	NIS2 Implementation in the EU
	Denmark
	(Europe) Firm Kromann Reumert Contributors Christel Teglers Updated 10 Feb 2026
Status of the legislative process	Enacted
Status of the NIS2 Implementation Act	The NIS2 Implementation Act is implemented into Danish law by several sector-specific laws: One act for the energy sector, implementing NIS2 and CER, which entered into force on 7 March 2025 ("Act No 258 of 6 March 2025 on Security and Preparedness in the Energy Sector"). The Act is supplemented by three Ministerial Orders that detail and describe the requirements for organizational resilience, physical security, cybersecurity, personnel approvals, incident reporting and supply chain security, amongst others. One act for the telco sector, implementing NIS2, which entered into force on 1 July 2025 ("Act No 435 of 6 May 2025 on Security and Preparedness in the Telco Sector"). The Act is supplemented by four Ministerial Orders that detail and describe the requirements for organizational resilience, physical security, cybersecurity, personnel approvals, incident reporting and supply chain security, amongst others. One act for certain designated operators of financial digital infrastructure, implementing NIS2 and aligning with the Digital Operational Resilience Act ("DORA"), which entered into force on 18 October 2024 (through a new Chapter 19 c in the Danish Financial Business Act). As of February 2026, the operators in scope of this legislation are: JN Data A/S, FORENINGEN BANKDATA, Netcompany Banking Services A/S, BEC Financial Technologies A.M.B.A., e-nettet A/S, Mastercard Payment Services Denmark A/S, and NETS Denmark A/S. One act for the remaining NIS2 sectors, i.e., transport, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research, which entered into force on 1 July 2025 ("Act No 434 of 6 May 2025 on Measures for a High Level of Cybersecurity").
Significant deviations of the National Implementation Act from the NIS2 Directive, if any	The sector-specific regulations for the energy and telco sectors as well as the designated IT operators of financial digital infrastructure are higher than those of the minimum requirements of the NIS2 Directive. For the energy and telco sectors, local law advice is recommended as the national legislation is detailed and cannot be summarized in short form. It is worth noting that the size cap rule under NIS2 does not apply to in-scope energy and telco companies in Denmark. For the designated operators of financial digital infrastructure, the deviations align rather closely with the substantive requirements under DORA.
Date of entry into force of the Implementation Act	18 October 2024: Designated operators of financial digital infrastructure (February 2026: 7 operators) 7 March 2025: Energy sector companies 1 July 2025: Telco companies and remaining NIS2 sectors

NIS2 Implementation in the EU

Back XLS

Status of the legislative process

Enacted

Status of the NIS2 Implementation Act

The NIS2 Implementation Act is implemented into Danish law by several sector-specific laws:

One act for the energy sector, implementing NIS2 and CER, which entered into force on 7 March 2025 ("Act No 258 of 6 March 2025 on Security and Preparedness in the Energy Sector"). The Act is supplemented by three Ministerial Orders that detail and describe the requirements for organizational resilience, physical security, cybersecurity, personnel approvals, incident reporting and supply chain security, amongst others.
One act for the telco sector, implementing NIS2, which entered into force on 1 July 2025 ("Act No 435 of 6 May 2025 on Security and Preparedness in the Telco Sector"). The Act is supplemented by four Ministerial Orders that detail and describe the requirements for organizational resilience, physical security, cybersecurity, personnel approvals, incident reporting and supply chain security, amongst others.
One act for certain designated operators of financial digital infrastructure, implementing NIS2 and aligning with the Digital Operational Resilience Act ("DORA"), which entered into force on 18 October 2024 (through a new Chapter 19 c in the Danish Financial Business Act). As of February 2026, the operators in scope of this legislation are: JN Data A/S, FORENINGEN BANKDATA, Netcompany Banking Services A/S, BEC Financial Technologies A.M.B.A., e-nettet A/S, Mastercard Payment Services Denmark A/S, and NETS Denmark A/S.
One act for the remaining NIS2 sectors, i.e., transport, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research, which entered into force on 1 July 2025 ("Act No 434 of 6 May 2025 on Measures for a High Level of Cybersecurity").

Significant deviations of the National Implementation Act from the NIS2 Directive, if any

The sector-specific regulations for the energy and telco sectors as well as the designated IT operators of financial digital infrastructure are higher than those of the minimum requirements of the NIS2 Directive. For the energy and telco sectors, local law advice is recommended as the national legislation is detailed and cannot be summarized in short form. It is worth noting that the size cap rule under NIS2 does not apply to in-scope energy and telco companies in Denmark. For the designated operators of financial digital infrastructure, the deviations align rather closely with the substantive requirements under DORA.

Date of entry into force of the Implementation Act

18 October 2024: Designated operators of financial digital infrastructure (February 2026: 7 operators)
7 March 2025: Energy sector companies
1 July 2025: Telco companies and remaining NIS2 sectors