Understanding NIS2 guides - from directive to action

Legislation, 2025-06-30

By Amanda Dige Trudslev | 1,069 words | Read time: 6 minutes

NIS2 became law today. If your business operates within one or more of the 18 critical sectors identified by the directive, now is the time to ensure you are aligned with the new EU framework for cybersecurity.

To support the transition, Styrelsen for Samfundssikkerhed (SAMSIK) has published four general guides aimed at helping Danish companies understand and meet the requirements of NIS2. They cover scope (whether you are covered at all), the responsibilities of management, the implementation of cybersecurity measures, and the reporting of significant incidents. Each is summarised below.

Keep in mind: sector-specific guidance will come from the relevant sector authorities. If you are in doubt about which authority will guide and supervise you, you can find more information here.

In this post, we walk you through the main takeaways from each of SAMSIK’s guides. And as always, Trifork Security is here to help – whether you are unsure about your obligations or need support putting the right security measures in place.

1. Are you covered by NIS2?

This guide focuses on helping organisations assess whether NIS2 applies to them. It covers:

  • How entities are defined, and how size is calculated
  • The 18 covered sectors
  • The distinction between essential and important entities
  • Coverage of public administration entities
  • Registration obligations
  • Rules for suppliers to NIS2-covered entities

In short: if your organisation operates in a covered sector and either has at least 50 employees (measured in full-time equivalents) or has both an annual turnover above €10 million and a balance sheet total above €10 million, it is most likely covered. Size is not the whole test, however: the directive also brings certain entities within scope regardless of size, for example providers of public electronic communications networks or services, trust service providers, and TLD name registries and DNS service providers. Please note that companies and organisations are themselves responsible for assessing whether they are covered by the NIS2 Directive.

Once covered, the entire entity falls under the directive – not just the part of the business that matches the sector. Please note that NIS2 is based on a risk methodology, so non-critical activities do not necessarily need to be protected at the same level; it all depends on your specific risk assessments.

While future registration deadlines will be tight (two weeks for most, three months for digital infrastructure), existing entities have until October 1, 2025 to register.

2. What does NIS2 expect from management?

This guide outlines the responsibilities of the management body (e.g. the board or executive team), including:

  • What “leadership” means in the context of NIS2
  • How responsibilities can be delegated within the organisation
  • Requirements for risk management and training
  • Leadership’s role in overseeing cybersecurity efforts
  • Competencies
  • How management should contribute to employee training
  • What consequences there may be for non-compliance

Management is expected to approve and oversee all technical, operational, and organisational cybersecurity measures. It must also ensure that these measures are actually implemented and have the intended effect in relation to the identified risks. While tasks can be delegated, ultimate responsibility remains with the management body.

There’s also a requirement for management to receive relevant training on handling cybersecurity risks. While not every individual must complete it, the management body must collectively have the necessary competencies to ensure effective governance.

3. Implementing cybersecurity measures

This guide walks you through the essential, risk-based steps to build a robust cybersecurity posture. Key areas include:

  • Policies for risk assessment and information system security: Entities are expected to have approved policies for risk management and information system security, and to conduct regular risk assessments.
  • Incident handling: The guide includes measures for preparing for and responding to incidents. Emphasis is placed on quick response, impact limitation, and ensuring that responsibilities are clearly defined in advance. Furthermore, the guide highlights logging and automated monitoring as key elements in maintaining visibility and ensuring a swift response to potential incidents.
  • Business continuity: Measures must ensure the continued delivery of critical services, even during disruptions.
  • Supply chain security: Supply chain security is a key element of NIS2, and the guide presents which measures should be implemented to maintain a high level of security, for you and your supply chain.
  • System acquisition, development, and maintenance: Security should be built into the lifecycle of all systems, from procurement to decommissioning, including vulnerability handling and disclosure. This also means ensuring that updates and patches are applied securely and in a timely manner.
  • Policies to assess the effectiveness of risk management: Entities should define how cybersecurity efforts are evaluated and improved over time, with periodic reviews and adjustments based on lessons learned.
  • Cyber hygiene and staff training: Basic practices like software updates, strong password policies, and phishing awareness training are critical. Regular training sessions and refreshers are recommended for all employees.
  • Cryptography: The guide presents measures regarding cryptography, including policies and key handling.
  • Employee security, access control policies and asset management: The guide elaborates on these three areas, e.g. roles and access rights must be clearly assigned and reviewed regularly, and assets must be inventoried and owned.
  • MFA and emergency communication systems: Multifactor authentication (or continuous authentication) should be used on systems where appropriate. Furthermore, entities should assess whether secured voice, video and text communications and alternative emergency communication channels are necessary.

SAMSIK’s guide divides its guidance into mandatory (‘shall’/’skal’), recommended (‘should’/’bør’), and optional (‘may’/’kan’) actions, helping you prioritise based on risk and available resources. You will also find references to the relevant sections of recognised cybersecurity standards, making it easier to combine compliance with best practice.

4. Reporting significant incidents

The final guide helps entities understand their obligations for reporting significant incidents under NIS2. It applies to both essential and important entities and provides clarity on what needs to be reported, how, and when. The guide includes:

  • What counts as a reportable incident
  • Reporting obligations when using third-party service providers
  • Requirements for trust service providers
  • Voluntary reporting and examples

A significant incident is one that has caused, or is capable of causing, severe operational disruption of the entity’s services or financial loss for the entity, or one that has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage.

Notifications must be submitted via Virk.dk, which forwards reports to the appropriate sector authority and CSIRT, with the option to notify Datatilsynet as well, in case of an incident involving personal data.

The reporting process consists of three phases. The first two clocks start when the entity becomes aware of the incident; the third runs from the incident notification:

  1. Early warning – within 24 hours of becoming aware, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
  2. Incident notification – within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and any indicators of compromise
  3. Final report – within one month after the incident notification, describing the incident, its root cause or threat type, the mitigation applied and any cross-border impact

If the incident is still ongoing when the final report falls due, a progress report is submitted instead, and the final report follows within one month of the incident being handled. The CSIRT or sector authority may also request intermediate status updates along the way.

Even if your organisation isn’t covered by NIS2, you can still voluntarily notify the CSIRT about incidents, near misses, or cyber threats. Such voluntary reports are not subject to public records requests.

Whether you are just starting to assess your obligations or already working on implementation, now is the time to ensure your organisation is ready. The guidance from SAMSIK offers a solid foundation, and at Trifork Security, we are here to help translate those words into action.

If you have questions or need a second set of eyes on your next steps, don’t hesitate to reach out.