Alliance42
Call
NIS2 GUIDE

NIS2: What You Need to Know

The EU directive is now Danish law. Here is what it means for your business - without the legal jargon.

01

What is NIS2?

NIS2 is an EU directive (2022/2555) that sets requirements for cybersecurity and incident reporting for organizations in 18 critical sectors. The directive was adopted by the EU in December 2022 and was to be transposed into national law by October 2024. In Denmark, NIS2 was implemented as Law No. 434 of 6 May 2025 ("Act on measures to ensure a high level of cybersecurity"), adopted by the Danish Parliament on 29 April 2025 and entered into force on 1 July 2025. The law brings approximately 6,000 Danish organizations into scope - far more than the previous NIS1 law.

02

Is your organization in scope?

NIS2 applies to medium and large organizations in 18 sectors. "Medium" follows the EU definition: 50+ employees OR EUR 10M+ in annual turnover. Certain types of organizations (DNS providers, cloud services, managed service providers) are in scope regardless of size.

Two classes of entities

Important entities: 50+ employees OR EUR 10M+ annual turnover, in one of the 18 sectors. Important entities have lighter supervisory requirements (ex-post supervision).

Essential entities: 250+ employees OR EUR 50M+ turnover, in one of the 11 highly critical sectors (Annex I). Essential entities have stricter requirements and proactive supervision.

The risk management requirements (Article 21) apply to both classes. The difference is primarily in supervisory intensity and fine levels.

The 18 sectors

Highly critical (Annex I): Energy (electricity, district heating, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health (incl. pharmaceutical and vaccine manufacturing), drinking water, wastewater, digital infrastructure (IXP, DNS, TLD, cloud, data centre, CDN, trust services, electronic communications networks), ICT service management (MSP and MSSP), public administration, space. Other critical (Annex II): Postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers and electronics, machinery, vehicles).

03

What does NIS2 require?

NIS2 Article 21(2) defines 10 risk management measures that all in-scope organizations must implement. Here are the 10 requirements - and they map 1:1 to the 10 rows in our NIS2 coverage map on the A42-CC page:

  1. 01.Risk analysis and information security policies
  2. 02.Incident handling (prevention, detection and response)
  3. 03.Business continuity, backup, crisis management and disaster recovery
  4. 04.Supply chain security (supplier and service provider security)
  5. 05.Security in acquisition, development and maintenance of network and information systems (vulnerability management included)
  6. 06.Policies and procedures for assessing the effectiveness of risk management measures
  7. 07.Basic cyber hygiene and cybersecurity awareness training
  8. 08.Policies and procedures on the use of cryptography and encryption
  9. 09.Human resources security, access control and asset management
  10. 10.Multi-factor authentication, secured communications and emergency communication systems

See exactly how A42-CC covers each of the 10 requirements - with concrete evidence - on our A42-CC page.

04

The timeline - and where you stand

The NIS2 directive entered into force in the EU in January 2023. The Danish implementation law (Law No. 434) was adopted on 29 April 2025 and entered into force on 1 July 2025. Self-registration via virk.dk must be completed by 1 October 2025. Supervisory audits are expected to begin in early 2026. Fines can reach up to EUR 10 million or 2% of global turnover. The Ministry for Societal Resilience and Preparedness coordinates implementation, while sector-specific authorities carry out supervision.

You are still working toward compliance

You are not alone. Most Danish SMEs are still in the implementation phase. A42-CC can take you from "we have not started" to "we have the evidence pack ready" in 90 days.

You just discovered you are in scope

If you just found out that NIS2 applies to you - take a breath. We have a 30-60-90 day plan ready. It starts with a gap analysis and ends with an evidence pack.

You want to use NIS2 as a sales advantage

NIS2 compliance is not just a burden. It is a competitive advantage when you sell to larger customers or public authorities. Documented compliance opens doors.

Your customers are asking if you are NIS2-ready

Your customers are asking if you are NIS2-ready because they need to be. A42-CC gives you the documentation to show - without having to build it from scratch yourself.

You want to be ready for what comes next

Even if you are not in scope yet, the requirements are growing. NIS3 is coming. ISO 27001 is becoming standard in more industries. A42-CC builds the foundation, so you do not start over in two years.

05

How Alliance42 helps

A42-CC is built backwards from NIS2 Article 21(2) - not a security service that later got a compliance overlay. Evidence packs are built automatically as a byproduct of operations. Risk assessments are kept up to date. Twice a year we run an incident exercise with your team. When the auditor comes, the pack is ready. 500 DKK/license/mo. Everything included.

Ask about NIS2Estimate your price
Tobias Lauge Jensen

NIS2 isn't a checkbox. It's a board-level liability now. I built A42-CC so the evidence pack is ready before the auditor asks, not assembled in a panic the week before.

Tobias Lauge JensenFounder & CEO, Alliance42

Your place in the Alliance is waiting.

No sales team. No call center. Just me.

Estimate your priceCall Tobias
NIS2 in Denmark - Practical guide to the new EU directive