Who is covered by the NIS 2 law?

Three criteria determine whether an entity is covered by NIS 2:

  1. The entity belongs to one of the covered sectors.
  2. The entity is categorized as medium-sized or large.
  3. The entity is covered regardless of size due to its societal importance.

You can read more about the criteria on the Danish Resilience Agency’s website.

It is a prerequisite that criterion 1 is met. If the entity also meets either criterion 2 or 3, it will be subject to the NIS 2 law.

Can an entity be subject to NIS 2 in multiple EU Member States?

Entities that are only established and provide services in Denmark are, in principle, only subject to the Danish NIS 2 law.

If an entity is established in multiple countries – for example, with branches under the same CVR (Central Business Register) – the general rule in NIS 2 is that the entity is subject to regulation and supervision in all Member States where it is established. Whether an entity is considered established in a Member State is based, among other things, on an assessment of its activities and whether they are conducted through stable structures, such as a branch.

Special Rules for Entities under the Supervision of the Danish Agency for Digital Government

A significant portion of entities under the responsibility of the Danish Agency for Digital Government are subject only to the regulation of the Member State where their principal place of business is located.

An entity is considered to have its principal place of business in the Member State where decisions on the management of cybersecurity risks are primarily made.

If this cannot be determined, or if such decisions are not made within the EU, the principal place of business is considered to be in the Member State where cybersecurity operations are carried out. If that also cannot be clearly established, the principal place of business is deemed to be in the Member State where the entity has the highest number of employees within the EU.