Danish Implementation of NIS2 Legislation Postponed – Again!

Fire NIS2-udsættelser

First, there was one delay. Then two, then three – and now the implementation date for NIS2, the directive aimed at ensuring a high common level of cybersecurity across the EU, has been postponed a fourth time. Just three days before it was originally due to be implemented in Danish law, the Ministry of Civil Protection and Emergency Management announced that it had informed the EU Commission that Denmark does not expect NIS2 to come into force domestically until July 1, 2025 – nearly nine months past the EU’s deadline.

Postponement Signals Hesitation

On February 5, 2024, the Danish Ministry of Defence announced that implementation of the EU’s new NIS2 Directive in Danish law was taking longer than expected. Originally, the bill was scheduled to be introduced to the Danish Parliament in Q1 2024, first submitted for consultation on July 5, 2024, with the aim of being passed in October 2024 after the summer break. But due to the complexity and scope of the legal work, it's now expected to be passed in February 2025.

This means Denmark will not meet the EU’s official implementation deadline of October 17, 2024. Initially, Minister of Defence Troels Lund Poulsen expected a delay of about two months, with the directive entering into force by the end of 2024. That didn’t hold. The date was then moved to January 1, 2025, later to March 1, 2025 – and now it's been postponed again to July 1, 2025.

This drawn-out process has sparked widespread criticism from cybersecurity experts, IT lawyers, and consulting firms – criticism that Ulrik Ledertoug, Director of Business Development & Services at Orange Cyberdefense Denmark, agrees with.

“No matter how you spin it, the Ministry’s announcement is a sign of hesitation – and it’s becoming a giant security blanket over Denmark’s cybersecurity,” he says.

Cybersecurity Is Critical to Society

The purpose of the NIS2 Directive is to ensure a higher and more uniform level of cybersecurity for all companies, organizations, and public authorities responsible for critical infrastructure – such as water, energy, food, transport, communications, and healthcare. According to Ulrik Ledertoug, improving cybersecurity across the EU is urgently needed, given the current and future threat landscape.

“It’s a matter of national importance that we strengthen cybersecurity due to the unstable geopolitical climate, which has greatly intensified cyber threats. But without a Danish NIS2 law, I fear that overburdened executive teams and boards will focus on matters closer to business – and delay action on NIS2 until it becomes a legal requirement,” he says.

He continues:

“Recent examples of these threats include frequent DDoS attacks that overwhelm websites of Danish companies, public organizations, and authorities – as well as far more severe ransomware attacks with potentially devastating consequences. We need to take these threats seriously.”

“In January 2023, the Danish Centre for Cybersecurity raised the threat level from pro-Russian cyber activist groups from medium to high, and in June 2024 raised the threat of destructive cyberattacks on critical Danish infrastructure from low to medium. That warning led the Danish government and Emergency Management Agency to issue new guidance urging citizens to stock supplies for at least three days in case of crises or hybrid warfare.”

Delays Could Cause Major Problems

In this context, Ulrik Ledertoug finds it unacceptable that Denmark cannot meet the original deadline for having NIS2-required security improvements up and running.

“The Ministry now expects the law to pass Parliament in March 2025. But that’s vague, and it causes many to lean back instead of proactively engaging with NIS2,” says Ulrik Ledertoug.

“Many affected companies and authorities haven’t started properly – and haven’t drafted a roadmap for meeting the minimum requirements clearly outlined in the NIS2 Directive. Since it’s not yet implemented into Danish law, there’s a real risk that everyone stays idle until after New Year – while those with malicious intent continue scanning our critical infrastructure for vulnerabilities.”

He adds:

“If we imagine a cybersecurity scale from 1 to 5 – with 1 being low resistance and 5 being optimal protection – NIS2 compliance is about 3.5 to 4.0. But even Denmark’s largest enterprises, despite years of investment, are only around 1.5. SMEs are even lower. It’s reckless to keep delaying. We must start now!”

The Market Will Be Drained of Consultants

Ulrik Ledertoug also warns that the repeated delays could trigger a chaotic situation in spring 2025 – especially if a short deadline is suddenly enforced.

“The legal process is taking so long that it may result in immense pressure on affected organizations and local security vendors in early 2025. Everyone might wait until the last minute, creating a rush that will drain the market of external consultants and NIS2 experts,” he says.

“When companies realize they can’t manage compliance internally, we’ll face serious bottlenecks. There simply won’t be enough experts available to meet demand before the deadline.”