Interactive playbook · NIS2 / DORA

The NIS2 deadline
you’re already past.

The Danish NIS2 Act has been in force since 1 July 2025 — the date is behind you. You’re an Essential or Important Entity, the Danish sector-specific regulations apply, and your controls exist on paper and nowhere else. If you’re a financial entity, DORA sits on top. Here’s how I’d turn paper into evidence.

What “compliant on paper” looks like.

  • A binder of policies that no one operates day to day.
  • Risk-management measures written, but no named owner for any of them.
  • Supply-chain risk un-mapped — you can’t list your critical ICT third parties.
  • An incident-response playbook nobody has ever run.
  • No evidence you could hand a regulator tomorrow.
  • Compliance is everyone’s job, which means it’s no one’s.

Map → Own → Operate.

NIS2 stalls when it’s scoped as a document exercise. The fix is to map against the actual Danish obligations, put a name on every control, and sequence the work by real exposure — then produce evidence a supervisor would accept. Click through each phase.

Gap to obligation

Map against the actual Danish obligations — then triage by real exposure.

What I do

  • Map the gap against the Danish sector-specific regulations, not the generic directive.
  • Confirm your classification — Essential vs Important — and what that actually obliges.
  • For financial entities, overlay DORA’s ICT-risk and third-party requirements.
  • Rank every gap by audit and fine exposure, not by ease.

The political read

  • Denmark left personal management liability out of its transposition — so no one’s neck is on the line, and urgency has to be manufactured.
  • Compliance is the hot potato: the CISO wants budget, Finance wants it cheap, the board wants deniability.
  • A ranked, exposure-based list is how you make the board choose instead of defer.
Tools engaged Gap-to-obligation mapping Danish sector regulations DORA overlay Exposure ranking
Outcome

From “compliant on paper” to demonstrably operating — evidence a regulator would accept, owned by the business rather than the binder, with the highest-exposure gaps closed first.

Compliant on paper, exposed in practice?

If NIS2 or DORA is in force and your controls only exist in a binder, I can help make them operate. Interim or freelance, via broker or direct. References from previous clients available on request.

Discuss an assignment →