Legal framework

Legislation

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

There is no single dedicated cybersecurity law in Denmark. Rather, the legal landscape is made up of several laws promoting cybersecurity. The main statutes within the field of cybersecurity are the following.

Critical infrastructure

  • The Danish Act on Network and Information Security of Domain Name Systems and Certain Digital Services (Act No. 436 of 8 May 2018);
  • the Danish Act on Network and Information Security for Operators of Essential Internet exchange points (Act No. 437 of 8 May 2018);
  • the Danish Act on Security Requirements for Network and Information Systems in the Health Sector (Act No. 440 of 8 May 2018); and
  • the Danish Act on Security of Network and Information Systems in the Transport Sector (Act No. 441 of 8 May 2018).

Data protection

  • The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR); and
  • the Danish Data Protection Act (Act No. 502 of 23 May 2018).

Company law

  • The Danish Companies Act (Act No. 1089 of 14 September 2015).

Criminal law

  • The Danish Criminal Code.

Health sector

  • The Danish Executive Order on Health Preparedness Planning (Order No. 971 of 28 June 2016); and
  • the Danish Executive Order on Health Records (Order No. 530 of 24 May 2018).

Financial sector

  • The Danish Financial Business Act (Consolidated Act No. 1140 of 26 September 2017);
  • the Danish Act on Payment Services (Act No. 652 of June 2017);
  • the Danish Order on Management and Control of Banks (Order No. 1026 of 30 June 2016); and
  • the Danish Order on Outsourcing (Order No. 1304 of 25 November 2010).

Telecommunications sector

  • The Danish Act on Electronic Communication Networks and Services (Consolidated Act No. 128 of 7 February 2014); and
  • the Danish Act on Radio and Television Activities (Consolidated Act No. 444 of 8 May 2018).

Transport sector

  • The Danish Act on Network and Information Security for the Transport Sector (Act No. 442 of 8 May 2018); and
  • the Danish Executive Order on Network and Information Security for the Transport (Order No. 1042 of 6 August 2018).

Intellectual property law

  • The Danish Copyright Act (Act No. 1144 of 23 October 2014).

Other sector-specific regulations promoting cybersecurity

  • The Danish Executive Order on Preparedness for the Electricity Sector (Order No. 1024 of 21 August 2007);
  • the Danish Executive Order on IT Preparedness for the Electricity and Natural Gas Sector (Order No. 425 of 1 May 2018);
  • the Danish Executive Order on Preparedness for the Oil Sector (Order No. 424 of 25 April 2018); and
  • the Danish Executive Order on Security Requirements for the Network and Information Systems of Certain Water Supplies (Order No. 429 of 4 May 2018).

Other

  • The Danish Act on Television Surveillance (Act No. 1190 of 11 October 2017);
  • the Danish Act on the Centre for Cyber Security (Act No. 713 of 25 June 2014); and
  • the Danish Executive Order on Providers of Electronic Communications Networks and Electronic Registration and Storage of Communications Services (Order No. 988 of 28 September 2006, the ‘Logging Order’).

Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

Cybersecurity laws and regulations affect all companies and organisations that control or process data. Although cybersecurity requirements affect almost all sectors, the sectors that are most affected by the cybersecurity laws and regulations are primarily the telecommunications sector, the financial sector, the health sector and the transport sector.

Has your jurisdiction adopted any international standards related to cybersecurity?

Denmark has adopted ISO 27001 as its state security standard, and compliance with ISO 27001 has been compulsory for public authorities and state institutions since January 2014.

What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

According to the Danish Companies Act, in limited liability companies that have a board of directors, the board must, in addition to handling the overall and strategic management, ensure that the company has in place the necessary procedures for risk management and internal controls. This includes an obligation to maintain an overview of the adequacy of the organisation’s protection of networks and data and to implement the necessary technical and organisational measures to protect the company against cybersecurity threats. If such measures are found to be inadequate in connection with a cyber incident, it may be regarded as a breach of the board of directors’ duties, which may lead to individual liability for the members of the board.

How does your jurisdiction define cybersecurity and cybercrime?

Denmark has not adopted any statutory or case law definitions of cybersecurity or cybercrime. The Danish Centre for Cyber Security, which is a government body under the Danish Defence Intelligence Service, defines cybercrime in its yearly threat assessment as cases where people or networks use cyber attacks to commit criminal acts, with the purpose of enrichment. However, the Centre for Cyber Security differentiates between cybercrime and cyberthreats, the latter being defined as threats from cyber attacks, where people or networks attempt to interrupt or gain unauthorised access to data, systems, digital networks or digital services (‘Threat assessment, the cyberthreat against Denmark’, the Danish Centre for Cyber Security, published May 2018). As a general concept, cybercrime should therefore presumably be considered to cover both of these definitions. Likewise, there is no formal definition of cybersecurity in Denmark. However, the Danish Centre for Cyber Security defines its main objective as assisting Danish companies and organisations that support community-essential functions with preventing, mitigating and protecting themselves against cyber attacks, which may serve as an indication of what is considered to be cybersecurity by the Danish authorities (‘About Center for Cyber Security’, publication by the Danish Centre for Cyber Security, undated).

Under Danish and EU law, there is a distinction between cybersecurity and data privacy, as cybersecurity is considered an instrument under data privacy legislation to achieve data privacy.

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

There are no comprehensive minimum protective measures as such, except for complying with the requirement under the GDPR and the Data Protection Act to implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk. Specifically, in relation to transmission of confidential and special categories of personal data (sensitive personal data), however, it is a requirement for companies and organisations to apply encryption when transmitting such data by email via the internet. The Danish Data Protection Agency has not set specific requirements as to the type of encryption that should be used; it is merely a requirement that the level of encryption is appropriate relative to the risk. Previously, the requirement to apply encryption when transmitting confidential and special categories of personal data via email only applied to public authorities. However, as of 1 January 2019, the requirement will be extended to also apply to private companies and organisations.

Public authorities are required to apply ISO 27001 (see question 3).

Further, pursuant to the Danish Executive Order on Outsourcing, companies within the financial sector are required to comply with an extensive set of requirements when outsourcing key activities. Examples of these requirements include preparing an IT security policy promoting cybersecurity and preparing a contingency plan as a response to incidents.

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

There are no laws or regulations that specifically address cyberthreats to intellectual property. However, any violation of intellectual property that is committed as a cyber act or within cyberspace, and that is covered by the Danish Copyright Act, will be punishable pursuant to the Copyright Act and the Criminal Code.

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

Yes. The Network and Information Systems Directive (Directive (EU) 2016/1148) (the NIS Directive) has been implemented into Danish law via several sector-specific laws and regulations (listed under section 1 under Critical infrastructure).

According to the legislation implementing the EU’s NIS Directive, operators of essential services within the different sectors are required to implement an appropriate level of technical and organisational security measures to ensure a level of security appropriate to the risk of security incidents in the network or information systems that they use for their activities.

Further, the legislation imposes a requirement for operators of such essential services to report security incidents to the authorities as soon as possible after becoming aware of such incidents, if the incident significantly affects the continuity of delivering the operator’s services.

According to the implementing legislation, an operator of essential services is defined as a unit that (i) provides a service, which is essential for maintaining critical social or economic activities, where (ii) the delivery of the service depends on network and information systems, and (iii) an incident will have significant disruptive effects on the delivery of the service.

Further to this, certain digital service providers, which are not considered providers of essential services, are also subject to requirements under the Network and Information Security Act for Domain Name Systems and Certain Digital Services, including the requirement to implement an appropriate level of technical and organisational security measures. Providers of digital services covered by the act are companies or organisations of a certain size that provide online marketplaces, online search engines or cloud computing services.

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

According to the Danish Criminal Code, it is illegal to open sealed messages to another person. Emails are recognised by the Danish courts as sealed messages under the Criminal Code.

However, in an employer-employee relationship the restriction under the Criminal Code only applies to private emails. Whether an email is private must be determined on a case-by-case basis.

Case law has established that emails may be opened when (i) a company has entered into an agreement with its employees stipulating that all emails sent and received from a company email address are the property of the company and (ii) the emails are not classified as ‘private’ in the subject field.

If the employer has a concrete suspicion of an employee constituting a cyberthreat, derogation can, depending on the circumstances, be made from the prohibition to open sealed messages.

However, in the event that the employer is accessing an employee’s email and detects that such an email includes private content, the employer must immediately stop reading the email.

Furthermore, access to employees’ emails entails the collection and processing of personal data and must therefore be in compliance with the general requirements of processing of personal data under the Data Protection Act.

In respect of the telecommunications sector, the Danish Logging Order imposes requirements on providers of electronic communications networks or services to record and store metadata on telecommunications data generated or processed in the provider’s network so that this information may be used as part of the investigation and prosecution of criminal offences.

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

Criminal offences relating to cyberactivities are regulated in the Danish Criminal Code. The principal cyberactivities criminalised by law in Denmark are as follows:

  • hacking (ie, unauthorised access to information or programs intended for use in an information system);
  • denial-of-service attacks (preventing use or access to information systems);
  • infection of IT systems with malware (punishable as vandalism);
  • possession or use of hardware, software or other tools used to commit cybercrimes (not criminalised as such, but punishable as an attempt of cybercrime in conjunction with other preparatory acts);
  • phishing (not specifically criminalised, but will in most cases form part of other criminalised offences such as data fraud);
  • identity fraud or theft (not specifically criminalised, but will in most cases form part of other criminalised offences such as hacking, theft, falsification of documents, fraud or data fraud);
  • electronic theft (eg, copyright infringement, data fraud, unlawful acquisition, use and disclosure of trade secrets); and
  • unauthorised interception of information.

How has your jurisdiction addressed information security challenges associated with cloud computing?

In respect of data protection, Denmark has not specifically addressed the security challenges associated with cloud computing other than through the requirements as regards protective measures that follow from the Danish Data Protection Act and the GDPR. When processing personal data, the responsibility for ensuring that adequate security measures are in place ultimately lies with the data controller, as the owner of the data. However, both the data controller and the data processor are, according to the GDPR, required to have in place appropriate technical and organisational security measures to protect personal data, and both may become liable for lacking adequate security measures.

Denmark has further adopted a war rule, which means that personal data of Danish citizens may in some cases not be transferred out of Denmark. Before the entry into force of the GDPR, the war rule stated that personal data held and processed on behalf of the public administration, which could be of particular interest to foreign powers, should be handled in a way that enabled disposal or destruction in case of war or similar conditions. This was interpreted by many to mean that personal data held for the public administration could not be transferred out of Denmark, as it would not be possible to delete such data in the event of war. In the new Data Protection Act, the war rule has been changed into a mandate for the Minister of Justice to lay down rules requiring that personal data processed in specific IT systems, which are held for the public administration, may be kept in whole or in part only in Denmark. In principle, this entails that the Danish Ministry of Justice should maintain a negative list of specific IT systems used within the public administration, which should be kept in Denmark. As of November 2018, such a negative list has not yet been published, but is expected soon. At present, it is therefore very uncertain to what degree personal data processed for the public administration may be stored in the cloud.

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

Following the EU’s attempts to harmonise cybersecurity laws and regulations across the EU, the rest of the member states within the EU are likely to have the same or similar laws and regulations as Denmark in respect of cybersecurity. Generally, Danish law will apply to a foreign organisation if the organisation can be considered to be established in Denmark.

This will generally be the case when the organisation has some form of permanent establishment. If Danish law applies, the regulatory requirements will be the same for foreign organisations.

Further, in respect of data privacy, the Danish Data Protection Act will apply to processing performed by foreign organisations if the processing concerns supply of products or services to Danish citizens or monitoring the behaviour of Danish citizens, when their behaviour takes place in Denmark.

Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes. The Danish Centre for Cyber Security and the Danish Agency for Digitisation have published numerous guidelines relating to IT security and managing cybersecurity threats, all of which are available on the authorities’ respective websites. The guidelines are voluntary for private companies and are in some cases compulsory for public authorities. Examples of these guidelines include (not a full list):

  • Guides from the Danish Agency for Digitisation:
      • Guide to IT preparedness planning;
      • Guide to awareness on information security;
      • Guide to planning of IT security implementation;
      • Guide on which requirements to impose on suppliers in relation to information security;
  • Guides from the Danish Centre for Cyber Security:
      • Guide on securing mobile devices;
      • Guide on reducing the risk of false emails;
      • Guide on reducing the risk of ransomware;
      • Guide on how to avoid DNS amplification attacks;
      • Guide on enhancing the security of mainframe installations;
      • Guide on IT security when travelling; and
      • recommendations on enhancing the security of IT operations outsourced by the public sector.

The guides are available (only in Danish) via https://en.digst.dk/ (the Agency for Digitisation) and https://fe-ddis.dk/cfcs/publikationer/Pages/publikationer.aspx (the Danish Centre for Cyber Security).

How does the government incentivise organisations to improve their cybersecurity?

The government in Denmark does not incentivise organisations to improve their cybersecurity by providing financial support or otherwise providing organisations with financial benefits. Rather, the government issues guidelines and provides assistance to small and medium-sized companies with assessing their level of cybersecurity.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

There are no designated main industry standards and codes of practice promoting cybersecurity in Denmark. Rather, guidance has appeared piecemeal and is issued by different government authorities depending on the scope of the specific guideline. See question 13.

Are there generally recommended best practices and procedures for responding to breaches?

Denmark has not adopted any specific source of best practices and procedures for responding to data breaches.

However, companies and organisations may be required to notify data subjects or authorities in case of a data breach pursuant to the data protection and cybersecurity legislation. See question 28.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Generally, there are no broad legal or policy incentives for voluntary sharing of information about cyberthreats in Denmark as such.

The Danish Centre for Cyber Security encourages companies and organisations to report cybersecurity incidents via the centre’s voluntary notification scheme even in cases where the company or organisation is not subject to a legal requirement to report the incident. The background for this voluntary reporting scheme is, according to the Danish Centre for Cyber Security, that increased notification from a wide range of business sectors will make the Centre for Cyber Security better able to provide advice and assistance in connection with cyberthreats. To encourage voluntary reporting, such cases are exempt from the right of access to documents under Danish law.

In respect of data breaches involving personal data, data breaches that are reported to the Danish Data Protection Agency are made public on the agency’s website.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The government and the private sector cooperate through ad hoc sector-specific bodies formed by the government and, to some extent, through formal and informal networks to develop cybersecurity standards and procedures.

Each year, the Danish government publishes a ‘National Strategy for cyber- and information security’, which describes the measures and initiatives that the government plans to carry out in the coming year. In the latest report, the government announced that it would form sector-specific units for each of the sectors of vital importance to the society. These sector-specific units are intended to contribute to the implementation of sector-specific threat assessments, surveillance, preparedness planning, security implementation and knowledge sharing.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Yes, insurance for cybersecurity breaches is available in Denmark and is becoming more and more frequently used.

Enforcement

Regulation

Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

The Danish Data Protection Authority is responsible for overseeing and enforcing the requirements under the GDPR and the Danish Data Protection Act.

Which regulatory authority is responsible for overseeing and enforcing the requirements for operators of essential services following from the NIS Directive and the implementing acts depends on the sector of the operator in question.

In respect of the telecommunications sector, the Danish Business Authority is the responsible authority for overseeing and enforcing the Danish Telecommunications Act.

In respect of the financial sector, the responsible authority for enforcing cybersecurity rules depends on the subject matter of the case. However, the primary responsible authorities are the Financial Business Authority, the Danish Business Authority and the Danish Centre for Cyber Security.

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

The Danish authorities have varying powers to monitor compliance, conduct investigations and prosecute infringements depending on which authority is competent in a given case.

The Danish Data Protection Agency is authorised to carry out planned as well as ad hoc investigations of the premises of any company, organisation, public authority or other body acting as a data controller or data processor. In this regard, the Danish Data Protection Agency may, among other things, require any information that it deems necessary to perform its investigation as well as gain access to any premises of a data controller or data processor.

The Net Security Services under the Danish Centre for Cyber Security can, under certain circumstances, process package and traffic data from authorities without a court order.

What are the most common enforcement issues and how have regulators and the private sector addressed them?

There have only been a few cases where those responsible for cyberattacks have been prosecuted, and no high-profile cases have been subject to prosecution. The most common enforcement measures are the investigations conducted by the Danish Data Protection Agency. Before the entry into force of the GDPR, the Danish Data Protection Agency often made use of the power to issue an enforcement notice against the data controller or data processor being the subject matter of the case, in which the Data Protection Agency would order the party in question to remedy the non-compliance with data protection legislation. The highest fine given under the previous legislation for violations of data protection legislation was 25,000 kroner for sale of a customer database. The Danish Data Protection Agency has not issued any fines yet under the GDPR; however, it is expected that the level of fines will increase. The Danish Data Protection Agency has traditionally been viewed as having a cooperative approach, and following the entry into force of the GDPR, the agency has stated that it intends to continue with this approach.

Penalties

What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

Companies and other legal entities are under Danish law punishable according to Chapter 5 of the Danish Criminal Code.

Breaches of the requirement under the GDPR and the Danish Data Protection Act to establish adequate technical and organisational security measures are punishable by prison of up to six months or a fine of up to €10 million, or in the case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Further, failure to comply with any laws and regulations aimed at preventing cybersecurity breaches is punishable by a fine. This includes failure to comply with the provisions of, among others, the Danish Telecommunications Act, the laws implementing the NIS Directive for providers of essential services, the Danish Act on Payment Services and the Danish Financial Business Act.

The failure to comply with the Danish Financial Business Act may in certain circumstances also be punishable by imprisonment.

What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

Failure to comply with the reporting obligations under the GDPR and the Danish Data Protection Act is punishable by prison of up to six months or a fine of up to €10 million, or in the case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Failure to comply with the reporting obligations under the laws implementing the NIS Directive is equally punishable by a fine.

How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

Anyone, whether a natural person or a legal entity, who has suffered damage as a result of another person or organisation’s acts or omissions can claim compensation for the damage suffered from the responsible party. That applies equally for claims relating to violations of cybersecurity laws or regulations. To succeed with such a claim, the injured party will, under normal circumstances, have the burden of proof that (i) the party has incurred a loss, (ii) there is a basis of liability (eg, culpa), and (iii) there is a causal link between the act or omission giving rise to the claim and the actual damage suffered.

Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

As mentioned, the NIS Directive has been implemented into Danish law via several sector-specific laws and regulations. Affected companies are required to take appropriate security measures and to notify the relevant national authorities of serious security incidents. The concrete measures to be taken are left to the discretion of the organisations themselves but should utilise the technology available, help identify risks, and prevent, detect and handle incidents to restrict the consequences of an incident. In practice, this is a requirement that companies covered by the legislation, among other things, should adopt and maintain an appropriate IT security policy.

In the financial sector, it is also a requirement that financial institutions adopt an IT security policy.

Furthermore, public authorities are required to apply ISO 27001 (see question 3), and companies within the financial sector are also subject to specific regulations (see question 6).

Pursuant to the GDPR and the Data Protection Act, appropriate technical and organisational security measures to ensure an appropriate level of security must also be implemented.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Pursuant to data protection regulation, an organisation must comply with certain documentation requirements in the event of a data breach involving personal data. As part of the documentation, the organisation shall keep all facts relating to the data breach, its effects and the remedial actions taken.

According to guidelines from the Danish Data Protection Agency, the organisation should keep documentation of the following in the event of a data breach:

  • date and time of the breach;
  • factual circumstances;
  • cause;
  • types of personal data affected;
  • consequences of the breach for the data subjects;
  • measures and remedies taken; and
  • information on whether the Data Protection Agency or data subjects were notified.

There is no specific time frame for how long a data breach log should be kept. Insofar as the breach log contains personal data, the retention requirements follow the general principles of the GDPR.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

According to the GDPR and the Danish Data Protection Act, a data controller shall notify the Danish Data Protection Agency in case of a personal data breach without undue delay, and where feasible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification must describe the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. Further, the notification must communicate contact details of the data protection officer or other contact point, describe the likely consequences of the personal data breach and describe the measures taken or proposed to be taken by the data controller to address the personal data breach. Reporting of personal data breaches to the Danish Data Protection Agency must take place via the agency’s online reporting form, which is available here: https://www.datatilsynet.dk/anmeld-brud-paa-persondatasikkerheden/.

A notification duty also applies to the data processor, who is required to notify the data controller without undue delay after becoming aware of a personal data breach.

In respect of the sector-specific cybersecurity laws and regulations implementing the NIS Directive, operators and providers are obliged to inform the relevant sector-specific authorities as soon as possible if an incident has a significant impact on the continuity of service delivery. The notification should include enough information about the incident for the competent authority to assess any possible cross-border consequences of the incident.

Further, the Danish Payments Act imposes an obligation on providers of payment systems to inform the Danish Financial Supervisory Authority in case of major operations or security incidents to the provider’s payment system. The information that should be provided to the Danish Financial Supervisory Authority follows the guidelines for reporting of major IT incidents from the European Banking Authority.

Timeframes

What is the timeline for reporting to the authorities?

In respect of data protection, data controllers are required to notify the Danish Data Protection Agency as soon as possible, and where feasible within 72 hours of becoming aware of the breach.

In respect of the sector-specific cybersecurity laws, reporting should take place as soon as possible. As the legislation implementing the NIS Directive is relatively new, practice in relation to what ‘as soon as possible’ amounts to is not firmly established. However, compared with the notification requirements for payment service providers (see below), the timeline is presumably quite short. Also, see question 28.

Providers of payments systems that are subject to the Danish Payments Act are required to notify the Danish Financial Supervisory Authority of major operations or security incidents according to the following timelines. The payment service provider must submit:

  • an opening report within four hours of becoming aware of the incident;
  • a preliminary report within three business days of becoming aware of the incident; and
  • a final report within two weeks after the operation of the services was normalised.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

There are no legislative requirements in Denmark to notify others in the industry; however, failure to do so may be in violation of best practices for the industry.

If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, data controllers are required to notify the data subjects of the personal data breach without undue delay. Such notification should provide substantially the same information as is required to be reported to authorities, see question 28.

In respect of the financial sector, providers of payment systems are required to notify users of the payment system, in cases where an incident affects or may affect users of the payment services.

Update and trends

What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?

Denmark has long prided itself on being a leading country in the digitalisation of both its public and private sectors. However, the large-scale digitalisation has led to many regulatory and commercial challenges, and security breaches and cybercrime are an increasing problem for Danish authorities and businesses. It is therefore no surprise that cybersecurity has been and continues to be a major issue.

In May 2018, the Danish government released a national strategy against cyber attacks, which sets out 25 different initiatives and six goal-oriented strategies. Regulatory changes are explicitly mentioned as a key initiative of the strategy. As part of the developments, the Danish Ministry of Defence has begun work on a legislative proposal to increase the possibilities for authorities to prevent targeted cyber attacks on critical infrastructure.

The national strategy is part of a greater effort towards cyber security. Another initiative in 2018 was the establishment of a unit for cybersecurity and information. In cooperation with other key interest groups, the unit strives towards the further digitalisation of Denmark, while maintaining a strong focus on cybersecurity solutions. Practical resources such as guidelines and support tools are expected to be released in the near future.