Under the EU Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws that implemented the Directive have been overturned.
In Estonia, the Electronic Communications Act continues to mandate traffic and location data retention. Arts. 111 and 112 of the Act require communications undertakings to retain various categories of communications metadata (including, but not limited to, location data) for a period of one year from the date of the communication.

Art. 112 of the Electronic Communications Act mandates that electronic communications providers furnish the communication data retained under Art. 111 within 10 hours for urgent requests, and within 10 days for other requests, made by the relevant agencies specified in the Act. Additionally, mobile telephone service providers are obliged to supply real-time identification of the location of the mobile device in use. Requests from the agencies may be made either in writing or orally. Notably, this provision does not require prior judicial authorisation. Art. 111 stipulates that internet and telecommunication service providers must retain a broad spectrum of communication data for the purposes of identifying, inter alia, the source, destination, time, duration, and location of the communication.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
The Information Society Services Act (ISSA) is based on the EU e-Commerce Directive (Directive 2000/31/EC).

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
The Information Society Services Act (ISSA) is based on the EU e-Commerce Directive (Directive 2000/31/EC).

Art. 17 of Directive 2019/790 on Copyright in the Digital Single Market (DSM Directive) mandates that providers of content-sharing services seek authorisation from rights holders and implement technical solutions to remove and prevent unauthorised uploads by their users (so-called upload filters), under penalty of losing their liability safe harbour. Further arrangements are envisaged for complaints and dispute resolution mechanisms. Such upload filters are reported to be a significant cost for online platforms. Graduated exemptions are expected to be put in place for new providers active in the EU for less than three years with a turnover under EUR 10 million and with fewer than five million users. The provision is subject to a challenge in the Court of Justice by Poland (C-401/19).
To implement Directive 2019/790, the Parliament has adopted the Act amending the Copyright Act (transposition of copyright directives) 368 SE, therefore making online content-sharing service providers partially liable for copyright violations on their platforms.

Current tensions with Russia have induced the Estonian regulatory authority to block Russian websites for geo-political reasons. It is reported that in February 2022, the Consumer Protection and Technical Regulatory Authority (TTJA) ordered telecommunications operators to restrict the online broadcasting of six pro-Kremlin TV channels, including RTR-Planeta, RTVI, Rossiya 24, REN TV, NTV Mir, and PBK, for twelve months in an effort to limit Russian war propaganda. In March 2022, the TTJA ordered the blocking of another TV channel RBK (RBC TV), seven websites (ntv.ru, ren.tv, 5-tv.ru, 78.ru, 1tv.com, lenta.ru, and tass.ru.), and 12 internet channels, whose “content incites to commit offences towards national security and national defence, to the detriment of the security of society,” according to a TTJA press release.

The European Union and Estonia have adopted the World Intellectual Property Organization (WIPO) Copyright Treaty. The treaty was ratified on 14 December 2009 and came into effect on 14 March 2010.

The European Union and Estonia have adopted the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty. The treaty was ratified on 14 December 2009 and came into effect on 14 March 2010.

The Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) is key in harmonising national laws concerning trade secrets. Estonia transposed the Directive through the Restriction of Unfair Competition and Protection of Business Secrets Act and a number of amendments to the Penal Code, the Code of Criminal Procedure and the Code of Civil Procedure.

It is reported that passive sharing is mandated in Estonia, and it is practised on mobile devices based on commercial agreements. In addition, Directive 2014/61/EU (Art. 3.2) establishes that Member States shall ensure that, upon written request of an undertaking providing or authorised to provide public communications networks, any network operator must meet all reasonable requests for access to its physical infrastructure under fair and reasonable terms and conditions, including price, with a view to deploying elements of high-speed electronic communications networks. Such written request shall specify the elements of the project for which the access is requested, including a specific time frame.

It is reported that the government of Estonia owns 51% shares of Levira AS. Levira AS is a media and telecommunications company based in Estonia. It provides a range of services in the fields of broadcasting, media, and IT infrastructure.

Art. 85 of the Utilities Directive (2014/25/EU) contains provisions allowing contracting public entities to reject foreign goods not covered by any EU international commitments from its tender procedures. In these cases, a tender submitted for the award of a supply contract may be rejected where the proportion of the products originating in third countries exceeds 50% of the total value of the products constituting the tender (Art. 85.2). Additionally, in cases of equivalent offers, the provisions provide for a preference for European tenders and tenders covered by EU's international obligations. In practice, this possibility has rarely been used. In Estonia, the Directive has been transposed with the Public Procurement Act.

The Public Procurement Act (PPA) 2017 § 11.1 provides for a general principle (2) that the contracting authority treats the following entities equally: all persons whose place of residence or seat is in: Estonia, in another Member State of the European Union, in another contracting state of the European Economic Area, or signatory of the WTO Government Procurement Agreement. Therefore, other countries are not given the same treatment.
Moreover, subchapter 3 of the Act stipulates that the contracting authority is not required to apply the rules of the Act if the main purpose of awarding a public contract is to provide or exploit public communications networks or to provide to the public an electronic communications service.

It is reported that Estonia’s government has not set limitations on foreign ownership.

In January 2023, the Estonian Parliament adopted the Foreign Investment Reliability Assessment Act, introducing an FDI screening regime. This new legislation applies to non-EU foreign investments in strategic and sensitive areas vital to the state's functioning, including the telecom sector, as well as to specific companies like media companies, providers of digital identification and signing services, providers of on-demand audiovisual media services, and operators of internet-based services critical to national security. According to Art. 5 of the Act, to acquire 10% or more of the share capital or gain direct or indirect control over a target company, approval from the Consumer Protection and Technical Regulatory Authority is required. Before granting permission, the authority will evaluate the potential impact of foreign investment on the security and public order of Estonia or another EU member state.