The Danish government has presented bills for implementing the NIS2 Directive and the CER Directive

On 6 February 2025, the bills for implementing the NIS2 Directive and the CER Directive were presented by the Danish government to the Danish Parliament.

The bill L 141 for an Act on measures for a high level of cybersecurity (the ”NIS2 Act”) can be accessed here.

The bill L 140 for an Act on resilience of critical entities (the “CER Act”) can be accessed here.

The minister for Societal Resilience and Contingency (minister for Samfundssikkerhed og Beredskab) presented the bills informing that a minimum implementation is sought in accordance with the Danish government’s principles for implementation of business-oriented EU regulations. With the NIS2 Act and the CER Act will follow associated executive orders and sector-specific executive orders.

The NIS2 Act will implement security requirements aimed at cyber security for entities within critical sectors as defined and listed in the NIS 2 Directive in form of “Essential Entities” (Annex I) and “Important Entities” (Annex II). The regulation includes mandatory requirements for measures to manage cyber security risks, such as policies for risk analysis, notification obligations in the event of, among other things, significant incidents, and supervisory and enforcement measures.

The CER Act provides for sectoral ministries to identify entities within critical sectors with the aim of managing risks that could lead to disruption in the provision of essential services. These critical entities will become subject to addition supervision of the authorities, enforcing the rules and supporting the critical entities in increasing their resilience. The essential sectors include energy, transport, banking, health, drinking and wastewater, digital infrastructure and public administration.

The NIS2 Act and the CER Act are closely linked (as are the directives underlying the bills). Entities identified as critical entities under the CER Directive fall within the scope of the NIS 2 Directive and will be subject to the cyber security measures regulated under the NIS2 Directive.

It is proposed that both Acts enter into force on 1 July 2025.

Companies operating within the critical sectors (either as Essential Entities or Important Entities) must make an assessment of whether they will become subject to the NIS2 Act and will need to register themselves with the sector-specific authorities. Other companies operating in the supply chains to critical sectors should also assess the relevance to implement security measures as required under the NIS2 Act.

Tags:  CERCybersecurityNIS2