NIS 2 – Regulatory Framework

The Danish NIS 2 Law is the primary piece of legislation that businesses should consult. In addition to the law, there are three other key regulatory instruments related to NIS 2: the NIS 2 Implementing Regulation, the NIS 2 Directive, and Bekendtgørelsen om udpegning af kompetente myndigheder (The Regulation on the Designation of Competent Authorities).


The NIS 2 law (Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau / Law on Measures to Ensure a High Level of Cybersecurity)

The Danish NIS 2 law forms the core of the national implementation of the NIS 2 Directive. It sets out specific requirements for entities covered by the legislation, such as measures to strengthen cybersecurity, obligations for management, and mandatory reporting of significant incidents to the authorities.

The NIS 2 law (retsinformation.dk)

NIS 2 Implementing Regulation

The Implementing Regulation supplements the NIS 2 law for most entities within the digital sectors. It clarifies when an incident should be considered significant and outlines the technical and methodological requirements for managing cybersecurity risks.

NIS 2 Implementing Regulation on Critical Entities and Networks (European Commission)

For further support, ENISA has published guidelines to help entities comply with the regulation: ENISA guidelines

The NIS 2 Directive (EU Directive 2022/2555)

The NIS 2 Directive refers to the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union. The Danish NIS 2 law implements the obligations from this directive.

The directive aims to enhance and harmonize cybersecurity and resilience across the EU for businesses in a wide range of sectors, as well as for public authorities deemed critical to the economy and society.

NIS 2 Directive on EUR-lex.europa.eu

The Regulation on the Designation of Competent Authorities

This regulation covers two main aspects: 1) Designating which Danish authorities are responsible for supervising compliance with NIS 2 requirements. 2) Defining how companies must register and report incidents in the event of security incidents — serving as a supplement to the framework outlined in the NIS 2 law.

Regulation on Designation (retsinformation.dk)