Which Danish Authority Audits Your NIS2 Compliance? A 4-Regulator Sector Map with Entity-Type Routing
Denmark was among the last EU member states to transpose NIS2. Lov nr. 434, the Danish NIS2 Act, was adopted by the Folketing on 29 April 2025 and entered into force on 1 July 2025 — nine months after the EU’s October 2024 transposition deadline. When it did, it introduced one of the most distributed supervisory structures in the EU: at least 11 sector-specific competent authorities coordinated under a single national agency.
For Danish organisations preparing for NIS2 supervision, the first practical question is not “what measures do we need?” — it’s “who actually oversees us, and where do we register and report?” The answer is less straightforward than most compliance resources suggest. This guide maps every Danish NIS2 competent authority to its sector, explains the relationship between SAMSIK and CFCS, clarifies the GovCERT and DKCERT distinction, and covers Denmark’s enforcement model — which operates through criminal prosecution rather than administrative fines, making it structurally distinct from most EU member states.
Does This Apply to Your Organisation?
NIS2 applies to organisations that provide services in one of 18 regulated sectors and exceed the medium-sized enterprise threshold. The scope criteria are cumulative: your organisation must operate in a covered sector and meet at least one size condition.
| Criterion | Threshold | Notes |
|---|---|---|
| Employees | 50 or more | Full-time equivalent headcount |
| Annual turnover | Over €10,000,000 | Must exceed threshold together with balance sheet |
| Annual balance sheet total | Over €10,000,000 | Required in combination with turnover criterion |
Smaller organisations that fall below these thresholds are generally out of scope, with one exception: entities identified as critical regardless of size by their competent authority. Sole traders, microenterprises, and most SMEs with fewer than 50 employees fall outside NIS2 scope under the Danish Act. Denmark’s NIS2 implementation covers an estimated 6,000+ organisations across 18 sectors. Two entity tiers apply — Essential Entities (EE) face proactive supervision; Important Entities (IE) face reactive supervision. Both tiers carry identical technical requirements under Article 21 of the Directive; the difference is supervisory intensity and the maximum penalty ceiling. See essential vs important entities for the full classification logic.
Why Denmark Uses Multiple NIS2 Competent Authorities
Article 33 of the NIS2 Directive (2022/2555) explicitly permits member states to designate more than one competent authority, allowing sector-specialist regulators to govern supervision within their existing domain. Denmark chose this model comprehensively. Rather than a single national cybersecurity body handling all 18 sectors, the Danish framework assigns supervision to the regulator with established expertise in each domain — energy operators to Energistyrelsen, financial institutions to Finanstilsynet, maritime operators to Søfartsstyrelsen, and so on.
The coordinating layer is Styrelsen for Samfundssikkerhed (SAMSIK) — the Danish Agency for Civil Contingency and Resilience — which serves as both the national coordinating authority and the direct supervisory body for sectors not assigned to a specialist regulator. SAMSIK also hosts the Center for Cybersikkerhed (CFCS), which functions as Denmark’s national CSIRT and the single point of contact for NIS2 incident reporting across all sectors.
The energy sector has its own implementation timeline. Energistyrelsen implemented NIS2 energy requirements via a separate law, Act No. 258, which entered into force on 7 March 2025 — more than three months before the main NIS2 Act. Energy operators have therefore been formally subject to NIS2 supervision since early 2025, ahead of most other sectors.
The Complete Danish NIS2 Sector Authority Map
Denmark’s competent authority structure assigns a specific supervisory body to each NIS2 sector. If your organisation operates across multiple sectors — for example, providing both energy services and digital infrastructure — you register with and report to each relevant authority. The Virk.dk registration portal routes submissions to the appropriate bodies automatically based on the sectors you declare.
| Sector (NIS2 Annex I / II) | Competent Authority | Type | Contact |
|---|---|---|---|
| Energy (electricity, gas, district heat, oil, hydrogen) | Energistyrelsen (Danish Energy Agency) | EE / IE | beredskab@ens.dk |
| Financial services (banking, capital markets, payment infrastructure) | Finanstilsynet (Danish FSA) | EE / IE | nis2@ftnet.dk |
| Health and medical devices | Sundhedsdatastyrelsen (Danish Health Data Authority) | EE / IE | nis2sundhedssektoren@sundhedsdata.dk |
| Drinking water supply and wastewater | Miljøstyrelsen (Danish Environmental Protection Agency) | EE / IE | vandforsyning@mst.dk |
| Waste management and waste incineration | Miljøstyrelsen | EE / IE | ada@mst.dk |
| Digital infrastructure (DNS, cloud, data centres, CDN, TLD registries) | Digitaliseringsstyrelsen (Danish Agency for Digital Government) | EE / IE | nis2@digst.dk |
| ICT service management (managed services, B2B) | Digitaliseringsstyrelsen | EE / IE | nis2@digst.dk |
| Telecommunications | Styrelsen for Samfundssikkerhed (SAMSIK) | EE / IE | tele@samsik.dk |
| Air, rail, and road transport; port operations | Trafikstyrelsen (Danish Transport Authority) | EE / IE | cyber@trafikstyrelsen.dk |
| Maritime shipping and vessel traffic services | Søfartsstyrelsen (Danish Maritime Authority) | EE / IE | sfs-dcis@dma.dk |
| Postal and courier services | Trafikstyrelsen | IE | cyber@trafikstyrelsen.dk |
| Manufacturing (NIS2 Annex II critical categories) | Styrelsen for Samfundssikkerhed (SAMSIK) | IE | tilsyn@samsik.dk |
| Chemical production and distribution | Styrelsen for Samfundssikkerhed (SAMSIK) | IE | tilsyn@samsik.dk |
| Food production and wholesale distribution | Fødevarestyrelsen (Danish Veterinary and Food Administration) | IE | Via sector guidance |
| Space and research entities | Uddannelses- og Forskningsstyrelsen (Danish Agency for Education and Research) | IE | Via sector guidance |
| Public administration (state and municipal) | Styrelsen for Samfundssikkerhed (SAMSIK) | EE / IE | tilsyn@samsik.dk |
Notes on entity type: EE = Essential Entity; IE = Important Entity. Annex I sectors generally contain Essential Entities; Annex II sectors contain Important Entities. An entity in an Annex II sector may be elevated to Essential by the competent authority based on its specific critical function. Greenland and the Faroe Islands are not covered by Lov nr. 434 — those territories maintain separate cybersecurity governance outside EU NIS2 scope.
A practical note on Digitaliseringsstyrelsen versus Erhvervsstyrelsen: earlier draft guidance and pre-legislation plans referenced Erhvervsstyrelsen (the Danish Business Authority) as a potential authority for digital infrastructure and ICT services. Under the final implementation published by SAMSIK, Digitaliseringsstyrelsen holds that supervisory role. Erhvervsstyrelsen retains its business registration and market oversight functions but is not listed as a NIS2 sector supervisor in the current authority framework.
SAMSIK and CFCS — Understanding the Coordinating Layer
The relationship between SAMSIK and CFCS is a practical source of confusion in Danish NIS2 compliance guides. Here is the structural reality: Styrelsen for Samfundssikkerhed (SAMSIK) is the overarching national authority. It coordinates NIS2 implementation across all sector authorities, serves as Denmark’s Single Point of Contact (SPOC) for cross-border NIS2 cooperation under Article 8 of the Directive, and acts as the direct competent authority for sectors without a specialist body assigned — manufacturing, chemicals, public administration, telecommunications, and vessel traffic services all fall under SAMSIK’s direct supervision.
Center for Cybersikkerhed (CFCS) — the Centre for Cyber Security — operates under SAMSIK’s umbrella. CFCS was historically part of the Ministry of Defence before consolidation into the SAMSIK structure. Its primary NIS2 function is as Denmark’s national CSIRT: all NIS2 incident notifications across all sectors route to CFCS, regardless of which sector authority supervises compliance documentation. If you visit cfcs.dk, you will be redirected to samsik.dk — this reflects the organisational consolidation, not the loss of CFCS’s operational function.
In practice: your sector authority (Energistyrelsen for energy, Finanstilsynet for finance, and so on) is who supervises your compliance posture, reviews your documentation, and holds the power to sanction you. CFCS is who you notify within 24 hours of discovering a significant incident. Both roles are essential; SAMSIK is the coordinating roof above the entire structure.
CSIRT Routing — CFCS, GovCERT, and DKCERT Explained
Danish cybersecurity guidance and vendor documentation frequently reference three acronyms in the same breath — GovCERT, DKCERT, and CFCS. Getting the routing right matters for NIS2 incident compliance.
GovCERT was Denmark’s dedicated government CSIRT, responsible for cyber incidents affecting central government systems. In 2014, GovCERT was fully consolidated into CFCS and no longer exists as a separate entity. Its functions — government incident coordination and the Network Security Service (Netsikkerhedstjenesten) — are now run by CFCS directly. References to GovCERT in compliance documentation published before 2014 or by vendors unfamiliar with the current structure refer to capabilities now absorbed by CFCS.
DKCERT (cert.dk) is operated by DeiC, the Danish e-Infrastructure Consortium, and serves exclusively as the CSIRT for Denmark’s research and education network (forskningsnettet). DKCERT handles incidents affecting universities, research institutions, and educational organisations connected to the national research network. It is a FIRST-registered team with a clearly defined scope: the research network only. DKCERT operates entirely outside the NIS2 incident reporting framework. If your organisation is a commercial entity or an in-scope public body, DKCERT is not a reporting channel for NIS2 purposes.
CFCS is the single NIS2 national CSIRT for all in-scope entities across all sectors. All three stages of the notification timeline required under Article 23 of the Directive — the 24-hour early warning, the 72-hour full notification, and the one-month final report — are submitted to CFCS. Contact: cert@cert.cfcs.dk | +45 333 25 580. CFCS operates 24/7. The routing rule is straightforward: if you are a NIS2-covered entity and a significant incident occurs, report to CFCS regardless of your sector. Your sector authority handles compliance supervision; CFCS handles incident coordination.
Denmark’s Criminal Prosecution Enforcement Model
Denmark’s enforcement approach is structurally different from almost every other EU member state — and the difference matters for how compliance teams should frame the risk to management. Most EU jurisdictions implement NIS2 penalties as administrative fines, issued directly by the competent authority and payable without criminal proceedings. Denmark does not use administrative fines for NIS2 violations. Instead, violations are referred to the police and pursued through criminal prosecution. The penalty ceiling is identical to the Directive’s Article 34 maxima — but the route to that ceiling runs through the courts.
| Entity Type | Maximum Penalty (Article 34, NIS2 Directive) | Enforcement Route in Denmark |
|---|---|---|
| Essential Entity | €10,000,000 or 2% of total annual global turnover (whichever is higher) | Criminal prosecution via police referral from competent authority |
| Important Entity | €7,000,000 or 1.4% of total annual global turnover (whichever is higher) | Criminal prosecution via police referral from competent authority |
The criminal prosecution model carries two practical implications beyond the financial exposure. First, proceedings are substantially slower and more visible than administrative processes — the reputational impact of a formal criminal referral may exceed the financial penalty in most scenarios. Second, personal management liability under the Danish Act is narrower than in some EU states: management accountability applies only where gross negligence or intent can be demonstrated, rather than as a default strict liability rule.
Sector authorities retain direct supervisory powers including inspection rights, compliance orders, and directives to implement corrective measures. Criminal prosecution is the escalation path for serious or persistent non-compliance. Enforcement activity is expected to increase during 2026 as SAMSIK and sector authorities complete their first full supervisory cycle following the July 2025 entry into force. For detailed treatment of Denmark’s penalty structure and management accountability rules, see the NIS2 penalties overview.
Registration and the Virk.dk Portal
All Danish NIS2 entities register through virk.dk, Denmark’s central business registration portal. Registration requires MitID authentication. The system routes each submission automatically to the relevant competent authority based on the sectors declared — organisations in multiple sectors reach multiple authorities through a single submission.
The primary registration deadline — 1 October 2025 — has passed. Organisations that were in scope when Lov nr. 434 entered into force on 1 July 2025 were required to register by that date. Non-registration is an independent compliance failure, distinct from technical measure obligations under Article 21.
Two ongoing registration rules govern entities entering scope after the deadline:
- New-scope entities: If your organisation becomes subject to NIS2 after 1 October 2025 — through growth past the size threshold, entry into a new regulated sector, or change in service scope — you must register within 2 weeks of crossing the scope boundary.
- DNS, cloud, and online marketplace providers: These categories have a longer initial window of 3 months from entering scope, reflecting the complexity of identifying in-scope entities in those categories.
For step-by-step scope determination, the NIS2 scope guide covers the entity-type decision logic. For the formal registration requirements, the entity registration guide provides the full process. Supervisory measures that apply once registered — inspection protocols, compliance directives, and audit cycles — are detailed in supervisory measures.
Incident Reporting Obligations
All significant incidents are reported to CFCS, regardless of sector. Article 23 of the NIS2 Directive sets a three-stage notification timeline that Denmark has adopted without modification:
| Stage | Deadline | Required Content |
|---|---|---|
| Early warning | 24 hours after discovery | Incident confirmed; suspected cause (attack / technical failure / other); cross-border impact yes/no |
| Full notification | 72 hours after discovery | Updated assessment; initial severity; indicators of compromise; affected services identified |
| Final report | 1 month after full notification | Detailed description; severity classification; root cause; remediation steps and lessons learned |
An incident qualifies as “significant” if it causes or is capable of causing severe operational disruption or material financial loss to the entity — or has caused or is capable of causing considerable damage to other persons. CFCS publishes sector-specific significance thresholds for each supervised sector. Reporting channel: cert@cert.cfcs.dk or the Virk.dk portal for digital submission. For the full framework covering what triggers a reportable incident and how to document it, see the Article 23 incident notification guide.
How to Identify Your Danish NIS2 Authority — Four Steps
1. Confirm scope. Does your organisation employ 50 or more people, or does it exceed €10M in both annual turnover and balance sheet total? If no to both, you are likely outside scope — check whether a critical-function designation applies. Use the scope guide for the full decision tree.
2. Identify your sector. Which NIS2 sectors does your organisation operate in? Cross-reference with the authority table above. If you span multiple sectors, you interact with multiple competent authorities.
3. Classify your entity tier. Annex I sectors generally map to Essential Entity classification; Annex II to Important Entity. Your tier affects supervisory intensity and maximum penalty ceiling, not your Article 21 technical obligations — both tiers carry the same security requirements.
4. Register via Virk.dk and prepare CFCS incident reporting. If you have not yet registered, do so using MitID authentication at virk.dk. Separately, document your CFCS incident reporting process — this is operationally distinct from registration. Energy sector operators should confirm whether Act No. 258 (March 2025) applies additional sector-specific obligations beyond the Directive baseline.
Frequently Asked Questions
Is CFCS still the correct reporting body, or should I use samsik.dk?
Both remain valid. CFCS operates under the SAMSIK umbrella but retains its own brand, contact details, and operational function as the national CSIRT. For incident reporting: cert@cert.cfcs.dk or the Virk.dk portal. For general NIS2 questions, sector authority contacts, and registration guidance: samsik.dk/nis2 is the central information hub. Visiting cfcs.dk will redirect to samsik.dk — this reflects organisational consolidation, not a change in CFCS’s incident response role.
Does DORA replace NIS2 obligations for Danish financial entities?
Not entirely. DORA applies as lex specialis for specific ICT risk management and incident reporting provisions — it takes precedence over NIS2 Article 21 obligations for those provisions in covered financial entities. However, NIS2 still governs scope determination, entity registration with Finanstilsynet, and CSIRT notification routing to CFCS. Danish financial entities must navigate both frameworks. DORA’s 4-hour initial incident notification deadline is stricter than NIS2’s 24-hour early warning — a practical consideration for incident response planning.
What happened to the Erhvervsstyrelsen NIS2 supervisory role?
Pre-legislation plans and some vendor guides referenced Erhvervsstyrelsen (the Danish Business Authority) as a potential supervisory authority for digital infrastructure and ICT services. Under the final implementation reflected in SAMSIK’s published authority overview, Digitaliseringsstyrelsen (Danish Agency for Digital Government) holds that supervisory role. Erhvervsstyrelsen retains its business registration and competition oversight functions but is not listed as a NIS2 sector supervisor in the current framework.
My organisation provides services in Denmark but is established in another EU state. Which authority applies?
NIS2 jurisdiction under Article 26 is primarily determined by where the entity is established, not where it delivers services. Non-Danish entities providing services to Danish customers are generally subject to NIS2 in their own member state. The exception applies to entities established outside the EU that must designate an EU representative — see the Article 26 jurisdiction guide for the full rule set.
Can sector authorities issue sanctions directly, or is everything routed through criminal prosecution?
Sector authorities hold direct supervisory powers including inspection rights, binding compliance orders, and directives to implement corrective measures. Criminal prosecution is the escalation mechanism for serious or persistent non-compliance — not the first-line response. In practice, expect sector authorities to use administrative compliance tools first, with criminal referral reserved for egregious failures or deliberate non-compliance.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS2 — Overview of Competent Authorities, Styrelsen for Samfundssikkerhed (SAMSIK)
- NIS2 — Sektoransvarlige myndigheder, Styrelsen for Samfundssikkerhed (SAMSIK)
- Lov nr. 434 af 6. maj 2025 — Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau, Retsinformation.dk
- NIS-2 Regulatory Framework, Digitaliseringsstyrelsen
- Registration Obligation and Incident Reporting, Digitaliseringsstyrelsen
- NIS2 in Denmark, European Commission
- Directive (EU) 2022/2555 (NIS2), EUR-Lex
- DKCERT — Danish Computer Emergency Response Team, DeiC
- About CFCS / CERT, Center for Cybersikkerhed
- NIS-2 Q&A, Søfartsstyrelsen
- NIS2 Sector Guidance, Trafikstyrelsen
- NIS2 Denmark — Certification and Compliance, nis2certification.eu
- NIS2 Transposition in Denmark, nis-2-directive.com
