Denmark

(a) What is the NIS2 implementation status?

An analysis phase is still ongoing to determine how NIS2 should be specifically implemented in Denmark. Denmark will not be complying with the deadline of national implementation of the NIS2 Directive.

However, the Danish Parliament has recently proposed a new act – the Danish Act on Measures to Ensure a High Level of Cybersecurity – which will implement main parts of the directive. Other acts have also been proposed or in the pipeline to implement the remaining provisions of the directive.

(b) What is the envisaged NIS2 implementation timeline?

The Ministry of Defence – who will be responsible for the implementation and oversight of the NIS2 directive in Danish law – on Monday, 5 February 2024 announced that work to implement the EU’s directives on cybersecurity (the NIS2 Directive) and resilience (the CER Directive) into Danish legislation is delayed.

The proposed legislation was originally scheduled to be presented to the Danish Parliament (Folketing) in the first quarter of 2024, but due to the complexity and scope of the legislative work, it has become necessary to postpone the presentation to the next parliamentary session in October 2024. This means that Denmark will exceed the implementation deadline set in the directives for 17 October 2024.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The NIS2 Directive is expected to replace the current Danish NIS legislation. However, some of the provisions of the NIS2 Directive may also be implemented in other related Danish legislation, such as the Danish Data Protection Act and other sector specific cyber legislation.

Denmark has not proposed specific legislation yet. However, it follows from the Bill Program for 2023-2024 that the NIS2 will be implemented in various laws, including:

A specific implementation acts under the Danish Defense Ministry:

The proposed law will, among other things, establish requirements for the implementation of cybersecurity measures, incident reporting, as well as supervisory and enforcement powers, including rules on sanctions.

Amendments to various financial acts under the Danish Ministry of Commerce The proposed bill suggests, among other things, imposing stricter requirements for risk management and reporting for financial data centers and IT operators of retail payment systems, including as a result of the NIS2 directive.

New act on Enhanced Preparedness in the Energy Sector under the Danish Ministry of Climate, Energy, and Utilities The proposed bill aims to strengthen the preparedness level to prevent and withstand incidents that threaten the energy supply and ensure the implementation of EU directives NIS2 and CER in the energy sector.

(d) Who will be the supervisory authority and how are they preparing the market?

Currently, the Danish Business Authority is the supervisory authority for the Danish NIS Act. It is still unclear whether this will be the case under NIS2, and depends on whether there will be a centralized or a purely sectoral implementation with sector-specific legislation and supervisory authorities.

(e) What should you be doing/on the lookout for?

Clients should start familiarizing themselves with the NIS2 Directive and:

• Identify whether they are subject to the NIS2 Directive.
• Assess their current cybersecurity program and identify any gaps in compliance with the NIS2 Directive.
• Develop a plan for implementing the necessary changes to their cybersecurity program.
• Implement the necessary technical and organizational measures to comply with the NIS2 Directive.
• Test their cybersecurity program regularly to ensure that it is effective in mitigating cybersecurity risks.