NIS 2 Status Dänemark

NIS 2 status in Denmark

What the directive requires, how Denmark transposes it, and why supervision does not sit with a single authority.

Simon OrzelSimon Orzel·

Overview

The NIS 2 directive is the EU layer. It binds every member state, including Denmark, with one cybersecurity floor for essential and important entities. Denmark must put that floor into Danish law and run a supervision regime under it.

Denmark transposed late. The deadline under Article 41 was 17 October 2024. The Folketing adopted the NIS 2-loven (Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau) only on 29 April 2025. It entered into force as Act No. 434 of 6 May 2025 on 1 July 2025. The self-registration window through virk.dk ran until 1 October 2025.

Denmark uses a sectoral supervision model. Styrelsen for Samfundssikkerhed (SAMSIK), under the Ministry for Societal Security and Emergency Preparedness, coordinates and acts as supervisor for telecoms, central government, municipalities and parts of manufacturing. Energy, finance, transport, maritime, health and water each have their own sector-responsible authority. Center for Cybersikkerhed (CFCS) has been organisationally part of SAMSIK since 1 January 2025 and continues to operate the national CSIRT under Forsvarets Efterretningstjeneste.

Where the rules live
Three layers that anyone reading the Danish version of NIS 2 needs to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.

EU implementation

Commission Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Denmark without national transposition.

Danish transposition

Act No. 434 of 6 May 2025 (NIS 2-loven)

The Danish NIS 2 transposition. A cross-sector framework act on one side, plus sectoral statutes on the other. The energy sector follows Act No. 258 of 6 March 2025; telecoms follows Act No. 435 of 6 May 2025. Operational detail is delegated to executive orders (bekendtgørelser) and guidance from the relevant authority.

Three things to know
What changes for entities operating in Denmark.
Transposition

The NIS 2 Act plus sectoral statutes

The NIS 2-loven (Act No. 434 of 6 May 2025) carries the NIS 2 obligations into Danish law and applies from 1 July 2025. It is supplemented by sector-specific statutes, notably for energy (Act No. 258 of 6 March 2025) and telecoms. Most operational detail is delegated to executive orders (bekendtgørelser) issued by the responsible authority.

Authority

SAMSIK coordinates, sector authorities supervise

Styrelsen for Samfundssikkerhed (SAMSIK), inside the Ministry for Societal Security and Emergency Preparedness, is the central coordinator and supervisor for telecoms, central government, municipalities and parts of manufacturing. Energistyrelsen, Finanstilsynet, Trafikstyrelsen, Søfartsstyrelsen and Sundhedsdatastyrelsen each supervise their own sectors. CFCS remains the national CSIRT.

Deadlines

Registration via virk.dk, reporting via CFCS

Self-registration of in-scope entities ran on virk.dk with MitID until 1 October 2025. Significant incidents follow the directive's 24h early warning, 72h notification and one-month final report cadence. The reporting channel is CFCS as national CSIRT, with parallel notification to the sector-responsible authority.

Two principles that decide every edge case
Use these before reading a Danish commentary on NIS 2.

Local law applies inside Denmark, spread across several authorities

Operations on Danish territory follow the Danish transposition. A German Geschäftsführer running a Danish subsidiary reads the NIS 2-loven and the relevant sectoral statute for that subsidiary, not the German BSIG. Unlike Germany with the BSI, Denmark has no single central cyber supervisor. Which Tilsynsmyndighed has competence depends on the entity's primary sector.

Denmark cannot go below the EU floor

The directive is a minimum harmonisation instrument. Denmark can go stricter and does in parts, in particular for the energy sector via its own resilience duties. Denmark cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability under Article 20 NIS 2.

Who does what in Denmark
Three nodes that appear in almost every Danish NIS 2 question.
DK

CFCS

Center for Cybersikkerhed. Organisationally part of SAMSIK since 1 January 2025, operationally still inside Forsvarets Efterretningstjeneste (FE, the Defence Intelligence Service). Runs the national CSIRT, is the 24/7 contact point for incident reports and the single point of contact in the EU CSIRTs network. CFCS is not the general NIS 2 supervisor; it is the technical authority for situational awareness and response.

DK

SAMSIK and sector authorities

Styrelsen for Samfundssikkerhed (SAMSIK) coordinates NIS 2 supervision and is itself supervisor for telecoms, central government, municipalities and parts of manufacturing. Energistyrelsen supervises energy, Finanstilsynet finance (with DORA as lex specialis), Trafikstyrelsen transport, Søfartsstyrelsen maritime, Sundhedsdatastyrelsen health. Registration runs sector by sector through the common entry point virk.dk.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Danish entities; that sits with the sector authorities, coordinated by SAMSIK.

Pitfalls
Mistakes we see when Danish entities first read NIS 2.

  • Denmark has one central cyber supervisor like the German BSI.

    It does not. Denmark runs NIS 2 through a sectoral model. SAMSIK coordinates and supervises some sectors. Energy, finance, transport, maritime and health sit with their own sector-responsible authorities. An entity active in several sectors can have several supervisors at once. The German BSI logic does not transfer one to one.

  • We do not need to register; the authority does it for us.

    Wrong. Self-registration runs on virk.dk with MitID and was mandatory by 1 October 2025 for every entity in scope of the NIS 2-loven. Late registration is still required and carries the risk of sanctions. There is no automatic classification without an active entry.

  • We are a small supplier, the sector supervisor will not look at us.

    The size test caps at medium and large enterprises by default, but the directive captures small entities where they are the sole provider, where disruption has cross-border impact, or where Danish law adds them. Telecoms operators, trust service providers, DNS providers and parts of public administration are in regardless of size. The applicability check must be done case by case, not by company size alone.

Practitioner view

Most Danish mid-market operators we see look instinctively for one single point of contact. There is none. If you sit in a regulated sector, you talk primarily to your own sector-responsible authority. If you sit outside the regulated sectors or you have cross-cutting questions, you go to SAMSIK. Incident reporting technically goes through CFCS in parallel with the sector authority. The CEO or direktør is personally on the hook for risk-management approval and own training under Article 20 NIS 2.

The practical move is the same as everywhere else in the EU: confirm scope under the directive, clarify the primary sector, register through virk.dk, set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight) and document the minimum. An entity active in several sectors documents per sector, because supervisors ask per sector.

How the platform helps

We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Danish subsidiary using the NIS 2-loven, a German parent using BSIG, and a Dutch sister using the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.

For Danish scope you start with the applicability check, clarify your primary sector and the sector-responsible authority, then move to incident reporting cadence, supply chain clauses and management body sign-off. Where SAMSIK or a sector authority publishes guidance, we reference it; we do not duplicate it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690
  • Act No. 434 of 6 May 2025 on measures to ensure a high level of cybersecurity (NIS 2-loven) — Retsinformation
  • Act No. 258 of 6 March 2025 on security and preparedness in the energy sector — Retsinformation
  • Styrelsen for Samfundssikkerhed (SAMSIK) — official site samsik.dk
  • Center for Cybersikkerhed (CFCS) — national CSIRT, cfcs.dk
  • virk.dk — Danish business portal for NIS 2 registration
  • European Commission, reasoned opinion on Denmark's incomplete NIS 2 transposition of 7 May 2025
Check your Danish scope in under five minutes
The applicability check applies the directive's size and sector test. If your Danish subsidiary is in scope, the next steps are registration on virk.dk and contact with the sector-responsible authority.
Run the applicability check