New draft bill on the Danish implementation of NIS 2 in the telecommunications sector
Written By
Partner
Denmark
I am a partner in our international Tech & Comms Group in Denmark, with extensive experience in IT, technology, telecommunications and assisting companies internationally.
Associate
Denmark
I am an associate in our Danish Tech & Comms team, where I advise national and international clients on IT and telecommunications law.
This article reviews the main elements of the new draft bill on security and preparedness in the telecommunications sector, which aims to implement the NIS 2 Directive and is expected to enter into force on 1 July 2025. The objective is to provide an overview of the key aspects of the draft.
Summary of conclusions:
- Integration of existing security requirements and close alignment with NIS 2:
The draft incorporates existing national provisions, such as rules on emergency communication and employee security clearance, and implements the requirements of NIS 2 in a manner closely aligned with the directive. It does not impose additional obligations on the telecommunications sector beyond those specified in the directive. - Adjusted scope of application:
The draft introduces three categories of telecommunications providers, instead of the two outlined in the directive, with differing criteria and minimum thresholds. This is intended to ensure a more proportionate approach consistent with existing Danish telecommunications regulations. Providers with limited telecommunications activities are exempt from most NIS 2 requirements. - Definitions and inclusion of NI-ICS:
The draft introduces new definitions and classifications compared to existing legislation but does not explicitly clarify how number-independent interpersonal communication services (“NI-ICS”) are covered. While indications suggest their inclusion, the lack of explicit clarification creates some uncertainty.
In mid-December 2024, the Ministry of Civil Preparedness and Emergency Management published the draft bill on security and preparedness in the telecommunications sector for consultation (accessible here). The draft aims to implement Directive (EU) 2022/2555 (“NIS 2”) in the Danish telecommunications sector and represents the final piece of Denmark’s overall implementation of the NIS 2 Directive.
Sector-specific implementation of NIS 2 and integration with existing requirements
In Denmark, the NIS 2 Directive is being implemented through a dual approach:
- A general NIS 2 law titled the “act on measures to ensure a high level of cybersecurity”, which applies to most sectors.
- Sector-specific legislation for areas like energy, finance, and telecommunications, reflecting the extensive pre-existing regulations in these sectors.
The telecommunications sector is therefore excluded from the scope of the general NIS 2 law, except for public providers (e.g., municipalities). Instead, the sector will be regulated under this draft bill, which accounts for existing national requirements and rules.
The telecommunications sector is already subject to extensive security requirements that go beyond the standards set out in NIS 2. For example, the sector is governed by rules on emergency communication and employee security clearance.
To maintain these national provisions, the draft integrates existing regulations, particularly those under the Danish act on security of networks and services, with the new NIS 2 requirements. Cybersecurity obligations and reporting requirements under NIS 2 are implemented closely in line with the directive, ensuring no stricter or additional rules are imposed on the sector. This approach ensures that no extra operational requirements are added beyond what is mandated by NIS 2, although with the mandate for specific requirements to be set out in secondary legislation.
Adjusted scope of application
A central feature of the draft bill is its proposed scope of application, which differs from the framework established by NIS 2. The directive stipulates that all providers of public electronic communications networks and services, regardless of their size, fall within its scope and distinguishes between two categories: “essential” and “important” entities. These categories determine the extent of oversight and sanctions applied to each provider.
In contrast, the Danish draft introduces three categories of telecommunications providers:
| Classification | Criteria | NIS 2 requirements |
| Essential providers |
Providers whose activities in public electronic communications networks/services constitute their primary or non-accessory activity, and who meet:
|
Subject to all NIS 2 requirements, including stricter oversight and tougher sanctions. |
| Important providers | Providers whose activities meet the above description but do not fulfill one of the size thresholds above. | Subject to all NIS 2 requirements, but with lighter oversight and more lenient sanctions than essential providers. |
| Other providers | Providers not meeting the above criteria. | Only subject to NIS 2 requirements related to incident reporting. |
This classification deviates from both NIS 2 and the existing definitions under the Danish act on security of networks and services, which currently distinguishes between various types of providers, including providers of NI-ICS.
Considerations for applying additional thresholds
The draft includes an additional criterion: providers are only considered "essential" or "important" if public electronic communications networks or services are their primary or non-accessory activity.
According to the draft's explanatory notes, this is consistent with the current definition of "commercial providers" in the Danish act on security of networks and services and should be interpreted in the same spirit.
This criterion deviates from NIS 2, which does not require such thresholds based on the scale or commercial nature of activities. The Danish approach aims to ensure proportionality, avoiding scenarios where entities like housing associations, hotels, or cafés are subjected to full NIS 2 obligations. This approach aligns with principles in current Danish telecommunications legislation.
It is noteworthy that this additional threshold is not included in the draft for the general Danish NIS 2 law, suggesting it is specific to the telecommunications sector. Therefore, similar exceptions do not appear to apply to entities like small-scale cloud computing service providers, which remain within the scope of NIS 2 in Denmark.
Application to number-independent interpersonal communication services (NI-ICS)
The draft introduces some ambiguity regarding the inclusion of NI-ICS. Under the existing Danish act on security of networks and services, general providers and NI-ICS providers are defined separately, with their respective obligations clearly delineated. However, these distinctions have not been carried over into the draft, creating uncertainty about how NI-ICS providers are to be treated under the new framework.
The definition of "provider" has been adopted verbatim from the current act on security of networks and services, with one notable exception: the explicit exclusion of NI-ICS providers has been removed. Contrary to the approach under the current law, this omission suggests that NI-ICS providers may now fall under the general definition of "provider," unless they are specifically excluded elsewhere. Several factors support this interpretation:
- NIS 2 explicitly references NI-ICS in recital 96.
- Provisions in the existing Danish law applicable to NI-ICS are largely retained.
- The draft's explanatory notes specify that certain supervisory powers do not apply to NI-ICS providers, by implication suggesting that they are included under other provisions of the draft.
However, a definitive statement confirming the inclusion of NI-ICS providers as telecommunications providers under the new draft is missing, creating some uncertainty.
Key dates
The draft bill outlines two critical dates for the implementation of NIS 2 in the telecommunications sector:
- July 1, 2025: The law is proposed to take effect, with no additional transitional period.
- October 1, 2025: The deadline for providers to register with the relevant authorities as required under NIS 2.
Next steps
The draft bill is open for consultation until January 9, 2025, and is expected to be formally introduced to Parliament in February 2025.
