Denmark is not ready for EU’s new cyber security rules

Municipalities and SMEs still lack the skills and resources to comply with new EU rules on cyber security, leaving essential services at risk of disruption, warns CBS researcher

Denmark is one of Europe’s most digitalised societies. Almost every part of daily life, from healthcare to transport, runs on digital systems. But being highly digital does not mean being highly secure.

“We are facing the biggest cyber threat yet, but we are not ready. The threats come from criminal ransomware groups but also from hostile state actors,” says Jan Lemnitzer, Assistant Professor at Copenhagen Business School, where he does research on European cyber security policy and the implementation of the EU’s NIS2 directive.

According to Jan Lemnitzer, Denmark’s critical infrastructure, including municipalities and medium-sized companies, is underprepared for the requirements of the EU’s new NIS2 directive – meant to strengthen cyber security in Europe.

This leaves the country at risk of being left devastated by cyberattacks, Jan Lemnitzer says.

“Some companies are already gambling that regulators won’t be ready. They are not complying.”

Municipalities are included, but not prepared

NIS2 expands the definition of critical infrastructure. It is no longer just large banks and energy companies that must demonstrate they can manage cyber risks.

Municipalities, bus operators, wastewater plants, and many medium-sized firms with more than 50 employees now fall under the directive.

Including municipalities makes sense, according to Jan Lemnitzer. They hold vast amounts of personal data and provide essential services in a highly digital society. But they are also among the least prepared to defend themselves, he says.

“Municipalities are now classified as critical infrastructure, which makes sense because they hold so much sensitive data and run essential services. But their cyber defences are poor. They don’t have the expertise, and they don’t have the budgets. They can’t hire top experts, and politically it would be very unpopular to take money from kindergartens to pay for DDoS defence,” says Jan Lemnitzer.

Shared responsibility delays implementation

EU countries were required to put NIS2 into national law by October 2024. Denmark, however, delayed implementation until the summer of 2025. And enforcement will not begin for many months, creating a dangerous vacuum, Jan Lemnitzer warns.

The Ministry of Resilience has the overall authority, but the responsibility for enforcement of NIS2 will be divided between ten different sector regulators, such as the Danish Transport Authority and the Danish Veterinary and Food Administration.

The idea is that each regulator will check whether organisations in their sector manage cyber risks properly. But in practice, most lack the skills to do so, says Jan Lemnitzer.

“Who in the Food Administration is able to tell Arla that they are doing cybersecurity wrong? They do not have staff who can realistically assess whether, for example, Arla’s cybersecurity management is correct. So, the Food Administration and other regulators will end up hiring Deloitte or PwC to do it for them,” Jan Lemnitzer says.

This fragmentation and lack of expertise mean that enforcement will likely be slow and inconsistent. And as long as the rules are not enforced, many companies and municipalities will choose to wait before investing in compliance.

Not just data: An attack could leave citizens without water or transport

This leaves Danish society vulnerable to cyberattacks that could disrupt daily life. Denmark’s high level of digitalisation means that a single weak link can have huge consequences.

In 2022, an IT supplier’s failure forced DSB to stop all trains in Denmark for a day, even though it wasn’t a cyberattack directed at DSB.

In December 2024, a pro-Russian cyberattack on a small water treatment plant near Køge left 50 households without water for hours after hackers manipulated pressure in the system.

“While this attack may seem small, it actually changed the national risk assessment for cyber threats, as it showed that Russian state hackers are actively targeting Danish infrastructure,” says Jan Lemnitzer.

The government’s own advice to households, asking Danes to stock up on three days’ worth of food and water, was furthermore based on scenarios involving cyberattacks against the national power grid.

“It’s not just data. A successful attack could mean no water, no trains, no mobile service. We are facing the biggest cyberthreat yet, but we are not ready. The rules are there, but if they are not enforced consistently, companies and municipalities will delay compliance. And that leaves us exposed,” Jan Lemnitzer says.

CBS launches the SUCCESS tool

Part of the challenge in implementing NIS2 is that many small and medium-sized enterprises (SMEs) and municipalities lack the in-house expertise to meet the requirements. Hiring consultants is expensive, and skilled staff are in short supply.

To bridge this gap, Jan Lemnitzer and his team at CBS are preparing to launch a new tool for SMEs during Cybersecurity Awareness Week in early October.

The SUCCESS tool is designed to help organisations without cybersecurity departments carry out the risk assessments NIS2 requires.

“Most SMEs don’t have the expertise or the budget to hire consultants. SUCCESS is an Excel-based tool where you simply fill out a form. It requires no specialist training, but it helps firms carry out and document the cyber risk assessments NIS2 demands,” Jan Lemnitzer explains.

By turning research into practice, CBS hopes to help smaller organisations comply with EU rules and strengthen Denmark’s overall resilience.

“All large companies rely on hundreds of SME suppliers, but they are the weak link in cybersecurity. If SMEs can raise their cybersecurity standards, it makes a difference not just for Denmark, but for Europe as a whole,” says Jan Lemnitzer.

About the researcher:

Jan Martin Lemnitzer is Assistant Professor at the Department of Digitalization, Copenhagen Business School. He holds an MA degree from Heidelberg University and completed his PhD at the London School of Economics and Political Science.

Coming from a background in international politics and history, his research explores cyber norms and cyber security in international politics. More recently he has been focusing on business cyber security, cyber insurance and cyber security regulation (especially its implementation).

Facts

Ransomware – a type of malware that locks or encrypts your files and systems to block access. A ransom is then demanded in order to restore access.

DDoS – Distributed Denial of Service is a cyberattack in which the attacker floods a network or website with so much fake traffic that it becomes overloaded and unavailable to legitimate users.