Cybersecurity Β· Denmark
Cybersecurity law in Denmark: NIS2 compliance (2026)
Denmark shaded by its cybersecurity status
Cybersecurity in Denmark: comprehensive law, anchored by Act on measures to ensure a high level of cybersecurity ('NIS2-loven', in force 1 July 2025), transposing the EU NIS2 Directive, supplemented by sector-specific statutes (energy, telecoms) implementing NIS2 and the CER Directive. Coordinated by the Danish Agency for Societal Security (Styrelsen for Samfundssikkerhed / SAMSIK)..
As an EU member state, Denmark applies the EU cybersecurity baseline (NIS2, plus DORA for finance, GDPR for personal-data breaches) and transposed NIS2 into national law via the NIS2 Act, which entered into force on 1 July 2025. Rather than one single statute, Denmark uses a multi-sector model: a general cross-sector cybersecurity law plus dedicated sector laws for energy and telecommunications, with supervision split between SAMSIK and sector-specific competent authorities. Covered entities had to register by 1 October 2025 and must report significant incidents under the EU 24h/72h/1-month timeline.
NIS2 & cybersecurity law in Denmark
In Denmark, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to β¬10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Denmark implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Denmark: FAQ
Yes. As an EU member, Denmark has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to β¬10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
Denmark transposed the NIS2 Directive through the NIS2 Act ('Lov om foranstaltninger til sikring af et hΓΈjt cybersikkerhedsniveau'), which entered into force on 1 July 2025, imposing risk-management measures, governance/management accountability, and incident-reporting duties on essential and important entities.
Instead of a single statute, Denmark layered the general cybersecurity law with sector-specific acts, e.g. the Energy Sector Security and Preparedness Act (Act No. 258 of 6 March 2025) and the Telecom Sector Security and Preparedness Act (Act No. 435 of 6 May 2025), several of which also implement the EU Critical Entities Resilience (CER) Directive.
The Danish Agency for Societal Security (SAMSIK), under the Ministry of Resilience and Preparedness, coordinates national implementation and supervises certain sectors, while sector-specific regulators (e.g. the Danish Agency for Digital Government for digital services) supervise their own domains.
Covered entities must submit an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month, reported to the relevant sector authority and the national CSIRT (operated by the Danish Defence Intelligence Service / Centre for Cyber Security).
Entities had to self-assess whether they fall within scope and, if covered, register no later than 1 October 2025 (via Virk for SAMSIK-supervised entities).
Financial entities follow the directly-applicable EU DORA Regulation (in application since 17 January 2025) for ICT risk and incident reporting as lex specialis, while personal-data breaches must be notified to the Danish Data Protection Agency (Datatilsynet) within 72 hours under the GDPR.
Timeline - major decisions & events
Denmark's general cross-sector NIS2 statute (LOV nr. 434, 'Lov om foranstaltninger til sikring af et hΓΈjt cybersikkerhedsniveau') takes effect, imposing risk-management, governance and incident-reporting duties on essential/important entities; covered entities had to self-register by 1 October 2025.
Retsinformation (Danish official legislation portal) βDenmark missed the 17 October 2024 EU deadline to transpose NIS2, prompting Commission infringement action; the delay is why Danish cyber obligations only became binding from mid-2025.
European Commission (Shaping Europe's digital future) βA dedicated act on security and preparedness in the telecommunications and digital-infrastructure sector (LOV nr. 435) is enacted alongside the main law, reflecting Denmark's multi-statute, sector-responsibility implementation model rather than a single cyber code.
Retsinformation βLOV nr. 258 consolidates security and emergency-preparedness rules for electricity, gas, oil, heating and hydrogen operators, implementing both NIS2 and the Critical Entities Resilience directive and more than doubling the number of regulated energy companies to ~160.
Retsinformation βThe EU Digital Operational Resilience Act starts applying, setting ICT risk-management, incident-reporting and third-party (cloud) oversight rules for banks, insurers and other financial firms, supervised in Denmark by Finanstilsynet.
ESMA βThe Danish Data Protection Agency reported Netcompany to police and recommended a record ~DKK 15m fine after a coding flaw in the mit.dk digital-post authentication component briefly exposed citizens' confidential data, faulting inadequate security and a missing impact assessment.
Datatilsynet βSektorCERT's report details a May 2023 wave of attacks compromising ~22 energy companies via Zyxel firewall flaw CVE-2023-28771 (with possible GRU/Sandworm links), the largest such incident in Danish history and a key driver of tougher energy-sector rules.
SektorCERT βThe government's third national cyber strategy, funded with ~DKK 270m across 34 initiatives, continues Denmark's 'sector responsibility principle' approach where each ministry secures its own domain.
Danish Agency for Digital Government (Digitaliseringsstyrelsen) βAct no. 502 of 23 May 2018 (Databeskyttelsesloven) supplements the GDPR and applies from the same day, establishing Datatilsynet's supervisory role and the security/breach-notification regime underpinning data-related cyber obligations.
Datatilsynet βLOV nr. 713 regulates the Centre for Cyber Security (CFCS) within the Defence Intelligence Service as Denmark's national IT-security authority, network-security service and centre of excellence, the foundational institution of today's framework.
Retsinformation βDenmark - other topics
Cybersecurity in other countries
Last verified 5/23/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β