
NIS2

NIS2 is the EU directive that raises the baseline for cyber resilience across critical sectors. It widens scope, makes management personally accountable, sets minimum security measures and imposes hard incident-reporting deadlines. This page is a compressed, practical overview, including how the directive lines up with ISO 27001 and the CIS Controls.


What NIS2 is

The original NIS directive (NIS1, 2016) was the EU's first attempt to lift cybersecurity across member states by setting technical and organisational requirements for operators of critical services and harmonising the level of security EU-wide. NIS2 — Directive (EU) 2022/2555 — replaces it and goes considerably further.

It applies to operators of societally critical services and now reaches far beyond the original set. Where NIS1 focused on sectors like telecoms, finance, energy, health, transport and water, NIS2 widens the net to include areas such as food production, manufacturing, waste management and digital service providers. The reasoning is unchanged: attacks on critical sectors carry large societal risk.

The directive itself is the legal source; each member state transposes it into national law. In Denmark that is NIS2-loven — formally the Law on measures to ensure a high level of cybersecurity. Read the national law together with the directive to get the framing right.

Who it covers — essential vs important

NIS2 splits covered entities into two tiers based on how critical and how large they are. The requirements are essentially the same for both; the difference is in supervision intensity and the sanction ceiling.

Essential entities (VE)

Subject to proactive supervision — authorities can audit before anything has gone wrong. Higher fines apply.

Important entities (VI)

Primarily reactive supervision — checked after an incident or on concrete suspicion. Lower sanction ceiling than essential.

You self-assess. Authorities don't tell you that you're in scope — each organisation must determine for itself whether it's covered, then register. A medium-to-large entity providing services in a covered sector is the typical threshold. In Denmark the NIS2tjek.dk tool helps you check.

Management accountability

One of the sharpest changes from NIS1: NIS2 puts cybersecurity on the management table and keeps it there. Leadership must:

This is the governance hook: NIS2 is not an IT-department problem, it's a board-level obligation.

The security measures (risk management)

Covered entities must implement a set of cyber risk-management measures, taking an all-hazards, risk-based approach. The directive's Article 21 lists the minimum areas — they read like a condensed ISMS:

National guidance often expresses these as skal / bør / kan (must / should / could): mandatory measures, strong recommendations you must justify if you skip, and inspiration for going further. De-selecting a "should" needs documentation — e.g. cost, maturity or risk profile.

Incident reporting — the clock

Significant incidents must be reported to the relevant authority on a fixed ladder. Miss the window and you're non-compliant regardless of how well you handled the incident technically.

24h: Early warning to the authority
72h: Incident notification / fuller report
30d: Final report

In Denmark, incident notifications go in via Virk.dk, the national CSIRT role sits with the Defence Intelligence Service (FE), and CFCS provides technical support. Test and document the reporting procedure in advance so roles are clear across operations, helpdesk and management when something actually happens.

Supply-chain reach

NIS2 doesn't directly regulate the suppliers of a covered entity — but it reaches them indirectly. Because supply-chain security is one of the mandatory measures, a covered entity must assess the security of its relationships with suppliers and service providers, and will pass relevant requirements down its contracts.

So even if you're not in scope yourself, you may feel NIS2 through a customer who is: expect contractual security minimums, audit rights and incident-reporting clauses. The requirements should be proportional to how important your delivery is to the customer's security — a risk-based approach, not a blanket maximum.

Denmark — where things stand

Denmark missed the EU's 17 October 2024 transposition deadline and took a multi-sector route rather than one single statute: a general cross-sector law plus sector-specific rules for energy, telecoms, finance and more. An entity can therefore be covered by both the general law and a sector law at once, which makes the compliance picture more complex than in countries with one unified text.

1 Jul 2025: NIS2-loven entered into force. Requirements apply from day one, with no transition period (unlike e.g. Finland).
1 Oct 2025: Registration deadline for covered entities (via Virk.dk). Not registering does not exempt you from the requirements.
Early 2026: Supervisory audits begin.
Roughly 6,000 Danish organisations are estimated to be in scope. Fines can reach up to €10 million (or a percentage of turnover) for essential entities. Failing to register doesn't hide you — it tends to surface during an incident or an audit.

Mapping to ISO 27001 and CIS

NIS2 tells you what to achieve but not how. The established frameworks fill that gap, and the directive explicitly encourages using recognised international standards (Articles 21 and 25):

In short: adopt ISO 27001 as the frame, implement with ISO 27002 / CIS, drive it with ISO 27005 risk, and NIS2 compliance largely falls out of good governance rather than a separate parallel project.