Cybersecurity regulation in Greenland (2026)

Greenland left the European Communities in 1985 and holds OCT status. EU directives, including NIS2 (EU 2022/2555) and Denmark's transposing NIS2 Act (in force 1 July 2025), do not extend to Greenland. Greenland therefore has no NIS2-style mandatory incident-reporting or security-measure regime.

Greenland's Agency for Digitisation (Digitaliseringskontoret) holds overall responsibility for Greenland's cyber defence and has established an internal cyber- and information-security team. It operates under Naalakkersuisut (the Government of Greenland) rather than under any statutory cybersecurity framework.

In October 2022 the Agency for Digitisation and Denmark's Centre for Cyber Security (CFCS) signed a cooperation agreement covering staff training, regular threat assessments and briefings for Greenland, and joint mapping of critical infrastructure requiring enhanced protection — a direct response to rising cyberattack volumes against Greenlandic public authorities and businesses.

Greenland has enacted its own Personal Data Act (substantially mirroring Danish law), which imposes data-security obligations and breach-notification requirements on data controllers. The Danish Data Protection Agency exercises supervisory authority over the Greenlandic law, providing the primary statutory channel for incident disclosure obligations.

Denmark's CFCS publishes cyberthreat assessments that explicitly cover Greenland, reflecting the island's growing Arctic strategic significance. A dedicated assessment for Greenland was published in 2024, signalling institutionalised threat-intelligence sharing even absent domestic legislation.

As of May 2026, Greenland's parliament (Inatsisartut) has not passed dedicated cybersecurity legislation, nor is any bill publicly in legislative progress. Sector-specific cyber obligations — beyond data-protection security requirements — are absent; incident-reporting duties outside the personal-data context have no statutory basis.