New legislation to strengthen preparedness in the energy sector
The energy sector emergency response regulation aims to ensure that the sector is sufficiently prepared to protect and maintain the energy supply in the event of natural, man-made and technological risks.
New legislation to strengthen Denmark’s security of supply
The energy sector is regulated by sector-specific emergency preparedness legislation designed to increase resilience and emergency preparedness against natural, man-made and technological threats to Denmark’s energy supply:
- Act on Strengthened Preparedness in the Energy Sector (in Danish)
- Executive Order on Resilience and Emergency Preparedness in the Energy Sector (Unofficial English translation)
- Executive Order on Fees under the Act on Strengthened Preparedness (in Danish)
Currently, the energy sector faces significant and elevated threats from cyberattacks and espionage. Furthermore, the sector is undergoing major transformations driven by the green transition and digitalisation.
Legislation in this area focuses on preventing and responding to incidents that threaten the energy supply. This is primarily achieved through regulations on organisational preparedness, physical security and cybersecurity for companies in the energy sector. It applies to companies involved in the supply of electricity, gas, oil, district heating, district cooling and hydrogen.
The new legislation also modernises the existing emergency preparedness regulations for the energy sector. It introduces new requirements for companies' physical security, cybersecurity and organisational preparedness to ensure high levels of resilience. For example, there are stipulations regarding where network and information systems critical to the energy supply can be operated and accessed remotely, as well as requirements for the preparation of risk and vulnerability assessments in the procurement, design and establishment of energy infrastructure. The legislation also mandates alarms for responding to intrusions, increased network security, including network partitioning to minimise the spread of cyberattacks. Furthermore, the requirements will vary depending on the criticality of the company's supply.
The legislation implements Directive (EU) 2022/2557 of the European Parliament and Council of 14 December 2022 on the resilience of critical entities (repealing Council Directive 2008/114/EC) and Directive (EU) 2022/2555 of the European Parliament and Council of 14 December 2022 on measures to ensure a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (the NIS 2 Directive).
In addition to implementing the NIS 2 and CER directives, the legislation introduces several supplementary requirements for companies' preparedness to prevent and respond to incidents that threaten the energy supply.
Useful tools
The Danish Energy Agency is developing several tools to help clarify the requirements that energy companies must comply with under the Executive Order on Resilience and Emergency Preparedness in the Energy Sector. The first one, which outlines the key requirements, is provided below:
Tool 1: An overview of requirements for companies based on their classification levels 1 to 5.
[Will shortly be made available in an unofficial English translation]
Tool 2: An overview of requirements for company facilities based on the five classification categories.
Frequently Asked Questions on Emergency Response Regulation
The FAQs will be continuously updated and expanded. A more detailed list of questions and answers is available on the Danish website.
The Danish Energy Agency classifies companies subject to Executive Order No. 260 of 6 March 2025 on Resilience and Preparedness for the Energy Sector into five categories, based on the threshold values set out in Annex 1 of the Executive Order, titled 'Tables of Threshold Values for the Classification of Companies'. This is outlined in Section 4 of the Executive Order.
A company’s classification determines the specific requirements in the Executive Order that must be met, as well as the applicable fee, in accordance with the Executive Order on the Danish Energy Agency’s Fees under the Act on Strengthened Preparedness in the Energy Sector (No. 261 of 6 March 2025).
Company classification is based on data available to the Danish Energy Agency. If this classification does not reflect your own data on the amount of energy your company processes — and this results in a different classification — please notify us separately by emailing beredskab@ens.dk .
On 7 March 2025, the Danish Energy Agency sent a classification letter, along with a welcome letter, via digital post to the company’s CVR number. These letters provided important information regarding the commencement of emergency response regulations in the energy sector and included instructions for submitting contact details for emergency response roles and data for classification, in accordance with Section 9 of Executive Order No. 260 on Resilience and Emergency Preparedness in the Energy Sector. The submission deadlines are 1 April 2025 and 1 May 2025, respectively.
If no corrections to your data are received by 1 May 2025, the company’s classification will remain in effect from that date until the next category update.
For further details on the specific categories for different types of supply, see Chapter 2 of the Executive Order and the relevant annex.
Executive Order on Resilience and Emergency Preparedness in the Energy Sector.
