NIS2 entered into force on 1 July 2025 – and it changes everything
The Danish NIS2 Act entered into force on 1 July 2025. From that moment, cybersecurity became a direct management responsibility for up to 1,500 Danish companies – and potentially 6,000 when supply chains are included. The law is administered by the Danish Agency for Civil Protection, with CFCS (Centre for Cyber Security) as the national cyber authority.
The self-registration deadline via the CFCS portal was 1 October 2025, and the first audits are already underway in 2026. If you have not yet acted, you are already behind.
Is your company in scope?
NIS2 distinguishes between essential and important entities:
Essential entities (large companies in critical sectors):
- Energy, transport, finance and healthcare
- Drinking water and wastewater
- Digital infrastructure (data centres, cloud, DNS)
- Public administration
- Postal and courier services, waste management
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Chemicals and food
- Digital services (marketplaces, search engines)
The 10 requirements you must meet
NIS2 Article 21 sets 10 minimum requirements for all entities in scope:
- Risk analysis and security policies – not a one-off assessment, but ongoing
- Incident handling – detection, analysis, response and reporting
- Business continuity and crisis management – backup, disaster recovery
- Supply chain security – your suppliers' cybersecurity is your responsibility
- Security in system development – vulnerability handling and disclosure
- Effectiveness assessment – testing and evaluation of security measures
- Cyber hygiene and training – all employees, regularly
- Encryption – policies for use of encryption
- Access control and HR security – role-based access, personnel screening
- Multi-factor authentication (MFA) – on all critical systems
24-72-30: Reporting deadlines you cannot ignore
When an incident occurs, the clock is ticking:
- 24 hours: Early warning to authorities – even with incomplete information
- 72 hours: Full incident notification with severity assessment
- 30 days: Final report with root cause analysis
Fines and consequences
The fines are significant and differentiated:
- Essential entities: Up to EUR 10 million or 2% of global turnover – whichever is higher
- Important entities: Up to EUR 7 million or 1.4% of global turnover
- Management liability: Board members and executives can be held personally liable. In the worst case, leaders can be temporarily suspended for gross neglect of their NIS2 obligations
Insurance and NIS2: They reinforce each other
NIS2 does not mandate cyber insurance – but it significantly increases the need:
- Cyber insurance covers the costs an incident entails: IT forensics, legal assistance, business interruption and regulatory fines
- D&O insurance protects management against personal liability claims arising from NIS2 responsibilities
- Insurers are setting requirements: Many now demand CIS 18 compliance or equivalent security frameworks before offering coverage
- Compliance means better terms: Companies that can demonstrate NIS2 compliance become easier to insure and achieve better pricing
What you should do now
- Determine if you are in scope – check size and sector requirements at samsik.dk/nis2
- Conduct a gap analysis – how far are you from the 10 minimum requirements?
- Establish incident response – the 24-hour deadline requires preparation today
- Involve the board – NIS2 is a management responsibility, not an IT project
- Review your insurance – do you have cyber and D&O coverage that matches the new risks?


