The Danish implementation of a framework for supervision of the financial sector under The DORA Regulation and NIS2 Directive

On 2 May 2024, the Danish Parliament adopted an amendment to the Danish Financial Business Act (the “Act”) to provide the Danish FSA with a legal framework for supervision of the financial sector under the DORA Regulation (“DORA”) and the NIS-2 Directive (“NIS2”).

In January 2023, DORA and NIS2 entered into force and set standards for a modernization of the rules for IT and cybersecurity in the financial sector. NIS2 shall apply from 18 October 2024 and DORA from 17 January 2025.

The Act adopted on 2 May 2024, implements changes to the Danish Financial Act necessary to ensure an effective pan-European regulation on cybersecurity and supervision. The regulation will apply to financial entities subject to the supervision of the Danish FSA, including Funds of alternative investment funds (FAIFs).

The authority delegated to the Danish FSA

The Danish FSA as the designated authority

With the Act, the Danish FSA is designated as the competent authority to ensure financial entities’ compliance with the provisions of DORA and a legal basis is established to sanction infringements of the regulation. Further, the Act provides the Danish FSA with the framework to supervise IT and the cybersecurity of all relevant companies in the financial area providing digital infrastructure and management of IT services within the financial sector.

Covering the financial sector under DORA and NIS2 

DORA applies to financial entities, and it modernises and harmonises the rules within IT and cybersecurity across the financial sector; the regulation lays down rules to strengthen the resilience of enterprise IT technology, thereby reducing the risk of cyberattacks, and it aims to limit the damage and prioritize the resumption of activities in case of a cyberattack.

DORA does not regulate joint data centres and IT operators of retail payment systems which instead are covered by the NIS2 and its more general rules applicable to digital infrastructure and management of IT services. Therefore, the Act also implements rules of NIS2 for common data centres and IT operators of retail payment systems. When combining NIS2 with the requirement under DORA, the rules ensures that uniform requirement continue to apply to undertakings operating in the financial sector and, thereby, support companies that use the provision of IT services of operators of digital financial infrastructure in complying with DORA.

Authorisation to the Danish FSA to designate operators and set rules.

With the Act, the Danish FSA is authorized to designate common data centres and IT operators of retail payment systems as operators of financial digital infrastructures and the Danish FSA is authorized to set detailed rules for operation of financial digital infrastructure. With the authorization, the Danish FSA is able to ensure that the rules for digital financial infrastructure operators complies with requirements that may be established pursuant to delegated acts under NIS2 or that stem from DORA.

The Act also adopt amendment to incident reporting rules (as implemented with the first NIS directive) to be replaced by a requirement to report major IT-related incidents and voluntarily notify significant cyber threats to competent authorities under DORA. It is expected that the Centre for Cyber Security will be designated by the Danish FSA as the Danish national center for receipt of reporting within the financial sector.

The effective date

The Act will be effective from 1 Juli 2024. Certain provisions of the Act will have effect at later stages during 2024 and when the DORA applies on 17 January 2025.

Next steps

We still monitor the regulation issued by the Danish FSA to determine its impact on companies in the private equity market.