
Denmark’s Energy Resilience Order: a practical compliance guide for cyber and operations teams

Understand Denmark’s Energy Resilience Order for the energy sector and how it implements NIS2 and CER. This guide covers who is in scope, management duties, risk and preparedness planning, technical and organizational safeguards, incident reporting, and more.


The Danish Executive Order on Resilience and Preparedness in the Energy Sector (Bekendtgørelse om modstandsdygtighed og beredskab i energisektoren) establishes binding requirements for how critical energy companies manage resilience, preparedness and crisis response. It constitutes Denmark’s sector-specific implementation of the EU Network and Information Systems Directive 2 (NIS2) and the Critical Entities Resilience Act (CER) for energy.

Rather than transposing NIS2 and CER through a single act, Denmark embeds the obligations through existing energy legislation and dedicated executive orders administered by the Danish Energy Agency. This approach integrates cyber security, physical protection and operational preparedness into a unified regulatory framework tailored to the energy system.

The order applies primarily to transmission and distribution system operators, major producers and operators of critical energy infrastructure. It imposes clear governance duties on management, requires structured risk assessments and preparedness planning, mandates technical and organizational measures and establishes incident handling and reporting obligations. Supervision is risk-based, and enforcement powers are available where compliance is insufficient.

Scope and covered functions

The order applies to infrastructure and activities that form part of the Danish energy system, regardless of ownership. This includes cross-border interconnectors and shared assets, to the extent that Danish entities operate or are responsible for them. The order recognizes that energy systems are interconnected and that incidents can propagate across borders.

The framework also considers the interface between energy companies and other critical sectors such as telecommunications, finance and transport. Companies must understand dependencies on external networks and services that support control systems and market operations. This perspective influences risk assessments and continuity planning. It also informs cooperation with authorities in national and regional emergency planning structures.

Organizations outside direct scope can use the order as a benchmark for resilience and for alignment with NIS2 and ISO 22301.

Objectives and principles

The executive order builds on the Danish Electricity Supply Act and related gas and district heating legislation. It assigns duties to covered entities and clarifies the role of the Danish Energy Agency and the system operators. It links traditional emergency preparedness with cyber and hybrid threats.

The order has five core aims:

  • clear governance and management accountability
  • systematic risk and vulnerability assessments
  • realistic preparedness and continuity plans
  • defined expectations for technical and organizational safeguards
  • incident handling, notification and continuous improvement across the sector.

Management responsibility and governance

Boards and executive teams hold ultimate responsibility. Management must approve policies, risk assessments and emergency plans. They must allocate resources for prevention, preparedness, exercises and training. Reporting lines from operations to management must be defined and used.

Companies must assign a preparedness lead and name system owners for critical installations. Crisis management teams must be documented with roles, deputies and contact paths. Policies and procedures must cover risk, continuity, readiness and authority cooperation. Training must ensure staff know their roles in both daily operations and crises.

Risk and vulnerability assessment

Companies must run structured risk and vulnerability assessments. Scope includes equipment failure, natural hazards, cyber attacks, sabotage and cascading failures from other sectors. Assessments must consider likelihood and consequence for critical services.

Critical assets and single points of failure must be identified. Cyber and physical aspects must be assessed together for control systems and field devices. Results must drive investment and control selection. Authorities may request access to assessments to support supervision and sector risk analysis.

Preparedness and continuity planning

Companies must maintain up-to-date preparedness and continuity plans. Plans must define activation criteria, roles, communication paths and coordination with system operators and authorities. They must describe how to keep a minimum level of service and how to restore normal operation.

Plans must address loss of primary control systems, damage to key substations or pipelines, large-scale outages and significant cyber incidents. Plans must include fallback procedures such as local control or manual operation and must identify alternative supply routes where possible. Plans must be realistic, tested and aligned with regional and national concepts.

Technical protection of critical assets and systems

Companies must protect critical sites with appropriate physical security and robust design. This includes perimeter controls, access management, surveillance and intrusion detection. Protection levels must match asset importance and current threat levels.

Operational technology needs secure architectures and segmentation from enterprise IT. Strong authentication, logging and monitored communications are required for control systems. Backups and redundancy must exist for critical control and communication functions. Spare parts and repair capacity must be available where lead times are long.

Organizational readiness and cooperation

Crisis management must be ready to activate at any time. Companies need up-to-date contact lists, call-out procedures and 24x7 response where necessary. Strategic, operational and communication roles must be clear.

Cooperation is expected. Companies should participate in sector preparedness forums, share relevant threat information and join joint exercises. Coordination across grid boundaries and regions is essential for wide-area disturbances. Cooperation with public authorities supports consistent public communication and resource allocation.

Incident handling and notification

Companies must detect and manage incidents quickly. Monitoring, alarms and staff reporting must support early detection. Incidents must be classified, stabilized and escalated to crisis management when thresholds are met.

Serious incidents must be notified to the Danish Energy Agency or designated system operators. Criteria relate to scale, duration, impact on critical customers and risk of escalation. Initial alerts must be followed by status updates and a final report. Notifications must describe what happened, affected areas, expected development, measures taken and support needs.

Continuous improvement

Exercises are mandatory. Companies must run internal drills and take part in sector or national exercises when invited. A mix of tabletop simulations, communication drills and live operational exercises is recommended.

Scenarios should be realistic and include multi-day events, combined physical and cyber incidents and loss of key staff or facilities. Every exercise needs objectives, evaluation and improvement actions. Lessons must update plans, clarify roles and refine technical and organizational measures.

Documentation, improvement and alignment

Preparedness work must be documented. This includes risk assessments, plans, exercise reports and incident reviews. Companies must check if measures remain adequate as threats, technologies and systems evolve.

The order aligns with related frameworks like the EU Network Code on Emergency and Restoration and the EU Network and Information Systems 2 Directive (NIS2). Harmonize internal frameworks so resilience, cybersecurity and operational risk management support each other. This reduces duplication and strengthens security of supply.

How to implement the Energy Resilience Order in your organization

Most companies can operationalize the order using a three-step path. This builds the artifacts authorities expect and improves real resilience. A good approach is to use a dedicated ISMS like Cyberday to manage the work.

Scope and map

Define which assets, systems and processes are in scope. Map critical services, control centers, substations, pipelines, telecom links and cross-border assets. Identify dependencies on telecom, IT and key suppliers. Name system owners and crisis roles. This becomes your governance and asset backbone.

Assess and plan

Run a structured risk and vulnerability assessment across cyber and physical threats. Identify single points of failure and high-consequence scenarios. Draft or update preparedness and continuity plans with activation criteria, fallback modes, communication paths and restoration objectives. Define technical and organizational control upgrades with owners and deadlines.

Exercise and evidence

Run targeted drills to test decision-making, communications and technical failover. Fix gaps and update runbooks. Establish an incident log and a lessons-learned workflow. Keep documents versioned and accessible. Prepare a notification playbook with criteria, templates and contact trees.

Cyberday can help during these steps with ready-made task libraries, risk and plan templates, role-based workflows and centralized evidence collection. It also supports mapping your work to NIS2 or ISO 22301 so you avoid duplicate effort.

Why the Energy Resilience Order matters for cyber resilience and compliance

Energy operations depend on accurate situational awareness and repeatable response. The order forces clarity on critical assets, dependencies and fallback modes. That clarity reduces outage likelihood and impact. It also improves recovery by defining roles, communication paths and technical runbooks.

Strong implementation supports contract negotiations, interconnector operations and regulator confidence. It builds trust with customers, partners and investors. It also aligns with NIS2 and the EU emergency and restoration rules. That alignment reduces duplicated audits and improves the quality of decisions during stress events.

FAQs

Here are questions that organizations often ask:

Which entities are directly covered by the order?

Transmission and distribution system operators, large power and heat producers and critical gas infrastructure operators are typically in scope. Specific control center and market functions can also be covered. Check the order text and sector guidance for exact categories.

How should we treat dependencies on telecom or IT providers?

Identify telecom and IT links that support control centers and field sites. Include them in risk assessments and plans. Set contractual requirements for availability, incident notification and participation in drills.

What level of detail do preparedness plans need?

Plans must be actionable. Include activation criteria, roles, decision rights, communication paths and fallback procedures. Attach technical runbooks for local control, manual operation and system restoration.

How often should we exercise?

Run at least one structured exercise per year. Increase frequency for major changes or after significant incidents. Use a mix of tabletop, communication and live technical drills. Track lessons and close actions.

What triggers notification to the Danish Energy Agency or system operators?

Notify for serious or escalating incidents with material impact on security of supply or critical customers. Use pre-defined criteria and contact paths. Send an initial alert quickly, then follow with updates and a final report.

How does this relate to NIS2?

The order focuses on sector resilience and security of supply. NIS2 focuses on network and information systems security and incident reporting across sectors. Align controls and processes so one set of evidence supports both regimes.


Operationalize energy resilience with less effort

If you are building or maturing your program, Cyberday helps you move faster with fewer spreadsheets. Use Energy Resilience Order task sets, risk and plan templates, role workflows and centralized evidence to stay audit-ready while improving real resilience. Map once and reuse across NIS2 and ISO 22301 to save time.
