Registration is done via a form on virk.dk (in Danish) using MitID. If an entity operates in multiple sectors, it must select all relevant sectors, after which the registration will automatically be distributed to the appropriate authorities.
After registration, the company receives confirmation both on screen and via Digital Post.
-> Foreign entities registering in Denmark can do so here.
Companies that are covered by NIS 2 must be registered before October 1, 2025.
For several companies covered by NIS 2, the general rule is that they must register in the country where the company is established. However, different rules apply to most companies that provide digital services and thus fall under the responsibility of the Danish Agency for Digital Government. In these cases, the general rule is that the company must register in the Member State where its main establishment is located.
Read more about the main establishment rule and types of entities under the responsibility of the Danish Agency for Digital Government here.
Register your company at Virk.dk (in Danish)
See guidelines for registration on the Danish Resilience Agency's website
All companies covered by NIS 2 must report significant incidents to the competent sectoral authority and the Computer Security Incident Response Teams (CSIRT). The notification obligation entered into force on 1 July 2025. Notifications of significant incidents must be submitted via virk.dk (in Danish). The notification will automatically be forwarded to the relevant authorities and the CSIRT.
The European Commission has adopted an Implementing Regulation that includes specific requirements for incident notifications, including definitions of what constitutes a significant incident (Articles 3–14). These requirements are relevant for companies operating in the digital sector but vary depending on the services provided. You can read more about the Implementing Regulation here.
Report a significant incident at Virk.dk
Once a company becomes aware of a significant incident, it must report it within specific timeframes, as follows:
An early warning must be submitted without undue delay and no later than 24 hours. It should indicate whether the incident is suspected to be caused by unlawful or malicious acts or if it could have cross-border impact.
An updated notification must be submitted without undue delay and no later than 72 hours, updating the information from the early warning and providing an initial assessment of the incident — including its severity, impact, and any indicators of compromise.
A preliminary report must be provided containing relevant status updates.
No later than one month after the incident, a detailed report must be submitted. This report should describe the severity and impact of the incident, the type of threat or likely cause, and any mitigating measures taken or still ongoing. The report must also cover any cross-border effects.
If the incident is still ongoing one month after the early warning, the entity must instead submit a status report at that point, followed by a final report no later than one month after the incident has been resolved.
For providers of trust services, both the early warning and the incident notification must be submitted without undue delay and no later than 24 hours after the company becomes aware of the incident.
For inquiries regarding NIS 2 for entities providing digital services, please contact the Danish Agency for Digital Government at: NIS2@digst.dk
