Cybersecurity 2024 Comparisons

Last Updated March 14, 2024

Contributed By Sky Law

Law and Practice

Sky Law is a pioneering tech law firm dedicated to supporting technology companies in the tech, venture capital and fintech sectors. Sky Law prioritises staying ahead of legal trends to ensure clients achieve and maintain regulatory compliance with ease. The firm’s commitment to facilitating seamless operational processes is at the core of its philosophy. In addition to traditional legal support, Sky Law differentiates itself by offering an innovative suite of digital services. This suite of services includes digital tools developed to simplify and streamline compliance work with expertise and accuracy. In addition, the firm utilises AI-powered legal review tools, setting a new standard in the analysis and review of legal documents. By integrating these advanced technologies, Sky Law not only enhances its legal offering, but also ensures that its clients are well-equipped to deal efficiently with the legal challenges of the digital age.

Danish legislation does not offer a unified framework for addressing cybersecurity. However, a range of acts and regulations, both EU and national, address matters concerning cybersecurity.

Company Law

  • The Danish Companies Act.

Criminal Law

  • The Danish Criminal Code.

Critical Infrastructure

  • The Danish Act on Network and Information Security of Domain Name Systems and Certain Digital Services.
  • The Danish Act on Requirements of Security of Network and Information Systems within the Health Sector.
  • The Danish Act on Security of Network and Information Systems for Operators of Essential Internet Exchange Points etc.
  • The Danish Act on Security of Network and Information Systems in the Transport Sector.
  • The Danish Act on Network and Information Systems Security.

Data Protection

  • The General Data Protection Regulation (the GDPR). Penalties imposed for cybersecurity violations or data security incidents or breaches are primarily enforced under the GDPR. See 8.2 Significant Audits, Investigations or Penalties.
  • The Danish Data Protection Act.

Health Sector

  • The Danish Order on Health Preparedness Planning.
  • The Danish Order on Health Records.

Intellectual Property

  • The Danish Copyright Act.

Financial Services Sector

  • The Danish Financial Business Act.
  • The Danish Act on Payment Services.
  • The Danish Order on Management and Control of Banks etc.
  • The Danish Order on Outsourcing (see also DORA, the EU’s Digital Operational Resilience Act, which will be in full effect in 2025).

Telecommunications Sector

  • The Danish Radio and Television Act.
  • The Danish Telecommunications Act.

Other Sector-Specific Requirements for Emergency Preparedness and Response

  • The Danish Order on Preparedness for the Natural Gas Sector.
  • The Danish Order on Preparedness for the Electricity Sector.
  • The Danish Order on Preparedness Relating to Offshore Oil and Gas Operations.
  • The Danish Order on Preparedness Relating to Marine Pollution from Oil and Gas Installations etc.
  • The Danish Order on Railway Undertakings and Railway Infrastructure Managers.
  • The Danish Order on Risk-Based Municipal Emergency Services.

Trade Secret Protection

  • The Danish Trade Secrets Act.

Data Breach, Confidentiality and Information Security

  • The Danish Data Protection Act.

Other

  • The Constitutional Act of the Kingdom of Denmark.
  • The Danish Act on Television Surveillance.
  • The Danish Act on the Centre for Cyber Security.
  • The Danish Act on Trade Secrets.
  • The EU Cybersecurity Act.

The Danish Data Protection Agency is responsible for enforcing the requirements under the GDPR. The regulator responsible for enforcing the requirements for operators of essential and digital services depends on the sector of the operator in question.

The Danish Business Authority has oversight of the main sections of the Danish Telecommunications Act. The regulators responsible for enforcing the requirements under the Danish Act on Payment Services and for providers of financial services depend on the nature of the breach, but are primarily the Financial Supervisory Authority, the Danish Business Authority and the Danish Centre for Cyber Security.

  • The Danish Business Authority, Langelinie Allé 17, K-2100 København.
  • Danish Centre for Cyber Security, Kastellet 30, DK-2100 København Ø.
  • Financial Supervisory Authority, Finanstilsynet, Strandgade 29, 1401 København K.
  • The Danish Medicines Agency, Axel Heides Gade 1, DK-2300 København S.

Non-compliance with GDPR regulations may result in administrative fines (see 8.2 Significant Audits, Investigations or Penalties). Similarly, failure to meet the requirements for essential services can be sanctioned with fines, as can non-compliance with the Danish Telecommunications Act and the Danish Act on Payment Services. Providers of financial services failing to meet requirements may face fines and potential imprisonment.

In most European countries, national data protection authorities can themselves issue administrative fines for violations of the common European rules in the General Data Protection Regulation (GDPR). In Denmark, fines under the regulation must be decided by the courts once the Danish Data Protection Agency has recommended that a company be fined.

The implementation of the EU Network and Information Security 2 (NIS2) Directive in Denmark has been delayed. NIS2 aims to bolster and standardise cybersecurity measures across the European Union for businesses operating in sectors critical to the economy and society.

Building upon and replacing the prior EU Directive on Security of Network and Information Systems (NIS), NIS2 aims to impose new obligations on companies and authorities covered by the directive. These include the implementation of cybersecurity protocols, incident reporting procedures (with a 24-hour deadline for reporting incidents, as opposed to the 72-hour deadline under the GDPR), and stronger oversight and enforcement mechanisms.

In Denmark, the Ministry of Defence is responsible for the implementation of NIS2, with the Centre for Cyber Security (CFCS) being responsible for the sector-specific regulations. This process involves incorporating the directive into Danish law, with primary legislation establishing a foundational framework for compliance across sectors. Subsequent regulations tailored to specific sectors will be developed by the respective ministries in alignment with the primary legislation.

It is worth noting that the energy, finance, and telecommunications sectors will not fall under the purview of the main NIS2 law. Implementation for these sectors will occur separately, with CFCS facilitating the drafting of sector-specific regulations and collaborating with relevant authorities to ensure adherence to the directive’s stipulations.

Entities subject to NIS2 can prepare by acquainting themselves with the directive’s overarching provisions, which are broadly outlined. More detailed requirements will be outlined in sector-specific regulations, which will be enforced concurrently with the primary legislation.

While NIS2 must be implemented by 17 October 2024, Denmark will miss the directive’s implementation deadline. The Danish parliament is scheduled to hold a hearing on a legislative proposal in October 2024.

Denmark promotes collaboration and information sharing between the public and private sectors to enhance cybersecurity. This includes information sharing about threats, vulnerabilities, and incidents through formal and informal networks and partnerships.

The establishment of a national cybersecurity competence centre, the Danish National Coordination Center for Cyber Security (NCC-DKK), as encouraged by the EU, aims to consolidate expertise and resources for cybersecurity research, education, and practice. Furthermore, its purpose is to strengthen the Danish cybersecurity sector, increase the Danish take-up of cybersecurity funds from the EU and support the development and use of innovative cybersecurity solutions. NCC-DKK also administers a number of grant pools funded by the EU, the Danish Agency for Digitalisation and the Danish Business Authority, which focus on supporting industry-specific cybersecurity solutions and promoting knowledge and data sharing.

The Danish Data Protection Authority (DDPA) regularly arranges seminars and similar events to engage with private companies and maintain a dialogue. Recently, the DDPA arranged a panel discussion about AI with approximately 250 participants.

The Centre for Cyber Security (CFCS) is the national IT security authority, Network Security Service and National Centre of Excellence within cybersecurity.

CFCS’s mission is to advise Danish public authorities and private companies that support functions vital to society on how to prevent, counter and protect against cyber-attacks. As a sector-specific example, CFCS has published threat assessments of the cyber threats against the Danish maritime sector and the Danish energy sector, to mention the two most recent reports. It also publishes assessments on, eg, threat levels of cyber-activism towards Denmark.

In order to provide the best possible service in terms of preventing, resisting, and handling cyber-attacks, it is essential that CFCS’s Network Security Service holds the necessary data to create the best possible overview of the current situation regarding the Danish Internet infrastructure.

Consequently, public authorities are obligated to report serious IT security incidents to CFCS, and private companies are encouraged to similarly report serious cyber incidents to the Centre.

Cybersecurity is an area of increasing focus in the Danish legal system. The Danish system structure is comparable to the legal systems across the EU with a focus on facilitating business across borders within the union based on fundamental human rights. See 5.5 Security Requirements for Industrial Control Systems (and SCADA) regarding certifications and data acquisition systems.

In December 2023, the Danish Centre for Cyber Security issued new threat assessments concerning the general cyber threat against Denmark. Since the illegal Russian invasion of Ukraine, the general threat level is considered very high. For developments in regulatory activity and enforcement, refer to 1.4 Multilateral and Subnational Issues and 8.2 Significant Audits, Investigations or Penalties.

See 1.4 Multilateral and Subnational Issues.

Furthermore, it is reasonable to expect that Denmark, as well as other countries, will continue to adapt their cybersecurity policies and measures in response to emerging threats in the light of the high threat level (see 1.7 Key Developments).

See 1.1 Laws.

See 1.2 Regulators.

On the national level, the Centre for Cyber Security (CFCS) is the national IT security authority, Network Security Service and National Centre of Excellence within cybersecurity. The Centre’s mission is to advise Danish public authorities and private companies that support functions vital to society on how to prevent, counter and protect against cyber-attacks.

Furthermore, as a member of the EU, Denmark supports the initiatives within the EU, as well as those of NATO and the European Union Agency for Cybersecurity (ENISA).

The Danish Data Protection Agency is the authority responsible for enforcing data protection and privacy regulations, operating under the EU’s GDPR and the Danish Data Protection Act. Its responsibilities include enforcing data protection laws through investigations, audits, and fines for non-compliance, alongside offering advisory services to organisations on compliance strategies. The Danish Data Protection Agency also focuses on raising public awareness about privacy rights and the importance of data protection, contributing to policy development at both national and EU levels.

Additionally, it plays a crucial role in international cooperation on cross-border data protection issues and handles notifications of personal data breaches, advising on mitigation and compliance.

In Denmark, regulatory oversight of compliance with cybersecurity laws and regulations in the financial services sector primarily falls under the purview of the Danish Financial Supervisory Authority and the Danish Business Authority. These regulatory bodies monitor financial institutions’ adherence to legal obligations, including cybersecurity standards, and have the authority to levy sanctions for any breaches of compliance.

Companies operating within the financial services sector are obligated, among other requirements, to establish a cybersecurity policy, develop contingency plans, and adhere to an extensive set of guidelines when outsourcing key operational functions.

Concerning the telecommunications sector, providers of public electronic communications networks or services are primarily governed by legal mandates outlined in the Danish Telecommunications Act. These providers are required, among other stipulations, to register with the police and comply with specific regulations regarding equipment, information security, and emergency protocols.

It is important to note the adoption of a new EU directive, known as the EECC, which introduces updated telecom regulations across the EU. This directive was officially ratified on 20 December 2018, and has since been implemented by Denmark.

Furthermore, regarding cybersecurity in the healthcare sector, the Danish government has taken steps to establish a Security Analysis Centre within the healthcare industry. This centre, situated within the Danish Health Data Authority, aims to foster enhanced communication among healthcare stakeholders to bolster information security. Its mission is to proactively predict, prevent, and swiftly respond to any cyber threats posed by malicious actors, thus safeguarding sensitive healthcare data. Finally, the Danish Medicines Agency authorises and inspects pharmaceutical companies and licenses medicinal products in the Danish market; among other things, it monitors medical devices available in Denmark and supervises adverse incidents involving medical devices.

See 1.2 Regulators.

Generally applied and broadly used standards such as PCI DSS and ISO 27001 are recognised and apply as de facto standards in Denmark as well. In addition, a range of guidelines issued by public bodies (see 1.2 Regulators) are available to Danish organisations. While organisations await the entry into force of the NIS2 Directive, adherence to such de facto standards also serves the purpose of preparing for compliance with the NIS2 Directive.

Moreover, there is a national framework called the D-seal (Danish: D-mærke), a framework/standard under which companies obtain a certification for IT security and responsible use of data. The D-seal is mapped against NIS2 and covers IT security standards as well as standards for responsible use of data.

In November 2023, the Danish Data Protection Agency published a catalogue of security measures with technical descriptions of each of the measures and with explanations of the scenarios in which each measure is most relevant and effective in order to ensure appropriate security (see GDPR, Article 5 and Article 32).

The descriptions of each measure can be read individually, so the catalogue can serve as a reference work.

Many measures can be implemented as part of the functions that support data protection in IT systems in general and are thus also relevant in relation to the obligations under Article 25 of the GDPR on the obligation to ensure that data protection is incorporated into the design and default settings when developing or acquiring new IT systems or developing/modifying existing IT systems.

The examples used are largely based on the Danish Data Protection Agency’s experience from inspections in private and public companies, processing of personal data breaches reported to the Danish Data Protection Agency, the EDPB’s guidelines and the ISO standards 27001 (Danish Standard DS/ISO/IEC 27001 – Requirements for Information Technology – Security techniques – Information Security Management Systems (ISMS)) and 27002.

The catalogue is aimed at all organisations seeking to improve their level of IT security and thus serves as a compilation of commonly applied measures.

Standards such as ISO/IEC 27001 apply and are widely used when implementing IT security projects.

The GDPR, Article 32 contains a list of appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These are:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The GDPR, Article 35 stipulates that where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Under GDPR, Article 37, the controller and the processor shall designate a data protection officer in any case where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of sensitive data and personal data relating to criminal convictions and offences.

See 2.5 Financial or Other Sectoral Regulators regarding requirements in connection with outsourcing.

The Danish Act on Payments implementing PSD2 imposes a general duty to implement strong customer authentication on payment services.

See 4.2 Material Business Data and Material Non-public Information regarding requirements aimed at preventing insider trading.

See 4.4 Denial of Service Attacks regarding the prevention of cyber-attacks. Also refer to 7.1 Required or Authorised Sharing of Cybersecurity Information and 10.1 Processes and Issues.

The Danish regulators mentioned above work closely together with their counterparts in the EU as well as with EU bodies such as the European Data Protection Board and ENISA.

Furthermore, as part of the Nordic co-operation, Denmark is a member of the Nordic Council of Ministers and the Nordic Council together with Finland, Iceland, Norway, Sweden, the Faroe Islands, Greenland and Åland. One of the main focus areas of the Nordic co-operation is defence, where the Nordic countries share information and conduct joint training sessions, which also includes training in preventing and handling cyber threats.

In the Danish jurisdiction, the handling of personal data is primarily governed by the GDPR, which is the regulation governing the processing of personal data within the EU as well as the processing of EU citizens’ personal data outside of the EU. As a part of the EU, Denmark is required to follow and implement the GDPR through the Danish Data Protection Act, and Denmark has furthermore implemented specific complementary laws.

The key affirmative security requirements under the GDPR for the processing of personal data include:

  • Privacy by design and by default (GDPR, Article 25).
  • Records of Processing Activities (GDPR, Article 30).
  • Security of processing (GDPR, Article 32).
  • Notification of personal data breach to the supervisory authority within 72 hours (GDPR, Article 33).
  • Communication of personal data breach to the data subject (GDPR, Article 34).
  • Data Protection Impact Assessment (DPIA) (GDPR, Article 35).
  • The role of the Data Protection Officer (DPO) (GDPR, Articles 37–39).
  • Certification (GDPR, Article 42).

All these provisions mandate organisations operating within the scope of the GDPR to incorporate both proactive and reactive measures to ensure adequate protection of individuals’ personal data, along with documentation of such measures to provide evidence of compliance.

See 3.3 Legal Requirements and Specific Required Security Practices.

The handling of material business data and material non-public information within the Danish jurisdiction depends on which of several laws and regulations the information falls under. There is no general regulation stipulating requirements to protect business data and non-public information across sectors. However, certain legal frameworks apply to such information, and these are:

  • The Danish Financial Statements Act – requires companies to take appropriate measures to protect sensitive business information that could impact financial markets if disclosed prematurely.
  • The Danish Trade Secrets Act.
  • Certain guidelines issued by the Danish Business Authority.
  • For the financial sector, financial institutions and listed companies are required to incorporate measures in accordance with the Danish Securities Act to prevent insider trading.
  • NIS Directive.
  • The Danish Data Protection Act – supplementing the GDPR, the Danish Data Protection Act provides certain measures for protecting personal and sensitive data, which can in some contexts overlap business data.

As an EU member state, Denmark implements the NIS Directive, which requires certain operators of essential services and digital service providers to take appropriate and proportionate technical and organisational measures to manage cybersecurity risks and report significant incidents to national authorities. This directive covers sectors such as energy, transport, banking, health, and digital infrastructure.

See 1.1 Laws, 1.2 Regulators, 1.3 Administration and Enforcement Process, 4.4 Denial of Service Attacks and 5. Data Breach or Cybersecurity Event Reporting and Notification.

The Centre for Cyber Security provides guidelines and threat assessments for critical infrastructure sectors. While not always mandatory, compliance with these recommendations is strongly encouraged to enhance cybersecurity posture.

Organisations in Denmark are encouraged to obtain ISO/IEC 27001 certification, an international standard for information security management systems (ISMS). This certification demonstrates compliance with best practices in information security.

IT Security Certification for Cloud Services (Cloud Certification Scheme): Denmark has introduced a voluntary certification scheme for cloud services, aimed at enhancing the security of cloud-based services used by the public sector.

In Denmark, affirmative security requirements aimed at preventing cyber-attacks such as denial of service (DoS) attacks, ransomware, and extortion are underpinned by a combination of EU regulations and national legislation.

The GDPR requires entities to implement appropriate technical and organisational measures to ensure a high level of security, particularly in protecting personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This encompasses the need to safeguard against cyber-attacks that compromise data availability, integrity, and confidentiality. Complementary to the GDPR, the Danish Data Protection Act emphasises the need for entities to secure personal data and outlines the obligations for reporting data breaches to the Danish Data Protection Agency and, in certain circumstances, to the affected individuals.

The NIS Directive mandates that operators of essential services and digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. These measures are aimed at ensuring the continuity of services, which includes preventing and mitigating DoS attacks, ransomware, and other cyber threats.

From a national perspective, the implementation of the NIS Directive requires operators in critical sectors to adopt security measures to protect their network and information systems. It also mandates the reporting of significant cyber incidents to the Danish Centre for Cyber Security, which is part of the Danish Defence Intelligence Service.

Organisations covered under the Danish Act on Network and Information Systems Security are required to report significant incidents to the Danish Centre for Cyber Security. This includes incidents involving DoS attacks, ransomware, or other threats affecting system integrity and data availability.

Organisations must report personal data breaches to the Danish Data Protection Agency within 72 hours of becoming aware of the breach, especially if it poses a risk to the rights and freedoms of individuals.

While specific cybersecurity certifications are not mandated across all sectors, adherence to recognised standards (eg, ISO/IEC 27001) is encouraged as a demonstration of implementing robust security measures. The Danish Centre for Cyber Security offers guidance, threat assessments, and best practices for enhancing cybersecurity posture, including the prevention of ransomware, DoS attacks, and similar cyber threats.

Certain sectors may have additional regulations specifying more stringent security measures and reporting obligations; for example, the financial sector is regulated by the Danish Financial Supervisory Authority.

See 1.1 Laws, 1.2 Regulators, 1.3 Administration and Enforcement Process and 5. Data Breach or Cybersecurity Event Reporting and Notification.

See 4.4 Denial of Service Attacks.

Under the GDPR, the data controller shall notify the supervisory authority of a personal data breach without undue delay and no later than 72 hours after becoming aware of it. A data processor shall notify the data controller of a breach without undue delay.

Operators of essential services are required to report incidents with an impact on the continuity of the services they deliver. The recipient of the report depends on the sector of the operator. For instance, according to the Danish Act on Network and Information Security of Domain Name Systems and Certain Digital Services, incidents must be reported to the Danish Business Authority and the Danish Centre for Cyber Security. Such a report must in particular contain information on the number of affected users, the duration of the incident, and the geographical spread of the area affected by the incident. The relevant regulator can publish information about specific incidents when necessary to prevent or manage an incident in progress.

Similarly, providers of digital services are required to report incidents with a substantial impact on the services they deliver to the Danish Business Authority and the Danish Centre for Cyber Security.

Providers of financial services are required to report certain incidents to the relevant authorities, primarily the Financial Supervisory Authority, the Danish Business Authority and the Danish Centre for Cyber Security.

The Danish Business Authority has oversight of the main sections of the Danish Telecommunications Act but, depending on the type of incident, other authorities may be involved, especially the Danish Centre for Cyber Security.

The Danish Act on Payment Services puts obligations on providers of payment services to report incidents to the authorities and to the users of the payment services if there is a risk that their transactions may be affected. The report to the authorities must, among other things, describe the reason for the incident and, if applicable, the attack methodology.

See 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

See 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

At the EU level, the Medical Devices Regulation 2017/745 and the In Vitro Diagnostic Medical Devices Regulation 2017/746 set out security requirements specific to medical devices and govern the design and manufacture of devices with the aim of protecting against risks associated with the IT environment, including unauthorised access, loss of data integrity, and failure to maintain confidentiality.

Under both regulations, manufacturers are required to implement a risk management system for medical devices. This includes assessing and mitigating risks related to cybersecurity, such as vulnerabilities that could be exploited for unauthorised access or data breaches.

At the national level, the Danish Medicines Agency is responsible for overseeing the safety and regulation of medical devices in Denmark. This includes ensuring that devices meet the requirements set out in EU regulations and are registered appropriately. The agency also plays a role in monitoring adverse events and may issue guidance specific to the Danish context, eg, on the Medical Devices Regulation and the In Vitro Diagnostic Medical Devices Regulation.

While not specific to Denmark, international standards such as ISO/IEC 27001 (Information Security Management) and ISO/IEC 27799 (Health Informatics – Information Security Management in Health) can provide a framework for managing information security risks in medical devices. Compliance with these standards can help manufacturers meet the cybersecurity requirements of the Medical Devices Regulation and the In Vitro Diagnostic Medical Devices Regulation.

There is no legal framework specifically applicable to industrial control systems (and SCADA) in Denmark. However, if an incident affecting such systems impacts critical infrastructure or personal data, the facility operator might need to inform the appropriate national authorities in accordance with Denmark’s legislation on critical infrastructure protection or the GDPR, as the case may be. See 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

This could involve reporting under the Critical Infrastructure Act if the incident threatens the integrity of critical services, or under the Network and Information Systems (NIS) Act if the incident disrupts the delivery of essential services.

The GDPR and other regulations will apply to IoT devices in so far as they process personal data. There are currently no specific legal requirements concerning IoT devices.

ENISA publishes guidelines on best practice relevant to manufacturers of IoT devices.

The EU has passed the EU Cyber Resilience Act, which will impose certain requirements on IoT devices. It will apply to all products connected directly or indirectly to another device or network except for specified exclusions such as open-source software or services that are already covered by existing rules, which is the case for medical devices, aviation and cars. The Act is expected to enter into force in early 2024. Manufacturers will then have to apply the rules 36 months after their entry into force.

See 3.3 Legal Requirements and Specific Required Security Practices and 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

See 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

See 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

The use of beacons, which are discreet graphics embedded within content to establish a connection with a remote server and reveal the IP address of the viewer’s computer, is permissible. However, it is crucial to adhere to relevant data protection and ePrivacy regulations when processing any personal data, such as IP addresses. In such cases, individuals must be informed of the legal basis for the processing of their personal information.

Furthermore, employing honeypots, deceptive digital traps designed to lure cyber-threat actors into interacting with a simulated network, offers organisations the ability to detect and thwart potential attacks without endangering their actual network or data. Effective from 1 July 2019, authorisation was granted to the Danish Centre for Cyber Security to deploy honeypots for intelligence gathering on cyber-threat tactics and tools. These honeypots may be implemented on the networks and equipment of affiliated authorities and companies, subject to appropriate agreements.

Similarly, sinkholes, strategies employed to divert malicious traffic away from an organisation’s IP addresses and servers, serve as a common defence against Distributed Denial of Service (DDoS) attacks in Denmark. As of 1 July 2019, the Danish Centre for Cyber Security has been empowered to employ sinkholes to prevent, halt, or mitigate imminent or ongoing cyber incidents.

The crucial point is that measures aimed at safeguarding the availability and integrity of individuals’ personal data are permissible, provided they are proportionate to the defence measure being implemented and have not been explicitly prohibited by regulations or guidelines from authorities.

See 6.1 Cybersecurity Defensive Measures. To some extent, cybersecurity and data privacy efforts go hand in hand in that they both aim at safeguarding certain information. However, where cybersecurity measures entail surveillance of individuals and/or their personal data, the affected individuals’ (ie, data subjects’) right to privacy must be balanced against the legitimate interests of the organisation implementing the cybersecurity measures. In so far as those measures have the potential to pose a high risk to affected data subjects, eg, by using certain “high risk technologies”, a data protection impact assessment will be required. In this context it should be added that the integration of emerging technologies like artificial intelligence (AI) and the Internet of Things (IoT) into cybersecurity measures will accentuate these issues, because these technologies often involve extensive data collection and processing, requiring careful consideration of their impact on privacy.

In the Danish jurisdiction, the sharing of cybersecurity information with the government or third parties is influenced by both European Union regulations and national laws.

Denmark, as an EU member state, implements the NIS Directive, which requires operators of essential services and digital service providers to notify relevant national authorities about serious cybersecurity incidents. The directive encourages information sharing to improve overall cybersecurity posture. In Denmark, this directive has been transposed into national law (The Danish Act on Network and Information Systems Security), outlining specific sectors and types of services that fall under its requirements.

The Danish Act on Network and Information Systems Security is, as mentioned, the Danish implementation of the NIS Directive. It mandates that operators of essential services in sectors such as energy, transport, health and digital infrastructure report significant cyber incidents to the Danish Centre for Cyber Security.

The GDPR requires organisations to ensure the confidentiality, integrity and availability of personal data, which includes reporting breaches to the Danish Data Protection Agency and, in certain cases, communicating these breaches to the affected individuals.

The Danish Centre for Cyber Security acts as the national cybersecurity authority and offers a framework for voluntary information sharing about cybersecurity threats, vulnerabilities and incidents. Organisations working in critical sectors are encouraged to share information to benefit from collective knowledge and defence mechanisms. As mentioned, certain sectors may have additional regulations or guidelines encouraging or requiring the sharing of cybersecurity information. For example, the financial sector, overseen by the Danish Financial Supervisory Authority, has specific reporting obligations regarding cybersecurity incidents.

See 7.1 Required or Authorised Sharing of Cybersecurity Information.

See 8.2 Significant Audits, Investigations or Penalties.

The most prominent Danish case concerning data security is the action by the Danish Data Protection Agency against Netcompany A/S (an IT services provider that provides services to a large range of Danish public institutions), which resulted in the Danish Data Protection Agency reporting Netcompany to the police and recommending a fine of at least DKK15 million. The decision concerned the development of critical IT infrastructure by Netcompany on behalf of a public Danish institution. The Danish Data Protection Agency’s decision was founded on the grounds that Netcompany had failed to implement adequate security measures (“privacy by design”); had failed to secure proper user authentication, in that unauthorised access to the solution, and thereby to large amounts of personal data, was possible due to a coding deficiency; and had not conducted a data protection impact assessment for the development of the solution, which was considered a crucial step for identifying and mitigating high risks to individuals’ rights and freedoms before processing personal data. This action by the Danish Data Protection Agency emphasises the need for responsible, secure data management to maintain trust in Denmark’s digital infrastructure. The record fine reflects the breach’s severity and the company’s size, aiming to enforce the GDPR principles of effective, proportionate and deterrent penalties.

The Danish Data Protection Agency has in a number of cases found that data security breaches as a result of cybersecurity violations should be fined under the GDPR.

In January 2024, a Danish municipality was issued a fine of DKK100,000–200,000 for failing to establish sufficient and appropriate security measures. The Danish Data Protection Agency became aware of the case when the municipality in question reported a personal data breach. A computer containing sensitive personal data, social security numbers and information about children had been stolen in connection with a theft from an employee’s home. The computer’s hard drive was not encrypted. The municipality had not encrypted any of its approximately 1,200 laptops, which the Danish Data Protection Agency considered a serious breach of the GDPR’s requirements for security of processing (Article 32).

Furthermore, the Danish Data Protection Agency has emphasised that encryption of portable devices, including computers, is an essential and basic security measure.

The Danish Data Protection Agency has previously (in 2020 and 2022) recommended fines against three other Danish municipalities as well as the Civil Affairs Agency in similar cases regarding lack of encryption.

Finally, in a range of decisions concerning private entities, the Danish Data Protection Agency has found grounds to criticise organisations for their inadequate implementation of the security measures required by Article 32 of the GDPR, following investigations arising out of hacker attacks.

See 1.1 Laws, 1.2 Regulators, 1.3 Administration and Enforcement Process.

See 8.2 Significant Audits, Investigations or Penalties.

Class actions are permitted in Denmark; however, there have not been any class action lawsuits pertaining to the GDPR or cybersecurity in Denmark.

Under the Danish Companies Act, companies with limited liability must ensure the implementation of proper risk management and internal controls. This includes the responsibility to monitor cybersecurity threats and uphold a sufficient cybersecurity standard. Failure to adhere to these measures could result in a violation of the directors’ obligations should an incident occur due to inadequate cybersecurity.

Specifically, firms within the financial sector and those managing critical infrastructure, as outlined by the NIS Directive, must develop security protocols focused on IT security and designate staff for ensuring adherence to these policies. The GDPR further mandates the establishment of technical and organisational safeguards, which for some organisations might necessitate appointing a Chief Information Security Officer (CISO).

Moreover, in certain situations, these security policies and related documentation must be shared with appropriate regulatory bodies. The board of directors might also need to consider cybersecurity risks in the company’s annual reporting. For publicly traded companies, there’s an additional requirement to publicly disclose any information that could potentially influence their stock price, irrespective of whether this information stems from a cybersecurity incident.

Conducting due diligence in corporate transactions in Denmark involves a comprehensive assessment of various factors, including cybersecurity and personal data protection measures. This process encompasses identifying key risks related to cybersecurity vulnerabilities and compliance with data protection regulations such as the GDPR. Key steps include evaluating the target company’s cybersecurity measures, assessing its data protection compliance, reviewing contracts and agreements for appropriate provisions, analysing cyber-insurance coverage, and ensuring legal and regulatory compliance. The findings are documented in a due diligence report, which serves as a basis for negotiation and for the development of mitigation strategies post-acquisition. Overall, due diligence in Denmark requires a collaborative effort between legal, IT, cybersecurity and compliance professionals to mitigate risks and ensure compliance with cybersecurity and data protection requirements.

Certain companies, eg, within the financial sector and telecommunications sector (see 2.5 Financial or Other Sectoral Regulators) are required to maintain security policies. Under certain circumstances, such policies, etc, must be disclosed to the relevant authorities.

Further, the obligations of the board of directors may include an obligation to take cybersecurity risks into account in the company’s annual report.

Additionally, listed companies may be required to disclose information (regardless of whether it derives from a cybersecurity breach or not) that may affect the price of the company shares.

With regard to further considerations on threats and defence mechanisms, it is worth noting that in Denmark’s legal landscape, unauthorised access, commonly known as hacking, is addressed under the Danish Criminal Code (DCC). It is a criminal offence that can lead to fines or imprisonment of up to one and a half years, with potential elevation to six years for cases involving aggravating circumstances or organised efforts. For instance, penalties have ranged from fines for unauthorised access to social media accounts to two years’ imprisonment for repeated hacking that caused significant operational disruptions to a company.

Denial-of-service attacks, aimed at obstructing the use of information systems, carry similar legal consequences, with penalties scaling up in cases of systematic or organised actions. Phishing, while not explicitly criminalised, typically falls under other criminal offences like data fraud, where penalties can include imprisonment, especially when coupled with document falsification.

The legal framework extends to malware, with the DCC criminalising destructive attacks on IT systems, emphasising stricter penalties for attacks on critical societal systems. The sale or distribution of tools intended for cybercrime implicates individuals in complicity, aligning penalties with those of the primary offences. This encompasses a wide array of cyber activities, from manufacturing tools that bypass digital rights management (DRM) protections to acquiring information for unauthorised payment methods, each carrying its own set of penalties under the DCC.

Identity theft, while not directly criminalised, often leads to charges such as data fraud, with cases resulting in substantial jail sentences for the misuse of personal information.

The DCC also targets electronic theft, including unauthorised wire transfers and intellectual property infringements, with specific legislation like the Danish Act on Trade Secrets protecting confidential business information.

Moreover, unsolicited penetration testing could be construed as hacking under Danish law, highlighting the nuanced approach to cybersecurity. Other activities threatening IT security, like interception of communications or unauthorised use of accessed information, are punishable, reflecting a comprehensive legal stance against actions compromising IT system security, confidentiality, integrity, or availability.

This comprehensive legal framework underlines Denmark’s commitment to maintaining robust cybersecurity measures, holding individuals and entities accountable for actions that undermine digital security and integrity. Through a combination of specific statutes and broader criminal law provisions, Denmark effectively addresses a wide spectrum of cyber threats, ensuring the protection of its digital landscape.

As the threat of attacks on organisational data has grown, organisations increasingly opt to cover cyber risks via cyber insurance to protect against incidents.

Danish regulations do not impose restrictions on insurance coverage for various types of losses, including business interruption, system failures, cyber-extortion, or the restoration of digital assets. However, it remains ambiguous whether coverage extends to regulatory fines.

While organisations are legally permitted to pay ransoms, the rise in online criminal activity has led to increased insurance premiums, prompting some insurers to exclude ransom payments from their coverage. Insurance policies may still cover costs associated with business interruption, incident response, and data recovery.

Given that ransoms are frequently demanded in cryptocurrency, organisations facing extortion should be aware of the legal implications, including the potential for violating laws against supporting criminal activities or money laundering.

Sky Law Advokatfirma

Aarhusgade 118
DK-2150 Nordhavn, Copenhagen
Denmark

+45 40309749

niels@skylaw.dk https://www.skylaw.dk
Law and Practice in Denmark
