NIS2 in Denmark

1. Quick SME Applicability Snapshot in Denmark

Does NIS2 apply to SMEs in Denmark?

Yes — depending on size and sector.

• Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
• Small or micro entities are included only if formally designated or operating in high-criticality sectors.
• Applies to entities established in Denmark and, in certain cases, foreign digital providers offering services in Denmark.

SMEs should assess qualification under Denmark's national cybersecurity framework based on sector classification and statutory size thresholds.

2. Overview of NIS2 Implementation in Denmark

Denmark is implementing the Directive through amendments to the Act on Network and Information Security, which forms the core of the national cybersecurity framework.

The revised legislation aligns Denmark's regime with Directive (EU) 2022/2555 and strengthens obligations related to governance, risk management, reporting, and sanctions.

The updated framework builds on Denmark's existing sector-based supervision model, integrating Directive requirements into established regulatory structures.

3. Scope of Application in Denmark

Denmark's scope reflects Directive minimum categories without confirmed expansion beyond the baseline.

4. Size Thresholds and SME Applicability in Denmark

The Directive baseline thresholds apply:

• ≥50 employees, and
• ≥€10 million annual turnover or balance sheet total.

Entities meeting both criteria within covered sectors fall automatically within scope.

Small and micro enterprises may be designated if considered critical to societal or economic stability.

Danish authorities retain formal designation powers where systemic risk or national security considerations justify inclusion.

5. Entity Classification Framework in Denmark

Entities are categorized as:

• Essential Entities — Subject to proactive supervision, including inspections and structured compliance oversight.
• Important Entities — Primarily subject to reactive supervision, typically triggered by incidents or evidence of non-compliance.

Classification is determined by sector and size. Competent authorities may reclassify entities where risk exposure or operational impact warrants stricter supervision.

Denmark maintains a sectoral supervisory structure aligned with the Directive's two-tier model.

6. Cybersecurity Risk Management Requirements in Denmark

Denmark's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

• Risk analysis and system protection
• Incident detection and response
• Business continuity and crisis management
• NIS2 supply chain Denmark risk controls
• Secure acquisition and development of ICT systems
• Access control and identity management
• Encryption and cryptographic safeguards
• Vulnerability handling and disclosure
• Staff cybersecurity awareness and training

Measures must reflect state-of-the-art standards and the organization's risk profile. Alignment with ISO/IEC 27001 and Danish cybersecurity guidance is encouraged.

Supply chain risk management requires third-party due diligence and contractual safeguards.

7. Management Liability and Governance in Denmark

Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

Under Denmark's framework:

• Boards are accountable for compliance oversight.
• Senior leadership must ensure sufficient cybersecurity competence.
• Administrative sanctions may address governance failures.
• Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

NIS2 management liability Denmark expectations elevate cybersecurity governance to board level.

8. Incident Reporting Obligations in Denmark

9. Supervisory Authorities and Enforcement Model in Denmark

Primary authority: Danish Centre for Cyber Security (CFCS).

Denmark operates a sector-based supervisory model coordinated through CFCS, with relevant ministries and regulators exercising sector-specific oversight.

Supervisory powers include:

• Requests for documentation and information
• Security audits
• On-site inspections
• Binding compliance instructions
• Participation in EU cybersecurity cooperation mechanisms

The enforcement structure integrates Directive-level coordination requirements.

10. NIS2 Fines and Sanctions in Denmark

Denmark applies Directive-aligned administrative penalties.

NIS2 fines Denmark enforcement may also include:

• Binding remediation orders
• Public identification of non-compliant entities
• Suspension of certifications or authorizations
• Managerial suspension powers

11. NIS2 Supply Chain and Vendor Security in Denmark

Entities must manage third-party cybersecurity exposure through:

• Vendor risk assessments
• Contractual security flow-down provisions
• Continuous ICT supplier monitoring
• Concentration risk analysis
• Incident propagation mitigation

Denmark's approach aligns with Directive baseline expectations regarding supplier risk management.

12. Registration and Self-Identification Duties in Denmark

Entities within scope must:

• Register with competent authorities
• Provide corporate identification details
• Disclose sector classification
• Maintain updated reporting contacts

Procedural deadlines follow Denmark's implementing framework. As of the current transposition status, Denmark follows the NIS2 Directive baseline framework. National implementing details may refine specific obligations.

Self-identification is mandatory where entities meet statutory thresholds.

13. Interaction With GDPR and Other Laws in Denmark

The General Data Protection Regulation continues to apply concurrently.

Overlap areas include:

• 72-hour personal data breach notification
• Supervisory authority coordination
• Parallel cybersecurity and data protection investigations
• Sector-specific Danish cybersecurity legislation

A cyber incident may trigger reporting obligations under both regimes.

14. Cross-Border Applicability

Entities with their main establishment in Denmark are supervised by Danish authorities for cross-border services.

Foreign digital providers offering services in Denmark may be subject to Danish oversight depending on establishment structure.

Representation requirements follow Directive standards for non-EU providers serving Danish markets.

15. Implementation Timeline in Denmark

• Directive adoption: 2022
• National legislative amendments: 2024–2025
• Entry into force: Upon national publication
• Commission notification: In accordance with EU procedures
• Compliance milestone: Directive-aligned deadlines

Denmark's transposition timeline aligns with EU implementation requirements.

16. Key Takeaways for SMEs in Denmark

• Medium-sized entities in covered sectors are automatically within scope.
• Small entities may be designated if critical to societal stability.
• Board-level oversight is mandatory.
• Incident reporting follows 24h / 72h / 1 month deadlines.
• Financial penalties can reach €10 million or 2% of global turnover.
• Vendor risk management is required.
• Early compliance planning reduces enforcement exposure.

FAQ: NIS2 Denmark SME Guide