
NIS2 readiness for Danish companies

NIS2 matters for some Danish companies, but not all of them. The first job is to determine whether it is genuinely relevant, how urgent it is, and what a sensible first response looks like.

The situation

NIS2 is law. The question is what it means for you.

Clarify applicability

Separate real obligations from noise by looking at service category, size, timing, and the practical shape of the requirement.

Translate the requirement into work

If the regime is relevant, turn it into a manageable action plan rather than a vague policy project.

Keep the work connected to operations

Management duties, evidence, ownership, and reporting expectations need to work in practice, not just on paper.

What NIS2 actually requires

The NIS2 Directive (EU 2022/2555) replaces the original NIS Directive and significantly expands the scope of cybersecurity obligations across the EU. Denmark is transposing it into national law, which means the specifics will be shaped by Danish legislation, but the core requirements are clear.

Who it applies to

NIS2 applies to "essential" and "important" entities across specific sectors. The sectors include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. It also covers postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research.

Size matters: generally, medium-sized enterprises (50+ employees or 10M+ EUR turnover) and large enterprises in these sectors fall within scope. Some entities are in scope regardless of size if they meet certain criteria.

Core obligations

NIS2 requires covered entities to take appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. Specifically:

  • Risk management: Policies on risk analysis and information system security
  • Incident handling: Procedures for detecting, responding to, and reporting incidents
  • Business continuity: Backup management, disaster recovery, and crisis management
  • Supply chain security: Security measures for supplier and service provider relationships
  • Network and information systems security: Secure acquisition, development, and maintenance of network and information systems
  • Vulnerability management: Handling and disclosure of vulnerabilities
  • Cyber hygiene and training: Basic cyber hygiene practices and security awareness
  • Cryptography and encryption: Policies and procedures for appropriate use
  • Human resources security: Access control and asset management

Management accountability

NIS2 places explicit responsibility on management bodies. Management must approve cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. They must also undergo cybersecurity training. This is not something that can be fully delegated to IT.

Incident reporting

Significant incidents must be reported to the relevant authority. The timeline is tight:

  • Early warning: Within 24 hours of becoming aware of a significant incident
  • Incident notification: Within 72 hours with an initial assessment
  • Final report: Within one month, including root cause analysis

Penalties

Essential entities face fines of at least 10M EUR or 2% of global annual turnover (whichever is higher). Important entities face fines of at least 7M EUR or 1.4% of global annual turnover (whichever is higher). Management can also face personal consequences.

Danish context

Denmark transposed NIS2 through the NIS 2-loven (LOV nr 434 af 06/05/2025), in force from 1 July 2025 with a 1 October 2025 registration deadline for covered entities. Styrelsen for Samfundssikkerhed (SAMSIK) is the national single point of contact and coordinates with sector regulators (Energistyrelsen, Finanstilsynet, Sundhedsdatastyrelsen and others) who supervise in-scope entities. If you're in scope, knowing which regulator supervises your sector is step one.

For many Danish companies, customer assurance or ISO 27001 readiness will still be the more immediate operating priority. NIS2 matters most when your company falls clearly within a covered sector and meets the size thresholds, or when your customers or partners require evidence of NIS2 compliance as part of their own supply chain obligations.

How support usually starts

  1. A short conversation to understand the business, the trigger, and why NIS2 is on the table now.
  2. A focused view on applicability, urgency, and what needs attention first.
  3. A practical recommendation on whether the next step is internal action, a Baseline assessment, or a more focused readiness effort.

When this page is most useful

This page is most useful for Danish companies that have a concrete reason to think NIS2 may apply and want a grounded first decision rather than generic policy talk. If you're unsure whether NIS2 applies to your company, that question alone is worth a 30-minute conversation.

Go deeper

More on NIS2

NIS2 Readiness for Danish SaaS

An 18-minute working guide covering scope, Cybersikkerhedsloven, Article 21 measures, incident reporting, and a 90-day plan.

NIS2 Scope Decision Tree

A 10-minute interactive decision tool to work out whether NIS2 applies to your company, including the DORA carve-out.

Find out where you stand on NIS2.

Book a scoping call. We'll work out whether NIS2 is relevant for your company and what a sensible first response looks like.
