Home
Digital Governance
NIS 2
Incident Notifications

Incident notifications

Companies covered by the NIS 2 Law are required to report significant incidents. Here you can read more about what the rules entail.

What is a significant incident?

An incident is considered significant if one of the following conditions is met, according to Section 12 of the NIS 2 Law:

The incident has caused or is capable of causing serious operational disruptions to the services or financial losses for the affected entity.
The incident has affected or is capable of affecting other natural or legal persons by causing substantial physical or non-physical damage.

What does reporting involve?

Once a company becomes aware of a significant incident, it must report the incident within the prescribed timeframes. This is done as follows:

Illustrationen viser en tidslinje med fire punkter. Punkt 1, tidlig varsling inden 24 timer. Punkt 2, hændelsesunderretning inden 72 timer. Punkt 3, eventuel foreløbig rapport. Punkt 4, endelig rapport inden 1 måned.

Reports of significant incidents must be submitted via virk.dk. The report is automatically forwarded to the relevant sectoral authorities and the CSIRT (Computer Security and Incicent Response Team). The CSIRT handles IT-security incidents and reacts on as well as offers support for affected entities in the event of an incident.

The European Commission has adopted an implementing regulation that sets out specific requirements for incident reporting, including definitions of what constitutes a significant incident (Articles 3–14). These requirements are relevant for companies within the digital sector but vary depending on which services the company provides.

You can read more about the implementing regulation on the page NIS 2 – Regulatory Framework

Significant incidents for the digital sector

The NIS 2 Law’s definition of a significant incident is supplemented by Implementing Regulation No. 2024/2690. Here, an incident is considered significant in relation to entities covered within the digital sector if one of the following criteria is met:

The incident has caused or is capable of causing direct financial losses to the relevant entity exceeding EUR 500,000 or 5% of the entity’s total annual turnover in the previous financial year, depending on which number is lower.

The incident has caused or is capable of causing the disclosure of the entity’s trade secrets, as defined in Article 2(1) of Directive (EU) 2016/943.

The incident has caused or is capable of causing the death of a natural person.

The incident has caused or is capable of causing significant harm to a natural person’s health.

There has been a suspected malicious and unauthorised access to network and information systems, which may cause serious operational disruptions.

The incident meets the criteria set out in Article 4 of the Implementing Regulation.

The incident meets one or more of the criteria set out in Articles 5–14 of the Implementing Regulation.

Other criteria for significant incidents by entity type:

If the above-mentioned general criteria for the digital sector is not met, but the entity falls under one of the below categories, and the incident meets one of the specific criteria for the entity category, the incidents is seen as significant.

With regard to DNS service providers, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

A recursive or authoritative domain name resolution service is completely unavailable for more than 30 minutes.

For a period of at least one hour, the average response time for DNS requests of a recursive or authoritative domain name resolution service exceeds 10 seconds.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of the authoritative domain name resolution service has been compromised, except in cases where data concerning fewer than 1,000 domain names managed by the DNS service provider, representing no more than 1% of the total domain names managed by the provider, are incorrect due to misconfiguration.
With regard to top-level domain administrators, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

An authoritative domain name resolution service is completely unavailable.

For a period of at least one hour, the average response time for DNS requests of an authoritative domain name resolution service exceeds 10 seconds.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the technical operation of the top-level domain has been compromised.
With regard to providers of cloud computing services, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

A delivered cloud computing service is completely unavailable for more than 30 minutes.

The availability of a provider’s cloud computing service is limited for more than 5% of users in the Union or for more than 1 million users in the Union, whichever number is lower, for a period of at least one hour.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a cloud computing service has been compromised as a result of a suspected malicious act.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a cloud computing service has been compromised to an extent that affects more than 5% of users of the cloud computing service in the Union or more than 1 million users in the Union, whichever is lower.
With regard to providers of data center services, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

A data center service from a data center operated by the provider is completely unavailable.

The availability of a data center service from a data center operated by the provider is limited for a period of at least one hour.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a data center service has been compromised as a result of a suspected malicious act.

Physical access to a data center operated by the provider has been compromised
With regard to providers of content delivery networks, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

A content delivery network is completely unavailable for more than 30 minutes.

The availability of a content delivery network is limited for more than 5% of users of the network in the Union or for more than 1 million users in the Union, whichever is lower, for a period of at least one hour.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a content delivery network has been compromised as a result of a suspected malicious act.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a content delivery network has been compromised to an extent that affects more than 5% of users of the network in the Union or more than 1 million users, whichever is lower.
With regard to providers of managed services and managed security services, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

A managed service or managed security service is completely unavailable for more than 30 minutes.

The availability of a managed service or managed security service is limited for more than 5% of users of the service in the Union or for more than 1 million users in the Union, whichever is lower, for a period of at least one hour.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a managed service or managed security service has been compromised as a result of a suspected malicious act.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a managed service or managed security service has been compromised to an extent that affects more than 5% of users of the service in the Union or more than 1 million users, whichever is lower.
With regard to providers of online marketplaces, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

An online marketplace is completely unavailable for more than 5% of users in the Union or for more than 1 million users in the Union, whichever is lower.

More than 5% of users in the Union or more than 1 million users, whichever is lower, are affected by limited availability of the online marketplace.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of the online marketplace has been compromised as a result of a suspected malicious act.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of the online marketplace has been compromised to an extent that affects more than 5% of users in the Union or more than 1 million users, whichever is lower.
With regard to providers of online search engines, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

An online search engine is completely unavailable for more than 5% of users in the Union or for more than 1 million users in the Union, whichever is lower.

More than 5% of users in the Union or more than 1 million users, whichever is lower, are affected by limited availability of the online search engine.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of the online search engine has been compromised as a result of a suspected malicious act.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of the online search engine has been compromised to an extent that affects more than 5% of users in the Union or more than 1 million users, whichever is lower.
With regard to providers of social networking service platforms, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

A social networking service platform is completely unavailable for more than 5% of users in the Union or for more than 1 million users in the Union, whichever is lower.

More than 5% of users in the Union or more than 1 million users, whichever is lower, are affected by limited availability of the social networking service platform.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of the social networking service platform has been compromised as a result of a suspected malicious act.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of the social networking service platform has been compromised to an extent that affects more than 5% of users in the Union or more than 1 million users, whichever is lower.
With regard to trust service providers, an incident is considered significant under Article 3(1)(g) when one or more of the following criteria are met:

A trust service is completely unavailable for more than 20 minutes.

A trust service is unavailable to users or relying parties for more than one hour, calculated on a calendar week basis.

More than 1% of users or relying parties in the Union, or more than 200,000 users or relying parties in the Union, whichever number is lower, are impacted by limited availability of a trust service.

Physical access to an area where network and information systems are located, and to which access is restricted to the trust service provider’s trusted personnel, or the protection of such physical access, has been compromised.

The integrity, confidentiality, or authenticity of data stored, transmitted, or processed in connection with the provision of a trust service has been compromised to an extent that affects more than 0.1% of users of the trust service or relying parties in the Union, or more than 100 users or relying parties in the Union, whichever is lower.

Incident notifications

Companies covered by the NIS 2 Law are required to report significant incidents. Here you can read more about what the rules entail.

What is a significant incident?

What does reporting involve?

Significant incidents for the digital sector

Other criteria for significant incidents by entity type:

Report a significant incident on Virk.dk

Contact

Agency for Digital Government

Shortcuts

Most viewed pages

Ministry of Digital Government

Incident notifications

Companies covered by the NIS 2 Law are required to report significant incidents. Here you can read more about what the rules entail.

What is a significant incident?

What does reporting involve?

Significant incidents for the digital sector

Criteria for significant incidents in the digital sector:

Other criteria for significant incidents by entity type:

DNS service providers

Top-level domain administrators

Providers of cloud computing services

Providers of data center services

Providers of content delivery networks

Providers of managed services and managed security services

Providers of online marketplaces

Providers of online search engines

Providers of social networking service platforms

Trust service providers

Report a significant incident on Virk.dk

Contact

Agency for Digital Government

Shortcuts

Most viewed pages

Ministry of Digital Government