Cybersecurity · Denmark

Comprehensive law: Act on measures to ensure a high level of cybersecurity ('NIS2-loven', in force 1 July 2025), transposing the EU NIS2 Directive, supplemented by sector-specific statutes (energy, telecoms) implementing NIS2 and the CER Directive. Coordinated by the Danish Agency for Societal Security (Styrelsen for Samfundssikkerhed / SAMSIK).

As an EU member state, Denmark applies the EU cybersecurity baseline (NIS2, plus DORA for finance, GDPR for personal-data breaches) and transposed NIS2 into national law via the NIS2 Act, which entered into force on 1 July 2025. Rather than one single statute, Denmark uses a multi-sector model: a general cross-sector cybersecurity law plus dedicated sector laws for energy and telecommunications, with supervision split between SAMSIK and sector-specific competent authorities. Covered entities had to register by 1 October 2025 and must report significant incidents under the EU 24h/72h/1-month timeline.

NIS2 Act in force

Denmark transposed the NIS2 Directive through the NIS2 Act ('Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau'), which entered into force on 1 July 2025, imposing risk-management measures, governance/management accountability, and incident-reporting duties on essential and important entities.

Multi-sector implementation model

Instead of a single statute, Denmark layered the general cybersecurity law with sector-specific acts — e.g. the Energy Sector Security and Preparedness Act (Act No. 258 of 6 March 2025) and the Telecom Sector Security and Preparedness Act (Act No. 435 of 6 May 2025) — several of which also implement the EU Critical Entities Resilience (CER) Directive.

Competent authorities

The Danish Agency for Societal Security (SAMSIK), under the Ministry of Resilience and Preparedness, coordinates national implementation and supervises certain sectors, while sector-specific regulators (e.g. the Danish Agency for Digital Government for digital services) supervise their own domains.

Incident reporting (24h/72h/1 month)

Covered entities must submit an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month, reported to the relevant sector authority and the national CSIRT (operated by the Danish Defence Intelligence Service / Centre for Cyber Security).

Registration obligation

Entities had to self-assess whether they fall within scope and, if covered, register no later than 1 October 2025 (via Virk for SAMSIK-supervised entities).

Financial-sector overlay (DORA) and data-breach duties (GDPR)

Financial entities follow the directly-applicable EU DORA Regulation (in application since 17 January 2025) for ICT risk and incident reporting as lex specialis, while personal-data breaches must be notified to the Danish Data Protection Agency (Datatilsynet) within 72 hours under the GDPR.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.