12 March 2026 Update - The transposition of NIS 2 in Denmark
The Kingdom of Denmark has completed the legislative transposition of Directive (EU) 2022/2555 into its national legal order, although the process occurred after the European Union deadline of 17 October 2024.
Denmark adopted a different legislative strategy compared with many other Member States. Instead of implementing the directive through a single comprehensive cybersecurity statute, the Danish legislature chose a multi sector implementation model, consisting of a general cross sector cybersecurity framework supplemented by sector specific statutes and regulations governing particular industries such as energy, telecommunications, and financial digital infrastructure. This approach reflects the structure of Denmark’s existing cybersecurity governance system, which historically relies on sectoral supervision and specialized competent authorities.
Under the NIS 2 Directive, Member States were required to adopt national implementing measures by 17 October 2024. Denmark did not meet this deadline. As a consequence, the European Commission included Denmark among the Member States that had not fully notified their transposition measures and issued a reasoned opinion on 7 May 2025 as part of the EU infringement procedure concerning incomplete implementation of the directive.
The central Danish implementing legislation is commonly referred to as the NIS 2 Act, formally titled the Law on Measures to Ensure a High Level of Cybersecurity. This act establishes the fundamental obligations applicable to entities falling within the directive’s scope.
The legislation entered into force on 1 July 2025, formally incorporating the requirements of the NIS 2 Directive into Danish law.
The Danish implementation is supplemented by several additional legislative instruments and executive regulations, including implementing orders that define the technical and operational cybersecurity requirements for regulated entities.
For example, the Act on Security and Preparedness in the Energy Sector (Act No. 258 of 6 March 2025) entered into force on 7 March 2025, implementing both NIS 2 and the Critical Entities Resilience (CER) Directive for energy infrastructure operators.
The Act on Security and Preparedness in the Telecommunications Sector (Act No. 435 of 6 May 2025) entered into force on 1 July 2025, establishing cybersecurity obligations for telecommunications providers and other digital infrastructure actors.
These statutes are complemented by several ministerial orders that specify requirements relating to organizational resilience, incident reporting, cybersecurity governance, personnel security, and supply-chain risk management.
Responsibility for supervising the NIS 2 framework in Denmark is distributed among several competent authorities depending on the sector concerned. The Danish Civil Contingency Agency (Styrelsen for Samfundssikkerhed) plays a central role in supervising compliance and coordinating national cybersecurity resilience. This multi-authority supervisory structure reflects Denmark’s longstanding approach to cybersecurity governance, which relies on sector regulators working in coordination with national cybersecurity institutions.
EU - Transposition, Member States