NIS2 Denmark: what you need to know about compliance and certification

NIS2 Denmark

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and Council of 6 July 2016 was introduced to strengthen cyber security within the EU. Because of the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and the Council of 14 December 2022, which imposes stricter requirements and applies a broader scope to increase the resilience of critical infrastructures to cyber attacks.

The NIS2 Directive was transposed into Danish law via the NIS2 Act (Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau), which entered into force on 1 July 2025. In addition to the NIS2 Act, sector-specific legislation is being adopted and implemented in Denmark.

On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how to prepare for the new regulations.

NIS2 Entities

The Danish NIS2 Act is relevant to both legal entities and natural persons (collectively referred to as ‘entities’) registered in Denmark that provide products and/or services in an EU country. The Danish NIS2 Act largely corresponds to the European NIS2 Directive.

The NIS2 Act explicitly defines which public and private entities are subject to cybersecurity obligations. For this purpose, a distinction is made between essential and important entities. The categorisation of entities takes into account the services provided, the size of the entity and the location of the entity.

In principle, your entity falls under the Danish NIS2 Act when:

  • Your organisation provides services within a sector listed in Annex I and Annex II of the NIS2 Act;
  • Your organisation exceeds the thresholds for medium-sized enterprises; and
  • Your organisation is based in Denmark (except providers of public electronic communication networks and providers of public electronic communication services, which are covered by the Danish NIS2 Act if they provide services on Danish territory).

Criterion 1: services provided

Annex I and II of the Danish NIS2 Act describe the sectors that fall within its scope. It is therefore very important to thoroughly analyse, by (sub)sector, the services you supply to third parties.

Annex I: Highly critical sectors

  • Energy
      • Electricity
      • District heating and cooling
      • Petroleum
      • Natural gas
      • Hydrogen
  • Transport
      • Air
      • Rail
      • Water
      • Road
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (business-to-business)
  • Government
  • Space

Annex II: Other critical sectors

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Manufacture, processing and distribution of food products
  • Manufacture
      • Medical devices and in vitro diagnostic medical devices
      • Computer, electronic and optical products
      • Electrical equipment
      • Machinery and equipment n.e.c.
      • Motor vehicles, trailers and semi-trailers
      • Other transport equipment
  • Digital providers
  • Research

If your organisation provides a service from the above list, your organisation may fall within the scope of the NIS2 Act.

Criterion 2: company size

In addition to the services provided, the size of the entity is also important in determining whether your organisation falls within the scope of the Danish NIS2 Act. Click here to determine whether your organisation is a small, medium or large enterprise. In principle, medium-sized and large companies must comply with the obligations under the NIS2 Act.

In addition, the Act applies to the following providers regardless of the size of the entity:

  • Providers of public electronic communication networks or services
  • Central government agencies
  • Providers of trust services
  • Managers of domain name registries
  • DNS providers

Moreover, the law also applies to entities, regardless of their size, if their activities are crucial to society or the economy. This is the case if:

  • They provide services essential for critical societal or economic functions that are not provided by other providers
  • A disruption of their services would have a significant impact on public order, security or public health
  • An incident at their premises could cause systemic risks with cross-border implications
  • They are of strategic or vital importance on a national or regional level, e.g. due to dependencies in other sectors

Criterion 3: Entity based in Denmark

In principle, the Danish NIS2 Act can only apply to entities with an establishment in Denmark. However, by way of exception, the following entities are subject to the Danish NIS2 Act:

  • Providers of public electronic communication networks or providers of public electronic communication services offering their services in Denmark;
  • DNS service providers, top-level domain name registries, entities that provide domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines or social networking service platforms, if they have their principal place of business in Denmark or if they have their EU legal representative in Denmark in case they do not have an establishment within the EU;
  • Public bodies established by Denmark.

In addition to the three criteria above, when analysing whether the NIS2 Act applies, bear in mind that an organisation outside the scope of NIS2 may still be affected by the Act in two ways: the national authority may designate the entity as an essential or important entity, or the organisation may belong to the supply chain of an NIS2 entity.

More information on the scope of the Danish NIS2 Act can be found here.

What does this mean for my company?

1. Registration

The supervisory authority must maintain a list of essential and important entities under its jurisdiction. Essential and important entities must register with the relevant supervisory authority no later than 2 weeks after the entity falls within the scope of the Danish NIS2 Act. Entities must provide the relevant authority(ies) with the following information:

  • Name of the entity
  • Address, e-mail addresses, telephone numbers and other contact details
  • IP address range
  • Sector and subsector (see Annexes I and II of the NIS2 Act)
  • List of EU Member States where the entity provides services covered by the NIS2 Act

Changes to the above data should be reported immediately and within 2 weeks of the change.

DNS service providers, operators of top-level domain names, entities providing domain name registration services and providers of cloud computing services, data centre services, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of platforms for social networking services should register with the relevant competent authority no later than 3 months after the entity falls within the scope of the Danish NIS2 Act. The following information should be provided:

  • Name of the entity
  • Address of headquarters and other branches in the EU or address of representative
  • Sector and subsector (see Annex I and II of the NIS2 Act)
  • Address, e-mail addresses, telephone numbers and other contact details
  • IP address range
  • List of EU Member States where the entity provides services covered by the NIS2 Act.

The above information should be submitted by 1 October 2025.

Register your entity here.

2. Control measures

If your organisation is categorised as an essential or important entity, this means that you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity management measures cover at least:

  • Risk analysis and security policies for communication networks and information systems
  • Incident management
  • Business continuity and crisis management and, if necessary, the use of secure backup systems
  • Supply chain security
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability response and disclosure
  • Policies and procedures to assess the effectiveness of cyber security risk management measures
  • Security aspects regarding cyber hygiene and cyber security training
  • Policies and procedures on cryptography and, where appropriate, encryption
  • Personnel security, access control policies and asset management
  • Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems within the entity, where applicable.

The European Commission has elaborated the above minimum cybersecurity measures in the implementing regulation 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers.

More information on management measures can be found here.

3. Reporting obligation for significant incidents

Essential and important entities are required from 1 July 2025 to notify the sectoral authority and the CSIRT when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services relating to Annex I and II (sub-)sectors.

An incident is considered significant if:

  • The incident has led or may lead to serious disruption of services or financial losses for the affected entity or
  • The incident has affected or may affect other natural or legal persons by causing significant physical or immaterial damage.

The significant incident is reported by the essential and important entities through an online form according to the following procedure:

  1. immediately and within 24 hours of becoming aware of the significant incident, the entity submits an early warning, including notification of probable cause and any transboundary impact;
  2. immediately and within 72 hours of becoming aware of the significant incident, the entity shall communicate an incident notification that includes an information update and an initial assessment of the incident;
  3. at the request of the relevant CSIRT, the entity submits an interim report;
  4. no later than 1 month after the incident notification, the entity submits a final report indicating:
      1. A detailed description of the incident, as well as its severity and consequences;
      2. The type of threat or root cause likely to have led to the incident;
      3. Risk mitigation measures applied and ongoing;
      4. The cross-border impact of the incident, if applicable.
  5. if the incident is still ongoing one month after the incident report, the entity shall submit a preliminary report, and a final report shall be submitted within one month of the incident resolution.

The European Commission has defined the criteria for a significant incident in the implementing regulation 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers. These special rules take precedence over national rules in case of inconsistencies.

Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near-incidents via the e-service.

More information regarding incident reporting can be found here.

4. Obligations and responsibilities of management

The governing bodies of essential and important entities are responsible for compliance with the NIS2 Act and must fulfil several obligations including:

  • Approving cybersecurity management measures and monitoring their compliance
  • Undergoing training to have sufficient knowledge and skills to identify risks and assess control measures and their impact on their services
  • Ongoing cyber security training of the entity’s employees

Governing bodies are liable for non-compliance with the NIS2 Act.

5. Cooperation with authorities

Essential and important entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.

How can I demonstrate that my company complies with the NIS2 legislation?

As indicated in the ‘Enforcement and penalties’ section below, competent authorities conduct inspections of essential and important entities for compliance with the NIS2 Act.

The competent authority may require the entity to undergo an independent audit by an accredited conformity assessment body (CAB). On the basis of this independent conformity assessment, the entity can obtain a certificate, demonstrating compliance with the NIS2 Act to stakeholders. An important international standard that can be used for this purpose is ISO/IEC 27001.

If you would like more information regarding certification, you can make an appointment with an expert here.

Enforcement and penalties

The competent authority carries out inspections of entities’ compliance with the requirements stipulated in the NIS2 Act. For this purpose, a distinction is made between essential and important entities:

  • Essential entities are inspected both proactively (ex-ante) and reactively (ex-post), and are required to have regular compliance assessments.
  • Important entities are in principle only monitored reactively, following an incident or suspected non-compliance with the law.

The Danish NIS2 Act provides for specific sanctions for entities that fail to comply with the legal provisions. These sanctions vary according to the nature and severity of the offence and are divided into administrative measures and administrative fines.

Possible administrative measures that may be imposed include issuing warnings, temporarily prohibiting the performance of managerial functions, requiring the entity to take certain measures and so on.

Administrative fines are also laid down by law: up to €10,000,000 or 2% of total annual global turnover for an essential entity, and up to €7,000,000 or 1.4% of total annual global turnover for an important entity.

Timeline

  • 17 October 2024: initial deadline for EU member states to transpose the NIS2 Directive into national law
  • 1 July 2025: Danish NIS2 law enters into force
  • 1 October 2025: entity must register with competent authority

Competent authorities

As part of the implementation of the NIS2 Act in Denmark, several competent authorities have been designated to monitor compliance with cybersecurity measures within their respective sectors. The Minister of Civil Protection and Disaster Management, in consultation with other sectoral ministers, determines which body serves as the competent authority for each sector, subsector or type of entity. See the implementing regulation on the designation of competent authorities and digital communications covered by the NIS2 Act. An overview of the supervisory authorities is available via the website of the National Council for Public Security, in Danish Styrelsen for Samfundssikkerhed. It covers:

  • National Council for Public Security
  • Danish Environment Agency
  • Danish Energy Agency
  • Danish Financial Supervisory Authority
  • Danish Digital Agency
  • Danish Social Security Agency
  • Danish Agency for Higher Education and Research
  • Danish Agency for Health Data
  • Danish Transport Authority
  • Danish Food Safety Authority
  • Danish Climate Data Agency
  • Danish Maritime Authority