New legislation to strengthen preparedness in the energy sector
The energy sector emergency response regulation aims to ensure that the sector is sufficiently prepared to protect and maintain the energy supply in the event of natural, man-made and technological risks.
New legislation to strengthen Denmark’s security of supply
The energy sector is regulated by sector-specific emergency preparedness legislation designed to increase resilience and emergency preparedness against natural, man-made and technological threats to Denmark’s energy supply:
- Act on Strengthened Preparedness in the Energy Sector (in Danish)
- Executive Order on Resilience and Emergency Preparedness in the Energy Sector (Unofficial English translation)
- Executive Order on Fees under the Act on Strengthened Preparedness (in Danish)
Currently, the energy sector faces significant and elevated threats from cyberattacks and espionage. Furthermore, the sector is undergoing major transformations driven by the green transition and digitalisation.
Legislation in this area focuses on preventing and responding to incidents that threaten the energy supply. This is primarily achieved through regulations on organisational preparedness, physical security and cybersecurity for companies in the energy sector. It applies to companies involved in the supply of electricity, gas, oil, district heating, district cooling and hydrogen.
The new legislation also modernises the existing emergency preparedness regulations for the energy sector. It introduces new requirements for companies' physical security, cybersecurity and organisational preparedness to ensure high levels of resilience. For example, there are stipulations regarding where network and information systems critical to the energy supply can be operated and accessed remotely, as well as requirements for the preparation of risk and vulnerability assessments in the procurement, design and establishment of energy infrastructure. The legislation also mandates alarms for responding to intrusions and increased network security, including network partitioning to minimise the spread of cyberattacks. Furthermore, the requirements will vary depending on the criticality of the company's supply.
The legislation implements Directive (EU) 2022/2557 of the European Parliament and Council of 14 December 2022 on the resilience of critical entities (repealing Council Directive 2008/114/EC) and Directive (EU) 2022/2555 of the European Parliament and Council of 14 December 2022 on measures to ensure a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (the NIS 2 Directive).
In addition to implementing the NIS 2 and CER directives, the legislation introduces several supplementary requirements for companies' preparedness to prevent and respond to incidents that threaten the energy supply.
Useful tools
The Danish Energy Agency is developing several tools to help clarify the requirements that energy companies must comply with under the Executive Order on Resilience and Emergency Preparedness in the Energy Sector. The first one, which outlines the key requirements, is provided below:
Tool 1: An overview of requirements for companies based on their classification levels 1 to 5.
Tool 2: An overview of requirements for company facilities based on the five classification categories.
Frequently Asked Questions on Emergency Response Regulation
The FAQs will be continuously updated and expanded. A more detailed list of questions and answers is available on the Danish website.
The Danish Energy Agency classifies companies subject to Executive Order No. 260 of 6 March 2025 on Resilience and Preparedness for the Energy Sector into five categories, based on the threshold values set out in Annex 1 of the Executive Order, titled 'Tables of Threshold Values for the Classification of Companies'. This is outlined in Section 4 of the Executive Order.
A company’s classification determines the specific requirements in the Executive Order that must be met, as well as the applicable fee, in accordance with the Executive Order on the Danish Energy Agency’s Fees under the Act on Strengthened Preparedness in the Energy Sector (No. 261 of 6 March 2025).
Company classification is based on data available to the Danish Energy Agency. If this classification does not reflect your own data on the amount of energy your company processes — and this results in a different classification — please notify us separately by emailing beredskab@ens.dk.
On 7 March 2025, the Danish Energy Agency sent a classification letter, along with a welcome letter, via digital post to the company’s CVR number. These letters provided important information regarding the commencement of emergency response regulations in the energy sector and included instructions for submitting contact details for emergency response roles and data for classification, in accordance with Section 9 of Executive Order No. 260 on Resilience and Emergency Preparedness in the Energy Sector. The submission deadlines are 1 April 2025 and 1 May 2025, respectively.
If no corrections to your data are received by 1 May 2025, the company’s classification will remain in effect from that date until the next category update.
For further details on the specific categories for different types of supply, see Chapter 2 of the Executive Order and the relevant annex.
Executive Order on Resilience and Emergency Preparedness in the Energy Sector.
Under Section 11 of the Executive Order on Resilience and Preparedness in the Energy Sector, companies are required to appoint an emergency coordinator and a cyber coordinator. Companies with facilities classified in categories 4 and 5 must also appoint one or more security coordinators.
Companies must provide the Danish Energy Agency with up-to-date contact information for the individuals appointed to these coordinating roles.
The Emergency Coordinator
The emergency coordinator is responsible for overseeing the company’s emergency preparedness planning. This includes contributing to the preparation of risk and vulnerability assessments in accordance with Section 18 and emergency response plans under Section 19. The appointed coordinator typically has in-depth knowledge of the company and, in some cases, close ties to its operational activities. The coordinator also participates in inspections.
The Cyber Coordinator
The cyber coordinator is responsible for cybersecurity related to the company’s supply-critical networks and information systems. The cyber coordinator is tasked with coordinating security measures for the company’s networks and information systems and with leading the development of emergency response plans for these systems.
The Security Coordinator
The appointment of a security coordinator is only required for the largest companies operating facilities classified in categories 4 and 5.
The coordinator is tasked with coordinating physical security within the company and at its facilities. It is important to note that the Executive Order allows for the appointment of multiple security coordinators, which may be relevant for companies with a large number of facilities. In such cases, the appointed security coordinators must jointly coordinate the necessary measures at the company’s category 4 and 5 facilities.
Cooperation between the Emergency, Cyber and Security Coordinators
The emergency coordinator, cyber coordinator and security coordinator must coordinate across their respective areas to ensure that the company’s emergency preparedness is planned based on a comprehensive risk picture.
These coordinators must meet with the company’s management body four times per year to assess organisational preparedness, physical security and cybersecurity.
It is worth noting that participation in these meetings does not necessarily require the most senior level of management. In practice, attendance by members of the executive board has generally been considered sufficient. This practice will be formally clarified in the next amendment to the Executive Order.
The emergency coordinator and the cyber coordinator also serve as the primary points of contact for the Danish Energy Agency in matters related to the supervision and processing of the company’s emergency preparedness documentation.
Companies at levels 4 and 5 must not appoint the same individual as both emergency coordinator and cyber coordinator, nor may this individual also be a member of the company’s management body that approves risk assessments and emergency response plans pursuant to Section 10. This requirement is stipulated in Section 11(6) of the Executive Order. However, overlap between the management body and the security coordinator is permitted.
Resilience and preparedness fall under the responsibilities of management. The Executive Order on Resilience and Preparedness sets specific requirements for managers, as well as members of boards of directors or executive boards, in companies and authorities covered by the Order.
Question 1: How does the Executive Order define the concept of management?
The Executive Order on Resilience places requirements on the management body of companies (Section 10).
The management body is defined as either the central management body, as outlined in the Danish Companies Act, or the management defined in the LEV Act, depending on the company’s legal structure. (The LEV Act refers to the Act on Strengthened Preparedness in the Energy Sector – Lov om styrket beredskab i energisektoren).
Who constitutes the management body shall be understood in accordance with the definitions of “the central management body” in Section 5, no. 4 of the Danish Companies Act and “management” in Section 4a, no. 2 of the LEV Act, respectively.
According to the Companies Act, the central management body is:
- The board of directors in companies that have both a management board and a board of directors.
- The management board in companies that have only one management board.
- The management board in companies that have both a management board and a supervisory board.
In the LEV Act, “management” means members of a board of directors, executive board or a similar management body.
The relevant definition of the management body depends on the company’s legal form. The Companies Act applies only to public limited companies and private limited companies, whereas the LEV Act applies to commercial enterprises not covered by the Companies Act, such as sole proprietorships, partnerships, limited partnerships, cooperatives and foundations or associations with commercial activities.
It is for each company to determine whether its company structure falls under the Companies Act or the LEV Act.
Question 2: What responsibilities does management have for overseeing the emergency response?
The management body is responsible for determining the company’s risk management and preparedness. This responsibility extends the board of directors’ duties related to risk management under Section 115 of the Companies Act and is comparable to the board’s role in managing financial and non-financial risks, such as operational and technological risks. Therefore, the management body’s tasks regarding risk management and preparedness align with its broader risk oversight responsibilities, requiring it to assess and control the risks faced by the company or organisation.
Under Section 10, the management body must approve:
- Risk and vulnerability assessments in accordance with Section 18.
- Risk assessments related to projects submitted to the Danish Energy Agency pursuant to Section 28(1).
- Emergency plans as specified in Section 19.
Pursuant to Section 11(5), the management body must:
- Meet at least four times per year with the emergency preparedness coordinators—the emergency coordinator, cyber coordinator and security coordinators—to review and take a position on the company’s organisational preparedness, physical security and cybersecurity. Official minutes of the meetings are to be documented and retained.
- Evaluate and determine an appropriate level of security for the company’s network and information systems, as well as physical security, based on the company’s risk exposure and the societal importance of its services. This includes making strategic decisions on which protective measures to implement and when the level of protection is sufficient.
It is worth noting that participation in these meetings does not necessarily require the most senior level of management. In practice, attendance by members of the executive board has generally been considered sufficient. This practice will be formally clarified in the next amendment to the Executive Order.
Question 3: How is management expected to follow through on decisions related to the company’s risk and emergency preparedness measures?
The company’s management body is responsible for overseeing the implementation of decisions based on risk and vulnerability assessments, including mitigation measures related to cybersecurity and facility resilience outlined in the emergency plans.
Management must ensure that these security measures are effectively implemented and achieve their intended outcomes. This follow-up can be conducted through various methods, such as regular management reports that provide updates on strategic objectives, action plans and key performance indicators related to cyber and information security.
Additionally, the management body can establish processes for internal or external reviews of the company’s resilience and preparedness requirements. The findings from these reviews must be reported back to management.
Question 4: What training and awareness requirements does the Executive Order on Resilience and Preparedness impose on management and employees?
Section 24 of the Executive Order on Resilience and Preparedness requires members of a company’s management body to participate in relevant training or courses related to organisational preparedness, physical security and cybersecurity.
While the Executive Order does not prescribe specific formats or course content, this requirement should be understood in light of the management body’s responsibilities under Section 10, to assess risks and ensure that adequate preparedness measures are in place.
The training aims to equip management with the knowledge and skills needed to evaluate risks effectively, make informed decisions and oversee cybersecurity and physical security initiatives. Although it is not mandatory for each individual member to complete a set number of courses, the management body as a whole must collectively maintain sufficient competence to supervise the organisation’s preparedness and protection efforts.
Relevant training activities may include:
- General courses on cyber and information security
- Leadership and management courses
- Workshops focused on managing cyber and information security risks
- Courses or certifications following recognised European and international security standards
- Internally developed courses or seminars tailored specifically for management on cyber and information security
Additional training and awareness requirements:
- All training activities must be documented, for example through course certificates or confirmation of participation.
- Companies must ensure that personnel involved in organisational preparedness, physical security and cybersecurity acquire and maintain the necessary competencies. This includes providing required instruction, education and training as stipulated in Section 25.
- Companies are required to carry out annual awareness initiatives to promote and sustain knowledge of relevant emergency plans, threats and vulnerabilities within the company, as stated in Section 26(1).
- Companies must also annually implement awareness measures to enhance the company’s ability to recognise and respond to cyber threats and vulnerabilities, in accordance with Section 26(2).
Some companies and organisations have established committees, such as cyber and information security committees or audit committees, comprising representatives from the management body. These committees typically handle tasks related to managing and overseeing the company’s cybersecurity.
While the management body may delegate certain tasks to these committees, it retains collective responsibility for ensuring the company complies with the obligations outlined in the Executive Order on Resilience and Preparedness in the Energy Sector, including those specifically applicable to management. Therefore, the management body must actively monitor and ensure that the committee effectively fulfills its duties.
Coordinated emergency preparedness refers to two methods by which companies covered by Executive Order 260 can jointly carry out their emergency preparedness efforts.
The first method (type 1) – and historically the most commonly used form of coordinated emergency preparedness – involves one company managing emergency preparedness on behalf of two or more other companies.
The second, less frequently used method (type 2) is when companies jointly manage preparedness across all participating companies.
Coordinated preparedness under Section 113 carries various practical and legal implications. Detailed guidance on applying for coordinated preparedness, including how and where to submit applications, is available on the Danish Energy Agency’s closed emergency preparedness site for companies covered by the Act on Strengthened Preparedness in the Energy Sector.
Companies that previously operated coordinated preparedness under earlier Executive Orders (No. 2646 of 28 December 2021 for the Electricity Sector, No. 2647 of 28 December 2021 for IT Preparedness in Electricity and Natural Gas Sectors and No. 821 of 14 August 2019 for the Natural Gas Sector) must reapply under the current regulations, as prior arrangements do not continue automatically according to Section 1.