DIGITALISATION

STRATEGY & ORGANISATION

Denmark is not ready for EU's new cyber security rules

Municipalities and SMEs still lack the skills and resources to comply with new EU rules on cyber security, leaving essential services at risk of disruption, warns CBS researcher Jan Lemnitzer.

By CBS Executive Education

Denmark is one of Europe’s most digitalised societies. Almost every part of daily life, from healthcare to transport, runs on digital systems. But being highly digital does not mean being highly secure.

“We are facing the biggest cyber threat yet, but we are not ready. The threats come from criminal ransomware groups but also from hostile state actors,” says Jan Lemnitzer, Assistant Professor at Copenhagen Business School, where he does research on European cyber security policy and the implementation of the EU’s NIS2 directive.

According to Jan Lemnitzer, Denmark’s critical infrastructure, including municipalities and medium-sized companies, is underprepared for the requirements of the EU’s new NIS2 directive – meant to strengthen cyber security in Europe.

This leaves the country at risk of being left devastated by cyberattacks, Jan Lemnitzer says.

“Some companies are already gambling that regulators won’t be ready. They are not complying.”

Jan Lemnitzer, Assistant Professor

Ransomware is a type of malware that locks or encrypts your files and systems to block access. A ransom is then demanded to restore access.

Municipalities are included, but not prepared

NIS2 expands the definition of critical infrastructure. It is no longer just large banks and energy companies that must demonstrate they can manage cyber risks.

Municipalities, bus operators, wastewater plants, and many medium-sized firms with more than 50 employees now fall under the directive.

Including municipalities makes sense, according to Jan Lemnitzer. They hold vast amounts of personal data and provide essential services in a highly digital society. But they are also among the least prepared to defend themselves, he says.

“Municipalities are now classified as critical infrastructure, which makes sense because they hold so much sensitive data and run essential services. But their cyber defences are poor. They don’t have the expertise, and they don’t have the budgets. They can’t hire top experts, and politically it would be very unpopular to take money from kindergartens to pay for DDoS defence,” says Jan Lemnitzer.

Shared responsibility delays implementation

EU countries were required to put NIS2 into national law by October 2024. Denmark, however, had delayed implementation until the summer of 2025. And enforcement will not begin for many months, creating a dangerous vacuum, Jan Lemnitzer warns.

The Ministry of Resilience has the overall authority, but the responsibility for enforcement of NIS2 will be divided between ten different sector regulators, such as the Danish Transport Authority and the Danish Veterinary and Food Administration.

The idea is that each regulator will check whether organisations in their sector manage cyber risks properly. But in practice, most lack the skills to do so, says Jan Lemnitzer.

“Who in the Food Administration is able to tell Arla that they are doing cybersecurity wrong? They do not have staff who can realistically assess whether, for example, Arla’s cybersecurity management is correct. So, the Food Administration and other regulators will end up hiring Deloitte or PwC to do it for them,” Jan Lemnitzer says.

This fragmentation and lack of expertise mean that enforcement will likely be slow and inconsistent. And as long as the rules are not enforced, many companies and municipalities will choose to wait before investing in compliance.

A Distributed Denial of Service (DDoS) attack is a cyberattack where the attacker floods a network or website with so much fake traffic that it becomes overloaded and unavailable to legitimate users.

Not just data: An attack could leave citizens without water or transport

This leaves Danish society vulnerable to cyberattacks that could disrupt daily life. Denmark’s high level of digitalisation means that a single weak link can have huge consequences.

In 2022, an IT supplier’s failure forced DSB to stop all trains in Denmark for a day, even though it wasn’t a cyberattack directed at DSB.

In December 2024, a pro-Russian cyberattack on a small water treatment plant near Køge left 50 households without water for hours after hackers manipulated pressure in the system.

“While this attack may seem small, it actually changed the national risk assessment for cyber threats, as it showed that Russian state hackers are actively targeting Danish infrastructure,” says Jan Lemnitzer.

The government’s own advice to households, asking Danes to stock up on three days’ worth of food and water, was furthermore based on scenarios involving cyberattacks against the national power grid.

“It’s not just data. A successful attack could mean no water, no trains, no mobile service. We are facing the biggest cyberthreat yet, but we are not ready. The rules are there, but if they are not enforced consistently, companies and municipalities will delay compliance. And that leaves us exposed,” Jan Lemnitzer says.

CBS launches the SUCCESS tool

Part of the challenge in implementing NIS2 is that many small and medium-sized enterprises (SMEs) and municipalities lack the in-house expertise to meet the requirements. Hiring consultants is expensive, and skilled staff are in short supply.

To bridge this gap, Jan Lemnitzer and his team at CBS are preparing to launch a new tool for SMEs during Cybersecurity Awareness Week in early October.

The SUCCESS tool is designed to help organisations without cybersecurity departments carry out the risk assessments NIS2 requires.

“Most SMEs don’t have the expertise or the budget to hire consultants. SUCCESS is an Excel based tool where you simply fill out a form. It requires no specialist training, but it helps firms carry out and document the cyber risk assessments NIS2 demands,” Jan Lemnitzer explains.

By turning research into practice, CBS hopes to help smaller organisations comply with EU rules and strengthen Denmark’s overall resilience.

“All large companies rely on hundreds of SME suppliers, but they are the weak link in cybersecurity. If SMEs can raise their cybersecurity standards, it makes a difference not just for Denmark, but for Europe as a whole.”

Jan Lemnitzer, Assistant Professor

Jan Martin Lemnitzer is Assistant Professor at the Department of Digitalization, Copenhagen Business School. He holds a MA degree from Heidelberg University and completed his PhD at the London School of Economics and Political Science.

Coming from a background in international politics and history, his research explores cyber norms and cyber security in international politics. More recently he has been focusing on business cyber security, cyber insurance and cyber security regulation (especially its implementation).

Cyberwar in Ukraine and critical infrastructure protection: what NIS2 means for you

EU Cybersecurity Regulations: leaders have had a year to get ready

“We could go from digital to stone-age society in an instant”

How to transform businesses with digital technology

Did you find this content interesting? Sign up for our newsletter and gain access to more of our research findings and events.

With the world’s grand challenges awaiting us, we need to continuously evolve, gain new knowledge and insights, and upskill.

Dive into a world of knowledge by signing up below. You will get:

Personal event invitations
Pertinent research-based insights on business and society
Information about the next intakes of our Executive Education programmes and courses

Executive MBA

CBS EMBA’s unique programme design and real-world applicability provides the platform for you to navigate a turbulent global business environment and become a leader in business who can steer your organisation to sustainable impact and success.

Learn more

Master of Business Development

The degree for those who are passionate about creating new, innovative solutions and want to take responsibility for elevating and developing the business - for those who want more.

Learn more

Digital business

No matter your job title, it’s essential to have a solid understanding of digitalization and the opportunities and challenges technology brings. This course gives you exactly that.

Learn more

Denmark is not ready for EU's new cyber security rules

“Some companies are already gambling that regulators won’t be ready. They are not complying.”

What is ransomware?

What is DDoS?

“All large companies rely on hundreds of SME suppliers, but they are the weak link in cybersecurity. If SMEs can raise their cybersecurity standards, it makes a difference not just for Denmark, but for Europe as a whole.”

About the researcher

Keep reading

Your gateway to more knowledge

Keep learning