    NIS2 in Denmark

    A guide to NIS2 implementation and compliance in Denmark.

    Denmark is strengthening its national cybersecurity regime in alignment with the NIS2 Directive, expanding obligations for entities operating in critical and important sectors. The updated framework enhances governance accountability, incident reporting timelines, and supervisory powers. This guide provides a structured overview of NIS2 compliance requirements in Denmark for SMEs navigating the national implementation.

    1. Quick SME Applicability Snapshot in Denmark

    Does NIS2 apply to SMEs in Denmark?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Denmark and, in certain cases, foreign digital providers offering services in Denmark.

    SMEs should assess qualification under Denmark's national cybersecurity framework based on sector classification and statutory size thresholds.

    2. Overview of NIS2 Implementation in Denmark

    Denmark completed transposition of the NIS2 Directive through the NIS2 Act (L 141 — Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau), adopted on 29 April 2025 and in force since 1 July 2025 with no transitional grace period.

    The new framework expands national cybersecurity obligations from approximately 1,000 entities under the previous regime to roughly 6,000 entities across 18 sectors, integrating Directive (EU) 2022/2555 requirements into Denmark's sector-based supervisory model.

    Denmark adopted a minimum-transposition approach with three notable national deviations: no gold-plating beyond the Directive baseline; no direct administrative fines (monetary sanctions follow public prosecution); and personal management liability under NIS2 has not been transposed. The European Commission issued a reasoned opinion in May 2025 (pre-enactment); notification completeness remains under review.

    3. Scope of Application in Denmark

    Denmark's scope reflects Directive minimum categories without confirmed expansion beyond the baseline.

    4. Size Thresholds and SME Applicability in Denmark

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors fall automatically within scope.

    Small and micro enterprises may be designated if considered critical to societal or economic stability.

    Danish authorities retain formal designation powers where systemic risk or national security considerations justify inclusion.

    5. Entity Classification Framework in Denmark

    Entities are categorized as:

    • Essential Entities — Subject to proactive supervision, including inspections and structured compliance oversight.
    • Important Entities — Primarily subject to reactive supervision, typically triggered by incidents or evidence of non-compliance.

    Classification is determined by sector and size. Competent authorities may reclassify entities where risk exposure or operational impact warrants stricter supervision.

    Denmark maintains a sectoral supervisory structure aligned with the Directive's two-tier model.

    6. Cybersecurity Risk Management Requirements in Denmark

    Denmark's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability handling and disclosure
    • Staff cybersecurity awareness and training

    Measures must reflect state-of-the-art standards and the organization's risk profile. Alignment with ISO/IEC 27001 and Danish cybersecurity guidance is encouraged.

    Supply chain risk management requires third-party due diligence and contractual safeguards.

    7. Management Liability and Governance in Denmark

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under Denmark's framework:

    • Boards are accountable for compliance oversight.
    • Senior leadership must ensure sufficient cybersecurity competence.
    • Administrative sanctions follow criminal prosecution processes — direct administrative fines are not available in Denmark.
    • Personal management liability and managerial suspension powers under NIS2 have not been transposed; management obligations are governed by the Danish Companies Act.

    Under the Danish Companies Act, board members and executive officers owe duties of care, loyalty and legal compliance to the company, which extend to oversight of cybersecurity risk management and incident response.

    8. Incident Reporting Obligations in Denmark

    Definition of a Significant Incident

    An incident qualifies if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage          Deadline    Authority
    Early Warning            24 hours    Sector-specific competent authority (via the Virk.dk portal)
    Incident Notification    72 hours    Sector-specific competent authority (via the Virk.dk portal)
    Final Report             1 month     Sector-specific competent authority (via the Virk.dk portal)

    Reports are submitted via the Virk.dk portal to the entity's sector-specific competent authority. The Centre for Cyber Security (CFCS) acts as the National CSIRT for cross-sector escalation; major cross-sector incidents are escalated to CFCS regardless of the reporting sector.

    9. Supervisory Authorities and Enforcement Model in Denmark

    Coordinating authority: Ministry for Societal Resilience and Contingency (MSSB), which coordinates overall NIS2 policy across sectors. The Centre for Cyber Security (CFCS) acts as National CSIRT, not as the primary supervisor.

    Denmark operates a sector-based supervisory model in which sector authorities are the primary supervisors. Key regulators include the Danish Energy Agency, Finanstilsynet (Financial Supervisory Authority), and telecommunications regulators.

    Supervisory powers include:

    • Information requests
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination

    Enforcement integrates with Directive-level coordination requirements. Note that direct administrative fines are not available in Denmark — monetary sanctions follow criminal prosecution.

    10. NIS2 Fines and Sanctions in Denmark

    Denmark has not implemented direct administrative fines under NIS2. Monetary sanctions follow public prosecution. Penalty ceilings remain consistent with the Directive (€10M / 2% global turnover for essential entities; €7M / 1.4% for important entities), but the enforcement pathway differs.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    Enforcement of NIS2 in Denmark may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certifications or authorizations

    Managerial suspension powers have not been transposed and are not available in Denmark.

    11. NIS2 Supply Chain and Vendor Security in Denmark

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down provisions
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Denmark's approach aligns with Directive baseline expectations regarding supplier risk management.

    12. Registration and Self-Identification Duties in Denmark

    Entities within scope must:

    • Self-identify and register with their sector-specific competent authority via the Virk.dk portal. The registration deadline was 1 October 2025 (passed; act immediately if not yet registered).
    • Provide corporate identification details (CVR number, legal form, contact data).
    • Disclose sector classification and the services covered by NIS2.
    • Maintain updated contact information; report material changes within two weeks.

    Compliance has been fully mandatory since 1 July 2025 with no transitional grace period. Entities must have completed Virk.dk registration and have operational risk management measures and incident reporting workflows in place.

    Self-identification is mandatory where entities meet statutory thresholds.

    13. Interaction With GDPR and Other Laws in Denmark

    The General Data Protection Regulation continues to apply concurrently.

    Overlap areas include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Danish cybersecurity legislation

    A cyber incident may trigger reporting obligations under both regimes.

    14. Cross-Border Applicability

    Entities with their main establishment in Denmark are supervised by Danish authorities for cross-border services.

    Foreign digital providers offering services in Denmark may be subject to Danish oversight depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving Danish markets.

    15. Implementation Timeline in Denmark

    • Directive adoption: 2022
    • NIS2 Act (L 141) presented 6 February 2025; adopted 29 April 2025.
    • Entry into force: 1 July 2025 (no transitional grace period).
    • Commission notification: EC reasoned opinion issued May 2025 (pre-enactment); notification completeness under review.
    • Compliance milestone: Self-registration deadline 1 October 2025 (passed); full compliance required from 1 July 2025.

    Denmark completed transposition on 1 July 2025. Registration via Virk.dk was due 1 October 2025. Full compliance — including risk management measures and incident reporting workflows — was required from 1 July 2025 with no transitional grace period. Active supervision is underway.

    16. Key Takeaways for SMEs in Denmark

    • Determine your scope status against the essential / important classification.
    • Implement the ten Article 21 cybersecurity risk management measures.
    • Ensure board-level approval and oversight of cybersecurity governance — note that personal management liability under NIS2 has not been transposed in Denmark; management obligations are governed by the Danish Companies Act duty of care.
    • Operationalize incident reporting workflows for the 24h / 72h / 1 month deadlines via the Virk.dk portal.
    • Penalties remain consistent with Directive ceilings (€10M / 2% for essential entities), but must be pursued through criminal prosecution — Denmark does not impose direct administrative fines.
    • Maintain supply chain due diligence on critical ICT providers.
    • Document all cybersecurity decisions, incidents and remediation activities for supervisory review.

    FAQ: NIS2 Denmark SME Guide

    Does NIS2 apply to small companies in Denmark?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically included.

    What are the NIS2 fines in Denmark?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Denmark?

    Denmark's NIS2 Act (L 141) has been in force since 1 July 2025 with no transitional grace period. The self-registration deadline via the Virk.dk portal was 1 October 2025. Entities that have not yet registered should act immediately to come into compliance.

    Who enforces NIS2 in Denmark?

    Denmark applies a sector-specific supervision model: sector regulators such as the Danish Energy Agency, Finanstilsynet (Financial Supervisory Authority) and telecommunications regulators serve as the primary supervisors. The Ministry for Societal Resilience and Contingency (MSSB) coordinates overall NIS2 policy. The Centre for Cyber Security (CFCS) acts as the National CSIRT. Sanctions follow criminal prosecution — Denmark does not impose direct administrative fines.

    Can directors be personally liable under NIS2 in Denmark?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Denmark?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.

    What qualifies as a significant incident under NIS2 in Denmark?

    An incident causing severe disruption, financial loss, societal impact, or cross-border consequences generally meets the reporting threshold.