NIS2 is about to become a reality in Denmark: What should your organisation be aware of?

The Danish bill implementing the NIS2 directive was proposed by the Danish Ministry of Defence on July 5, 2024. You can read the bill here (only available in Danish). According to the bill, the implementation law will enter into force on March 1, 2025. The directive's transposition deadline is October 17, 2024, so Denmark will be roughly four and a half months late in implementing it.

NIS2 implementation in Denmark through framework legislation

In Denmark, NIS2 will be implemented through framework legislation: a cross-sectoral main law, supplemented by sector-specific legislation for the telecommunications, energy, and financial sectors. Sector-specific regulations (in Danish: bekendtgørelser) will be issued under the main law and will set out the sector-specific requirements for cybersecurity measures, incident reporting, and supervision. The bill proposed by the Ministry of Defence is the cross-sectoral main law.

Currently, there is no sector-specific proposal targeting the telecommunications sector. The implementation law for the energy sector is at the proposal stage and is set to take effect on January 1, 2025 (available here in Danish). For the financial sector, NIS2 has been implemented through amendments to existing legislation (see § 333 and the following sections), which have already entered into force (available here in Danish).

NIS2 directive and implementing acts

The NIS2 directive allows the European Commission to adopt implementing acts concerning the specific and technical implementation of certain obligations under the directive, including security measures (Article 21) and incident reporting (Article 23). These implementing acts are binding EU legal acts that require member states to apply certain provisions in a specified manner. They are directly applicable, meaning that Danish organisations may be subject to these requirements directly, whether or not the Danish implementation law repeats them.

Currently, draft implementing acts exist for digital service providers (cloud services, managed services, data centers, online marketplaces, etc.). These acts contain extensive requirements for security measures and incident reporting that significantly expand on the broad requirements outlined in the directive. Digital service providers should familiarise themselves with these drafts and adjust their implementation efforts accordingly.

Who falls under the scope of NIS2?

Determining whether your organisation is subject to NIS2 cybersecurity requirements depends on several factors. Each "entity" must be assessed individually (based on its company registration number), and an entity that provides NIS2 services is covered regardless of how large a share of its activities those services represent, whether they are its primary business or a secondary activity.

Firstly, you need to assess whether you provide services covered by the law's Annex 2 and/or 3.

Secondly, you must determine whether your organisation is established in or provides services to the EU. To fall under Danish jurisdiction and have Danish NIS2 legislation apply, the primary determining factor is whether your organisation is established in Denmark, with only a few exceptions. 

Thirdly, the law generally applies only to organisations that are at least medium-sized enterprises under the EU SME definition (Recommendation 2003/361/EC), i.e. organisations that exceed the thresholds for small enterprises. You exceed these thresholds if:

  1. You employ at least 50 people, OR
  2. Both your annual turnover AND your annual balance sheet total exceed 10 million EUR.

It is important to note that an entity may still be covered by NIS2 despite falling below these thresholds on its own, because under the SME definition the headcount and financial figures of partner and linked enterprises in the group may have to be counted as well. Whether this applies depends on the internal dependencies within the group, in particular the extent to which network and information systems are shared across it.

If your organisation meets all three conditions, the Danish implementation law applies.

Entities that meet these three conditions, provide services covered by Annex 2, and qualify as large enterprises (in general, 250 or more employees, or an annual turnover above 50 million EUR and a balance sheet total above 43 million EUR) are essential entities. Certain exceptions apply: central government authorities, for example, are essential entities regardless of size.

Other entities that are covered but not classified as essential entities are considered important entities. The difference between whether an organisation is essential or important relates to the extent of supervision and sanctions, but otherwise, the requirements under NIS2 are the same.

Registration requirements

NIS2 requires that organisations assess whether they are subject to the above requirements and, if so, register with the relevant authority responsible for enforcing NIS2 requirements in the specific (sub)sector. This is a significant change from the obligations under the previous NIS 1 directive, where organisations were designated by authorities as being covered by the directive’s obligations.

Therefore, compliance with the implementation law's obligations first requires that you correctly assess whether you are covered or not - and that you can substantiate your conclusion.

If you provide services covered by multiple (sub)sectors, you will be subject to the requirements of all relevant (sub)sectors, including supervision and various cybersecurity requirements, and may need to register with multiple authorities.

Additionally, for international groups of companies, NIS2 may require registration in several different jurisdictions.

Special considerations for public authorities

Central government authorities and regional authorities are automatically subject to the requirements of the implementation law solely due to their exercise of authority.

Municipalities and universities are covered if they provide services covered by Annex 2 and/or 3 of the NIS2 implementation law. Whether municipalities’ exercise of authority alone will subject them to NIS2 is still unresolved and awaits specific handling in the underlying sectoral regulations.

Reporting significant incidents – when and how?

When an entity covered by NIS2 becomes aware of a "significant security incident", it must, without undue delay and in any event within 24 hours of becoming aware, submit an early warning to the relevant authority. The early warning should indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have cross-border impact.

Additionally, without undue delay and in any event within 72 hours of becoming aware of the incident, the entity must submit an incident notification that updates the information in the early warning and gives an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.

It is important to note that the two deadlines run concurrently, not sequentially: the 72-hour clock does not start when the 24-hour deadline expires. Both clocks start at the moment the entity becomes aware of the incident, so an early warning sent at hour 20 leaves 52 hours, not 72, for the incident notification.

A final report must be submitted to the relevant authority no later than one month after the incident notification. If the incident is still ongoing at that point, a progress report is submitted instead, with the final report due within one month of the incident being handled.
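The timeline above is easy to misread in the middle of an incident, so an incident-response playbook should compute the deadlines rather than rely on memory. The Python helper below is an added example, not code from the page, the Danish bill or the directive. It assumes the timeline as described above (24-hour early warning and 72-hour incident notification, both counted from awareness; final report one month after the incident notification was submitted), takes ISO 8601 timestamps with a UTC offset, and shows both the concurrent clocks and the calendar-month rule. The function names and all sample timestamps are constructed for illustration.

```python
"""Hypothetical NIS2 reporting-deadline helper for an incident-response playbook.

Added example; not taken from the page, the Danish bill or the directive.
Assumes: early warning within 24 h and incident notification within 72 h, both
counted from the moment the entity becomes aware of the incident; final report
no later than one month after the incident notification was submitted.
"""
import calendar
from datetime import datetime, timedelta


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and insist on an explicit UTC offset."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # Deadlines are absolute instants. A naive local time is ambiguous
        # across DST changes and across the jurisdictions a group reports in.
        raise ValueError(f"timestamp must carry a UTC offset: {ts!r}")
    return dt


def _add_one_month(dt: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's last day (31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def nis2_deadlines(aware_at: str) -> dict:
    """Early-warning and incident-notification deadlines, both counted from awareness."""
    aware = _parse(aware_at)
    return {
        "early_warning_due": (aware + timedelta(hours=24)).isoformat(),
        # Concurrent, not sequential: 72 h from awareness, NOT from when the
        # early warning was sent.
        "incident_notification_due": (aware + timedelta(hours=72)).isoformat(),
    }


def final_report_due(incident_notification_sent_at: str) -> str:
    """One month after the 72-hour incident notification was actually submitted."""
    return _add_one_month(_parse(incident_notification_sent_at)).isoformat()


def check_submission(due: str, submitted_at: str) -> tuple:
    """Return (on_time, hours_of_margin); a negative margin means late by that many hours.

    Both timestamps carry offsets, so a deadline in CET and a submission logged
    in UTC compare correctly.
    """
    margin = _parse(due) - _parse(submitted_at)
    return margin >= timedelta(0), margin.total_seconds() / 3600


if __name__ == "__main__":
    # Constructed timestamps, Danish winter time (UTC+01:00).
    aware = "2025-03-10T09:00:00+01:00"
    deadlines = nis2_deadlines(aware)
    print(deadlines)
    # A team that started the 72 h clock when it sent the early warning at 08:00
    # on 11 March would believe it had until 08:00 on 14 March; the real
    # deadline is 09:00 on 13 March, so that submission is 23 hours late.
    print(check_submission(deadlines["incident_notification_due"], "2025-03-14T08:00:00+01:00"))
    # Month arithmetic: a notification sent on 31 January is due 28 February, not 3 March.
    print(final_report_due("2025-01-31T10:00:00+01:00"))
```

The helper refuses naive timestamps on purpose: a group with entities in several member states will have awareness recorded in different local times, and the only safe way to compare a deadline with a submission log entry is as absolute instants.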

What constitutes a significant incident will be clarified in the sector-specific regulations and the implementing acts, since the threshold may differ considerably from (sub)sector to (sub)sector. The regulations are expected to define it on the basis of factors such as the number of affected users, the duration of any outage, and the extent of the damage.

The reporting procedure is expected to take place via virk.dk or a similar portal, similar to how data breach notifications are made under GDPR.

What security measures must be in place?

The implementation law mentions the following measures that must be implemented at a minimum if you are a covered entity:

  1. Policies for risk analysis and information system security.
  2. Incident management.
  3. Operational continuity, such as backup management and disaster recovery, and crisis management.
  4. Supply chain security, including security-related aspects concerning relationships between the entity and its direct suppliers or service providers.
  5. Security in the acquisition, development, and maintenance of network and information systems, including handling and disclosure of vulnerabilities.
  6. Policies and procedures for assessing the effectiveness of cybersecurity risk management measures.
  7. Basic cyber hygiene practices and cybersecurity training.
  8. Policies and procedures for the use of cryptography and, where relevant, encryption.
  9. Personnel security, access control policies, and asset management.
  10. Use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communication, and secure emergency communication systems within the entity, where relevant.

The described measures are not detailed beyond this, but it is expected that the specific regulations will further elaborate on the extent of each measure. The security measures are also significantly expanded in the implementing acts for digital service providers.

Sanctions and management responsibility

The directive states that:

  • Essential entities can be fined up to 2% of their total worldwide annual turnover or 10 million EUR, whichever amount is higher.
  • Important entities can be fined up to 1.4% of their total worldwide annual turnover or 7 million EUR, whichever amount is higher. Public authorities can also be sanctioned, but it is up to each member state to establish specific rules for this.

Denmark, however, does not have administrative fines, so fines will be imposed through the filing of a police report, after which the prosecution can bring charges, potentially referencing the directive’s fine levels.

The Danish implementation law does not introduce an enhanced personal management responsibility that goes beyond ordinary management liability, unlike the directive. Therefore, personal charges will only be brought against management members if they act with gross negligence or intent.

The management body is responsible for approving the security measures, overseeing their implementation, and ensuring their effectiveness. Management must also participate in courses on cybersecurity risks and potentially offer these courses to employees.

Our recommendations

You can already follow the implementing acts that the Commission will issue regarding the implementation of NIS2. Even though Denmark is behind in its implementation, the implementing acts are still binding on how Denmark must implement NIS2, and they will give an indication of the standards and requirements to follow when implementing cybersecurity in your organisation.

Furthermore, your organisation should already start considering whether it is covered by the implementation law and needs to register as an essential or important entity. Digital service providers must register no later than January 17, 2025, while other actors must register by April 17, 2025.

Moreover, international organisations will need to consider the status and content of local implementation laws in other member states, as there may also be requirements for local registration. The progress of NIS2 implementation varies significantly across EU member states. Currently, it appears that most countries are implementing the directive in line with its requirements, but there is considerable variation in when local NIS2 laws will come into effect. Some have already been enacted, several are set to take effect in October, and others are expected to be delayed, similar to Denmark.

Bird & Bird is an international law firm specialising in global NIS2 implementation projects, leveraging local expertise and global experience. Contact us to learn how the NIS2 requirements will impact your organisation - in Denmark or anywhere else in the world - and how we can help you prepare.
