When the Danish NIS2 Act came into force on 1 July 2025, a lot of people braced for a repeat of the GDPR spring of 2018 — the all-hands panic, the board suddenly caring, the budget appearing overnight. It didn’t come. Things stayed oddly calm.

There’s a specific reason for the calm, and it’s worth understanding, because it’s the same reason so many NIS2 programmes are quietly stuck. Denmark chose not to impose personal management liability in its transposition. Unlike the version of NIS2 that keeps executives awake in some other member states, no individual director in Denmark has their own neck on the line.

That sounds like good news. It is, in fact, the core of the problem.

Accountability abhors a vacuum — and NIS2 created one

GDPR moved because it was personal. Someone senior could imagine themselves in the headline. NIS2 in Denmark carries a serious organisational penalty — up to €10M or 2% of global turnover — but an organisational fine is an abstraction. Abstractions don’t get prioritised. They get noted.

So compliance becomes a hot potato. The CISO wants budget and can’t get the board to feel the urgency. Finance wants it done cheaply, because an abstract future fine competes badly against a concrete present cost. The board wants deniability — a folder that says “we have a NIS2 programme” — without owning the operational reality underneath it. Everyone is faintly responsible, which is the same as no one being responsible.

The controls exist on paper. Nobody owns making them operate. That gap is not a documentation problem — it’s an accountability problem.

What “compliant on paper” actually looks like

I see the same picture across regulated clients: a binder of policies that no one runs, risk-management measures with no named owner, an incident-response playbook that has never once been executed, and a supply chain nobody has actually mapped. All of it would fail the first question a supervisory authority asks — not “do you have a policy” but “show me it operating.”

The fix: manufacture the accountability the law didn’t

If the statute won’t supply personal ownership, the programme has to. That’s not a legal move; it’s a delivery move.

  • Name an owner on every control. Not a committee — a person, with a decision right. Orphan measures are where compliance goes to die.
  • Build evidence pipelines, not documents. What gets logged, by whom, reviewed how often — so “show me” has an answer that doesn’t require a weekend.
  • Rank by real exposure. Sequence the supply-chain and incident-response gaps that actually carry audit and fine risk first, and make the board choose against that ranking instead of deferring.

NIS2 didn’t give anyone in Denmark a personal reason to act. So the work is to make it someone’s actual job before an incident or an audit makes it everyone’s emergency. Compliance was never a document exercise. It’s a delivery programme wearing a legal costume — and delivery programmes need an owner.