NIS2 Country Guide

NIS2 Denmark: Compliance, Authorities & Key Requirements

Understand how Denmark implements the NIS2 Directive (EU) 2022/2555, what counts as an essential or important entity, how registration works, who supervises compliance, and what steps to take to get ready.

Get Ready Checklist Get Consultation
Denmark Came into force: 1 Jul 2025 Registration by: 1 Oct 2025

Introduction: NIS2 Directive & the Danish context

The NIS2 Directive strengthens cybersecurity requirements across the EU. In Denmark, NIS2 is implemented through a general framework law and sector-specific acts. If you operate in Denmark (or offer services there), assess whether you are an essential or important entity and prepare accordingly.

Quick link: Read our overview “What is NIS2?” and “NIS vs NIS2” for background before diving into Denmark’s specifics.

NIS2 Directive implementation in Denmark

Denmark transposed NIS2 via the NIS-2-lovenLov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (Act on measures to ensure a high level of cybersecurity). The Act entered into force on 1 July 2025.

Status

Transposed; in force since 1 July 2025.

Official law

Retsinformation: 2025/434

Registration

Covered organisations register via Virk.dk (MitID). Deadline: 1 October 2025.

SectorDanish note
EnergySector law in force since 7 March 2025; implements elements of the CER Directive. Stricter requirements may apply based on risk classification.
TelecomIn force since 1 July 2025. Providers with limited/ancillary public access (e.g., cafés, hotels) are generally exempt from most NIS2 requirements.
FinanceAligned with the DORA Regulation; in force. Supervision by sector authority.

Public sector: most administrative bodies (incl. municipalities) are covered, with exclusions (e.g., Parliament, Ombudsman, courts). Defence, law enforcement and certain security bodies are exempt.

Chemicals: entities not subject to REACH registration for hazardous industrial chemicals are considered out of scope.

NIS2 Denmark: what you need to know about compliance & certification

Denmark follows NIS2’s two-tier model (Essential / Important) and applies size criteria in line with the directive.

Scope criteria

  • Operate in Annex I or II sector (services matter).
  • Meet medium-size thresholds (≥50 employees or ≥€10m turnover/balance total). (Some sectors apply regardless of size.)
  • Established in Denmark or provide relevant services on Danish territory.

Obligations

  • Risk management & security policy (IT/OT)
  • Incident handling & reporting
  • Business continuity & crisis management
  • Supply-chain security & vendor risk
  • Network segmentation, access control, encryption
  • Executive/board accountability & training

Standards & certification

The Act does not mandate a specific standard. Official guidance references ISO/IEC 27001:2023, NIST CSF 2.0, and IEC 62443 as useful alignment frameworks.

Incident reporting: Significant NIS2 incidents and GDPR personal-data breaches can be reported through the same online platform. Reports are handled by the national CSIRT under the Danish Defence Intelligence Service.

Competent authorities & CSIRT

Supervision is shared between the national cybersecurity bodies and sectoral authorities.

RoleAuthorityNotes
National CSIRT / Single Point of ContactDanish Centre for Cyber Security (CFCS)Handles incident reports; operates 24/7.
Registration portalVirk.dk (MitID)Registration available from 1 July 2025; deadline 1 Oct 2025.
Sectoral listSAMSIK – sector authoritiesFind the correct supervising body per sector.

National NIS2 timeline & key dates

27 Dec 2022 — NIS2 published in the EU Official Journal.
17 Oct 2024 — EU transposition deadline for Member States.
1 Jul 2025 — Danish NIS-2 Act enters into force; sectoral acts (energy, telecom, finance) in force.
1 Oct 2025 — Registration deadline for covered organisations via Virk.dk.

Sector-specific requirements (Denmark)

  • Telecom: entities with limited, ancillary public access (e.g., cafés, hotels, housing associations) are generally exempt from most NIS2 obligations.
  • Energy: sub-sector thresholds apply; stricter duties may be imposed based on risk classification.
  • Finance: aligned with DORA requirements; supervised by the financial authority.

Penalties for non-compliance

Denmark does not apply administrative fines in the same way as some EU Member States. Instead, sanctions are imposed by competent national courts as criminal penalties, typically following su pervisory authority’s recommendation. The maximum penalty levels are aligned with the turnover-based caps established under NIS2.

How to prepare for NIS2 in Denmark

  1. Determine scope: confirm your Annex I/II services and size thresholds; classify EE/IE.
  2. Register: submit your details on Virk.dk by 1 Oct 2025.
  3. Governance: secure board-level approval and accountability for cybersecurity.
  4. Risk management: implement/upscale ISO 27001/NIST CSF aligned controls across IT/OT.
  5. Supply chain: assess MSPs/MSSPs and critical suppliers; build contractual security requirements.
  6. Incident readiness: build detection, escalation and 24/7 reporting workflow to CSIRT.
  7. Continuity & crisis: document BCP/DR, run exercises and penetration tests.
  8. Train & prove: management training, staff awareness, and auditable evidence.
Run Eligibility Check Start Readiness Test

Official links & resources

📘 NIS-2-loven — Retsinformation (2025/434)
🏛️ Sector-responsible authorities — SAMSIK
📚 Guide: What is NIS2? · NIS vs NIS2

FAQ: NIS2 in Denmark

When did NIS2 enter into force in Denmark?
On 1 July 2025 the Danish NIS-2 Act entered into force.
Who do I register with and by when?
Register via Virk.dk (MitID) by 1 October 2025.
Does NIS2 apply regardless of size?
Size thresholds apply in general (≥50 employees or ≥€10m). Certain providers (telecom, DNS, trust services) may be covered regardless of size.
Are there specific standards I must certify against?
No single certification is mandated. Aligning with ISO/IEC 27001:2023, NIST CSF 2.0, or IEC 62443 is recommended.
How are fines issued in Denmark?
Denmark uses court-imposed fines (criminal penalties) following supervisory recommendations, rather than administrative fines.
Information provided for general guidance; consult official national sources for updates.