Is your company ready for the new NIS2 regulation?
What is the bill about?
The bill, which includes measures to ensure a high level of cybersecurity, aims to protect Denmark's digital infrastructure from threats. If passed, the law will come into effect on March 1, 2025. It will require companies to secure their systems, report incidents, and cooperate with authorities to create a safer cyberspace.
The law is based on and implements the NIS2 directive, which stands for Network and Information Systems Directive 2. NIS2 is an EU directive designed to strengthen cybersecurity across the EU by introducing stricter requirements for member states' network and information systems.
With this legislation, companies in Denmark will need to comply with the new requirements and prepare to meet them to ensure a higher degree of protection against cyber threats. A list of affected sectors can be found further down in this article.
What is the NIS2 Directive?
The NIS2 Directive expands cybersecurity requirements and sanctions to harmonize the security level across EU countries. This directive mandates that all affected sectors, including energy, transport, healthcare, digital infrastructure, finance, utilities, telecommunications, public institutions, and educational institutions, implement effective risk management systems, protect their digital infrastructure, and comply with new rules to prevent and respond to cyber threats. Compliance with NIS2 is not only a legal requirement but also essential for safeguarding company operations and protecting sensitive data.
The NIS2 Directive sets the framework for how businesses and authorities should handle cyber and information security. This directive will be implemented through national regulations that act as binding legislation. This means your organization is obligated to comply with the requirements laid out in the Danish regulations, which are expected to take effect on March 1, 2025.
Who does the rules apply to?
The new rules apply to companies and organizations that, according to the Commission, perform essential functions in society, as well as public authorities, including central administration, regions, and municipalities.
The following is a non-exhaustive list of sectors and companies affected:
- Energy: Electricity and gas suppliers, as well as energy producers (e.g., wind farms, solar energy).
- Transport: Airlines, railway operators, port, and transport infrastructure.
- Healthcare: Hospitals and clinics, pharmaceutical companies, and medical device suppliers.
- Digital infrastructure: Internet service providers, cloud services, and data centers.
- Financial sector: Banks, insurance companies, and investment firms.
- Utilities: Water supply companies and waste management firms.
- Telecommunications: Mobile and landline phone providers.
- Public institutions: State, municipalities, and public administrations.
- Educational institutions: Universities.
What are the key points of the bill?
- Security: Companies must have adequate security measures in place to protect their IT systems.
- Reporting: If a company experiences a serious security incident (such as a cyberattack), it must immediately report it to the relevant authorities.
- Supervision: Authorities have the right to oversee whether companies comply with the law's requirements. They can issue orders or bans if necessary.
- Collaboration: There must be cooperation between companies and authorities to improve cybersecurity, including sharing information about threats and incidents.
- Education: Authorities must work to raise awareness and education about cybersecurity among both companies and the public.
- Information sharing: Authorities can share cybersecurity information with other EU countries, but only if it does not compromise national security.
- Sanctions: Violations of the new law can result in fines.
Enforcement: The law will take effect on 1 march, 2025. - Changes to other legislation: The law will repeal several previous laws related to network and information security.
What specific requirements does the bill impose on your company?
The bill sets several important governance requirements for your organization, including management, risk management, and reporting, as summarized here:
Management responsibility
- Company management must be familiar with the bill's requirements and ensure that cyber risks are identified, managed, and that all requirements are met. This means management must be actively involved in shaping and maintaining the company’s cybersecurity policies.
Risk management
The new law increases demands on risk management and resilience. Your company must implement preventive and damage-limiting measures to reduce risks and consequences. Minimum requirements include:
- Incident management: Establishing processes to handle security incidents.
- Supply chain security: Assessing suppliers' security.
- Network security: Securing networks against unauthorized access.
- Access control: Implementing controls to limit access to sensitive information.
- Encryption: Protecting data using encryption techniques.
Business continuity
Your company must plan how to ensure business continuity if hit by a major cyber incident. This includes:
- System recovery: Establishing procedures for the rapid recovery of IT systems.
- Emergency procedures: Developing emergency procedures to handle incidents.
- Crisis management: Crisis plans and escalation procedures are required to ensure the company can respond quickly and effectively, and ensure relevant authorities and stakeholders are informed in accordance with the directive’s requirements.
Reporting to authorities
The bill requires, among other things, reporting significant incidents within 24 hours, meaning your company must be prepared to quickly communicate incidents to the relevant authorities.
This way, your company ensures a stronger governance structure concerning cybersecurity, in line with the NIS2 directive.
Do you have questions about the new rules?
At Lund Elmer Sandager, we advise many companies on Danish and international IT, technology, and cybersecurity laws, including the NIS2 directive, and we are dedicated to helping our clients navigate the complex landscape of cybersecurity and information security. Contact Partner, Attorney Torsten Hylleberg, if we can also assist your company in becoming compliant.
Join our inspiration meeting on the NIS2 rules
Do you need an introduction to the NIS2 rules and inspiration on how to work with them? We are hosting an event on the NIS2 directive and the Danish bill on Wednesday 20 November together with NorthGRC and ECIT at Lund Elmer Sandager. Get deeper insights into the upcoming new requirements, practical advice, and concrete tools from experts. Read more about the event and register here.