Detailed overview
Estonia is regulated by the EU AI Act. AI systems placed on the Estonian market or used professionally in Estonia must be classified under the EU AI Act and assessed for prohibited, high-risk, transparency, general-purpose AI or lower-risk status.
Estonia is also important because of its digital-state and public-sector AI practice. Estonian materials on AI and digital public services refer to the Kratt Strategy and state that AI has become an essential and unavoidable part of digital-state development. By 2021, Estonia had around 80 AI use cases in the public sector.
Estonia's Digital Agenda 2030 also refers to public-sector AI and the national virtual-assistant ecosystem known as Bürokratt. Public-sector AI in Estonia is therefore not merely theoretical; it is part of the state's digital-service architecture.
Estonia does not have a separate national AI Act equivalent to the EU AI Act. Binding obligations come mainly from the EU AI Act, GDPR, cybersecurity law, public-sector digital rules, data governance, consumer law, employment law, financial regulation, healthcare regulation and other sector-specific rules.
For businesses, the main compliance question is whether the AI system is high-risk under the EU AI Act or whether it processes personal data. High-risk AI requires risk management, documentation, conformity assessment, human oversight and post-market monitoring. AI involving personal data must satisfy GDPR requirements, including lawful basis, transparency, security and data-subject rights.
Practical requirements & details
Sourced from Regulation (EU) 2024/1689 (the AI Act), the Estonian Kratt Strategy, Bürokratt and the Digital Agenda 2030.
EU AI Act core duties (in Estonia)
- Prohibited AI — banned.
- High-risk AI — risk management, documentation, conformity assessment, human oversight and post-market monitoring.
- Transparency-risk AI — disclosure duties.
- GPAI models — EU documentation, transparency and copyright-policy rules.
Estonian public-sector AI
- Kratt Strategy — Estonian AI strategy.
- ~80 AI use cases in the public sector by 2021.
- Bürokratt — national virtual-assistant ecosystem in the digital-service architecture.
- Public-sector AI is part of the digital state, not just theoretical.
Business compliance
- Classify AI system under the EU AI Act.
- AI processing personal data must satisfy GDPR — lawful basis, transparency, security and data-subject rights.
Penalties
- EUR 35m / 7% of worldwide annual turnover — prohibited AI.
- EUR 15m / 3% — many other AI Act operator obligations.
- EUR 7.5m / 1% — incorrect, incomplete or misleading information to authorities.
Related entries
See also the European Union entry, which covers the EU AI Act (Regulation (EU) 2024/1689) — the substantive framework that this jurisdiction implements and supervises domestically.