Who is covered by the NIS 2 law?

You can find the list of covered sectors and entity types in Annexes 1 and 2 of the NIS 2 law (in Danish).

The Danish Agency for Digital Government is the competent sector authority for entities providing the following services:

• DNS service providers (excluding root name server operators)
• TLD name registries
• Cloud computing service providers
• Data centre service providers
• Content delivery network providers
• Managed service providers and managed security service providers
• Providers of online market places, online search engines, and social networking platforms
• Trust service providers

If your entity does not fall within these categories, you can contact The Ministry of Resilience and Preparedness for guidance on which sector you belong to.

Even if an entity falls within one of the covered sectors, it is not necessarily subject to the NIS 2 law. For most sectors, it is also required that the entity meets a specific size threshold based on the number of employees or annual turnover. An entity is therefore covered if one of the following conditions is met:

• The entity employs 50 or more people.
• The entity has an annual turnover exceeding EUR 10 million and an annual balance sheet total exceeding EUR 10 million.

When determining the size of an entity, all connections the entity has with other entities — whether direct or indirect — must be considered, as these may affect the calculation of number of employees, turnover, and total annual balance. ¹

¹ The size criteria are based on the general definition of medium-sized enterprises. See Article 2 of the Annex to the European Commission Recommendation 2003/361/EC of 6 May. Articles 3–6 of the Recommendation set out further rules on the types of enterprises to be considered when calculating the number of employees and financial thresholds, the data to be used in these calculations, the reference period, and how to determine information about the enterprise. For more information, see the European Commission’s User Guide to the SME Definition

Some entities under the responsibility of the Danish Agency for Digital Government are covered by NIS 2, even if they do not meet the size requirement. This applies to:

• Trust service providers
• Top-level domain name administrators
• DNS service providers

Other types of service providers may also be covered regardless of size, for example, if the entity is the sole provider of an essential service, or if disruptions to the service could have serious societal consequences.