub.itu.int/data/?e=EST&c=701&i=34617&v=chart.
• 6The World Bank, “GNI per capita, Atlas method (current US$),” accessed October 2, 2024, https://data.worldbank.org/indicator/NY.GNP.PCAP.CD?locations=EE.
• 7“TTJA investigates why fast internet is so expensive in Estonia,” ERR, January 19, 2023, https://www.err.ee/1608855638/ttja-uurib-miks-eestis-on-kiire-internet-….
• 8European Commission, “DESI indicators: Share of fixed broadband subscriptions >= 100 Mbps,” DESI 2024, https://digital-decade-desi.digital-strategy.ec.europa.eu/s/qnDbPZqm5g0….
• 9“All three major telecoms firms in Estonia enjoyed healthy profits in 2023,” ERR, January 31, 2024, https://news.err.ee/1609238292/all-three-major-telecoms-firms-in-estoni….
• 10Statistics Estonia, “IT20: Households having a computer and internet connection at home by type of household and place of residence,” accessed October 2024, https://andmed.stat.ee/en/stat/majandus__infotehnoloogia__infotehnoloog….
• 11Statistics Estonia, “IT32: Computer and internet users aged 16-74 by group of individuals,” accessed October 2024, https://andmed.stat.ee/en/stat/majandus__infotehnoloogia__infotehnoloog….
• 12Statistics Estonia, “IT32: Computer and internet users aged 16-74 by group of individuals,” accessed October 2024, https://andmed.stat.ee/en/stat/majandus__infotehnoloogia__infotehnoloog….

The government does not exercise technical or legal control over the domestic internet, although the Cybersecurity Act,1 which implemented the EU Network and Information System Directive (2016/1148),2 gives it limited powers to restrict the use of or access to information systems in the event of a cybersecurity incident. As an exceptional and temporary measure, the government can also restrict internet connections in “emergency situations”3 and “states of emergency,”4 though this would not necessarily entail a total shutdown of internet connections. There were no government-imposed restrictions or disruptions to connectivity during the coverage period.

• 1Riigi Teataja, “Cybersecurity Act,” May 9, 2018, https://www.riigiteataja.ee/en/eli/ee/523052018003/consolide/current.
• 2“Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union,” European Union Law, 1–30, July 19, 2016, https://eur-lex.europa.eu/eli/dir/2016/1148/oj.
• 3Riigi Teataja, “Emergency Act,” February 8, 2017, https://www.riigiteataja.ee/en/eli/ee/513062017001/consolide/current.
• 4Riigi Teataja, “State of Emergency Act,” accessed September 29, 2020, https://www.riigiteataja.ee/en/eli/ee/530122013002/consolide/current.

There are no undue legal, regulatory, or economic restrictions on Estonia’s ICT market. The Electronic Communications Act aims to develop and promote a free market and fair competition in telecommunications services.1 Information society services, meaning economic or professional activities involving the processing, storing, or transmitting of information by electronic means upon a recipient’s request, are regulated by the Information Society Services Act (see B3).2

The ICT market is relatively diverse, though in practice it is led by certain large providers. Sweden’s Telia is the largest fixed-line broadband and mobile service provider in Estonia, according to its 2023 annual report.3 Legally, service providers are required to register with the Consumer Protection and Technical Regulatory Authority (TTJA). There is a registration fee depending on the service provided; the amount is regulated by the State Fees Act.4

In recent years, concerns have emerged that the dominance of a few large ISPs has contributed to telecommunications price increases (see A2). In a June 2023 report, the TTJA suggested that Telia be classified as “an undertaking with significant market power in the broadband access wholesale market” in parts of the country, citing wholesale providers’ reliance on Telia’s network infrastructure.5 In July 2024, after the coverage period, the TTJA rejected the notion that it could intervene in the market to counteract price increases by telecommunications companies.6

The distribution of radio frequencies for 5G mobile services was initiated at a public auction in May 2022 after the parliament passed amendments to the Electronic Communications Act in November 2021 (see A1).7 The legislation bans the use of technology from the Chinese company Huawei in Estonian networks and harmonizes consumer rights regulations.8

• 1Riigi Teataja, “Electronic Communications Act,” December 12, 2004, https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/521082017008/consol….
• 2Riigi Teataja, “Information Society Service Act,” April 14, 2004, https://www.riigiteataja.ee/en/eli/504112013008/consolide.
• 3Telia Company, “2023 Annual and Sustainability Report,” 2023, p. 6, https://www.teliacompany.com/assets/u5c1v3pt22v8/sdSKIw4u0YrvJ6N6vxNQ7/….
• 4Riigi Teataja, “State Fees Act,” December 10, 2014, https://www.riigiteataja.ee/en/eli/507012020005/consolide.
• 5“Kindlaksmääratud asukohas masstoodete keskse juurdepääsu hulgituru piiritlemine, analüüs, märkimisväärse turujõuga ettevõtja tunnistamise Kavand,” report by TTJA, June 16, 2023, https://ttja.ee/media/3630/download.
• 6“Watchdog authorities say hands tied on telecom firms' price hikes,” ERR, July 11, 2024, https://news.err.ee/1609394059/watchdog-authorities-say-hands-tied-on-t….
• 7“Estonia to put three 5G frequency authorizations up for auction,” ERR News, December 16, 2021, https://news.err.ee/1608438140/estonia-to-put-three-5g-frequency-author…; Laura Laaster, “Täna algab 5G sageduslubade oksjon [The auction of 5G frequency licenses starts today],” Majandus- ja Kommunikatsiooniministeerium, May 3, 2022, https://www.mkm.ee/uudised/tana-algab-5g-sageduslubade-oksjon.
• 8BNS, ERR News, “Legislation barring Huawei 5G tech passes Riigikogu,” ERR, November 25, 2021, https://news.err.ee/1608414737/legislation-barring-huawei-5g-tech-passe….

The main regulatory bodies for the Estonian ICT sector, the TTJA and the Information System Authority (RIA), have a reputation for professionalism and independence. Both bodies operate under the Ministry of Economic Affairs and Communications. The TTJA monitors the fixed-line and mobile broadband markets,1 ensuring compliance with the EU Net Neutrality Regulation (2015/2120),2 which outlines open internet access requirements and user rights relating to electronic communications networks and services. Meanwhile, the RIA manages state ICT resources.3 There were no reported cases of undue interference in the ICT sector or abuse of power by these bodies during the coverage period.

The TTJA has extended its oversight and enforcement mandate in recent years due to EU sanctions on Russian state media (see B1) and other EU regulations that have been transposed into national laws. In March 2024, the parliament introduced amendments to three laws, including the Information Society Services Act, that implement the EU’s Digital Services Act (DSA), designating the TTJA as Estonia’s digital services coordinator (DSC).4 In this role, the TTJA will receive complaints for alleged violations of the DSA, which aims to counteract the spread of illegal content on digital platforms.5 The amendments were enacted in June 2024,6 after the coverage period, and the TTJA officially became Estonia’s DSC on July 1.7

The Estonian Internet Foundation, which represents a broad group of stakeholders in the Estonian internet community, manages Estonia’s top-level domain (.ee).8

• 1The Consumer Protection and Regulation Authority, “Ameti tutvustus [Introduction to the Agency],” accessed March 1, 2022, https://www.ttja.ee/.
• 2“Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015,” European Union Law, November 26, 2015, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015R2120.
• 3Information System Authority, “Introduction and structure,” accessed March 1, 2022, https://www.ria.ee/en/information-system-authority/introduction-and-str….
• 4Riigikogu document register, “Infoühiskonna teenuse seaduse, autoriõiguse seaduse ja maksukorralduse seaduse muutmise seadus 390 SE [Act amending the Information Society Service Act, the Copyright Act and the Tax Administration Act 390 SE],” accessed October 2024, https://www.riigikogu.ee/tegevus/eelnoud/eelnou/c49dabcd-bf38-410a-8eed….
• 5European Commission, “The Digital Services Act,” accessed October 2024, https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/e….
• 6Riigikogu document register, “Infoühiskonna teenuse seaduse, autoriõiguse seaduse ja maksukorralduse seaduse muutmise seadus 390 SE [Act amending the Information Society Service Act, the Copyright Act and the Tax Administration Act 390 SE],” accessed October 2024, https://www.riigikogu.ee/tegevus/eelnoud/eelnou/c49dabcd-bf38-410a-8eed….
• 7“Meta takistas kapot puudutava ERR-i artikli levitamist, riik eitab seotust [Meta prevented the distribution of the ERR article, the state denies involvement],” ERR, July 8, 2024, https://www.err.ee/1609391524/meta-takistas-kapot-puudutava-err-i-artik….
• 8Estonian Internet Foundation, “Public portal,” accessed March 1, 2022 http://www.internet.ee/en/.

The vast majority of political, social, and cultural content is freely available to users. However, during the coverage period, hundreds of websites remained blocked due to EU sanctions imposed in response to Russia’s brutal invasion of Ukraine, which targeted Russian broadcasting activities and licenses.1 According to information provided by the TTJA, 307 websites and 53 television channels remained blocked in Estonia as of May 2024.2

In March 2022, the EU issued Regulation 2022/350, ordering member states to “urgently suspend the broadcasting activities” of the Russian state-controlled network RT and its RT France, RT Germany, RT Spanish, and RT UK channels, as well as the Russian government’s Sputnik news agency, and block their websites because they “engaged in continuous and concerted propaganda actions targeted at civil society.”3 As of February 2024, two years after the Russian invasion, the EU had adopted 13 packages of sanctions.4 Prolonged sanctions include suspending the distribution of a number of Russian news outlets, including RTR-Planeta, Russia 24, and TV Centre International.5

Restrictions on internet content also include a ban on unlicensed gambling websites (see B3). As of March 2024, the Tax and Customs Board (MTA) had more than 1,800 URLs on its list of illegal online gambling sites that Estonian ISPs are required to block.6

• 1European Council, EU sanctions against Russia explained, accessed June 15, 2023, https://www.consilium.europa.eu/en/policies/sanctions/restrictive-measu…
• 2Official website of the Consumer Protection and Technical Regulatory Authority, accessed June 1, 2024, https://ttja.ee/ariklient.
• 3“COUNCIL REGULATION (EU) 2022/350 of 1 March 2022 amending Regulation (EU) No 833/2014 concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine,” Official Journal of the European Union, Volume 65, March 2, 2022, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2022:065:F….
• 4“Russia: two years after the full-scale invasion and war of aggression against Ukraine, EU adopts 13th package of individual and economic sanctions, European Council, press release February 23, 2024, https://www.consilium.europa.eu/en/press/press-releases/2024/02/23/russ….
• 5European Commission, “Russia's war on Ukraine: EU adopts sixth package of sanctions against Russia,” June 3, 2022, https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2802.
• 6Tax and Customs Board, “Blokeeritud hasartmängu internetileheküljed [Blocked gambling internet pages],” accessed March 18, 2024, https://www.emta.ee/ariklient/registreerimine-ettevotlus/hasartmangukor….

Online content is sometimes removed following a court order, although this is not a widespread issue. Comments on news websites and discussion boards are also sometimes removed by website administrators. Most popular websites have codes of conduct for the responsible and ethical use of their services and enforcement policies that allow certain content to be taken down.

At times, social media content is removed. Between July and December 2023, Facebook restricted access in Estonia to 82 items for alleged violations of local laws and 100 items that violated EU sanctions on Russian state-controlled media.1 Google received five requests from the Estonian government to remove a total of nine pieces of content during that same period, and removed eight of the requested items.2

Russian social media platforms Odnoklassniki (OK) and Vkontakte (VK) are also popular in Estonia, but their parent companies do not release data about content removal requests.

• 1Facebook Transparency Report, “Content restrictions based on local law: Estonia,” accessed March 18, 2024, https://transparency.facebook.com/content-restrictions/country/EE
• 2Google Transparency Report, “Government requests to remove content: Estonia,” accessed March 13, 2023, https://transparencyreport.google.com/government-removals/government-re….

Restrictions on online content are generally transparent and grounded in the law. The Gambling Act, one of the few laws that imposes restrictions, requires domestic and foreign gambling websites to obtain a special license.1 Unlicensed websites are subject to blocking by the MTA (see B1). The MTA’s list of blocked websites is transparent and available to the public.

Under the Information Society Services Act and pursuant to the DSA, which fully entered into force in February 2024,2 service providers are generally not liable for illegal content transmitted by users, with limited exceptions. Online platforms are liable for illegal content if they fail to remove or restrict access to such content once they become aware of it.3

Previous actions have reinforced intermediary liability in certain circumstances. In 2015, the European Court of Human Rights (EctHR) upheld a controversial 2009 Estonian Supreme Court decision in the case of Delfi v. Estonia, which established intermediary liability for third-party defamatory comments on news sites.4 In December 2021, the EU Directive on Copyright in the Digital Single Market (2019/790) was adopted into Estonian law.5 The directive, among other things, establishes ancillary copyright for digital publishers and makes “online content sharing service providers” partially liable for copyright violations on their platforms.6

In January 2024, it was reported that the Ministry of Justice sought to amend Estonian copyright law to allow the TTJA, under certain circumstances, to order ISPs to block websites in Estonia that violate intellectual property rights, even if such content is hosted outside the country.7 The proposal was not enacted by the end of the coverage period.

Estonia adopted the EU Audio-Visual Media Services Directive (AVMSD) (2018/1808)8 in March 2022.9 The AVMSD requires “video-sharing platform services” to take “appropriate measures” to protect minors from content “which may impair their physical, mental or moral development,” and the general public from content involving child sexual abuse, racism, or xenophobia as well as content inciting hatred, terrorism, or violence.10 According to the AVMSD, service providers must apply for a license to operate, submit reports on the structure of the program, and disclose their ownership structure. The regulatory changes mainly affect Estonian audiovisual media service providers.11

The Information Society Services Act, originally enacted in 2004, allows the government to impose unspecified restrictions on foreign-based information society services. Under the law, restrictions on such services are allowed in cases “justified by morality, public order, national security, public health and consumer protection.”12 The law places further conditions on these restrictions, including that they be imposed on a specific service, that they are “proportionate to its purpose,” and that Estonian authorities appeal to the applicable country to impose a restriction before doing so themselves.

The Information Society Services Act permits authorities to block online content in certain circumstances, particularly in the context of Russia’s invasion of Ukraine. Amendments to the act that took effect in August 2022 empower the TTJA to order service providers to block domains containing material that “incites hatred, violence or discrimination” or “incites or justifies war crimes” when such measures are necessary for national security and no other avenues to counter the spread of the information exist.13 According to a government press release, the amendments were meant to “ensure the existence of domestic measures” to restrict content that “is used to shape the attitudes of people living or staying in Estonia as part of informational influence activities directed against Estonia.”14 The law also amended the Cybersecurity Act to update Estonia’s cybersecurity framework (see C8).

Decisions to restrict content can be appealed to the courts. In July 2023, the Administrative Court of Tallinn ruled that the TTJA had the legal mandate to block Russian state-linked domains and television stations, and that the constitutional right to free expression was not harmed by the decision.15

According to Section 51 of Estonia's Media Services Act, the TTJA has the right to prevent the retransmission of a foreign audiovisual media service if it has “harmed the public health and the security of society, including national security and defense.”16 An audiovisual media service is defined by the law as one “with the main purpose of providing informative, educational or entertainment programs to the public via an electronic communication network.”

• 1Riigi Teataja, “Gambling Act,” October 15, 2008, https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/507122016002/consol…
• 2European Commission, “The Digital Services Act,” accessed October 2024, https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/e….
• 3Official Journal of the European Union, “Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act),” European Union law, October 27, 2022, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2065.
• 4Columbia University: Global Freedom of Expression, “Delfi AS v. Estonia,” accessed September 30, 2020, https://globalfreedomofexpression.columbia.edu/cases/delfi-as-v-estonia/.
• 5“Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019,” European Union Law, May 17, 2019, https://eur-lex.europa.eu/eli/dir/2019/790/oj; “Autoriõiguse seaduse muutmise seadus (autoriõiguse direktiivide ülevõtmine),” State Gazette (Riigi Teataja) https://www.riigiteataja.ee/akt/128122021001
• 6“Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019,” European Union Law.
• 7“Amendment would allow watchdog to block access to websites in Estonia,” January 3, 2024, ERR News, https://news.err.ee/1609210951/amendment-would-allow-watchdog-to-block-…
• 8“Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018,” European Union Law, November 28, 2018, https://eur-lex.europa.eu/eli/dir/2018/1808/oj.
• 9State Gazette (Riigi Teataja), https://www.riigiteataja.ee/akt/127022022001.
• 10“Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018,” European Union Law.
• 11Introduction of regulation proposal at the Parliament, accessed May 30, 2022, riigikogu.ee/tegevus/eelnoud/eelnou/4ba650d7-565f-425c-960b-2ed72b05857c/Meediateenuste%20seaduse%20muutmise%20ja%20sellega%20seonduvalt%20teiste%20seaduste%20muutmise%20seadus.
• 12Infoühiskonna teenuse seadus [Information Society Service Act], Parliament of Estonia, revised August 16, 2022, https://www.riigiteataja.ee/akt/InfoTS.
• 13Küberturvalisuse seaduse ja teiste seaduste muutmise seadus [Act to amend the Cybersecurity Act and other Acts], Parliament of Estonia, July 19, 2022, https://www.riigiteataja.ee/akt/106082022002.
• 14“The Riigikogu adopted 12 laws,” Parliament of Estonia, July 19, 2022, https://www.riigikogu.ee/istungi-ulevaated/riigikogu-vottis-vastu-12-se….
• 15BNS, “Kohus jättis Venemaa telekanalitele Eestis seatud keelu kehtima [The court upheld the ban on Russian TV channels in Estonia],” Postimees, July 28, 2023, https://www.postimees.ee/7823383/kohus-jattis-venemaa-telekanalitele-ee….
• 16Riigi Teataja, “Media Services Act,” December 16, 2010, https://www.riigiteataja.ee/akt/115062022003.

In general, self-censorship is not prevalent, and online debates are active and open.

Estonians value freedom of speech highly. According to a Eurobarometer survey conducted in March 2023, Estonians believe that protecting freedom of speech should be one of the most important priorities of the European Parliament.1

Reporters Without Borders’ 2024 Press Freedom Index ranks Estonia as the sixth freest country out of 180 measured. Press freedom is guaranteed in both legal and political spheres. However, journalists may self-censor in response to cyberbullying or because of potential penalties from antidefamation legislation (see C2). According to the report, online threats by private individuals have increased, though police tend to be notified of and investigate the most serious instances.2

• 1Eurobarometer, “EP Spring 2023 Survey: Democracy in action - One year before the European elections: Estonia,” published June 2023, https://europa.eu/eurobarometer/surveys/detail/3093.
• 2Reporters Without Borders, “Estonia”, accessed June 2024, https://rsf.org/en/country/estonia.

Manipulation of the online information landscape continued during the coverage period, especially concerning Russia’s full-scale invasion of Ukraine. Soon after the invasion, false information about Ukrainians attacking Russians in Estonia was shared across Facebook and Instagram.1 In August 2022, Estonian authorities acknowledged that the spread of disinformation, which often sought to stigmatize Ukrainian refugees living in the country, had increased significantly since the invasion, particularly on Telegram.2

Russian information campaigns have historically sought to manipulate public opinion in Estonia.3 A post spread on social media in March 2024 used statistics published on the Russian Ministry of Defence’s Telegram channel to falsely claim that Estonia had sent 190 “mercenaries” to fight in Ukraine. Though the post had limited reach, fact-checkers labelled it as “Russian propaganda.”4

Generally, disinformation is evident in online channels. In September 2020, the Global Disinformation Index (GDI) found that one quarter of Estonian media sites presented a high risk of spreading disinformation to their online readers. Some of these sites were based in Russia, and they were not part of Estonia’s mainstream media market.5

• 1Silver Tambur and Sten Hankewitz, “Fake news about Ukrainians attacking Russians in Estonia circulate in social media, while Russia warns the Baltics,” Estonian World, March 5, 2022, https://estonianworld.com/security/fake-news-about-ukrainians-attacking….
• 2Ervin Hainla, “Police in Estonia fending off info operations targeting Ukrainian,” ERR, August 27, 2022, https://news.err.ee/1608697378/police-in-estonia-fending-off-info-opera….
• 3Estonian Internal Security Service (KAPO), “Annual Review 2019/20,” accessed September 30, 2020, https://www.kapo.ee/sites/default/files/public/content_page/Annual%20Re….
• 4Kaili Malts, “FAKTIKONTROLL | Eesti ei ole sõdureid Ukrainasse saatnud - tegemist on Vene propagandaga [FACT CHECK | Estonia has not sent soldiers to Ukraine - this is Russian propaganda],” Delfi, March 25, 2024, https://epl.delfi.ee/artikkel/120280462/faktikontroll-eesti-ei-ole-sodu….
• 5“The Online News Market in Estonia ,” Global Disinformation Index, September 30, 2020, https://www.disinformationindex.org/country-studies/2020-9-30-the-onlin….

There are few economic or regulatory barriers to posting content online. News websites do not need to register with the government to operate.1

In line with the EU, Estonia supports net neutrality. Providers found to be in violation can be fined up to €9,600 ($10,492).2 Estonia has not implemented separate rules on net neutrality and follows the EU’s regulatory framework on open internet access and user rights relating to electronic communications networks and services.3 The TTJA regularly analyzes the ICT market for zero-rating plans exempting certain websites or applications from data charges that may violate net neutrality, along with other net neutrality infractions; the TTJA’s latest report, in 2022, did not identify any violations.4

• 1Halliki Harro-Loit and Urmas Loit, “Estonia,” Centre for Media Pluralism and Freedom, December 2016, http://cmpf.eui.eu/media-pluralism-monitor/mpm-2016-results/estonia/.
• 2Ali Al-Awadi, Andreas Czák, Ludger Benedikt Deffaa, Benedikt Gollatz, Cornelia Hoffmann, Thomas Lohninger, and Erwin Ernst Steinhammer, “The Net Neutrality Situation in the EU: Evaluation of the First Two Years of Enforcement,” Epicenter Works, January 29, 2019 https://epicenter.works/sites/default/files/2019_netneutrality_in_eu-ep….
• 3European Commission, “Annual country reports on Open internet from national regulatory authorities – 2022,” September 22, 2022, https://digital-strategy.ec.europa.eu/en/library/annual-country-reports….
• 4Ibid.

A diverse range of content is available online. While journalists have raised concerns that media ownership in Estonia remains concentrated, which could limit the diversity of online content, they have also noted that Estonia’s information landscape remains robust for a country of its size.1

In recent years, Estonians have formed initiatives to counteract false narratives and improve the reliability of the online information space (see B5). Propastop, a volunteer-led effort established in 2016,2 aims to improve Estonia’s “information space security” by publicly correcting false and biased information in the media, including inaccurate information shared online.3 While such outlets do commendable work, they have yet to become part of mainstream media consumption in Estonia.

Knowledge of foreign languages among Estonians is high, which facilitates access to diverse content.4

• 1Maxence Grunfogel, “Feature: Estonian media landscape and freedom of the press over the years,” ERR News, June 22, 2022, https://news.err.ee/1608636865/feature-estonian-media-landscape-and-fre….
• 2BNS, “Propastop awarded European Citizen's Prize,” Postimees, June 29, 2023, https://news.postimees.ee/7805189/propastop-awarded-european-citizen-s-….
• 3“What is Propastop?” Propastop, accessed October 2024, https://www.propastop.org/eng/2017/03/06/what-is-propastop/.
• 4“Estonia Ranks High for English Proficiency,” Study In Estonia, November 9, 2015, https://web.archive.org/web/20180411095606/http://www.studyinestonia.ee…

Estonians use social media platforms to share news and information, as well as to generate public discussion about current political issues. No restrictions to online mobilization tools were put in place during the coverage period.

In 2014, the official platform Rahvaalgatus.ee was launched, enabling people to compile petitions, send them to the parliament if they gather at least 1,000 digital signatures, and monitor lawmakers’ responses.1 As of March 2024, 471 petitions had been launched, of which 223 gathered the necessary support to be sent to the parliament or local governments.2 By law, petitions aimed at local governments must gather signatures from at least 1 percent of residents in a given locality to warrant official consideration by the local council.3 By March 2024, over 750,000 authenticated digital signatures had been collected in support of petitions.4

• 1“Sul on mõte, kuidas ühiskonnaelu parandada? [Do you have an idea how to improve society?],” Rahvaalgatus, accessed March 1, 2023, https://rahvaalgatus.ee/.
• 2“Sul on mõte, kuidas ühiskonnaelu parandada? [Do you have an idea how to improve society?],” Rahvaalgatus, accessed March 7, 2024, https://web.archive.org/web/20240307214431/https://rahvaalgatus.ee/.
• 3Kohaliku omavalitsuse korralduse seadus, https://www.riigiteataja.ee/akt/130122015082.
• 4“Sul on mõte, kuidas ühiskonnaelu parandada? [Do you have an idea how to improve society?],” Rahvaalgatus, accessed March 7, 2024, https://web.archive.org/web/20240307214431/https://rahvaalgatus.ee/.

All citizens have the constitutional rights to freely obtain information and to freely disseminate ideas, beliefs, and facts.1 There are no obstacles to people exercising their right to freedom of expression online.

The judiciary in Estonia is independent, and there have not been any instances of political interference with the judiciary. According to the 2023 EU Justice Scoreboard, 64 percent of Estonians trust the independence of the judiciary, an increase from the 60 percent recorded in the previous year’s survey.2

In June 2023, the Estonian Supreme Court ruled that it was unconstitutional for an Estonian detention center to ban detained asylum seekers from using personal communications devices, confirming a March 2023 administrative court decision. The Estonian Human Rights Centre, which initiated the case, argued that the restrictions on internet access violated the asylum seekers’ rights to freedom of expression and access to information.3

In March 2022, the parliament adopted amendments to the Public Sector Information Act submitted by the Ministry of Justice. The amendments align Estonian law with the EU’s revised Public Sector Information Directive (2019/1024), which governs public access to state data.4

Protections for journalists, which include the right to the confidentiality of sources, are strong.5

• 1“Constitution of the Republic of Estonia,” Republic of Estonia, accessed February 7, 2022, https://www.president.ee/en/republic-of-estonia/the-constitution/.
• 2European Commission, “The 2023 EU Justice Scoreboard,” 2023, https://commission.europa.eu/document/download/db44e228-db4e-43f5-99ce-….
• 3Kertu Tuuling, Mari-Liis Vähi, and Uljana Ponomarjova, “Fundamental rights must be ensured for international protection applicants,” Estonian Human Rights Centre, June 20, 2023, https://humanrights.ee/en/2023/03/fundamental-rghts-must-be-ensured-for….
• 4Parliament of Estonia, ”Avaliku teabe seaduse muutmise seadus 409 SE", 2021, https://www.riigiteataja.ee/akt/110032022004?leiaKehtiv; Riigi Teataja, “Public Sector Information Act,” November 15, 2000, https://www.riigiteataja.ee/en/eli/ee/514112013001/consolide/current; “Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019,” European Union Law, June 26, 2019, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1561563110433&uri=C….
• 5Ieva Azanda, Mogens Blicher Bjerregård, Jüri Estam, Ilze Jaunalksne, Allen-Illimar Putnik, “Of the Rights and Responsibilities of the Journalist,” Re:Baltica and the Centre for Media Studies of the Stockholm School of Economics, 2018, https://www.sseriga.edu/sites/default/files/inline-files/estonian_legal….

On paper, there are few limits on freedom of expression online. Speech that publicly incites hatred, violence, or discrimination on the basis of nationality, race, color, gender, language, origin, religion, sexual orientation, political opinion, or financial or social status, and that results in danger to the life, health, or property of a person, is punishable by a fine of up to €3,200 ($3,497) under the penal code.1 Such speech is also punishable by up to three years in prison if it leads to the “death of a person or results in damage to health or other serious consequences.”

Defamation was decriminalized in 2002.2 Civil defamation cases can be brought under the Law of Obligations Act,3 though damages are usually moderate (see C3).4

Following Estonia’s March 2023 parliamentary elections, the new governing coalition said that it planned to implement stronger legal penalties for hate speech as part of its coalition agreement.5 A bill to do so, which would broaden the conditions under which hate speech would be criminalized in the penal code,6 was introduced in the parliament in June 2023 and passed its first reading in September 2023.7 The European Commission had brought infringement proceedings against Estonia in January 2023 because, in its view, the country had not transposed EU hate speech regulations into national law.8 Debate on the so-called hate speech bill remained ongoing after the end of the coverage period.9

• 1Riigi Teataja, “Penal Code,” Article 151, June 6, 2001, https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/519012017002/consol….
• 2The amended penal code was adopted in 2001 and entered into force in 2002.
• 3Riigi Teataja, “Law of Obligations Act,” September 26, 2001, https://www.riigiteataja.ee/en/eli/524012017002/consolide.
• 4Cases from the Estonian Supreme Court are available here: http://www.nc.ee/?id=194.
• 5“Läbirääkijad tahavad karmistada vaenukõne ja konkurentsireegleid [Negotiators want to tighten the rules on hate speech and competition],” ERR News, March 13, 2023, https://www.err.ee/1608913613/labiraakijad-tahavad-karmistada-vaenukone….
• 6“Government approves hate speech draft bill,” ERR News, June 8, 2023, https://news.err.ee/1609001696/government-approves-hate-speech-draft-bi….
• 7“Hate speech law will not come up for second reading before spring,” ERR News, December 21, 2023, https://news.err.ee/1609201735/hate-speech-law-will-not-come-up-for-sec….
• 8Johannes Tralla, “Jourova: Estonia, EU must find a common hate speech definition together,” ERR News, January 30, 2023, https://news.err.ee/1608868607/jourova-estonia-eu-must-find-a-common-ha….
• 9“Vox populi of political parties ⟩ Liisa Pakosta on hate speech: these descriptors have also historically been used to inflame people to kill one another [Vox populi of political parties ⟩ Liisa Pakosta on hate speech: these descriptors have also historically been used to inflame people to kill one another],” Postimees, August 28, 2024, https://news.postimees.ee/8085735/vox-populi-of-political-parties-liisa….

There were no criminal convictions or detentions for online activities reported during the coverage period.

In January 2024, it was reported that Tarmo Tamm, a member of the parliament, had sued the digital outlet Äripäev in 2023 for allegedly publishing false accusations about him. The outlet had reported on several allegations involving Tamm, including his work on a parliamentary environmental committee and his alleged involvement in conservation-related scandals.1 There were no additional updates on the case reported before the end of the coverage period.

Previously, in April 2022, two Eesti Ekspress journalists, Tarmo Vahter and Sulev Vedler, were fined €1,000 ($1,093) each for publishing an article about alleged money laundering conducted by managers of a major Swedish bank. Eesti Ekspress was also fined.2 The decision prompted pushback from both private and public media organizations in Estonia, as well as from several public officials.3 In June 2022, the fines were dismissed by an appeals court,4 a decision that was later upheld by the Supreme Court in January 2023.5

A previous defamation case concerning two journalists in 2018 prompted the Estonian Data Protection Inspectorate (AKI) to call for “all authors operating in the public sphere,” including social media users, to abide by journalistic principles “when publishing current, social or other public interest texts.”6

• 1“Eesti 200 poliitik läks Äripäeva vastu kohtusse [Estonia's 200 politicians went to court against Äripää],” Äripäev, January 6, 2024, https://www.aripaev.ee/saated/2024/01/07/eesti-200-poliitik-laks-aripae….
• 2“Journalists fined over Swedbank piece raises Estonia press freedoms worries,” ERR News, May 5, 2022, https://news.err.ee/1608587308/journalists-fined-over-swedbank-piece-ra….
• 3“Journalists fined over Swedbank piece raises Estonia press freedoms worries”, ERR News, May 5, 2022, https://news.err.ee/1608587308/journalists-fined-over-swedbank-piece-ra…; “Kallas: the press must be able to work freely” [in Estonian], ERR News, May 5, 2022, https://www.err.ee/1608587611/kallas-ajakirjandus-peab-saama-vabalt-too….
• 4Committee to Protect Journalists, “Two Estonian journalists fined over article on money laundering,” May 18, 2022 (updated June 14, 2022), https://cpj.org/2022/05/two-estonian-journalists-fined-over-article-on-….
• 5”Riigikohus keeldus Ekspressi ajakirjanike trahvimisest [Supreme Court refuses to fine Ekspress journalists],” Eesti Ekspress, January 31, 2023, https://ekspress.delfi.ee/artikkel/120136226/riigikohus-keeldus-ekspres….
• 6“Kohtuotsus sõnavabaduse vastutusest” [Judgment on liability for freedom of expression], Data Protection Inspectorate, November 19, 2019, https://www.aki.ee/et/uudised/kohtuotsus-sonavabaduse-vastutusest.

There are no governmental restrictions on anonymous communication or encryption, and no SIM card registration requirements.1 The Ministry of the Interior shelved plans to mandate real-name registration for prepaid SIM cards in December 2023 after the proposal raised privacy concerns, with the ministry’s internal security undersecretary saying that it was not “justified at this stage.”2

Some major news sites have limited anonymous commenting on their articles in reaction to the establishment of intermediary liability for third-party defamatory comments on internet news portals (see B3).

• 1Privacy International, “Timeline of SIM Card Registration Laws,” June 11, 2019, https://privacyinternational.org/long-read/3018/timeline-sim-card-regis….
• 2“Interior abandons plan to ban non-personalized prepaid SIM cards,” ERR News, December 21, 2023, https://news.err.ee/1609202272/interior-abandons-plan-to-ban-non-person….

Score Change: The score declined from 6 to 5 due to a lack of transparency about the government’s procurement and use of commercial products that allow for intrusive surveillance.

Historically, government surveillance has not been intrusive, and the constitution guarantees the right to the confidentiality of messages sent or received.1 Reporting has indicated that authorities have acquired invasive surveillance technologies in recent years, though the extent to which these technologies are used remains unclear.

The Estonian legal framework includes robust safeguards against intrusive surveillance. Parliament’s Security Authorities Surveillance Select Committee oversees surveillance and security agencies. The committee monitors the activities of these bodies to ensure conformity with the constitution, the Security Authorities Act,2 and other regulations, which include necessity and proportionality requirements. Additionally, Chancellor of Justice Ülle Madise, who serves as the state ombudsperson, verifies the lawful operation of state agencies that organize the interception of phone calls and conversations, surveil correspondence, and otherwise covertly collect, process, and use personal data. The chancellor’s most recent annual report, analyzing surveillance files opened by the Estonian Internal Security Service (KAPO) between 2020 and 2022, found that the agency’s surveillance activities were conducted with due authorization and in accordance with the law.3

The Office of the Prosecutor General monitors surveillance activities and reports regularly to the parliamentary select committee. In its annual report for 2023, the prosecutor’s office disclosed that law enforcement bodies had been granted permission to use surveillance tools in 999 cases; 47 percent were granted by courts and 53 percent by the prosecutor’s office. Wiretapping was authorized in 378 cases.4

While the Estonian Defence Forces are legally authorized to conduct surveillance in certain circumstances,5 the Chancellor of Justice reported that the Military Police have not done so in recent years because “there has been no need for this.”6

It is suspected that the Estonian government has access to Pegasus spyware, a surveillance tool developed by the Israel-based company NSO Group. The New York Times reported that the government began negotiations to purchase Pegasus in 2018. The following year, the Israeli Ministry of Defense prohibited Estonian authorities from using Pegasus to target Russian devices, but there is no indication that Israel prevented the spyware’s sale to Estonia altogether.7

During the coverage period, a May 2024 joint investigation by Access Now, the Citizen Lab, and independent expert Nikolai Kvantaliani served as further confirmation that Estonian authorities had acquired Pegasus. The investigation documented seven EU-based Belarusian, Israeli, Latvian, and Russian journalists and activists who were targeted with Pegasus. While the report did not confirm that the Estonian government was responsible, the Citizen Lab noted that “Estonia does appear to use Pegasus extensively outside their borders, including within multiple European countries.”8

Responding to the May 2024 investigation, Ants Frosch, the former head of the Estonian Foreign Intelligence Service (VLA), said it was “conceivable” that foreign intelligence agencies would ask Estonian authorities to conduct surveillance on their behalf, but claimed that the allegations were “pure speculation.”9 Harrys Puusepp, the head of bureau at KAPO, would neither confirm nor deny that Estonia is a Pegasus user, instead emphasizing “that Estonia is a state governed by the rule of law.”10

A December 2020 investigation by Citizen Lab identified the Estonian government as a likely client of Circles, a surveillance company that allows customers to monitor calls, texts, and cell phone geolocation by exploiting weaknesses in mobile telecommunications infrastructure.11 Following the revelation, the Ministry of Defence refused to comment.12

• 1“Constitution of the Republic of Estonia,” Republic of Estonia.
• 2Riigi Teataja, “Security Authorities Act,” December 20, 2000, https://www.riigiteataja.ee/en/eli/ee/522032019003/consolide/current.
• 3Chancellor of Justice, “Chancellor’s Year in Review 2022/2023: Security,” accessed October 2024, https://www.oiguskantsler.ee/annual-report-2023/security.
• 4Prokuratuuri aastaraamatud, “Kriminaalmenetluste statistika” [Statistics of criminal proceedings], 2023, https://aastaraamat.prokuratuur.ee/prokuratuuri-aastaraamat-2023/krimin….
• 5Riigi Teataja, “Estonian Defence Forces Organisation Act,” as amended July 1, 2024, https://www.riigiteataja.ee/en/eli/ee/512062020001/consolide/current.
• 6Chancellor of Justice, “Chancellor’s Year in Review 2022/2023: Security,” accessed October 2024, https://www.oiguskantsler.ee/annual-report-2023/security.
• 7Ronen Bergman and Mark Mazzetti, “Israel, Fearing Russian Reaction, Blocked Spyware for Ukraine and Estonia,” The New York Times, March 23, 2022, https://www.nytimes.com/2022/03/23/us/politics/pegasus-israel-ukraine-r….
• 8Natalia Krapiva, Anastasiya, Rand, “Exiled, then spied on: Civil society in Latvia, Lithuania, and Poland targeted with Pegasus spyware,” Access Now, May 30, 2024, https://www.accessnow.org/publication/civil-society-in-exile-pegasus/.
• 9“No evidence Estonian state monitoring Russian dissidents via Israeli-made spyware,” ERR, June 1, 2024, https://news.err.ee/1609359143/no-evidence-estonian-state-monitoring-ru….
• 10Ibid.
• 11Bill Marczak, John Scott-Railton, Siddharth Prakash Rao1, Siena Anstis, and Ron Deibert, “Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles,” The Citizen Lab, December 1, 2020, https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients….
• 12Vijar Voog, “LUURESÜSTEEM PALJASTATUD? Eestist leiti jälg programmist, mis positsioneerib su telefoni sekunditega! [INTELLIGENCE SYSTEM DISCOVERED? A trace was found in Estonia from a program that positions your phone in seconds!],” Digileht, December 3, 2020, https://digileht.ohtuleht.ee/1019480/luuresusteem-paljastatud-eestist-l….

Estonia has strong laws protecting citizens’ personal information, although service providers are mandated to retain user data. The General Data Protection Regulation (GDPR) (2016/679), which came into force in all EU member states in May 2018,1 puts limits on how interested parties can use and store Estonians’ data.

Estonia’s Personal Data Protection Act (PDPA) was amended in 2018 and entered into force in January 2019.2 The law contains the provisions left by the GDPR to EU member states' legislation, which includes certain exceptions like those identifying instances when the media can use personal data if it is in the public interest. Laws regulating databases and data collection by public and private registries were also updated during this process. The AKI is the supervisory authority for the PDPA.3 A February 2023 assessment by the National Audit Office found that officials’ access to two databases operated by the Social Insurance Board, which oversees social security benefits, was too broad, creating potential for misuse.4

Service providers are required to collect and retain a substantial amount of metadata. These requirements were established under the Electronic Communications Act, which aligned with EU legislation. They were cast into doubt by the Court of Justice of the European Union (CJEU) in 2014, when the court found the European Data Retention Directive (2006/24/EC) to be invalid.5 More recently, an April 2022 ruling by the CJEU found that the “general and indiscriminate retention” of communications data to combat “serious crime” is against EU law.6 Though Estonian telecommunications companies have continued to store metadata within the confines of existing law, the Ministry of the Interior has said that judicial authorization is now required for investigators to access such data.7

Article 111 of the Electronic Communications Act outlines various restrictions on how this data can be stored and used.8 It requires data to be kept for one year, unless there are special circumstances determined by the government that justify keeping it longer, such as maintaining public order and national security. Article 112 regulates how requests by law enforcement authorities or other agencies can be made in relevant situations, such as criminal investigations, as provided by law. These requests for data are kept by the requesting agency for two years. Article 112 also stipulates that operators shall inform the TTJA of requests made and measures undertaken.

The Electronic Communications Act has been criticized for allowing requests for metadata in too many situations. While Estonia’s chancellor of justice has found that the system does not contradict constitutional guarantees, the office has questioned the proportionality of the law.9 Pursuant to the Electronic Communications Act, the Cybersecurity Act also requires companies to monitor communications, mainly to ensure the security of their own systems; companies are required to inform the RIA of “actions or software compromising the security of the system.”10

The chancellor of justice can make suggestions regarding data protection. In her 2022 annual report, the chancellor of justice noted that her office’s earlier proposals to better protect the fundamental rights of Estonians during surveillance operations had been implemented by authorities (see C5).11

• 1Riigi Teataja, “Isikuandmete kaite seadus [Personal Data Protection Act],” December 12, 2018, https://www.riigiteataja.ee/akt/104012019011.
• 2Publications Office of the European Union, “Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016,” April 27, 2016, https://publications.europa.eu/en/publication-detail/-/publication/3e48…
• 3Republic of Estonia: Data Protection Inspectorate, “1 year GDPR – taking stock,” accessed September 30, 2020, https://www.aki.ee/en.
• 4“Riigikontroll: ametnikud saavad SKA andmekogudes liiga vabalt surfata [National Audit Office: officials can surf SKA datasets too freely],” ERR News, February 9, 2023, https://www.err.ee/1608878741/riigikontroll-ametnikud-saavad-ska-andmek….
• 5European Court of Justice, “Digital Rights Ireland Ltd (C-293/12) and Kärntner Landesregierung (C-594/12),” InfoCuria Case-law, April 8, 2014, http://curia.europa.eu/juris/document/document.jsf?docid=150642&doclang….
• 6Court of Justice of the European Union, Press Release No 58/22, April 5, 2022, https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-04/cp2200….
• 7“Estonian state continuing to collect personal telecoms data,” ERR News, August 4, 2023, https://news.err.ee/1609052825/estonian-state-continuing-to-collect-per….
• 8Riigi Teataja, “Electronic Communications Act,” December 8, 2004, https://www.riigiteataja.ee/en/eli/ee/Riigikogu/act/521052020003/consol….
• 9Chancellor of Justice, “Elektroonilise side seaduse § 1111 alusel sideandmete töötlemise põhiseaduspärasus” [Constitutionality of processing of communications data under § 1111 of the Electronic Communications Act], April 22, 2016, https://www.oiguskantsler.ee/sites/default/files/field_document2/elektr….
• 10Riigi Teataja, “Cybersecurity Act,” May 9, 2018, https://www.riigiteataja.ee/en/eli/523052018003/consolide.
• 11Chancellor of Justice, “Chancellor*s Year in Review 2021/2022: Security,” accessed March 13, 2023, https://www.oiguskantsler.ee/annual-report-2022/security.

There have been no registered physical attacks against users or online journalists, though online discussions are sometimes inflammatory. Both critics and supporters of the far-right Conservative People’s Party of Estonia (EKRE) have faced online harassment, including threats of violence, for their views.1 Online harassment can be reported to social media administrators or to the police, which has a designated web patrol unit with a presence on Facebook.2 Cyberbullying remains a particular concern for young people in Estonia.3

In recent years, several defamation cases have incited public debate on the accepted code of conduct in the digital space and the appropriate sanctioning for breaches such as verbal threats, intimidation, and harassment.4

In October 2020, the European Commission launched infringement proceedings against Estonia, as the country had not criminalized public incitement to violence or hatred directed at vulnerable groups.5 After the Commission sent another notice to Estonia in January 2023,6 a proposal to broaden the criminalization of hate speech remained under consideration during the current coverage period (see C2).

• 1Shaun Walker, “Racism, sexism, Nazi economics: Estonia's far right in power,” Guardian, May 21, 2019, https://www.theguardian.com/world/2019/may/21/racism-sexism-nazi-econom…; “Police: We take threats very seriously,” ERR News, 21 November 2019, https://news.err.ee/1005278/police-we-take-threats-very-seriously.
• 2Council of Europe, “Reporting in Estonia: National reporting procedures for cyberbullying, hate speech and hate crime,” accessed September 30, 2020, https://rm.coe.int/estonia-nationalreporting-en/pdf/16808a36c3.
• 3Andres Reimann, “In Estonia, almost every tenth child suffers from repeated bullying,” ERR, April 18, 2024, https://novaator.err.ee/1609317114/eestis-kannatab-korduvkiusamise-all-….
• 4“Court to hear radio presenter's slander claim against petition organizer,” ERR News, August 12, 2020, https://news.err.ee/1123055/court-to-hear-radio-presenter-s-slander-cla….
• 5“Prosecutor general: I oppose the criminalization of hate speech,” ERR News, February 17, 2021, https://news.err.ee/1608112696/prosecutor-general-i-oppose-the-criminal….
• 6European Commission, “January Infringements package: key decisions,” January 25, 2023, https://ec.europa.eu/commission/presscorner/detail/en/inf_23_142.

Estonia is well-regarded for its commitment to cybersecurity and has developed effective resilience strategies in recent years.1 Despite this, cyberattacks pose an ongoing threat to government agencies and private entities.

Cyberattacks originating from Russia have intensified following Russia’s full-scale invasion of Ukraine,2 though the attacks’ impact has been limited by their low level of sophistication and by countermeasures taken by Estonian cybersecurity specialists. In March 2024, a few dozen websites belonging to governmental entities, including the Ministry of Justice and the Police and Border Guard Board, were targeted by what was reportedly “the largest wave” of distributed denial-of-service (DDoS) attacks that Estonia had experienced to that point. According to the RIA, successful countermeasures limited the impact of the cyberattack, which authorities attributed to pro-Kremlin actors, to only “brief disruptions” or slower connections to the targeted sites.3

During the previous coverage period, in August 2022, the Russian hacker group Killnet claimed responsibility for a DDoS attack against more than 200 public and private institutions in Estonia. Estonian authorities said the cyberattack was repelled and targeted websites remained available “with some brief and minor exceptions.”4 In March 2024, the RIA warned that DDoS attacks, many of them politically motivated, were likely to continue over the next year and were becoming more technically sophisticated.5

Private entities, including in the health-care sector, have also been targeted by recent cyberattacks. In November 2023, the genetic testing company Asper Biogene reported to authorities that 33 GB of personal data—encompassing 100,000 data items belonging to 10,000 people, including paternity and fertility tests—had been compromised in a cyberattack.6 It was reported in October 2023 that one quarter of family medical centers in Estonia have faced cyberattacks, with an even greater number failing to meet cybersecurity requirements.7

Estonia’s cybersecurity strategy is built on strong private-public collaboration and a unique voluntary structure through the Estonian Defence League’s Cyber Defence Unit.8 In November 2023, members of the RIA’s “cyber reserve”—which includes the Estonian Defence League’s unit—held a training exercise that simulated a cyberattack against a telecommunications company and an electricity provider.9

As an additional measure to ensure the security of public electronic data, Estonia established the first of several planned “data embassies” in 2019. This first embassy, based in Luxembourg, stores servers containing public data and information systems critical to the functioning of the state, including Estonia’s state gazette, land registry, and business register, that are accessible via the cloud. This enables the Estonian state to function in the event of a cyberattack or other political crisis within the country that could endanger data stored on servers within its national borders.10 The bilateral agreement between the two governments to establish the embassy was signed in June 2017 and it was ratified by both parliaments. The data embassy is granted the same privileges bestowed upon traditional embassies.11

The Cybersecurity Act implements the Network and Information System Directive on measures for a high common level of security of network and information systems.12 It includes requirements to have a computer security incident response team (CSIRT) and a competent national network and information security (NIS) authority (which Estonia already had) and strengthens cooperation among EU member states. Businesses identified as operators of essential services are required to take appropriate security measures and to notify relevant national authorities of serious incidents.13

In July 2022, the parliament approved amendments to the Cybersecurity Act that designate the TTJA as the national cybersecurity certification authority and allow the government to implement additional cybersecurity regulations,14 including the Estonian Information Security Standard (E-ITS).15 The law, which entered into force in August 2022, also amends the Information Society Services Act to enable the TTJA to restrict online content (see B3).

The North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Center of Excellence (CCDCOE) is located in Tallinn.16 Since its founding in 2008, the center has supported awareness campaigns and academic research and has hosted several high-profile conferences, among other activities. The center organizes an annual International Conference on Cyber Conflict (CyCon), bringing together international experts from governments, the private sector, and academia with the goal of ensuring the development of a free and secure internet.

• 1”National Cyber Security Index,” e-Governance Academy, accessed May 19, 2023, https://ncsi.ega.ee/ncsi-index/?order=rank.
• 2“Luukas Ilves: Vene kübervõimekus on kõva, aga mitte võitmatu [Luukas Ilves: Russian cyber capability is strong, but not invincible],” ERR News, April 27, 2022, https://www.err.ee/1608579442/luukas-ilves-vene-kubervoimekus-on-kova-a….
• 3“Estonia's state institutions hit by largest cyberattack to date,” Postimees, March 11, 2024, https://news.postimees.ee/7977286/estonia-s-state-institutions-hit-by-l….
• 4Andrius Sytas, “Estonia says it repelled major cyber attack after removing Soviet monuments,” Reuters, August 18, 2022, https://www.reuters.com/world/europe/estonia-says-it-repelled-major-cyb…; Pascale Davies, “Estonia hit by 'most extensive' cyberattack since 2007 amid tensions with Russia over Ukraine war,” Euronews, August 18, 2022, https://www.euronews.com/next/2022/08/18/estonia-hit-by-most-extensive-….
• 5Valner Väino and Reene Leas, “Watchdog forecasts uptick in cyberattacks in Estonia,” ERR News, March 6, 2024, https://news.err.ee/1609273686/watchdog-forecasts-uptick-in-cyberattack….
• 6“Paternity and fertility tests among data stolen in Asper Biogene cyberattack,” ERR News, December 15, 2023, https://news.err.ee/1609195705/paternity-and-fertility-tests-among-data….
• 7Rene Kundla, “Estonia’s family medicine centers struggle to meet cybersecurity standards,” ERR News, October 23, 2023, https://news.err.ee/1609142291/estonia-s-family-medicine-centers-strugg….
• 8Ministry of Economic Affairs and Communication, “Cyber Security Strategy 2014-2017,” 2013, https://www.mkm.ee/sites/default/files/cyber_security_strategy_2014-201….
• 9“Major cyber exercise tested country’s cyber reserve”, November 11, 2023, https://news.err.ee/1609162126/major-cyber-exercise-tested-country-s-cy…
• 10e-Estonia, “Data Embassy,” accessed October 2023, https://e-estonia.com/solutions/e-governance/data-embassy/.
• 11Riigikogu, “Majanduskomisjon toetab andmesaatkonna rajamist Luksemburgi” [The Committee of Economic Affairs supports the establishment of a data embassy in Luxembourg], February 13, 2018, https://www.riigikogu.ee/pressiteated/majanduskomisjon-et-et/majandusko….
• 12Riigikogu, “Küberturvalisuse seadus 597 SE” [Cybersecurity Act 597 SE], May 9, 2018, https://www.riigikogu.ee/tegevus/eelnoud/eelnou/61815f7a-1025-4aea-9b0e….
• 13“The Directive on security of network and information systems (NIS Directive),” European Commission, July 15, 2019 https://ec.europa.eu/digital-single-market/en/network-and-information-s….
• 14Küberturvalisuse seaduse ja teiste seaduste muutmise seadus [Act to amend the Cyber ​​Security Act and other Acts], Parliament of Estonia, July 19, 2022, https://www.riigiteataja.ee/akt/106082022002.
• 15“Estonian information security standard (E-ITS),” Republic of Estonia, accessed October 2023, https://www.ria.ee/en/cyber-security/management-state-information-secur….
• 16“About us,” Cooperative Cyber Defence Center of Excellence, accessed October 2024, https://ccdcoe.org/about-us/.