NIS2 Compliance Denmark: The 2026 Guide to NIS-2-loven
Everything Danish companies need to know about NIS2 implementation: NIS-2-loven (L 141), CFCS registration, the 6,000 in-scope entities, and how Denmark deviates from the directive.
Denmark transposed NIS2 later than the directive's deadline — but earlier and more cleanly than most member states.
The result: roughly 6,000 Danish entities are now in scope, audits started in Q1 2026, and most companies are still working out what compliance actually requires under Danish supervision.
This page is a practitioner's reference for NIS2 in Denmark — what the Danish law (NIS-2-loven) requires, where it deviates from the directive, who CFCS is, and what to expect when an audit notice lands.
For the EU baseline, see the complete NIS2 and DORA compliance guide.
Remember: this is not legal advice. Danish secondary legislation continues to evolve. Always verify against CFCS published guidance and Retsinformation.dk before audit.
Denmark's NIS2 implementation at a glance
| Field | Value |
|---|---|
| Status | ✅ Transposed |
| National law | NIS-2-loven (Bill L 141) — Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau |
| Entered into force | 1 July 2025 |
| Estimated entities in scope | ~6,000 |
| Primary competent authority | Centre for Cybersecurity (CFCS / Center for Cybersikkerhed) |
| Self-registration deadline | 1 October 2025 |
| First audits | Q1 2026 |
| Penalty cap (essential) | €10M / 2% turnover |
| Penalty cap (important) | €7M / 1.4% turnover |
| Notable deviation | Management body personal liability not transposed |
Two characteristic choices define Denmark's approach:
Multi-sector implementation. Denmark didn't pass a single comprehensive cybersecurity statute. The general framework in NIS-2-loven is supplemented by sector-specific bekendtgørelser (executive orders) for energy, telecoms, and financial digital infrastructure.
No gold-plating. Where many member states added obligations beyond the directive, Denmark followed the EU baseline. Practitioner sources describe this as a "minimalistic" approach.
These two choices mean Danish compliance is more navigable than, for example, Hungarian compliance — but they also mean ongoing vigilance for new sector-specific bekendtgørelser as they're issued.
The legislative history — how Denmark got here
From NIS1 to NIS-2-loven
NIS1 (2016) covered a narrow band of Danish operators in essential services. Estimated NIS1 scope: around 1,000 Danish entities. NIS2 scope: roughly 6,000 — a six-fold expansion. The earlier Danish NIS regulations are partially superseded; some sector-specific NIS1-derived rules remain in force as transitional measures during 2025-2026.
The transposition timeline
The directive's deadline of 17 October 2024 came and went without Danish transposition. On 7 May 2025 the European Commission issued a reasoned opinion as part of the formal infringement process — Denmark was one of 19 member states cited for failing to notify full transposition.
NIS-2-loven (Bill L 141) was adopted in mid-2025 and entered into force on 1 July 2025. Compliance was effective immediately on entry into force — Denmark did not provide a grace period for entities to come into compliance, unlike Finland, which gave newly in-scope entities three months.
Self-registration via the CFCS portal had a deadline of 1 October 2025. CFCS audits commenced in Q1 2026.
As of mid-2026, secondary legislation (executive orders) is still being issued for some sectors. Entities should subscribe to CFCS and sector regulator notification channels.
Who supervises what — CFCS and sectoral authorities
Centre for Cybersecurity (CFCS) — the primary authority
CFCS sits under the Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste). It plays three roles in the NIS2 context:
- Competent authority for essential and important entities under NIS-2-loven
- National CSIRT — the target for incident reporting under Article 23 NIS2
- Single point of contact for cross-border coordination
CFCS's role profile is technical and intelligence-rooted, less administratively process-heavy than (for example) the German BSI. Resources include published guidance pages, the NIS2 self-registration portal, and an emerging library of sector-specific guidance.
Sectoral competent authorities
Where Denmark differs from a single-authority model: domain-specific oversight is preserved. The relevant authorities by sector:
- Energy — Danish Energy Agency (Energistyrelsen)
- Financial sector — Danish Financial Supervisory Authority (Finanstilsynet); note that DORA is lex specialis for most NIS2 obligations on financial entities
- Telecoms — split between Energistyrelsen and Erhvervsstyrelsen depending on sub-sector
For a typical SME outside these sectors, CFCS is the primary contact. For energy, financial, or telecoms entities, both CFCS and the sector authority apply.
The practical implication: audit preparation must consider sector regulator expectations alongside CFCS expectations. Energy and financial entities face the most layered oversight.
Registration with CFCS — what's required
Who must register
- Essential and important entities meeting NIS2 size thresholds (medium-sized enterprises and above)
- Specific entity types regardless of size: trust service providers, TLD name registries, DNS service providers, and similar (per the directive's annexes)
- Self-classification is the entity's responsibility — CFCS does not pre-screen
How to register
The CFCS NIS2 portal (linked from cfcs.dk) is the registration interface. Required information includes:
- Company identification (CVR number)
- Sector classification (NACE code)
- Entity type (essential or important)
- Contact details
- Scope of activities under NIS-2-loven
Approximate time to complete: one to two hours if information is pre-collected. Re-registration is triggered by changes in scope, material organisational changes, mergers, or acquisitions.
What happens after registration
CFCS adds the entity to its supervisory register. Notification of an audit cycle does not necessarily mean immediate audit, but ongoing reporting obligations under Article 23 NIS2 commence. CFCS may issue clarification requests or scope challenges based on the registration data.
📨 Tracking secondary legislation across CFCS, Energistyrelsen, and Finanstilsynet is a part-time job. Risk Letters does it for you — free weekly briefing on NIS2 across all 27 EU member states.
Where Denmark deviates from the directive
This is the section that matters most for compliance leads. The deviations are precise.
The big deviation — no personal liability for management
Article 20 of the directive provides for personal liability of management body members in defined circumstances. Denmark's transposition did not include this provision.
The practical consequence: Danish CISOs, CIOs, and management body members cannot face the personal financial liability or temporary management bans that, for example, German or Hungarian counterparts can face under the same directive.
This does not relax the management body's operational obligations. They must still approve risk management measures, oversee implementation, and undergo training under Article 20(1) and 20(2) — Denmark transposed these obligations. What Denmark did not transpose was the personal sanction regime that the directive optionally permits.
For the country-by-country picture, see NIS2 Board-Level Accountability: Personal Liability Explained.
Sector-specific bekendtgørelser
Where the general law (L 141) sets the baseline, sector-specific executive orders may impose additional or specific obligations. As of mid-2026, executive orders have been issued for some sectors and are still pending for others. The practical advice: do not rely solely on L 141 — check Retsinformation.dk for any bekendtgørelse referencing your sector and NIS-2.
What Denmark did not gold-plate
- No expanded scope beyond the directive's 18 sectors
- No additional measures beyond Article 21's ten
- No shortened reporting timelines
- No public-sector-only carve-outs adding burden
Compared to Hungary, Belgium, or Italy, Danish compliance is closer to the directive baseline.
Penalties — what's actually enforced
Maximum penalties
- Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher
- Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher
Denmark mirrors the directive maxima — no national gold-plating on penalty levels, unlike some member states that raised the ceiling.
Non-monetary sanctions
CFCS can issue compliance orders, public reprimands, and remediation deadlines. Certification suspensions are technically available under the directive but are rare in practice for the early enforcement period.
Enforcement reality 2026
As of May 2026, no public enforcement actions have been reported under NIS-2-loven. CFCS has signalled an early-cycle focus on remediation over fines — typical regulator behaviour in the first audit year.
Commercial pressure from in-scope customer audits is currently the larger compliance driver for Danish SMEs. Procurement teams at large in-scope organisations now treat NIS2 attestation as a precondition for new supplier contracts, regardless of supplier size.
A 60-day compliance roadmap for Danish SMEs
A pragmatic close-out, calibrated to Danish specifics:
- Confirm scope — CVR plus NACE check against L 141 Annex sector list
- Register with CFCS if not already done — overdue from October 2025 deadline; do it now with a stated reason for the delay
- Map bekendtgørelser for your sector — search Retsinformation.dk for any executive order tagged "NIS-2"
- Conduct gap assessment against Article 21 — see NIS2 Article 21: All 10 Risk Management Measures Explained
- Document a proportionality memo — defends your control depth based on size, exposure, and sector
- Prepare incident response capability — CFCS reporting portal, 24-hour early warning capability, named on-call contact
- Map your direct suppliers — supply chain due diligence under Article 21(2)(d)
- Train the management body — even without personal liability, Article 20 training obligations apply
- Run a tabletop — measure time-to-CFCS-early-warning
- Document everything — bilingual evidence pack (Danish and English) for cross-border audits
For the SME-scaled framework see Minimum Viable NIS2 Compliance for SMEs.
Frequently asked questions
Does NIS-2-loven apply to me if I have only 30 employees? Generally no. The Danish transposition follows the directive's medium-enterprise threshold. The directive's same exceptions for trust service providers, DNS providers, TLD registries, and similar entity types apply.
What's the difference between NIS-2-loven and the previous Danish NIS law? Six-fold expansion in scope from around 1,000 to roughly 6,000 entities. Supervisory authority is consolidated under CFCS for most sectors, with specialist authorities retained for energy, financial, and telecoms.
Can my management board be personally fined under Danish NIS2? No. Personal liability for management body members was not transposed in Danish law, unlike, for example, Germany's transposition.
Where do I report a cybersecurity incident? CFCS, via the dedicated NIS2 reporting portal. The 24-72-30 timeline of the directive applies without modification.
Are CFCS audits already happening? Yes — they commenced Q1 2026. Early-cycle focus is on remediation rather than penalties.
What if I'm a financial entity in Denmark — DORA or NIS-2-loven? DORA is lex specialis under Article 4 NIS2. Finanstilsynet supervises DORA compliance. NIS-2-loven catches activities not covered by DORA. See NIS2 vs DORA.
Did I miss the registration deadline? The deadline was 1 October 2025. If you missed it, register now and document the delay reason. Late registration with a stated reason is preferable to no registration.
Where to go next
- Complete NIS2 and DORA compliance guide (Pillar)
- NIS2 Article 21: All 10 Measures Explained
- NIS2 vs DORA Key Differences
- Minimum Viable NIS2 Compliance for SMEs
Other countries: Germany, Sweden, Finland, Norway, Netherlands, France, and others publishing weekly.
Sources & further reading
Danish primary sources:
- Retsinformation.dk — full text of L 141 (NIS-2-loven)
- Center for Cybersikkerhed (CFCS) — NIS2 page and registration portal
- Folketinget — Bill L 141 legislative history
- Sector-specific bekendtgørelser via Retsinformation.dk
EU sources:
- European Commission — Digital Strategy: NIS2 directive — including Denmark transposition state-of-play
- Commission infringement decisions register — reasoned opinion of 7 May 2025
- Directive (EU) 2022/2555 — NIS2 — full text on EUR-Lex
Practitioner cross-references:
- Bird & Bird insights — Nordic NIS2 updates
- ECSO — NIS2 Transposition Tracker