Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes. The Danish Centre for Cyber Security and the Danish Agency for Digitisation have published numerous guidelines relating to IT security and managing cybersecurity threats, all of which are available on the authorities’ respective websites. Following the guidelines is voluntary for private companies and in some cases compulsory for public authorities. Examples of these guidelines include (not a full list):

  • Guides from the Danish Agency for Digitisation:
      • Guide to IT preparedness planning;
      • Guide to awareness on information security;
      • Guide to planning of IT security implementation;
      • Guide on which requirements to impose on suppliers in relation to information security;
  • Guides from the Danish Centre for Cyber Security:
      • Guide on securing mobile devices;
      • Guide on reducing the risk of false emails;
      • Guide on reducing the risk of ransomware;
      • Guide on how to avoid DNS amplification attacks;
      • Guide on enhancing the security of mainframe installations;
      • Guide on IT security when travelling; and
      • recommendations on enhancing the security of IT operations outsourced by the public sector.

The guides are available (only in Danish) via https://en.digst.dk/ (the Agency for Digitisation) and https://fe-ddis.dk/cfcs/publikationer/Pages/publikationer.aspx (the Danish Centre for Cyber Security).

How does the government incentivise organisations to improve their cybersecurity?

The government in Denmark does not incentivise organisations to improve their cybersecurity by providing financial support or otherwise providing organisations with financial benefits. Rather, the government issues guidelines and provides assistance to small and medium-sized companies with assessing their level of cybersecurity.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

There are no designated main industry standards and codes of practice promoting cybersecurity in Denmark. Rather, guidance has appeared piecemeal and is issued by different government authorities depending on the scope of the specific guideline. See question 13.

Are there generally recommended best practices and procedures for responding to breaches?

Denmark has not adopted any specific source of best practices and procedures for responding to data breaches.

However, companies and organisations may be required to notify data subjects or authorities in case of a data breach pursuant to the data protection and cybersecurity legislation. See question 28.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Generally, there are no broad legal or policy incentives for voluntary sharing of information about cyberthreats in Denmark as such.

The Danish Centre for Cyber Security encourages companies and organisations to report cybersecurity incidents via the centre’s voluntary notification scheme, even in cases where the company or organisation is not subject to a legal requirement to report the incident. According to the Danish Centre for Cyber Security, the background for this voluntary reporting scheme is that increased notification from a wide range of business sectors will make the centre better able to provide advice and assistance in connection with cyberthreats. To encourage voluntary reporting, such cases are exempt from the right of access to documents under Danish law.

Data breaches involving personal data that are reported to the Danish Data Protection Agency are made public on the agency’s website.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The government and the private sector cooperate to develop cybersecurity standards and procedures through ad hoc sector-specific bodies formed by the government and, to some extent, through formal and informal networks.

Each year, the Danish government publishes a ‘National Strategy for cyber- and information security’, which describes the measures and initiatives that the government plans to carry out in the coming year. In the latest report, the government announced that it would form sector-specific units for each of the sectors of vital importance to society. These sector-specific units are intended to contribute to the implementation of sector-specific threat assessments, surveillance, preparedness planning, security implementation and knowledge sharing.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Yes, insurance for cybersecurity breaches is available in Denmark and is becoming more and more frequently used.