What are the requirements?

What requirements must be met if an entity is covered by the NIS 2 law?

Entities covered by the NIS 2 law must comply with a range of cybersecurity requirements, including:

  • Registration with the authorities
  • Management taking responsibility for cybersecurity
  • Reporting of security incidents
  • Implementation of adequate security measures

The purpose of these requirements is to enhance resilience against cyber threats and protect critical infrastructure.

Registration Obligation and Incident Reporting

You can read more about the general requirements for entities covered by the NIS 2 law on the Danish Resilience Agency’s website (in Danish).

Are there special rules for entities providing digital services?

The European Commission has adopted Implementing Regulation (EU) 2024/2690 with specific rules for a range of service providers to establish a harmonized framework and ensure a common approach to cybersecurity. The regulation clarifies when an incident should be considered significant and sets out the technical and methodological requirements for managing cybersecurity risks.

Guidance on the NIS 2 Implementing Regulation

The EU Agency for Cybersecurity (ENISA) has published a guide to support entities in complying with the requirements of the Commission’s Implementing Regulation (EU) 2024/2690. It provides technical and methodological guidance on how organizations can implement risk management measures, document compliance, and carry out relevant security actions. The guidance includes concrete examples of documentation, interpretation of requirements, and links to both international standards and national frameworks.

Find the guidance here.

Download the mapping of security requirements to international standards and national frameworks here.

Who is covered by the special rules for entities?

These rules apply to:

  • DNS service providers
  • TLD name registries
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network providers
  • Managed service providers
  • Managed security service providers
  • Providers of online marketplaces
  • Providers of online search engines
  • Providers of social networking platforms
  • Trust service providers

The rules are set out in the Commission’s Implementing Regulation, which can be read here.

If an entity provides a service covered by the Implementing Regulation, the entire entity (the CVR/Central Business Register) is subject to the rules, even if the service only constitutes a minor secondary activity. However, these entities are not subject to the general cybersecurity requirements or incident reporting obligations under the NIS 2 law. Instead, they must follow the Implementing Regulation.

In § 11 of the Danish NIS 2 law (in Danish), there are also specific requirements for TLD name registries and entities providing domain name registration services to maintain a database of TLD name registry data.