Denmark

(a) What is the NIS2 implementation status?

Two implementing acts entered into force on 1 July 2025:

• L141 – Act on Measures to Ensure a High Level of Cyber-security (the “NIS 2 Act”) – horizontal rules for most sectors.
• L142 – Act on Security and Emergency Preparedness in the Telecommunications Sector – NIS 2 for telecoms.

The Ministry of Civil Protection and Emergency Management still coordinates national transposition, but day-to-day guidance and oversight sit with the Danish Civil Protection Agency (Styrelsen for Samfundssikkerhed), while each sector authority keeps enforcement responsibility in its own domain.

(b) What is the envisaged NIS2 implementation timeline?

• 1 July 2025: All three acts took effect.
• 1 July – 1 October 2025: Entities in scope must self-register via Virk.dk.
• From 1 July 2025 onward: Significant incidents must be reported via Virk.dk (early warning ≤ 24 h, update ≤ 72 h, final report ≤ 1 month).
• After registration: Sector-specific transition periods apply (e.g., nine / ten months for CER obligations once an entity is formally designated).

(c) What does the NIS2 mean for other national cybersecurity legislation?

Instead of merging NIS2 into a single comprehensive law, Denmark has chosen a sector-based approach to implementation. This means that the requirements of the NIS2 Directive are reflected across several different laws, depending on the type of organization or sector involved.

For most sectors, the NIS2 Act (L141) now provides the general rules on cybersecurity, risk management, and incident reporting. The Telecommunications Security Act (L142) implements NIS2 specifically for telecom operators and introduces stricter reporting and preparedness standards tailored to that sector. For the energy sector, a separate law incorporating both NIS2 and the EU’s Cybersecurity of the Energy Sector Regulation (CER) entered into force in March 2025, supported by several executive orders that provide technical details.

In the financial sector, relevant provisions of NIS2 were integrated into the Danish Financial Business Act through amendments that entered into force on 18 October 2024, aligning with the requirements of both NIS2 and the Digital Operational Resilience Act (DORA).

Lastly, the CER Act (L140) focuses on physical resilience, requiring designated critical infrastructure entities to prepare for disruptions such as natural disasters, terrorism, or technical failures. These entities will be formally notified of their designation no later than 17 July 2026, after which they must comply with all relevant obligations within 9 to 10 months.

(d) Who will be the supervisory authority and how are they preparing the market?

It is the task of the sector-responsible authorities to supervise that the companies and authorities in their sector comply with the NIS2 requirements.

(e) What should you be doing/on the lookout for?

Even though the NIS2 laws are now in force, organizations still have time to prepare. The first step is to determine whether your organization is covered under the new law. This involves conducting a self-assessment to see if you qualify as an “essential” or “important” entity based on the services you provide. If so, you are required to register with the authorities via Virk.dk.

Once registered, you should begin implementing a structured cybersecurity risk management framework. This includes identifying your critical systems and services, mapping your dependencies (including third-party suppliers), and updating relevant security documentation.

You should also put in place a process for incident reporting, ensuring that your team can meet the 24-hour, 72-hour, and 1-month reporting deadlines in the event of a cyber incident.

In terms of technical measures, organizations are expected to adopt basic cybersecurity controls such as multi-factor authentication (MFA), encryption, vulnerability management, secure software development, and access controls. Equally important are organizational measures, including employee training, clear security policies, and executive-level oversight.

Finally, organizations should monitor updates from the DCPA and relevant sector authorities. Additional rules may be introduced via executive orders, and staying informed will be key to maintaining compliance.

To stay up to date, visit the DCPA’s official NIS2 page: samsik.dk/nis2.