Denmark

(a) What is the NIS2 implementation status?

The Ministry of Civil Protection and Emergency Management is responsible for coordinating the implementation of the NIS2 Directive in Denmark. The implementation process is underway, with the Ministry preparing a law that will establish a common basic framework for NIS2 across the covered sectors. While the Ministry is overseeing the overall implementation, sectoral authorities will retain responsibility for cybersecurity and for supervising compliance with NIS2 requirements in their respective sectors.

(b) What is the envisaged NIS2 implementation timeline?

The draft bill for implementing NIS2 in Denmark was introduced on 6 February 2025. It is expected to enter into force on 1 July 2025. In the meantime, the bill is undergoing consultation in the Danish Parliament, and its progress will be reviewed before its final adoption.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The bill that covers the implementation of NIS2 applies to the majority of the Directive’s sectors except for the energy, telecommunications and financial sector. The implementation of NIS2 in these sectors will be done through amending several sector-specific laws:

1. Energy Sector: A primary bill for the energy sector, which implements both NIS2 and the Cybersecurity Energy Regulation (CER), comes into force in March 2025. This bill will be supplemented by at least three Ministerial Orders, which will detail requirements for organizational resilience, physical security, cybersecurity, personnel approvals, incident reporting, and supply chain security, among other areas.
2. Telecommunications Sector: A separate bill for the telecommunications sector, implementing NIS2, was presented to Parliament on 6 February 2025, with an expected entry into force on 1 July 2025.
3. Financial Sector: Changes to the Danish Financial Business Act for certain IT providers, aligning with both NIS2 and the Digital Operational Resilience Act (DORA), were implemented on 18 October 2024, further integrating NIS2 provisions into the financial sector.

(d) Who will be the supervisory authority and how are they preparing the market?

It is the task of the sector-responsible authorities to supervise that the companies and authorities in their sector comply with the NIS2 requirements.

(e) What should you be doing/on the lookout for?

Although NIS2 has not yet been fully implemented into national legislation, organizations can begin preparing for its requirements. First, they should focus on key cybersecurity areas, including protecting network and information systems, ensuring leadership involvement in cybersecurity management, and establishing processes for reporting incidents. Additionally, organizations should start developing cybersecurity risk management plans, including risk analysis, incident management procedures, business continuity plans, and supply chain security measures. They should also focus on securing the acquisition, development, and maintenance of systems, as well as managing vulnerabilities.

It is also essential for organizations to implement foundational cybersecurity measures, such as basic cyber hygiene practices, employee cybersecurity training, encryption policies, and access control procedures. The use of multi-factor authentication (MFA) and secure communication tools should also be prioritized.

As sector-specific guidelines are expected soon, organizations should stay updated on these to ensure full compliance with NIS2 once the legislation is finalized. By taking these preparatory steps, organizations can better align themselves with NIS2 and ensure a smoother transition once the final law is enacted. For more information, see the NIS2 page of the Danish government.