Are Danish companies ready to comply with NIS2 requirements?

January 2024

A study carried out by the IRIS Group for Industriens Fond on Danish organizations affected by the NIS2 Directive investigated their compliance readiness.

We analyzed the survey responses they collected to understand the companies’ current level of awareness and familiarity with the Directive, the maturity of their compliance programs, and the specific requirements they are struggling with the most.

Check out the findings below!

 

Background information: What is the deadline for companies to comply with the NIS2 Directive?

Unlike EU regulations, which are directly applicable in Member States after they enter into force, EU directives must first be transposed into national law by each Member State before they become enforceable for the companies impacted. For the NIS2 Directive, the deadline for Member States to implement the corresponding national legislation is October 17th, 2024, and these local measures should then apply from the following day, October 18th, 2024.

Regardless of the specific official deadline for obliged entities to comply with the new requirements (which could vary depending on the national laws adopted in each of the entities’ locations), companies falling within the scope of NIS2 should start preparing to address the new requirements to avoid risking compliance violations (and fines).

 

What’s the NIS2 compliance maturity level of NIS2-impacted companies in Denmark?

  • Scope awareness
    22,7% of the companies interviewed are still unsure whether they fall within the scope of the Directive. This uncertainty is surprising, because all of the companies interviewed had been identified by the IRIS Group as affected by the NIS2 Directive. Thankfully, over half of the organizations surveyed are aware that they fall within the scope of the Directive. However, clearer communication and guidance may be necessary to alleviate these doubts.

  • Familiarity with requirements
    About 44% claimed to be informed or very knowledgeable about the Directive, while almost 17% of the companies participating in the study stated that they had not familiarized themselves with its requirements at all. These statistics indicate that a significant portion of Danish companies are on the right track to ensure their compliance readiness, but there is still room for improvement in terms of raising awareness and increasing understanding.

  • Compliance planning
    The study revealed that a substantial portion of obliged organizations are actively planning internal and external processes to achieve NIS2 compliance, to a high or very high extent (26,7%) or at least to some extent (30,6%). Still, a significant number of companies have yet to establish a concrete strategy.

 

What are the NIS2 requirements Danish companies are struggling the most with?

As part of the survey, the companies interviewed were asked about their compliance readiness level regarding their cybersecurity risk-management measures, as described by Article 21(2) of the Directive.

Article 21(2) lists ten elements that should be included in a company’s technical, operational, and organizational measures to manage the risks posed to the security of their IT systems and OT networks and to prevent or minimize the impact of incidents.

Additionally, the Directive requires such measures to be implemented in each impacted company using a risk-based approach, so that they are appropriate to the specific threats faced by the organization. This means that an organization’s measures should be proportionate to its size, level of exposure to risks, and likelihood of occurrence of incidents (as well as their potential severity).

When asked about their current capabilities to fulfill the requirements laid down by Article 21(2), only 29,2% of companies surveyed claimed to be ready to meet all of them. The remaining 70,8% admitted that their current measures only abide by some of them.

In particular, the requirements companies are having the most difficulty with relate to:

  • Supply chain security, including security-related aspects concerning relationships with suppliers or service providers; and
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.

 

Taking stock of the situation: Concluding insights

Offering a glimpse into how well Danish companies are prepared and mature in adhering to the NIS2 Directive, the data reveal that there are still plenty of opportunities to improve.

Although there is a degree of awareness and initial preparation in place, there is also a clear need to clarify the Directive’s scope and strengthen the understanding of its rules – especially in the areas of supply chain security and effectiveness assessment.

 

Moving forward: How to ensure NIS2 compliance readiness in your organization

While this snapshot refers to organizations based in Denmark, we can presume that a similar picture is playing out in other countries around Europe, and the world. And while impacted entities still have some time to prepare for the entry into force of the NIS2 requirements, it is advisable for OT and IT leaders and operators to start exploring the regulatory framework and planning their compliance strategy.

Companies need to proactively engage with the NIS2 Directive to protect their critical infrastructure and digital assets, thereby contributing to the overall resilience of the national and global network and information systems.

Besides, failing to achieve compliance could leave them open to the risk of facing administrative fines – as well as reputational risk, compromising their competitive positioning and market share.

 

How Secomea can help you prepare

Secomea’s solutions are up to date with the latest regulatory developments in the industry to help you achieve and maintain ongoing compliance.

We want to help you be well-prepared for a compliance inspection and ensure a smooth process that will safeguard your organization’s security and reputation.

Watch our webinar on-demand to gain essential insights and expert guidance – and reach out to learn more!
