Denmark's public institutions have faced cyber attacks affecting 57 percent of all entities in the past year, directly disrupting daily operations and hampering their ability to serve citizens, according to a new report from Dansk IT and Rambøll. This widespread vulnerability poses significant risks to national security and economic stability, with hackers potentially accessing sensitive data on citizens, businesses, and state functions. The findings come as the European Union's NIS 2 directive, aimed at bolstering cybersecurity in critical sectors, took effect in July 2025, yet compliance in Denmark remains alarmingly low.
A Crisis in Public Sector Cybersecurity
The report highlights that over half of Denmark's public institutions have experienced cyber attacks that impacted their core functions within the last year. Troels Johansen, chief consultant at IT-Branchen with responsibility for cybersecurity, emphasized the severity, stating, 'It is dangerous if the public sector does not have control over cybersecurity. Especially when the threat is not hypothetical but has already hit so many authorities with noticeable consequences for operations.' These attacks can disrupt local networks, steal data, and serve as backdoors to central state IT systems, compromising sensitive information that underpins both public services and private sector activities. The cyber threat level is currently historically high, following a series of analyses that prompted the EU to implement the NIS 2 directive to enhance resilience across critical infrastructure.
NIS 2 Compliance: A Daunting Gap
Despite the NIS 2 directive's enforcement, which sets stringent requirements for cybersecurity measures, incident reporting, and oversight for public authorities and companies in critical sectors like energy and transport, Danish compliance is lagging. The report reveals that only 5 percent of public organizations fully meet the NIS 2 requirements, while 41 percent expect to be compliant soon. A staggering 46 percent do not adhere to the directives, leaving gaps that could expose vital economic functions to further attacks. The directive builds on earlier EU regulations to standardize and strengthen cybersecurity across member states, focusing on entities deemed crucial for the economy and society. However, the slow adoption in Denmark suggests a systemic issue in resource allocation and prioritization, which could have ripple effects on trade and commerce.
Economic and Trade Implications
The cybersecurity shortfalls in public institutions threaten Denmark's economic landscape, particularly in trade-dependent sectors. Cyber attacks on authorities handling export licenses, business registrations, or tax data can delay transactions, increase costs for companies, and undermine confidence in Danish digital infrastructure. For instance, breaches in systems managed by agencies in Copenhagen's business districts or the Øresund region could disrupt cross-border trade with Sweden and other EU partners. While specific Danish companies like Ørsted in renewable energy or Maersk in shipping rely on secure public systems for regulatory compliance and data exchange, the report does not detail individual firm impacts. However, the broader risk is clear: insecure public networks can facilitate data theft that harms business competitiveness, especially in sectors where Denmark leads, such as green technology and maritime logistics.
Business Sector Vulnerability and Response
The lack of cybersecurity in public institutions indirectly affects private enterprises, as many Danish businesses interact with government platforms for contracts, subsidies, and regulatory approvals. A cyber attack that cripples these systems could stall projects, lead to revenue losses, and deter foreign investment. Troels Johansen's warning underscores the urgency: 'If a hacker gains access to local networks, operations can be disrupted, data stolen, and access used as a backdoor to the state's central network.' This connectivity means that vulnerabilities in public sector IT can cascade into the private economy, impacting everything from small startups in Copenhagen's innovation hubs to large exporters. The NIS 2 directive's emphasis on critical sectors includes those vital to Denmark's economy, yet the compliance gap suggests a need for accelerated action to protect trade flows and corporate data.
Moving Forward: Priorities for Resilience
Addressing this cybersecurity crisis requires coordinated efforts between public authorities and business stakeholders. The report's data indicate that while 41 percent of organizations aim for soon compliance, nearly half remain non-compliant, highlighting a need for increased funding, training, and technological upgrades. For Denmark's economy, which thrives on exports and renewable energy advancements, securing public IT systems is not just a regulatory issue but a commercial imperative. The NIS 2 directive provides a framework, but implementation must be swift to prevent further attacks that could erode trust in Danish institutions and hamper economic growth. As cyber threats evolve, the focus should shift from reactive measures to proactive safeguards, ensuring that public services support rather than hinder business continuity and trade security.
In conclusion, the high rate of cyber attacks on Danish public institutions reveals a critical weakness with far-reaching consequences for the nation's economic health. With low compliance to the NIS 2 directive, the path forward demands urgent attention to cybersecurity investments, lest Denmark's trade advantages and business reputation suffer in an increasingly digital world.