Cybersecurity · Denmark
Cybersecurity regulation in Denmark (2026)
Denmark shaded by its cybersecurity status
As an EU member state, Denmark applies the EU cybersecurity baseline (NIS2, plus DORA for finance, GDPR for personal-data breaches) and transposed NIS2 into national law via the NIS2 Act, which entered into force on 1 July 2025. Rather than one single statute, Denmark uses a multi-sector model: a general cross-sector cybersecurity law plus dedicated sector laws for energy and telecommunications, with supervision split between SAMSIK and sector-specific competent authorities. Covered entities had to register by 1 October 2025 and must report significant incidents under the EU 24h/72h/1-month timeline.
Key points
Denmark transposed the NIS2 Directive through the NIS2 Act ('Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau'), which entered into force on 1 July 2025, imposing risk-management measures, governance/management accountability, and incident-reporting duties on essential and important entities.
Instead of a single statute, Denmark layered the general cybersecurity law with sector-specific acts — e.g. the Energy Sector Security and Preparedness Act (Act No. 258 of 6 March 2025) and the Telecom Sector Security and Preparedness Act (Act No. 435 of 6 May 2025) — several of which also implement the EU Critical Entities Resilience (CER) Directive.
The Danish Agency for Societal Security (SAMSIK), under the Ministry of Resilience and Preparedness, coordinates national implementation and supervises certain sectors, while sector-specific regulators (e.g. the Danish Agency for Digital Government for digital services) supervise their own domains.
Covered entities must submit an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month, reported to the relevant sector authority and the national CSIRT (operated by the Danish Defence Intelligence Service / Centre for Cyber Security).
Entities had to self-assess whether they fall within scope and, if covered, register no later than 1 October 2025 (via Virk for SAMSIK-supervised entities).
Financial entities follow the directly-applicable EU DORA Regulation (in application since 17 January 2025) for ICT risk and incident reporting as lex specialis, while personal-data breaches must be notified to the Danish Data Protection Agency (Datatilsynet) within 72 hours under the GDPR.
Timeline - major decisions & events
Denmark's general cross-sector NIS2 statute (LOV nr. 434, 'Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau') takes effect, imposing risk-management, governance and incident-reporting duties on essential/important entities; covered entities had to self-register by 1 October 2025.
Retsinformation (Danish official legislation portal) ↗Denmark missed the 17 October 2024 EU deadline to transpose NIS2, prompting Commission infringement action; the delay is why Danish cyber obligations only became binding from mid-2025.
European Commission (Shaping Europe's digital future) ↗A dedicated act on security and preparedness in the telecommunications and digital-infrastructure sector (LOV nr. 435) is enacted alongside the main law, reflecting Denmark's multi-statute, sector-responsibility implementation model rather than a single cyber code.
Retsinformation ↗LOV nr. 258 consolidates security and emergency-preparedness rules for electricity, gas, oil, heating and hydrogen operators, implementing both NIS2 and the Critical Entities Resilience directive and more than doubling the number of regulated energy companies to ~160.
Retsinformation ↗The EU Digital Operational Resilience Act starts applying, setting ICT risk-management, incident-reporting and third-party (cloud) oversight rules for banks, insurers and other financial firms, supervised in Denmark by Finanstilsynet.
ESMA ↗The Danish Data Protection Agency reported Netcompany to police and recommended a record ~DKK 15m fine after a coding flaw in the mit.dk digital-post authentication component briefly exposed citizens' confidential data, faulting inadequate security and a missing impact assessment.
Datatilsynet ↗SektorCERT's report details a May 2023 wave of attacks compromising ~22 energy companies via Zyxel firewall flaw CVE-2023-28771 (with possible GRU/Sandworm links), the largest such incident in Danish history and a key driver of tougher energy-sector rules.
SektorCERT ↗The government's third national cyber strategy, funded with ~DKK 270m across 34 initiatives, continues Denmark's 'sector responsibility principle' approach where each ministry secures its own domain.
Danish Agency for Digital Government (Digitaliseringsstyrelsen) ↗Act no. 502 of 23 May 2018 (Databeskyttelsesloven) supplements the GDPR and applies from the same day, establishing Datatilsynet's supervisory role and the security/breach-notification regime underpinning data-related cyber obligations.
Datatilsynet ↗LOV nr. 713 regulates the Centre for Cyber Security (CFCS) within the Defence Intelligence Service as Denmark's national IT-security authority, network-security service and centre of excellence — the foundational institution of today's framework.
Retsinformation ↗Denmark - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →