Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

As mentioned, the NIS Directive has been implemented into Danish law via several sector-specific laws and regulations. Affected companies are required to take appropriate security measures and to notify the relevant national authorities of serious security incidents. The concrete measures to be taken are left to the discretion of the organisations themselves but should utilise the technology available, help identify risks, and prevent, detect and handle incidents to restrict the consequences of an incident. In practice, this is a requirement that companies covered by the legislation, among other things, should adopt and maintain an appropriate IT security policy.

In the financial sector, it is also a requirement that financial institutions adopts an IT security policy.

Furthermore, public authorities are required to apply ISO 27001 (see question 3), and companies within the financial sector are also subject to specific regulations (see question 6).

Pursuant to the GDPR and the Data Protection Act, appropriate technical and organisational security measures to ensure an appropriate level of security must also be implemented.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Pursuant to data protection regulation, an organisation must comply with certain documentation requirements in the event of a data breach involving personal data. As part of the documentation, the organisation shall keep all facts relating to the data breach, its effects and the remedial actions taken.

According to guidelines from the Danish Data Protection Agency, the organisation should keep documentation of the following in the event of a data breach:

  • date and time of the breach;
  • factual circumstances;
  • cause;
  • types of personal data affected;
  • consequences of the breach for the data subjects;
  • measures and remedies taken; and
  • information on whether the Data Protection Agency or data subjects were notified.

There is no specific time frame for how long a data breach log should be kept. Insofar as the breach log contains personal data, the retention requirements follow the general principles of the GPDR.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

According to data the GDPR and the Danish Data Protection Act, a data controller shall notify the Danish Data Protection Agency in case of a personal data breach without undue delay, and where feasible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification must describe the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. Further, the notification must communicate contact details of the data protection officer or other contact point, describe the likely consequences of the personal data breach and described the measures taken or proposed to be taken by the data controller to address the personal data breach. Reporting of personal data breaches to the Danish Data Protection Agency must take place via the agency’s online reporting form, which is available here: https://www.datatilsynet.dk/anmeld-brud-paa-persondatasikkerheden/.

A notification duty also applies to the data processor, who is required to notify the data controller without undue delay after becoming aware of a personal data breach.

In respect of the sector-specific cybersecurity laws and regulations implementing the NIS Directive, operators and providers are obliged to inform the relevant sector-specific authorities as soon as possible if an incident has a significant impact on the continuity of service delivery. The notification should include enough information about the incident for the competent authority to assess any possible cross-border consequences of the incident.

Further, the Danish Payments Act imposes an obligation on providers of payment systems to inform the Danish Financial Supervisory Authority in case of major operations or security incidents to the providers payment system. The information that should be provided to the Danish Financial Supervisory Authority follows the guidelines for reporting of major IT incidents from the European Banking Authority.

Timeframes

What is the timeline for reporting to the authorities?

In respect of data protection, data controllers are required to notify the Danish Data Protection Agency as soon as possible, and where feasible within 72 hours of becoming aware of the breach.

In respect of the sector-specific cybersecurity laws, reporting should take place as soon as possible. As the legislation implementing the NIS Directive is relatively new, practice in relation what ‘as soon as possible’ amounts to, is not firmly established. However, comparing with the notification requirements for payment service providers, see below, the timeline is presumable quite short. Also, see question 28.

Providers of payments systems that are subject to the Danish Payments Act are required to notify the Danish Financial Supervisory Authority of major operations or security incidents according to the following timelines. The payment service provider must submit:

  • an opening report within four hours of becoming aware of the incident;
  • a preliminary report within three business days of becoming aware of the incident; and
  • a final report within two weeks after the operation of the services was normalised.
Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

There are no legislative requirements in Denmark to notify others in the industry, however, failure to do so, may be in violation of best practices for the industry.

If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, data controllers are required to notify the data subjects of the personal data breach without undue delay. Such notification should provide substantially the same information as is required to be reported to authorities, see question 28.

In respect of the financial sector, providers of payment systems are required to notify users of the payment system, in cases where an incident affects or may affect users of the payment services.