.svg)
.png)
Denmark's Act on the Resilience of Critical Entities (Lov om kritiske enheders modstandsdygtighed, commonly referred to as the Danish CER) entered into force on 1 July 2025. The law implements the EU's Critical Entities Resilience (CER) Directive and establishes requirements for organisations that provide services essential to society.
The purpose of the framework is straightforward: critical services must remain operational even when facing major disruptions. These disruptions may stem from cyberattacks, physical sabotage, extreme weather, supply-chain failures, accidents, public health emergencies, or other threats.
Because the Danish CER entered into force alongside Denmark's implementation of NIS2, organisations often struggle to understand how the two frameworks relate to one another. While both aim to strengthen resilience, they address different types of risk and impose different obligations.
This article explains who may be affected by the Danish CER, what compliance involves, and how the framework differs from NIS2.
Danish CER covers critical entities
The Danish CER applies to organisations operating in sectors that provide essential services to society. These sectors largely follow those listed in the EU CER Directive and include:
- Energy
- Transport
- Banking and financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- Public administration
- Space
- Food production, processing, and distribution
Entities are not self-identifying under the Danish CER. The competent minister in each sector formally designates critical entities following national risk assessments. Designation decisions must be completed by 17 July 2026.
When evaluating organisations, authorities consider factors such as:
- The essential services provided
- The potential societal impact of disruption
- Dependencies between sectors
- Geographic reach
- Availability of alternative service providers
Some organisations serving multiple EU Member States may additionally be designated as critical entities of particular European significance.
Energy sector exception
The energy sector follows a separate preparedness framework under the Act on Enhanced Preparedness in the Energy Sector, which implements both CER and NIS2 requirements through dedicated sector-specific legislation. As a result, energy operators are generally not regulated directly under the Danish CER. Sector-specific regulations for energy and telecom are expected to impose requirements above the minimum thresholds of the CER directive.
What does the Danish CER require?
The Danish CER is built around an all-hazards approach to resilience. Rather than focusing solely on cybersecurity, organisations must prepare for a wide range of threats that could disrupt essential services.
Once designated, a critical entity must:
Conduct a risk assessment
Organisations must identify and evaluate risks that could affect their ability to provide essential services. These assessments should consider:
- Natural hazards
- Accidents
- Sabotage and terrorism
- Insider threats
- Public health emergencies
- Hybrid threats
- Supply-chain disruptions
The risk assessment forms the foundation for all subsequent resilience measures.
Develop and maintain a resilience plan
Based on the risk assessment, organisations must establish a resilience plan describing how they will prevent, withstand, respond to, and recover from disruptions.
Implement appropriate resilience measures
The framework requires measures that are proportionate to the organisation's risks and role in society. These typically include:
- Physical security controls
- Incident response procedures
- Crisis management arrangements
- Recovery and continuity measures
- Personnel security measures
- Coordination procedures with authorities
Appoint a liaison officer
Critical entities must designate a point of contact responsible for communication with the competent authority.
Resilience is more than business continuity
One of the most common misconceptions about CER is that it is primarily a business continuity framework.
In reality, business continuity is only one component of resilience.
Under the Danish CER, resilience refers to an organisation's overall ability to:
- Prevent disruptions
- Withstand incidents
- Respond effectively
- Recover operations
- Adapt to future threats
Business continuity planning supports the response and recovery phases, but compliance also requires broader measures such as physical security, personnel security, prevention activities, and crisis management.
A strong business continuity plan alone does not satisfy CER requirements. The required deliverable is a resilience plan that addresses the full lifecycle of disruptions
Danish CER vs NIS2: What's the Difference?
Although the Danish CER and NIS2 are closely related, they address different risks and obligations.
When Must Incidents Be Reported?
Under the Danish CER, critical entities must report incidents that significantly disrupt, or could significantly disrupt, the delivery of essential services.
Reporting generally follows this timeline:
- Initial notification within 24 hours
- Detailed report within one month
NIS2 follows a different process for cyber incidents:
- Early warning within 24 hours
- Incident notification within 72 hours
- Final report within one month
Can Both Frameworks Apply?
Yes.
A cyberattack that disrupts an essential service may trigger obligations under both CER and NIS2.
For example:
- A ransomware attack that interrupts a hospital's services may require reporting under both frameworks.
- A flood damaging a water treatment facility would generally fall under CER only.
- A cyber incident affecting an organisation covered by NIS2 but not designated as a critical entity would only trigger NIS2 reporting obligations.
An important distinction is that critical entities under CER are not the same as essential entities under NIS2. The categories overlap, but they are established through different legal mechanisms and serve different purposes.
Read more about NIS2 incident reporting from our separate blog.
Timeline and Next Steps
The Danish CER entered into force on 1 July 2025, but the designation process continues through 2026.
1 July 2025: Danish CER enters into force
17 July 2026: Authorities complete designation of critical entities
Designation + 9 months: Risk assessment completed
Designation + 10 months: Resilience plan and resilience measures implemented
Organisations that expect to be designated should begin preparations before receiving formal notification. Building a resilience programme, conducting risk assessments, and documenting resilience measures often require significant coordination across security, operations, compliance, and leadership teams.
Key Takeaways
- The Danish CER implements the EU CER Directive and has applied since 1 July 2025.
- The framework focuses on the resilience of essential services against all types of threats, not only cyber threats.
- Critical entities are designated by authorities.
- Organisations must conduct risk assessments, implement resilience measures, and maintain a resilience plan.
- Business continuity is only one component of the broader resilience concept.
- CER and NIS2 operate alongside one another, with separate reporting channels and obligations.
- Organisations expected to be designated should begin preparations well before the July 2026 designation deadline.
Conclusion
The Danish CER introduces a structured approach to protecting essential services against a broad range of threats. While it complements NIS2, it addresses a different challenge: ensuring that critical services remain available regardless of whether disruptions originate from cyber incidents, physical attacks, natural disasters, or operational failures.
For organisations likely to be designated as critical entities, the key priority is to develop a resilience programme that goes beyond business continuity and addresses prevention, protection, response, and recovery as a unified whole.
