Select your country

BelgiumBelgium

ChinaChina

DenmarkDenmark

FranceFrance

GermanyGermany

GlobalGlobal

Maghreb & West AfricaMaghreb & West Africa

NetherlandsNetherlands

NorwayNorway

South AfricaSouth Africa

SwedenSweden

SwitzerlandSwitzerland

United KingdomUnited Kingdom

Not finding what you are looking for, select your country from our regional selector:

Search

  1. Denmark
  2. Insights
  3. Blog
  4. Regulations
  5. NIS2 in Practice – How We Support Your Cybersecurity – From Analysis and Strategy to Ongoing Security Operations

NIS2 in Practice – How We Support Your Cybersecurity – From Analysis and Strategy to Ongoing Security Operations

ComplianceCybersecurityData SecurityNIS2Regulations

Share

The EU's new NIS2 Directive is now being implemented into Danish legislation, introducing stricter cybersecurity requirements for thousands of Danish companies and organizations dealing with critical infrastructure.

The first steps toward NIS2 compliance involve gaining a clear overview of the organization's maturity level, critical systems and assets, existing security measures, and documentation. This forms the foundation for making informed decisions regarding future security investments.

As an international cybersecurity partner, we assist organizations of all types in navigating these requirements—both strategically and operationally. Through consulting and implementation support, we help make the path to NIS2 compliance shorter and more manageable. With the right priorities, cybersecurity can become an area of focus that directly contributes to a company’s resilience, competitiveness, growth, and development.

 
By Ulrik Ledertoug og Bo Drejer, Orange Cyberdefense

After several delays, the Danish implementation of the NIS2 legislation will take effect on July 1, 2025. This will result in significant changes to how cybersecurity is managed within all Danish companies working with critical infrastructure. Particularly, they will now be required to adhere to a series of binding and stricter cybersecurity regulations. This applies not only internally but also to the companies’ suppliers, who must also extend their focus on, among other things, risk management, incident handling, and reporting security incidents.

“NIS2 is not just 'another compliance requirement'—it is a significant tightening of responsibility for cybersecurity, primarily targeting top management, making well-known best practices a legal requirement for companies and organizations dealing with critical infrastructure. The scope of NIS2 can be a significant challenge—especially for small and medium-sized enterprises, as they now have to address new requirements and responsibilities. But NIS2 is also an opportunity to elevate cybersecurity to a strategic level, where the security effort is not just about protection but also about developing a more resilient business. At Orange Cyberdefense, we help companies gain an overview, prioritize efforts, and translate requirements into practical solutions that strengthen both security and business,” says Ulrik Ledertoug, Director of Business Development and Services at Orange Cyberdefense Denmark.

Uncertainty Leading to Insecurity Among Companies

As a cybersecurity partner for large private and public organizations, we often encounter significant uncertainty among our clients regarding what NIS2 will concretely mean for them.

“We naturally agree with both authorities and industry organizations that cybersecurity has become business-critical. But many companies are still left with a range of unanswered questions about NIS2, such as: Are we even affected? Where do we start? What is the most direct path to compliance? This is exactly where we can make a difference,” says Bo Drejer, GRC Manager at Orange Cyberdefense Denmark—and continues:

“At the same time, I think it is very positive that the Ministry of Civil Security and Emergency Management has now launched the NIS2 Check tool, which is intended to help organizations uncertain about whether they fall under the new NIS2 legislation.”

A New Reality with New Requirements

The tool is a significant step in the right direction, but as emphasized by the Ministry, it is only advisory. Companies still bear the ultimate responsibility for clarifying whether they are subject to the new legislation.

“For many organizations, the tool will not be enough. They need specific advice—particularly regarding risk and threat assessments and assistance in prioritizing their operational cybersecurity efforts. It’s about translating strategy into practice, ensuring they are adequately secured on a daily basis and prepared to respond effectively in case of an incident or crisis,” says Bo Drejer.

Compliance Requires More Than Good Intentions

The new NIS2 legislation not only introduces increased documentation and registration requirements but also demands governance, risk management, incident handling, and technical security measures.

“Many companies are in the midst of extensive digitalization, but cybersecurity has not necessarily kept pace. When they are then tasked with determining whether they fall under NIS2—and how to comply with its requirements—it becomes an overwhelming task. Therefore, we often see that our clients have a great need for help in establishing a strategic overview and aligning it with operational security,” explains Bo Drejer.

A Long and Complex Process

The implementation of NIS2 requirements into Danish legislation has been a complex and protracted process. The new legislation has been delayed by about nine months. This also means that guidance for companies has been postponed, leaving many organizations insufficiently prepared.

“The legislation from the EU side has been clear for several years, but it has taken a long time to process the directive in Denmark and implement it into Danish law. We have also been waiting for concrete guidance for a long time, and that has neither made the task easier nor more manageable,” says Ulrik Ledertoug and adds:

“It is critically important that we strengthen cybersecurity due to the unstable geopolitical situation in the world, which contributes to a significant increase in the cyber threat. But as long as the Danish NIS2 legislation was not in place, and the affected companies and organizations were not legally required to strengthen their cyber defense, many boards and management teams focused on other tasks, which is understandable. Unfortunately, this does not make the challenges any easier as we approach the July 1st deadline. Now, it may be difficult to make it if internal resources are lacking, as the demand for external consultants and NIS2 experts is high, and the market is already being drained.”

How We Pave the Way for NIS2 Compliance

At Orange Cyberdefense, we have consultants and cybersecurity experts who help both private companies and public organizations translate the complex NIS2 requirements into concrete actions and solutions that improve cybersecurity in the areas prescribed by the legislation.

With our Managed Security Services (MSS), based on collecting and analyzing vast amounts of security data from around the world, we offer operational cybersecurity that strengthens the cyber defense, protects all layers of the organization, and generates the documentation and transparency needed to comply with NIS2 requirements.

We deliver Managed Security Services to over 50,000 customers, including:

  • 24/7 Monitoring and Incident Response: Our Cyber Security Operation Centre continuously monitors your environment and responds quickly to all relevant security incidents.
  • Threat Intelligence and Vulnerability Scanning: We identify threats before they turn into attacks and close gaps in time.
  • Endpoint Detection & Response (EDR/XDR): Advanced protection of endpoints and networks, focusing on both detection and active response.
  • Vulnerability Management: By collecting and enriching large amounts of threat data, we create the basis for a threat-based approach that sharply prioritizes the resources our customers need to build a stronger cyber defense.

“Several of our MSS clients have told us that they previously lacked an overview of their security level and vulnerabilities because their approach to cybersecurity was mostly based on intuition. That can no longer be the case—both in terms of the current threat landscape and the new NIS2 requirements,” says Ulrik Ledertoug—and continues:

“Through our Managed Security Services, organizations can gain the overview and security robustness that NIS2 requires. By combining threat intelligence, incident handling, and documentation in one integrated solution, we make it possible for organizations to shift from reactive to proactive security. This not only ensures compliance but also better risk management, reporting, and documentation for management, boards, and authorities.”

GRC Consulting: From Strategy to Control and Overview

As one of Europe’s leading cybersecurity solution providers, we know what it takes to secure all types of organizations in relation to technology, processes, and people. Therefore, our GRC consulting (Governance, Risk & Compliance) is a natural part of the path to NIS2 compliance.

Our GRC team’s consulting starts with a business-oriented risk assessment. What are your most critical assets? What should be protected best? And what can the business temporarily continue without? This assessment should reflect in the prioritization of your security investments.

Our team focuses on your work and decision-making processes, investment plans, and how your cybersecurity fits into your overall business strategy. We also assist with the practical implementation of all recommendations.

We help with:

  • Risk and Threat Assessments: Setting direction and priorities in the work to become NIS2-compliant.
  • Gap Analyses and Maturity Assessments: Together, we map your organization’s current situation and define what is required to reach the goal.
  • Development and Implementation of Policies and Controls: Since NIS2 requires all affected organizations to document and follow their cybersecurity processes.
  • Incident Response, Emergency Plans, and Crisis Management: We help prepare and test your response to cyberattacks—whenever they occur.
  • Supply Chain Security: We advise on how subcontractors can be included in a secure supply chain without posing a risk that could weaken you.

According to Bo Drejer, there is a clear trend in almost all Danish companies and organizations:

“Most organizations and companies I visit are very mature in terms of digitalization. They have the technologies but lack the governance needed to become NIS2-compliant,” explains Bo Drejer—and elaborates:

“With our GRC consulting, we ensure that cybersecurity is not just products and services but a real management discipline that strengthens the entire organization and business. We help match the intentions of NIS2 requirements with the companies’ daily operations, so there is alignment between the organizations’ security practices and the new legislation. This makes a real difference because we ensure that processes are streamlined and available resources are used optimally—both in the short and long term.”

What You Need to Know: The Direction is Set, but the Rules Take Time to Implement

From the moment NIS2 comes into effect on July 1, 2025, all affected organizations and companies will have three months to register as subject to the new legislation.

“For most organizations, the NIS2 requirements are extensive and cannot be implemented overnight. The sooner you get assistance from a competent security partner, the better—and we are ready to help. Both as advisors, sparring partners, and as providers of the cybersecurity solutions needed in practice,” says Ulrik Ledertoug, and Bo Drejer follows up:

“At Orange Cyberdefense, we don’t view NIS2 as just another compliance exercise but as an excellent opportunity to strengthen your brand as a trustworthy and efficient supplier and partner—while reducing your cyber risk. We do this by anchoring your cybersecurity strategy and practices within your overall business strategy to ensure you achieve optimal long-term value. NIS2 compliance is not just about avoiding sanctions—it’s about strengthening your organization’s credibility, resilience, and ability to respond quickly and effectively to threats and, in the worst case, large cyberattacks.”

NIS2 is more than just requirements and legislation—it is a well-thought-out and structured framework to take cybersecurity seriously before it’s too late. Whether your organization needs advice, technology, or both, we can help. All the way from the initial analysis to implementation, operation, and the creation of governance processes that ensure you comply with the applicable laws and remain compliant at all times.

 

If you need advice on how your company should address the NIS2 Directive or the DORA Regulation, get in touch with one of our experts or fill out the form below.

Bo Drejer

GRC Manager

Jonas Jacobsen

MSS Sales Specialist

Ulrik Ledertoug

Director of Business Development & Services

We will contact you.

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.