Quick guide: common standards and certifications in the world of information security

By: Doris Matteus

The field of information security has lately come to resemble a labyrinth of abbreviations: NIS2, DORA, ISO 27001, E-ITS, SOC 2. This guide therefore offers brief advice on how to navigate information security regulations, standards, audits, and certifications.

Companies rightfully ask:

  • What do we actually need to do?
  • What is mandatory and what simply adds business value?
  • What adds greater business value?

Below is a brief overview of the main information security requirements and frameworks currently most talked about in Estonia and the European Union.

NIS2: European Union Cybersecurity Directive

What is it?

A mandatory cybersecurity directive in the European Union that sets requirements for providers of critical and essential services. It needs to be transposed into local legislation to take effect. Estonia has not yet transposed NIS2, but there is a draft amendment to the Cybersecurity Act (KÜTS) that plans to do so.

Who does it apply to?

The public sector and private sector companies operating in areas such as energy, healthcare, cloud services, digital infrastructure, etc. The exact information on who these requirements will apply to in Estonia will be finalized after the amendment of KÜTS.

Is it mandatory?

Yes, for institutions and companies listed in the Cybersecurity Act, compliance is mandatory. However, it is important to remember that NIS2 does not apply to Estonian companies directly, but only through KÜTS.

Is an audit required?

Mostly yes. In addition, the Information System Authority (RIA) conducts supervision, meaning it can also audit, inspect, and request information.

Why is the answer mostly yes? Because it is up to the member state to decide. In Estonia, there are two options for complying with NIS2 requirements:

  • Implement the Estonian information security standard E-ITS and audit it. Micro-enterprises are exempt from the audit obligation.
  • Implement the information security management standard ISO/IEC 27001 and submit the certificate to RIA. The certificate must show that the scope of ISO 27001 covers the scope of E-ITS, i.e., all business processes necessary for providing essential/important services in the sense of NIS2/KÜTS.

Result: Compliance with the requirements, which must be demonstrable. If the requirements are not met, fines and injunctions may follow.

DORA: Digital Operational Resilience in the Financial Sector

What is it?

A European Union regulation that governs the assurance of digital operational resilience in the financial sector.

Who does it apply to?

Banks, insurers, investment firms, payment service providers, and even some ICT service providers to the financial sector (e.g., cloud service providers).

Is it mandatory?

Yes.

Is an audit required?

DORA does not explicitly require an audit. However, supervision can be conducted by the Financial Supervision Authority and other supervisory authorities. Depending on the company's role and size, DORA may require technical resilience tests (e.g., threat-led penetration testing) and documented assessments by third parties.

Note! For companies providing information and communication technology services to the financial sector, the fact that their client must comply with DORA requirements may mean the need to demonstrate their own compliance. Independent audits and tests, as well as issued reports and/or certificates (e.g., ISO 27001, SOC 2, penetration tests), help in demonstrating compliance.

Result: Compliance with the requirements, which must be demonstrable. If the requirements are not met, fines and injunctions may follow.

E-ITS: Estonian Information Security Standard

What is it?

A national standard in Estonia that sets requirements for information security.

Who does it apply to?

Mainly to the public sector and providers of services essential for the functioning of society (healthcare, communications, supply of medicines and fuel, etc.).

Is it mandatory?

Yes. The obligation to implement E-ITS can be replaced only by submitting an ISO 27001 certificate (i.e., by implementing and auditing that standard). The certificate must show that the scope of ISO 27001 covers the scope of E-ITS, i.e., the business processes necessary for providing essential/important services in the sense of NIS2/KÜTS.

Is an audit required?

Generally yes. Under the current Cybersecurity Act, E-ITS obligors who have an average of fewer than ten employees during the financial year and whose balance sheet total or annual turnover does not exceed 2 million euros (i.e., micro-enterprises) do not need to conduct an audit.

Result: An audit conclusion and report. No certificate as such is issued. E-ITS is an Estonian standard, so it is not recognized outside Estonia.

ISO/IEC 27001: International Information Security Management System Standard

What is it?

An international standard that specifies requirements for an information security management system (ISMS). ISO 27001 is not a legal requirement but a voluntary standard that helps systematically manage information security. As a bonus, the ISO 27001 certificate is internationally recognized.

Who is it useful for?

All organizations that want to demonstrate security to clients or partners – especially in B2B and highly regulated sectors (e.g., finance, healthcare, IT services).

Is an audit required?

The standard can be applied as good practice without an audit, but if you want a certificate, you need to order an audit from an accredited certification body. The certification cycle is three years and consists of the initial certification audit followed by two surveillance audits.

Result: An internationally recognized certificate that is usually valid for three years.

SOC 2: Service Provider Security Assessment

What is it?

SOC 2 (System and Organization Controls 2) is a security and compliance framework developed by the American Institute of Certified Public Accountants (AICPA). It is designed to assess how well an organization protects client data – especially when data is stored in the cloud or offered as a service (e.g., SaaS solution). The SOC 2 auditor assesses the service provider's compliance with trust principles (security, availability, confidentiality, etc.). The main goal of SOC 2 is to give clients and partners confidence that the company manages data securely and responsibly, has implemented control measures that ensure continuous privacy, availability, and confidentiality, and follows best practices for internal management and risk management.

Who is it useful for?

Common among companies offering SaaS solutions and service providers operating in the US market or serving global clients. The SOC 2 report includes a fairly detailed assessment of the company's security measures and their implementation, and many large companies require a SOC 2 audit from their partners.

Is an audit required?

Yes. The audit can be either Type 1 (a point-in-time assessment of control design) or Type 2 (an assessment of how the controls operated over a period of six months to a year).

Result: The SOC 2 report (not a certificate) is a confidential document that attests that the service provider's systems meet the selected SOC audit criteria.

How to make a choice?

The world of information security may seem complex at first glance, full of different standards, regulations, audits, reports, and certificates. Navigation becomes easier once you understand each framework in terms of its purpose, target audience, and outcome. Some, like NIS2 (KÜTS) and DORA, are legally binding and affect specific sectors. Others, like ISO 27001, SOC 2, or NIST, are voluntary but widely accepted frameworks for demonstrating maturity and managing security risks.

Which is the most useful depends on the business sector, the nature and expectations of clients, and the specifics and maturity level of the company. If you need more detailed advice or help in deciding what applies to or suits your company, contact Grant Thornton Baltic.