All four NIS2 guides have now been published - and with the NIS2 Act (LOV. 06.05.2025) coming into force tomorrow, July 1, 2025, the timing is fitting. Many companies and public organizations have struggled to figure out how to comply with the requirements in practice.
There has been a lot of uncertainty: Who is actually covered? What does top management's responsibility mean? How and when should incidents be reported - and to whom? Much of this is now clearer, and you can find help in the four guides produced by the Danish Safety Technology Authority. They cover everything from incident handling to management responsibilities and implementation of cybersecurity measures - and they include concrete examples so you're not left in the dark.
Does that mean we can sit back now? Absolutely not. It's one thing to know the legal requirements - it's another to actually comply with them. And compliance must be adapted to the company's risk profile and its impact on society.
Fortunately, the legal text states that it is beneficial to rely on international standards. Specifically, ISO/IEC 27001 and ISA/IEC 62443 - two of the most recognized security standards in the world.
Is your business covered?
The first thing to consider is whether your company is covered by NIS2 at all. This depends on both your industry and your size. If your company has more than 50 employees or an annual turnover or balance sheet of more than €10 million, and is active in one of the sectors listed in appendices 1 and 2 of the law, then there's good reason to read on.
But smaller businesses can also be covered if they play a particularly important role in society. And when just one part of the business falls under the law, the rules actually apply to the whole company.
Cybersecurity requirements
NIS2 isn't just about getting the technology right - it's about getting the whole organization on board. The law sets out ten areas where cybersecurity must be addressed. This covers everything from backup and incident management to training, access control and secure software development.
These are not recommendations - they are minimum requirements that you must be able to document. The good thing is that the requirements provide a solid structure for managing your security and are based on well-known principles from ISO 27001 and ISA/IEC 62443.
Management responsibility
Top management does not escape responsibility - quite the opposite. NIS2 makes it very clear that the board and executive management are responsible for taking cybersecurity seriously. It's about both setting the direction and ensuring follow-through. And it's not just on paper - in the worst case, there could be personal sanctions. That's why it's important that management acquires the right skills and ensures that the entire organization works with cybersecurity in a structured way.
Duty to notify
If something goes wrong - that is, if there is a significant incident that affects operations, finances or other parties - you have a duty to notify both authorities and the CSIRT. This must be done quickly: initial notification within 24 hours, a follow-up within 72 hours and a final report within a month.
There is also the option of sending a voluntary notification if you are in doubt - it's better to be ahead of the game.
Responsibility of suppliers
If you are a supplier to a company covered by NIS2, there's no way around it. You'll be expected to demonstrate that you take cybersecurity seriously - especially if you develop software, operate systems or have access to critical data. Your customers may demand documentation, ask questions and even audit you.
How do you get started?
The most important thing is simply to get started. Here are three simple steps:
- Get an overview: Carry out a gap analysis against the requirements set out in section 6.
- Get your documentation in order: policies, procedures and responsibilities.
- Be ready for audits: Make sure you can explain your security work and show what you've done.
Remember: It's not perfection that counts - it's progress, documentation and the willingness to take responsibility.
The four guidelines from the Danish Safety Technology Authority
Here is a brief introduction to each of the four key guides published to help businesses and governments understand and implement the requirements of the NIS2 Act:
1. Scope guidance (May 2025)
   This guide helps businesses and governments assess whether they are covered by the NIS2 Act. It explains the rules for size, sector and societal importance, and how to understand the entire organization's coverage under the law.
2. Guide to implementing cybersecurity measures (June 2025)
   This guide elaborates on the requirements of Section 6 of the NIS2 Act. It describes ten key measures that all covered entities must implement - from risk management and incident management to supply chain security and access control.
3. Guidance on the role and tasks of management (May 2025)
   This guide gives top management a clear picture of their responsibilities, what they need to document and what sanctions they could potentially face. It emphasizes that cybersecurity is a management responsibility - not just an IT task.
4. Guidance on incident notification (June 2025)
   This guide explains when and how to report significant incidents. It also includes a decision tree and templates to make it easier to assess when to notify and how to do it correctly.