Cybersecurity and Resilience

Our advice on cybersecurity and resilience is seamlessly combined with specialised legal expertise and technical and commercial knowledge of organisation and society

ADVICE ON CYBERSECURITY AND RESILIENCE

Our lawyers and advisors in the area of cybersecurity and resilience assist our clients in achieving compliance with cybersecurity legislation, for example the NIS2 Directive, the DORA Regulation and the CER Directive. We also help organisations with cybersecurity in IT and technology projects by, for example, setting cybersecurity requirements for suppliers or in contract negotiations. Finally, we help our clients manage security breaches, both internally and externally in respect of business associates, to minimise the consequences of cyberattacks.

CYBERSECURITY AND RESILIENCE IN PRIVATE AND PUBLIC ORGANISATIONS

Cybersecurity is crucial for mitigating the risk of cyberattacks, both in private and public organisations. Security breaches may lead to production shutdown and reputational damage as well as fines and liability in damages. It is crucial in our digitalised and data-driven society to be in control of security, but also to be able to provide documentation of digital security to business associates and authorities. Moreover, cybersecurity for organisations is complex and requires that various specialists in information security and IT security work together to find the solutions that best support the organisation.

A TRUSTED PARTNER - LEGAL AND COMMERCIAL SECURITY ADVICE 

Our lawyers and advisors are cybersecurity experts, and our experience is based on many years of working with IT security in organisations in the private sector and for the largest IT clients in the public sector such as the Danish Armed Forces, the Danish National Police and the Danish Agency for Digital Government.

We help organisations identify their information and cybersecurity needs and assist with planning and executing security projects that protect both the organisation and its data.

STRENGTHEN YOUR CYBERSECURITY AND RESILIENCE WITH SPECIALISED LEGAL ADVICE

Cybersecurity has become an inevitable part of modern business strategies. With the increasing threat of cyberattacks that can paralyse essential sectors, it is crucial for organisations to implement robust security measures to protect their network and data. Effective cybersecurity requires a combination of advanced technologies, continuous monitoring and thorough training of employees so that they can recognise and respond to potential threats in time.

Our advice includes risk assessments based on international standards such as ISO27005, ISO29134 and SANS CIS Risk Assessment Method so that organisations get a structured approach to the threat landscape. We also ensure that security requirements in contracts comply with recognised frameworks such as ISO27001 and SANS CIS Critical Security Controls, and we negotiate with suppliers to ensure optimal terms.

Regulatory compliance is a key part of our work, and we advise on compliance with the NIS2 Directive as well as the DORA Regulation and the CER Directive, always based on our tested concepts.

If any disputes relating to cybersecurity should arise, we assist with legal expertise and dispute resolution. We also advise on cybersecurity in public tender proceedings and assist organisations in the event of a security breach or a cyberattack, including incident response and crisis management.

With a combination of legal expertise and extensive technical knowledge of cybersecurity, we help our clients navigate a complex threat landscape and make sure that they have a strong digital line of defence.

WHAT IS THE NIS2 DIRECTIVE?

The NIS2 Directive is about securing network and information systems, meaning hardware, software and services that make it possible to process and exchange data digitally. These systems form the backbone of any organisation working digitally.

How will the NIS2 Directive affect your organisation?

The NIS2 Directive is a milestone in the efforts by the EU to maintain and strengthen IT security across Member States. The Directive is the EU's updated legislation on cybersecurity and it came into force in 2023 as a continuation of the original NIS Directive from 2016.

The updates were necessary due to the rapidly changing digital threats in and against Europe, and in that connection the NIS2 Directive is a key part of the strategy to increase protection against such threats. The objective of the Directive is to strengthen the overall cybersecurity of the EU by setting stricter standards for sectors that are crucial to society, for example energy, health, transport and finance.

To achieve this, the NIS2 Directive requires that Member States establish relevant computer security incident response teams. In addition, organisations in the critical sectors are under an obligation to implement increased security measures and report serious cybersecurity incidents. The Directive stresses the need for a harmonised approach to cybersecurity to protect EU citizens and EU economic interests in an increasingly digitalised world.

What is the scope of the NIS2 Directive?

With the NIS2 Directive, the objective of the EU is to protect IT security and infrastructure in the EU against cyber threats and cybercrime at the essential and important entities, public and private, that provide services critical to society.

Limited liability companies are in the scope of the NIS2 Directive if they have more than 50 employees, an annual turnover and/or balance sheet total of more than EUR 10 million and operate in certain sectors.

Public authorities are in the scope of the NIS2 Directive regardless of size if they are a State authority.

What are the requirements of the NIS2 Directive for organisations?

The current situation in many organisations is that the IT department is responsible for the organisation's IT security. In theory, top management can fulfil their responsibility by employing an IT manager or a Chief Information Officer in that position.

The NIS Directive places the security responsibility with the service provider and the NIS2 Directive tightens this responsibility by making the management directly responsible for IT security. The management is to approve and monitor cybersecurity measures, and members of management are expected to update their knowledge through relevant courses.

No specific training guidelines have yet been determined.

The management is responsible for the following regardless of whether the organisation is a limited liability company or a public authority:

•    Approval of measures to manage cybersecurity risks;

•    Supervision of the execution;

•    Attending courses to ensure that the management gains sufficient knowledge and skills concerning cybersecurity risks;

•    Ensuring implementation of the initiatives necessary to comply with the NIS2 Directive.

The management of limited liability companies may be held liable for misconduct (see the Danish Companies Act and sector-specific legislation) and for violations (see the NIS2 rules; administratively and possibly under civil and criminal law, depending on the implementing legislation), and may on such basis be prohibited from exercising any management functions in the company (see the NIS2 rules).

The management of public authorities may also be held liable for violations (see the NIS2 rules). In addition, they may be held liable for misconduct under sections 155, 156 and 157 of the Danish Criminal Code and the Danish Public Servants Act, under a collective agreement and/or under contracts.

Members of the Danish Parliament, regional councils and municipal councils are, however, exempted, as the Danish Act on Ministerial Accountability (ministeransvarsloven), the Danish Act on the Management of Municipalities (kommunestyrelsesloven) and the Danish Act on Regions (regionsloven) apply to this area instead.

Increased supervision requirements under the NIS2 Directive

The NIS2 Directive increases the number of general IT security requirements. More management involvement and supervision, better risk management and improved security measures are expected. In connection with supervision, you must be able to document that risk assessments are carried out on an ongoing basis and that you have implemented adequate security in respect of the risks, threats and vulnerabilities in the area of IT security. Enforcement, sanctions and a notification obligation also come into play.

What happens if organisations do not comply with the NIS2 Directive?

Organisations risk fines of up to 2% of their annual turnover. Further sanctions may include warnings, orders, prohibitions, publication of offences or an order that the organisation appoint a compliance officer.

Exactly how these measures are enforced depends on how the NIS2 Directive is implemented in national legislation.

How best to prepare for the NIS2 Directive

It will be a time-consuming and resource-intensive process to implement the requirements of the NIS2 Directive to a satisfactory degree in your organisation. It is a task that will involve your management, security, IT and legal functions, and your customers will probably require that you have taken sufficient steps in good time. We therefore recommend that you start ensuring compliance with the NIS2 Directive as soon as possible.

Our team of experts is already hard at work on NIS2 Directive projects for several clients from a wide range of affected sectors. For example, we could start by making a gap analysis in respect of the requirements of the NIS2 Directive for your organisation and then contribute a suitable implementation plan for increased cybersecurity.

THE DORA REGULATION TIGHTENS THE REQUIREMENTS AS TO CYBERSECURITY AND MANAGEMENT LIABILITY 

What can the management be held liable for if the requirements of the DORA Regulation are not complied with?

•    Violations, see the DORA Regulation.

•    Misconduct, see the Danish Companies Act (selskabsloven) and the Danish Financial Business Act (lov om finansiel virksomhed).

The supervisory authority may be given more powers but must have at least the following:

•    Orders to stop the conduct and refrain from repeating it.

•    A temporary or permanent order against practice or conduct.

•    Any measure including a financial measure to ensure that the organisation complies with its obligations.

•    Sending out public notifications, including public statements revealing the identities of the management and the nature of their violations.

MEET OUR CYBERSECURITY AND RESILIENCE SPECIALISTS

If you need certified specialists who have both strong legal skills and a practical understanding of cybersecurity, please contact our team of specialists and lawyers. Cybersecurity is crucial for the success of your organisation and it is often a good business case to be in control of security.