Three new laws enter into force: Denmark strengthens preparedness and security in critical infrastructure

On 1 July, three new laws will come into force, which together will strengthen Denmark's digital and physical resilience. The laws implement the EU's NIS 2 Directive and CER Directive and impose new requirements on both cybersecurity and physical security in critical sectors.

New standard for cybersecurity in critical sectors

The NIS 2 Act implements the EU Directive on measures to ensure a high common level of cybersecurity across the EU. The Act tightens the requirements for information security in a wide range of sectors, including transport, health and digital infrastructure.

The purpose of the Act is to strengthen society's overall cyber security by ensuring that critical and important entities work systematically with risk management, incident management and security measures.

The Danish Civil Protection Agency supports the implementation of the Act with four cross-cutting guidelines that explain the key concepts and requirements of the Act. The guidelines have been prepared in close collaboration with the business community and the sector-responsible authorities, which have played an important role in ensuring that the material is relevant, usable and adapted to the reality of the many entities that will have to comply with the law in the future. The guides can be found here.

In the period from the entry into force of the NIS 2 Act on 1 July until 1 October, the covered entities must register via Virk.dk.

From 1 July, NIS 2-covered companies and authorities must report significant incidents via Virk.dk. Reports are handled by the Danish Defence Intelligence Service, which is responsible for the task of being a national CSIRT.

Further information about NIS 2 can be found here: www.samsik.dk/nis2

CER Act – requirements for physical resilience in critical infrastructure

The CER Act implements the EU's Directive on the Physical Resilience of Critical Entities. The Act covers entities in 11 sectors of critical importance, including the energy, transport, food and health sectors, and requires them to protect themselves against a wide range of threats and incidents.

The purpose of the Act is to ensure that socially important functions can be maintained to the best possible extent – also in the event of serious incidents such as natural disasters, terrorism or technical breakdowns.

The Danish Civil Protection Agency has the overall responsibility for coordination and supervision of the implementation and will work closely with the sector-responsible authorities on guidance and support for the covered units.

Entities that will be covered by the CER Act are designated by the competent authorities set by the Ministry of Civil Protection and Emergency Preparedness. The designation of entities shall: by 17 July 2026 at the latest. Once the critical entities have been notified of their designation, they have nine and ten months respectively to meet the material CER requirements.

Strengthened security in the telecommunications sector

The Act on Security and Emergency Preparedness in the Telecommunications Sector and the associated executive orders update the regulation in the area and at the same time implement the NIS 2 Directive specifically for the telecommunications sector.

The purpose is to ensure that society's digital communication – such as telephony, internet and data services – functions stably and securely, even under pressure or in the event of attacks.

As a result of the NIS2 implementation, the telecommunications providers' obligation to notify the Danish Civil Protection Agency in the event of significant security incidents will change. Notification of security incidents will continue to be made via Virk.dk, but in the future, telecom providers will have to submit both an early warning within 24 hours, an update of this within 72 hours and a final report no later than one month after the early warning. The security incident notification form is adapted to the changing requirements. See also guidelines on incident notification here.

In addition, telecommunications providers covered by the Act on Security and Preparedness in the Telecommunications Sector must register. This is also done through Virk.dk.

The Danish Civil Protection Authority supervises telecommunications providers' compliance with the Act on Security and Preparedness in the Telecommunications Sector and the rules issued pursuant to the Act.