About the Danish Cyber and Information Security Strategy 2022-2024

The strategy focuses on government and critical infrastructure, as well as citizens and businesses. External cyber threats demand a joint effort if we are to protect Denmark from malicious cybercrime and cyber espionage. With the strategy, the government has set four strategic objectives, which sets the framework for the development of a stronger and more secure digital Denmark.

The Danish Cyber and Information Security Strategy must strengthen the digital security and robustness throughout the Danish society to keep up with developments of the cyber threat.

The strategy establishes a number of new security requirements for ministries that are responsible of vital societal ICT systems or functions. It is important that the requirements contribute to a plan within the ministries for the security of the ICT systems that supports vital societal functions.

The demand for cyber and information security skills is high. However, both public authorities and private companies find it difficult to obtain the right profiles for the tasks. Therefore, the new strategy initiates different initiatives that focus on raising management commitment and competencies in the field of cyber and information security through education.

Strategic objectives

The strategy sets out four strategic objectives for work over the years to come.

1. Robust protection of vital societal functions

Maturity in working with cyber and information security is generally increasing in Denmark, including among government authorities. However, several key challenges remain, including a lack of understanding of the cyber threat, and complex IT systems that make the work difficult.

Vital societal functions, such as energy supply, rail transport and research, are increasingly digitised, requiring a focus on the critical ICT infrastructure that supports them. There is a need for a better overview of the critical ICT infrastructure and dependencies between the ICT systems that support vital societal functions. Therefore, ministerial areas with responsibility for vital societal functions must have a clear plan for cyber security work and be part of operational cooperation.

Many government agencies lack basic technical security measures and continue not to comply with the established technical minimum requirements. Likewise, the level of security for a large part of the ICT systems critical for society in the central government is currently inadequate.

Since 2016, government agencies have been required to follow the international security standard ISO/IEC 27001, which sets best practices for information security management. Over a third of the agencies have yet to complete the implementation of the standard.

2. Increased level of skills and management commitment

Danes are becoming increasingly aware of cyber and information security. However, there is a challenge in translating awareness into knowledge, skills, and action to boost cyber and information security.

Cyber security requires top management commitment to make security a more integral part of the management function, and this requires the possession of the right skills.

However, small and medium-sized enterprises, in particular, lack the skills and resources to implement appropriate security measures. Moreover, there is a cross-cutting challenge in recruiting and retaining relevant cyber and information security skills.

The demand for cyber and information security competencies is great, but both authorities and companies find it difficult to obtain the right profiles for the tasks. Thus, there is a need to strengthen the supply of skills if security is to be raised across the board.

Finally, there is also a need for initiatives to promote better competencies within the Danish population.

3. Strengthening cooperation betwen the public and private sectors

The ability to share knowledge and experience on cyber and information security incidents is essential to achieve a high cyber and information security level. Therefore, there is a need to strengthen collaboration across sectors so that we can become even better at sharing knowledge and learning from each other. Government agencies also need to be better at using data from reports to disseminate knowledge about threats and vulnerabilities.

There is a high demand for centralised consultancy, and there is a need to strengthen capacity and the overall advisory support of government agencies to meet this demand.

Also, citizens and businesses exposed to phishing attempts and hacking, for example, may today find it difficult to know where to turn and what advice they need. Citizens can currently get advice from the identity theft hotline, but there is a need for broader help and consultancy for both businesses and citizens: this also includes basic cyber and information security.

In the business sector, stronger and closer cooperation is needed. In general, initiatives targeted at SMEs remain fragmented and often only take the form of awareness-raising activities and guidance initiatives. If cyber and information security is to be boosted in the entire business sector, it is crucial that the overall business effort for cyber and information security is coordinated and coherent. Concrete tools are needed to keep Danish companies competitive.

4. Active participation in the international fight against the cyber threat

International cooperation in the EU, UN, NATO and with like-minded countries must be strengthened. Conducting cyber-attacks against Denmark has to be difficult and have consequences.

The digital domain is an integral part of 21st century international politics, and it has become one of the front lines in the defence of law-based international order, which too has come under strain.

Denmark is continuously under attack from other states. Malicious actors want to steal valuable information and high-tech knowledge or deploy malware that can later be used in tense situations. Although Denmark can do much on its own, there is also a need for strengthening international cooperation with the organisations that can develop norms and define standards for cyberspace if the underlying causes of cyber-attacks are to be fought.

In order to face the challenges, but also take advantage of the opportunities that exist on the international cyber and information security scene, the strategy initiates a number of efforts in order to strengthen Denmark’s international profile, build stronger bridges to the international tech and cyber security industry and ensure that it remains expensive and costly to conduct cyber-attacks and espionage against Denmark and our allies.