The Danish implementation of a framework for supervision of the financial sector under The DORA Regulation and NIS2 Directive

Published 7 May 2024

PrintCategory: Financial Regulation

On 2 May 2024, the Danish Parliament adopted an amendment to the Danish Financial Business Act (the “Act”) to provide the Danish FSA with a legal framework for supervision of the financial sector under the DORA Regulation (“DORA”) and the NIS-2 Directive (“NIS2”).

In January 2023, DORA and NIS2 entered into force and set standards for a modernization of the rules for IT and cybersecurity in the financial sector. NIS2 shall apply from 18 October 2024 and DORA from 17 January 2025.

The Act adopted on 2 May 2024, implements changes to the Danish Financial Act necessary to ensure an effective pan-European regulation on cybersecurity and supervision. The regulation will apply to financial entities subject to the supervision of the Danish FSA, including Funds of alternative investment funds (FAIFs).

The authority delegated to the Danish FSA

The Danish FSA as the designated authority

With the Act, the Danish FSA is designated as the competent authority to ensure financial entities’ compliance with the provisions of DORA and a legal basis is established to sanction infringements of the regulation. Further, the Act provides the Danish FSA with the framework to supervise IT and the cybersecurity of all relevant companies in the financial area providing digital infrastructure and management of IT services within the financial sector.

Covering the financial sector under DORA and NIS2 

DORA applies to financial entities, and it modernises and harmonises the rules within IT and cybersecurity across the financial sector; the regulation lays down rules to strengthen the resilience of enterprise IT technology, thereby reducing the risk of cyberattacks, and it aims to limit the damage and prioritize the resumption of activities in case of a cyberattack.

DORA does not regulate joint data centres and IT operators of retail payment systems which instead are covered by the NIS2 and its more general rules applicable to digital infrastructure and management of IT services. Therefore, the Act also implements rules of NIS2 for common data centres and IT operators of retail payment systems. When combining NIS2 with the requirement under DORA, the rules ensures that uniform requirement continue to apply to undertakings operating in the financial sector and, thereby, support companies that use the provision of IT services of operators of digital financial infrastructure in complying with DORA.

Authorisation to the Danish FSA to designate operators and set rules.

With the Act, the Danish FSA is authorized to designate common data centres and IT operators of retail payment systems as operators of financial digital infrastructures and the Danish FSA is authorized to set detailed rules for operation of financial digital infrastructure. With the authorization, the Danish FSA is able to ensure that the rules for digital financial infrastructure operators complies with requirements that may be established pursuant to delegated acts under NIS2 or that stem from DORA.

The Act also adopt amendment to incident reporting rules (as implemented with the first NIS directive) to be replaced by a requirement to report major IT-related incidents and voluntarily notify significant cyber threats to competent authorities under DORA. It is expected that the Centre for Cyber Security will be designated by the Danish FSA as the Danish national center for receipt of reporting within the financial sector.

The effective date

The Act will be effective from 1 Juli 2024. Certain provisions of the Act will have effect at later stages during 2024 and when the DORA applies on 17 January 2025.

Next steps

We still monitor the regulation issued by the Danish FSA to determine its impact on companies in the private equity market.

Other updates

21 May 2024Impact and ESGUpdates

Summary report of the consultations on the implementation of SFDR

The European Commission initiated in September 2023 public and targeted consultations on the implementation of the SFDR running until 22 December 2023. A summary of the contributions on the consultations have now been published in a summary report.

Disclosure RequirementsRegulatory Technical StandardsSustainability
13 May 2024Impact and ESGUpdates

The Danish FSA: Investment Managers must be better at disclosing sustainability related information

The Danish Financial Supervisory Authority has in a thematic review assessed several sustainability related issues at two investment managers.

Disclosure RequirementsSustainability
7 May 2024Impact and ESGUpdates

Invest Europe GP ESG Due Diligence Guide

Invest Europe has published a revised GP ESG Due Diligence Guide. It provides guidance on how ESG factors can be incorporated into general partner’s management and decision-making processes.

24 Apr 2024Impact and ESGUpdates

Final approval by the EU Parliament of the Corporate Sustainability Due Diligence Directive

Today, 24 April 2024, the Corporate Sustainability Due Diligence Directive (“CSDDD”) received the final green light from the European Parliament.

2 Apr 2024AIFsUpdates

AIFMD 2.0 published in the OJEU

On 26 March 2024, directive 2024/927 amending the directives 2011/61/EU (AIFMD) and 2009/65/EC (UCITSD), also known as AIFMD 2.0, has been published in the EU Official Journal.

AIFMDRisk Management
22 Mar 2024Impact and ESGUpdates

News regarding the Corporate Sustainability Due Diligence Directive

15 March 2024, the Committee of the Permanent Representatives of the Governments of the Member States to the European Union (“COREPER”) endorsed the Corporate Sustainability Due Diligence Directive (“CSDDD”) taking the directive one important step closer to finalizing the legislative process.