The Danish Parliament has adopted regulation to implement the NIS2 Directive and the CER Directive

On April 29 2025, on the day where major parts of France, Spain, and Portugal suffered severe utility breakdowns, the Danish Parliament adopted the bills for implementing the NIS2 Directive [1]  and the CER Directive [2].

The NIS2 and CER directives serve to further strengthen and standardize cybersecurity and resilience to cyber threats across the EU for companies in a wide range of sectors and for public authorities that are considered critical to the economy and society. The Danish NIS2 Act and CER Act will come into force on 1 July 2025 and will affect a wide range of sectors and public authorities that are considered critical to the economy and society.

The NIS2 Act establishes security requirements for entities within critical sectors as defined and listed in the NIS2 Directive in form of “Essential Entities” (Annex I) and “Important Entities” (Annex II). The regulation includes mandatory requirements for measures to manage cyber security risks, such as policies for risk analysis, notification obligations in the event of, among other things, significant incidents, as well as supervisory and enforcement measures.

Companies operating within the critical sectors (either as Essential Entities or Important Entities) must make an assessment of whether they are covered under the NIS2 Act and if covered, they must register no later than 1 October 2025. The Ministry for Societal Resilience and Contingency (Ministeriet for Samfundssikkerhed og Beredskab) has launched a tool to assist companies in their assessment and is found here.

Registration must be performed with the sector responsible authority covering the respective company’s activities. Guidance on the appointed sector responsible authorities is published by the Center for Cyber Security which can be accessed here.

Other companies operating in the supply chains to critical sectors should also assess the relevance to implement security measures as required under the NIS2 Act in order to fulfill contractual terms which the critical entities must adopt into their contract framework.

Following the adoption of the Danish NIS2 Act and CER Act the relevant authorities will issue executive orders and sector-specific executive orders.

The CER Act provides for sectoral ministries to identify entities within critical sectors with the aim of managing risks that could lead to disruption in the provision of essential services. These critical entities will become subject to addition supervision of the authorities, enforcing the rules and supporting the critical entities in increasing their resilience. The essential sectors include energy, transport, banking, health, drinking and wastewater, digital infrastructure and public administration.

The NIS2 Act and the CER Act are closely linked. Entities identified as critical entities under the CER Directive fall within the scope of the NIS2 Directive and will be subject to the cyber security measures regulated under the NIS2 Directive.

The adopted bills to be published are named L 141 the Act on measures for a high level of cybersecurity (the ”NIS2 Act”) and is found here, and L 140 the Act on resilience of critical entities (the “CER Act”) is found here.

 

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union.

[2] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.

Tags:  CERCritical SectorsCybersecurityNIS2