All articles
Cybersecurity

NIS2 for Danish SMBs: is your business covered?

The NIS2 directive tightens cybersecurity requirements for many Danish businesses. Find out whether you are covered, what the requirements mean in practice, and where to begin.

JJ
Jonas Jensen
Stifter, Legiant
|5 June 2026|2 min

NIS2 is one of the regulatory frameworks that has caused the most confusion among Danish businesses. Many are unsure whether they are covered at all, and if so, what they are actually required to do. Here is a clear, level-headed overview.

What is NIS2?

NIS2 is an EU directive on cybersecurity that has been implemented into Danish law. Its purpose is to raise the level of security in sectors that are critical to society, and it significantly expands the circle of businesses that have concrete obligations compared with the original NIS directive.

Is your business covered?

Two things determine this: which sector you operate in, and the size of your business.

  • The directive covers a range of sectors, including energy, transport, healthcare, digital infrastructure, food production, waste management, and manufacturing.
  • As a general rule it applies to medium-sized and large businesses, but smaller businesses can also be covered if they play a critical role.

If you supply to a covered business, you may also encounter NIS2 requirements indirectly through contracts, because your customer must secure its own supply chain.

What does NIS2 require in practice?

The requirements fall into four groups:

  1. Risk management. You must have a clear handle on your cyber risks and have appropriate technical and organisational measures in place.
  2. Incident handling. You must be able to detect, manage, and report security incidents within set deadlines.
  3. Supply chain. You must assess the security of your suppliers.
  4. Management responsibility. Leadership is accountable and can be held personally liable, so this is not purely an IT matter.

Where should you start?

Start by clarifying whether you are covered - that is the most important first step. After that: carry out a straightforward risk assessment, get a handle on backup and access management, and write a plan for what your organisation will do if it is hit by an incident. You do not need to do everything at once, but you must be able to document that you are working systematically on security.

Frequently asked questions

Are small businesses covered by NIS2? Often not directly, but they may face requirements through customers in covered sectors. It is wise to prepare.

What are the penalties for non-compliance with NIS2? The supervisory authority can issue orders and fines, and management can be held personally liable.

When do the rules take effect? The obligations are coming into force, and new orders with further details are being issued on an ongoing basis. Keep an eye on updates relevant to your sector.

Stay informed without the hassle

NIS2 is still evolving, with new orders and guidance being published regularly. Legiant monitors the regulatory landscape for your industry and notifies you in plain language whenever something relevant changes, so you do not have to track it all yourself.

Get started for free and keep on top of the cybersecurity requirements for your specific sector.

Get regulatory changes before the deadline

Legiant monitors domestic and European regulation for your industry and keeps you informed so you're never caught off guard.

Try Legiant free