The Cybersikkerhedsloven (Danish Cybersecurity Act) is Denmark’s national law implementing the EU’s NIS2 Directive. Officially enacted as Lov nr. 434 af 6. maj 2025 and effective from 1 July 2025, it establishes binding cybersecurity obligations for public authorities and private companies in essential and important sectors.
Its purpose is to ensure a high and consistent level of cybersecurity across Denmark. The law aims to protect critical services such as energy, healthcare, transport, water supply, and digital infrastructure from cyber threats, strengthen resilience, and promote faster incident response and coordination across sectors. It marks a major step in making cybersecurity a leadership and governance issue — not just an IT concern.
How does Cybersikkerhedsloven relate to NIS2?
Cybersikkerhedsloven is Denmark’s direct implementation of the EU’s NIS2 Directive, officially titled the Directive on measures for a high common level of cybersecurity across the Union (EU 2022/2555).
It translates the EU-wide NIS2 requirements into Danish law without adding national extras, a so-called minimum implementation. This ensures that Danish companies and public organizations follow the same baseline standards as their European counterparts.
The law replaces Denmark’s earlier NIS1 implementation, which only applied to a few critical sectors. Under Cybersikkerhedsloven, many more organizations are now covered, including healthcare providers, manufacturing firms, online platforms, and managed service providers.
In short, NIS2 defines the EU’s cybersecurity goals, and Cybersikkerhedsloven is the mechanism that makes them legally enforceable in Denmark, setting the same expectations, enforcement powers, and penalties.
Read more: Cybersecurity frameworks in Denmark
What does Cybersikkerhedsloven require?
Organizations in scope must follow extensive cybersecurity and risk management obligations. Key requirements include:
- Risk management: Establish and maintain documented cybersecurity policies, perform regular risk assessments, and ensure proper governance over network and information systems.
- Incident reporting: Notify authorities of significant incidents within strict deadlines — an initial alert within 24 hours, a detailed report within 72 hours, and a final report within one month
- Business continuity: Maintain crisis management and recovery plans to ensure operational continuity after cyber incidents.
- Supply chain security: Identify and manage cybersecurity risks posed by suppliers and third-party IT providers.
- Access control and cryptography: Enforce least-privilege access, apply encryption, and use multi-factor authentication.
- Training and governance: Require top management to approve cybersecurity measures and complete relevant training in cyber risk management.
- Testing and continuous improvement: Perform regular audits, security testing, and vulnerability management.
- Registration: Certain digital service providers (e.g. DNS, cloud, social media, managed service providers) must register with authorities via virk.dk within three months of becoming covered — for most, this was by 1 October 2025.
How does Cybersikkerhedsloven provide security?
The law shifts cybersecurity from a technical concern to a strategic and governance-level responsibility. By enforcing risk-based security measures, strict reporting rules, and accountability at the executive level, it ensures faster detection, response, and recovery from cyber incidents.
It also strengthens national coordination through Denmark’s Styrelsen for Samfundssikkerhed (Agency for Societal Security) and the Center for Cyber Security (CFCS), improving real-time incident sharing and response between sectors.
This creates a unified, proactive cybersecurity environment across Danish society.
Get the guide: Cybersecurity frameworks in Denmark
What are benefits of Cybersikkerhedsloven?
Complying with the law offers clear practical benefits:
- Better security posture: organisations embed structured cybersecurity controls and governance.
- Faster incident response: with clear reporting rules and escalation, organisations can act quickly and avoid wider damage.
- Improved supplier resilience: supply-chain security makes service delivery more reliable.
- Regulatory confidence: being compliant helps build trust with customers, partners and public authorities.
- Competitive advantage: in sectors where cybersecurity is now a baseline requirement, compliance can be differentiator.
FAQs
Is Cybersikkerhedsloven mandatory?
Yes. It is a legally binding act. Since 1 July 2025, all in-scope entities must comply. Non-compliance can lead to fines up to €10 million or 2% of global turnover, depending on the severity of the violation.
Why is Cybersikkerhedsloven important?
It strengthens Denmark’s defenses against cyber threats and aligns the country with EU-wide cybersecurity standards. The law ensures essential services, from hospitals to power grids, are resilient to attacks and can recover quickly.
Who needs to comply with Cybersikkerhedsloven?
It applies to medium and large organizations (50+ employees or €10M+ turnover) in critical sectors, such as:
- Energy, transport, water, healthcare, and food
- Digital infrastructure and managed IT services
- Public administration (state and regional)
- Certain manufacturing, postal, and waste management firms
Smaller companies are generally excluded unless they provide vital services to others that are covered.
When is Cybersikkerhedsloven in effect?
The law took effect on 1 July 2025.Registration of digital service providers was required by 1 October 2025, and continuous compliance applies thereafter.
Is Cybersikkerhedsloven supported in Cyberday?
Yes. Cyberday fully supports Cybersikkerhedsloven (NIS2) compliance with ready-made tasks, policies, reporting workflows, and evidence tracking.
Start your free 14-day trial of Cyberday and see how easy it is to structure your Cybersikkerhedsloven compliance with pre-built controls and smart task automation.
