Denmark
(a) What is the NIS2 implementation status?
Denmark implemented NIS2 through the Danish NIS2 Act, which entered into force on 1 July 2025. The main act applies to most sectors covered by the Directive. Denmark has chosen a sector-based approach, meaning that certain sectors, including energy, telecoms and finance, are subject to sector-specific legislation rather than the main NIS2 Act. Entities covered by such sector-specific legislation are not subject to the main NIS2 Act in respect of those activities.
Where an entity also carries out activities falling within the scope of the main NIS2 Act, those activities are subject to the main NIS2 regime.
The NIS2 Act does not reference specific standards. Certification according to ISO 27001 or implementation of the European Commission's implementing regulations may cover a significant portion of the technical cybersecurity requirements but is not sufficient on its own to achieve full compliance, as registration, governance, and incident-reporting obligations are not addressed by these frameworks.
Entities are themselves responsible for assessing whether they fall within scope and have to register accordingly.
(b) What is the envisaged NIS2 implementation timeline?
The NIS2 registration process in Denmark has been open since 1 July 2025 via the Virk.dk portal. Registration is carried out using MitID Erhverv, while foreign entities must register via a designated registration form or through a third‑party representative.
Entities subject to the Danish NIS2 Act were required to register by 1 October 2025. Failure to comply with this obligation may result in enforcement measures and fines under the Danish NIS2 framework. Entities that become subject to the NIS2 Act after that date are required to register no later than two weeks after becoming subject to the Act.
Following registration, sector‑specific transitional periods apply. For example, transition periods of nine or ten months may apply to CER‑related obligations once an entity has been formally designated.
(c) What does the NIS2 mean for other national cybersecurity legislation?
Instead of merging NIS2 into a single comprehensive law, Denmark has chosen a sector-based approach to implementation. This means that the requirements of the NIS2 Directive are reflected across several different laws, depending on the type of organization or sector involved.
For most sectors, the NIS2 Act (L141) now provides the general rules on cybersecurity, risk management, and incident reporting. The Telecommunications Security Act (L142) implements NIS2 specifically for telecom operators and introduces stricter reporting and preparedness standards tailored to that sector. For the energy sector, a separate law incorporating both NIS2 and the EU’s Cybersecurity of the Energy Sector Regulation (CER) entered into force in March 2025, supported by several executive orders that provide technical details.
In the financial sector, relevant provisions of NIS2 were integrated into the Danish Financial Business Act through amendments that entered into force on 18 October 2024, aligning with the requirements of both NIS2 and the Digital Operational Resilience Act (DORA).
Lastly, the CER Act (L140) focuses on physical resilience, requiring designated critical infrastructure entities to prepare for disruptions such as natural disasters, terrorism, or technical failures. These entities will be formally notified of their designation no later than 17 July 2026, after which they must comply with all relevant obligations within 9 to 10 months.
(d) Who will be the supervisory authority and how are they preparing the market?
The sector-responsible authorities are tasked with supervising whether the companies and authorities in their sector comply with the NIS2 requirements.
(e) What should you be doing/on the lookout for?
Even though the NIS2 laws are now in force, organizations still have time to prepare. The first step is to determine whether your organization is covered under the new law. This involves conducting a self-assessment to see if you qualify as an “essential” or “important” entity based on the services you provide. If so, you are required to register with the authorities via Virk.dk.
Once registered, you should begin implementing a structured cybersecurity risk management framework. This includes identifying your critical systems and services, mapping your dependencies (including third-party suppliers), and updating relevant security documentation.
You should also put in place a process for incident reporting, ensuring that your team can meet the 24-hour, 72-hour, and 1-month reporting deadlines in the event of a cyber incident.
In terms of technical measures, organizations are expected to adopt basic cybersecurity controls such as multi-factor authentication (MFA), encryption, vulnerability management, secure software development, and access controls. Equally important are organizational measures, including employee training, clear security policies, and executive-level oversight.
Finally, organizations should monitor updates from the DCPA and relevant sector authorities. Additional rules may be introduced via executive orders, and staying informed will be key to maintaining compliance.
To stay up to date, visit the DCPA’s official NIS2 page: samsik.dk/nis2.
Contact
Julie Keittelmann Kiel E: jukk@bruunhjejle.dk
© Eversheds Sutherland. All rights reserved.