Is your company ready for the new NIS2 regulations?

A new bill has been submitted for consultation, aimed at strengthening the protection of Denmark's network and information systems against cyberattacks and other security threats. The bill is designed to implement the ambitious EU directive, NIS2, into Danish law, ensuring a consistent and high standard of cybersecurity across the EU.
News
IT and Technology

What is the bill about?

The bill, which includes measures to ensure a high level of cybersecurity, aims to protect Denmark's digital infrastructure from threats. If passed, the law will come into effect on March 1, 2025. It will require companies to secure their systems, report incidents, and cooperate with authorities to create a safer cyberspace.

The law is based on and implements the NIS2 directive, which stands for Network and Information Systems Directive 2. NIS2 is an EU directive designed to strengthen cybersecurity across the EU by introducing stricter requirements for member states' network and information systems.

With this legislation, companies in Denmark will need to comply with the new requirements and prepare to meet them to ensure a higher degree of protection against cyber threats. A list of affected sectors can be found further down in this article.

What is the NIS2 Directive?

The NIS2 Directive expands cybersecurity requirements and sanctions to harmonize the security level across EU countries. This directive mandates that all affected sectors, including energy, transport, healthcare, digital infrastructure, finance, utilities, telecommunications, public institutions, and educational institutions, implement effective risk management systems, protect their digital infrastructure, and comply with new rules to prevent and respond to cyber threats. Compliance with NIS2 is not only a legal requirement but also essential for safeguarding company operations and protecting sensitive data.

The NIS2 Directive sets the framework for how businesses and authorities should handle cyber and information security. This directive will be implemented through national regulations that act as binding legislation. This means your organization is obligated to comply with the requirements laid out in the Danish regulations, which are expected to take effect on March 1, 2025.

Who does the law apply to?

The law applies to companies and organizations that, according to the Commission, perform essential functions in society, as well as public authorities, including central administration, regions, and municipalities.

The following is a non-exhaustive list of sectors and companies affected:

  • Energy: Electricity and gas suppliers, as well as energy producers (e.g., wind farms, solar energy).
  • Transport: Airlines, railway operators, port, and transport infrastructure.
  • Healthcare: Hospitals and clinics, pharmaceutical companies, and medical device suppliers.
  • Digital infrastructure: Internet service providers, cloud services, and data centers.
  • Financial sector: Banks, insurance companies, and investment firms.
  • Utilities: Water supply companies and waste management firms.
  • Telecommunications: Mobile and landline phone providers.
  • Public institutions: State, municipalities, and public administrations.
  • Educational institutions: Universities.

What are the key points of the bill?

  • Security: Companies must have adequate security measures in place to protect their IT systems.
  • Reporting: If a company experiences a serious security incident (such as a cyberattack), it must immediately report it to the relevant authorities.
  • Supervision: Authorities have the right to oversee whether companies comply with the law's requirements. They can issue orders or bans if necessary.
  • Collaboration: There must be cooperation between companies and authorities to improve cybersecurity, including sharing information about threats and incidents.
  • Education: Authorities must work to raise awareness and education about cybersecurity among both companies and the public.
  • Information sharing: Authorities can share cybersecurity information with other EU countries, but only if it does not compromise national security.
  • Sanctions: Violations of the new law can result in fines.
    Enforcement: The law will take effect on 1 march, 2025.
  • Changes to other legislation: The law will repeal several previous laws related to network and information security.

What specific requirements does the bill impose on your company?

The bill sets several important governance requirements for your organization, including management, risk management, and reporting, as summarized here:

Management responsibility

  • Company management must be familiar with the bill's requirements and ensure that cyber risks are identified, managed, and that all requirements are met. This means management must be actively involved in shaping and maintaining the company’s cybersecurity policies. 

Risk management
The new law increases demands on risk management and resilience. Your company must implement preventive and damage-limiting measures to reduce risks and consequences. Minimum requirements include:

  • Incident management: Establishing processes to handle security incidents.
  • Supply chain security: Assessing suppliers' security.
  • Network security: Securing networks against unauthorized access.
  • Access control: Implementing controls to limit access to sensitive information.
  • Encryption: Protecting data using encryption techniques.

Business continuity 

Your company must plan how to ensure business continuity if hit by a major cyber incident. This includes:

  • System recovery: Establishing procedures for the rapid recovery of IT systems.
  • Emergency procedures: Developing emergency procedures to handle incidents.
  • Crisis management: Crisis plans and escalation procedures are required to ensure the company can respond quickly and effectively, and ensure relevant authorities and stakeholders are informed in accordance with the directive’s requirements.

Reporting to authorities

The bill requires, among other things, reporting significant incidents within 24 hours, meaning your company must be prepared to quickly communicate incidents to the relevant authorities.

This way, your company ensures a stronger governance structure concerning cybersecurity, in line with the NIS2 directive.

Do you have questions about the new rules?

At Lund Elmer Sandager, we advise many companies on Danish and international IT, technology, and cybersecurity laws, including the NIS2 directive, and we are dedicated to helping our clients navigate the complex landscape of cybersecurity and information security. Contact partner, attorney Torsten Hylleberg, if we can also assist your company in becoming compliant.

Join our inspiration meeting on the NIS2 rules

Do you need an introduction to the NIS2 rules and inspiration on how to work with them? We are hosting an inspiration meeting on the NIS2 directive and the Danish bill on Wednesday, November 20, together with NorthGRC and ECIT, at Lund Elmer Sandager. Get deeper insight into the upcoming new requirements, practical advice, and concrete solutions from experts. Read more about the event and register here.

Contact
Torsten Hylleberg
Partner
Attorney

Related employees

Torsten is partner and highly specialized in GDPR, IT law and marketing law.

Torsten Hylleberg

Partner
Attorney
As an assistant attorney in our Corporate Commercial team, Daniel advises clients on corporate matters, including intellectual property rights such as design protection, trademarks, and more.

Daniel Benjamin Pedersen

Assistant Attorney

Relaterede nyheder

See all news
News

AI Expert: "AI is a threat to those who sit on their hands"

How can you, as a leader, use AI to drive growth and innovation in your company? We asked AI expert Thomas Terney for his insights. He believes that generative AI is a technology poised to change the way we communicate and work. He also offers advice on ensuring successful implementation of AI tools, which is crucial for staying competitive in a world where the spread of AI is happening at an unprecedented pace.
IT and Technology
News

Lund Elmer Sandager con­tri­bu­tes to the In­ter­na­tio­nal Com­pa­ra­ti­ve Legal Guide – Data Protection 2023

Lund Elmer Sandager has contributed with an enlightening chapter on Data Protection Laws and Regulations, which provides updated insights into the Danish legal Data Protection regulations in this prestigious, international guide.
IT and Technology
News

Are your contracts as adaptable as the rest of the company?

The corona pandemic has shown us how quickly and radically the world can change, and how incredibly important it is that companies can effectively adapt to new situations. It places great demands on the legal contracts, which must provide the necessary flexibility to the parties when new opportunities and risks arise.
IT and Technology
News

New EU Regulation on Artificial Intelligence is on its way

Back in April 2021, the European Commission presented a proposal on what could be the first targeted EU legislation in the field of Artificial Intelligence. This so-called AI (Artificial Intelligence) Regulation aim to ensure the EU citizens’ reliance in the use of AI systems.
IT and Technology
News

The Danish Financial Supervisory Authority extends the deadline for implementing Strong Customer Authentication by 18 months

However, the extension does not change that the rules on strong customer authentication will enter into force on September 14, 2019.
IT and Technology