Denmark's NIS2 Act — Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau — entered into force on 1 July 2025. The CFCS registration portal went live the same day and self-registration was due by 1 October 2025. With CFCS audits beginning in early 2026, your compliance obligations are already live.
CFCS registration deadline passed. In-scope entities were required to self-register with the CFCS by 1 October 2025 using their CVR number and NACE code. If you have not registered, this is now an enforcement risk in itself. The portal is open at cfcs.dk — we fast-track registration and gap analysis simultaneously.
NIS2 in Denmark — at a glance
Denmark transposed NIS2 through the NIS2 Act (L 141), supplemented by separate sector laws for energy, finance and telecom. Here is what defines your obligations.
| Status | In force since 1 July 2025 — audits from early 2026 |
| National law | NIS2 Act (L 141) — Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau — plus separate sector laws for energy, finance & telecom |
| Competent authority | CFCS — Center for Cybersikkerhed (cfcs.dk), with sector regulators |
| Registration deadline | 1 October 2025 — already passed, self-registration via the CFCS portal using CVR number & NACE code |
| Entities in scope | ~6,000 (up from ~1,000 under the previous NIS1 regime) |
| Entity categories | Essential entities (proactive audits) & important entities (ex-post supervision) |
| Maximum fines | Up to €10M or 2% of global turnover (essential); €7M or 1.4% (important) |
Danish NIS2 implementation
Denmark chose a multi-sector model rather than a single statute. These are the distinguishing obligations the CFCS and sector regulators enforce.
The Center for Cybersikkerhed (CFCS) is Denmark's primary NIS2 authority. The CFCS portal is the central registration and incident-reporting hub, while sector regulators retain domain oversight with NIS2-aligned rules.
Unlike most EU states, Denmark implemented NIS2 through separate laws for energy, finance and telecom alongside the general Act. Entities in these sectors must satisfy both the general NIS2 Act and stricter sector rules.
All in-scope entities self-register via the CFCS portal using their CVR company number and NACE activity code. The deadline of 1 October 2025 has passed — missing it is an independent compliance violation.
The CFCS has announced audits of essential entities from early 2026. Essential entities demonstrate compliance via audit, inspection or certification on a three-year cycle; important entities face ex-post supervision triggered by an incident or complaint.
Senior management must approve cybersecurity risk-management measures, oversee their implementation and receive documented periodic training. Accountability for compliance sits with the management body, not just the IT function.
Danish entities must assess the security posture of critical suppliers and embed NIS2-compliant clauses in contracts. A breach originating from a poorly managed supplier remains your organisation's legal responsibility under the Act.
Denmark's multi-sector approach
Denmark's dual-track model means the general NIS2 Act is not the whole picture. If you operate in energy, finance or telecom, sector-specific legislation applies on top — and can be stricter than the general baseline.
Energy operators fall under sector-specific cybersecurity rules overseen by the Danish Energy Agency (Energistyrelsen) in addition to the general NIS2 Act. Electricity, gas, oil and district-heating entities face domain-specific resilience and reporting obligations on top of the Article 21 baseline.
Financial entities are supervised by the Danish Financial Supervisory Authority (Finanstilsynet) under sector rules that interlock with the EU DORA Regulation. Banks, payment institutions and market infrastructure must reconcile NIS2, sector law and DORA into a single control set.
Telecom and digital-infrastructure providers are governed by sector-specific legislation alongside the general Act, with the telecom regulator overseeing network and service security. These entities often face the earliest and most detailed CFCS scrutiny.
Operating across more than one regime? Many Danish organisations are caught by the general NIS2 Act and a sector law at the same time. We map both layers so you do not build duplicate controls — get a sector scoping review.
Webristle is a full cybersecurity agency, not only a compliance advisor. Beyond the NIS2 gap analysis and reports, our engineers deliver the security work the Directive actually requires: system hardening, MFA and identity governance, encryption and PKI, network segmentation, EDR and 24/7 monitoring, backup and disaster recovery, penetration testing and incident response. One team takes you from assessment to a fully implemented, audit-ready and resilient infrastructure.
Article 21 NIS2 · Danish NIS2 Act
Essential entities face proactive CFCS audits from early 2026; important entities face ex-post supervision when incidents occur. Both need these measures fully implemented and documented — and entities in regulated sectors must satisfy sector rules too.
Formal threat assessment, Business Impact Analysis and board-approved risk appetite, documented and reviewed periodically and whenever significant changes occur.
Detection and classification procedures plus CFCS reporting: 24h early warning, 72h full notification, 30-day final report — via the CFCS portal.
Continuity plans, tested disaster recovery, backup management and crisis management with documented RTO and RPO targets approved at board level.
Security assessment of critical suppliers, NIS2-compliant contractual clauses and continuous monitoring, including the ICT products and services used in your infrastructure.
Structured vulnerability management, penetration testing, patch management and infrastructure hardening across networks and information systems.
Policies and procedures to test the effectiveness of risk-management measures, including audits, certification cycles and red-team exercises — central to CFCS audit readiness.
Zero-trust architecture, mandatory MFA on critical systems, IAM governance and Privileged Access Management, with least-privilege principles documented and enforced.
Awareness programmes, secure onboarding/offboarding and insider-risk management. Danish management must receive documented periodic training — evidenced for the CFCS.
Systematic patch management, asset inventory, endpoint security and documented BYOD policies maintained as part of basic cyber hygiene.
Encryption of data at rest and in transit as a minimum standard, key and certificate lifecycle management and digital signatures compliant with Danish and EU standards.
Existing certifications
ISO 27001 covers roughly 70–80% of NIS2 Article 21 requirements. The remaining gaps are specific to NIS2 and the Danish Act — and must be addressed separately.
Risk-management framework, security policies, access control, cryptography, supplier security, incident management and business continuity — all overlap with NIS2 and reduce your remediation effort.
Not covered by ISO 27001: the 24h/72h CFCS incident reporting timelines, CFCS self-registration, documented management training, NIS2-specific supply chain clauses and, for energy, finance and telecom, the stricter Danish sector-specific obligations.
We map your existing ISMS against the NIS2 delta to avoid duplicating completed work. Most ISO 27001-certified companies need 4–8 weeks of targeted remediation, not a full programme from scratch.
How we work
A structured four-phase process with clear deliverables at each stage. We work alongside your team to minimise operational disruption.
We confirm your entity classification, check whether sector-specific Danish law applies alongside the general Act, and support CFCS registration via the portal if not yet done.
Technical-legal assessment against all 10 NIS2 measures, aligned with CFCS guidance and mapped to your existing controls (ISO 27001, SOC 2). Delivered within 5 working days.
Prioritised plan with effort, cost and timeline, designed to reach audit readiness ahead of CFCS inspections starting in early 2026. Management-training documentation included.
Technical hardening, policy documentation, management training and hands-on support during CFCS audits and sector-specific regulatory reviews.
Start today
The gap analysis is the mandatory starting point. In 5 working days you will have a precise picture of your position against the Danish NIS2 Act and CFCS requirements.
Our senior consultants will respond within 48 hours with a free preliminary assessment of your Danish NIS2 Act exposure.
No commitment · Response in 48h · Trusted by 80+ companies across Europe
~6,000 entities in scope. Free gap analysis in 48 hours — we assess your exposure under the Danish NIS2 Act, map gaps against CFCS and sector requirements, support your registration and give you a clear remediation roadmap.