Are you covered by the Danish NIS 2 Law?

The Danish NIS 2 law applies to a wide range of sectors - including the digital sector. The Danish Agency for Digital Government is the competent authority for the digital sector, which includes entities that provide the following types of services:

If your entity provides a service that corresponds to one of the above-mentioned types and meets the Danish NIS 2 law’s definition, you are considered part of the digital sector. The definitions of entity types within the digital sector can be found in Section 3 of the NIS 2 law.

The Danish Agency for Digital Government also supervises compliance with Section 11 of the NIS 2 law for top-level-domain (TLD) name registries and domain name system (DNS) services.

If your entity does not fall within these categories, you can contact The Ministry of Resilience and Preparedness for guidance on which sector you belong to.

An entity is generally covered if it meets at least one of the size criteria for either essential or important entities:

Other entities may also be covered even if they do not meet the size criteria, for example, if they are the sole provider of an essential service, or if a disruption could have serious societal consequences. More specifically, entities that are considered essential under the NIS 2 Law regardless of size, according to Section 4 of the NIS 2 Law, include, among others:

• Entities identified as critical entities under the CER Law.
• Other entities where at least one of the following conditions is met, subject to Section 5(2) of the NIS 2 Law:
  • The entity is the only provider in Denmark of a service essential for maintaining critical societal or economic activities.
  • A disruption of the service provided by the entity could have a significant impact on public safety or public health.
  • A disruption of the service provided by the entity could lead to a significant systemic risk, particularly in sectors where such a disruption could have cross-border effects.
  • The entity is critical due to its specific importance at the national or regional level for the relevant sector or type of service, or for other interdependent sectors in Denmark.

If you are part of the digital sector and meet the definition of either an essential or important entity, you must determine which EU Member State you fall under.

To identify the EU Member State under which your entity is covered, and thus your main establishment, you need to consider three questions. These three questions should be addressed in the following order:

1. Where does the entity predominantly make decisions regarding measures to manage cybersecurity risks?

2. Where does the entity carry out cybersecurity operations?

3. Where is the entity’s establishment with the largest number of employees in the European Union located?

By answering question 1, it is possible to determine the entity’s main establishment. If question 1 cannot be answered, question 2 can be considered. If question 2 also cannot be answered, question 3 can be used to assess the location of the main establishment.

Example: If a company has the most employees in Germany, but cybersecurity decisions are made in Denmark, the main establishment would be Denmark.

If question 1 can be answered, questions 2 and 3 are not decisive for determining the main establishment. If question 2 can be answered, question 3 is not decisive for determining the main establishment.

Your main establishment determines where you must register your entity and under which jurisdiction you fall.

If your main establishment is in Denmark, you must register on virk.dk and are subject to Danish jurisdiction. Danish jurisdiction includes the Danish NIS 2 Law and its implementing regulation.

When registering your entity, you must explain how you reached the decision regarding the location of your main establishment.