The NIS2 deadline
you’re already past.
The Danish NIS2 Act has been in force since 1 July 2025 — the date is behind you. You’re an Essential or Important Entity, the Danish sector-specific regulations apply, and your controls exist on paper and nowhere else. If you’re a financial entity, DORA sits on top. Here’s how I’d turn paper into evidence.
What “compliant on paper” looks like.
- A binder of policies that no one operates day to day.
- Risk-management measures written, but no named owner for any of them.
- Supply-chain risk un-mapped — you can’t list your critical ICT third parties.
- An incident-response playbook nobody has ever run.
- No evidence you could hand a regulator tomorrow.
- Compliance is everyone’s job, which means it’s no one’s.
Map → Own → Operate.
NIS2 stalls when it’s scoped as a document exercise. The fix is to map against the actual Danish obligations, put a name on every control, and sequence the work by real exposure — then produce evidence a supervisor would accept. Click through each phase.
Gap to obligation
Map against the actual Danish obligations — then triage by real exposure.
What I do
- Map the gap against the Danish sector-specific regulations, not the generic directive.
- Confirm your classification — Essential vs Important — and what that actually obliges.
- For financial entities, overlay DORA’s ICT-risk and third-party requirements.
- Rank every gap by audit and fine exposure, not by ease.
The political read
- Denmark left personal management liability out of its transposition — so no one’s neck is on the line, and urgency has to be manufactured.
- Compliance is the hot potato: the CISO wants budget, Finance wants it cheap, the board wants deniability.
- A ranked, exposure-based list is how you make the board choose instead of defer.
Assign ownership
Turn paper controls into an operating programme with named owners.
What I do
- Put a named owner and a decision right on every control — no orphan measures.
- Build the evidence pipelines: what gets logged, by whom, reviewed how often.
- Stand up governance with a real cadence, not a quarterly slide.
- Map and onboard critical ICT third parties into the supply-chain controls.
The political read
- Named ownership is the whole game — it converts “compliance” from theatre into accountability.
- Expect resistance from anyone who preferred the ambiguity; make the RACI explicit.
- Tie ownership to existing roles, not a new committee no one attends.
Operate & prove
Produce continuous evidence a supervisor would accept.
What I do
- Stand up the incident-reporting path against Art. 23 timelines and test it for real.
- Prove continuous monitoring with evidence that’s generated, not assembled the night before.
- Close the supply-chain and highest-exposure gaps first, in sequence.
- Rehearse the supervisory conversation — can you show it, not just claim it?
The political read
- Evidence quietly removes deniability — which is exactly why it’s resisted, and exactly why it matters.
- A tested incident path is worth more than a perfect untested policy.
- “Show me” beats “trust me” in front of a regulator every time.
From “compliant on paper” to demonstrably operating — evidence a regulator would accept, owned by the business rather than the binder, with the highest-exposure gaps closed first.
Not your situation? Try another.
Compliant on paper, exposed in practice?
If NIS2 or DORA is in force and your controls only exist in a binder, I can help make them operate. Interim or freelance, via broker or direct. References from previous clients available on request.
Discuss an assignment →