Three criteria determine whether an entity is covered by NIS 2.
You can read more about the criteria on the Danish Resilience Agency’s website.
It is a prerequisite that criterion 1 is met. If the entity also meets either criterion 2 or 3, it will be subject to the NIS 2 law.
Entities that are only established and provide services in Denmark are, in principle, only subject to the Danish NIS 2 law.
If an entity is established in multiple countries – for example, with branches under the same CVR (Central Business Register) – the general rule in NIS 2 is that the entity is subject to regulation and supervision in all Member States where it is established. Whether an entity is considered established in a Member State is based, among other things, on an assessment of its activities and whether they are conducted through stable structures, such as a branch.
A significant portion of entities under the responsibility of the Danish Agency for Digital Government are subject only to the regulation of the Member State where their principal place of business is located.
An entity is considered to have its principal place of business in the Member State where decisions on the management of cybersecurity risks are primarily made.
If this cannot be determined, or if such decisions are not made within the EU, the principal place of business is considered to be in the Member State where cybersecurity operations are carried out.
If that also cannot be clearly established, the principal place of business is deemed to be in the Member State where the entity has the highest number of employees within the EU.
For inquiries regarding NIS 2 registration for entities in the digital sector, please contact the Agency for Digital Government at: NIS@digst.dk