Denmark’s payment infrastructure is buckling under repeated outages, and experts say the problem is structural, not accidental. Yet the system still lacks the kind of regulation that governs electricity or telecom networks.
Another day, another payment outage in Denmark. Nets, the company that runs much of the country’s card payment infrastructure, went down again this week. Dankort terminals stopped working in shops across the country. Online payments stalled. For hours, thousands of Danes could not pay for groceries, fuel, or anything else.
As reported by DR, experts are no longer surprised by the technical failures. They are surprised that this keeps happening to something so vital. One infrastructure specialist told the outlet that critical systems should not fail this way. Yet Denmark treats Nets as a private commercial operator, not as critical infrastructure.
A Pattern, Not a Glitch
This is not the first time Nets has stumbled. The company has experienced multiple major outages over recent years. MobilePay, Dankort, card terminals in stores, and online payment gateways have all gone dark during peak hours. Each time, commerce grinds to a halt. Shops turn away customers. Online retailers lose sales. Public services that depend on digital payments slow down.
I have lived in Denmark long enough to notice the pattern. Every few months, another breakdown. Each time, Nets issues a brief apology and a vague explanation. The public gets frustrated. Then life resumes until the next failure.
No Clear Rules for Uptime
Here is the awkward truth. Denmark has no single, enforceable standard for how reliable payment systems must be. Unlike electricity or telecommunications, payment infrastructure exists in a regulatory gray zone. Banks and payment companies are supervised by financial regulators, but there is no equivalent to the strict uptime requirements imposed on power grids.
Nets dominates the Danish payment landscape, especially through its Dankort system. When it fails, the consequences ripple through society just as surely as a blackout would. Yet it is not regulated like a monopoly utility. It is a private company with contracts and competitors in some areas, but in practice it is too big to fail quietly.
Europe Is Tightening the Screws
The European Union has started to address this gap. Two new directives, CER and NIS2, came into force in 2023. They aim to strengthen resilience and cybersecurity across critical sectors, including finance and digital infrastructure. CER focuses on physical and organizational resilience. NIS2 deals with cybersecurity and information systems.
Both frameworks will eventually require payment companies to conduct regular risk assessments, maintain backup systems, and report incidents to authorities. Around 1,000 Danish companies across 11 sectors will be covered, according to industry group Dansk Industri. Payment infrastructure will be among them.
Denmark Is Running Late
The problem is that Denmark has not yet implemented these directives into national law. The EU deadline passed in October 2024. Danish authorities have said full implementation will not arrive until 2025. Until then, companies like Nets face no new obligations under the CER or NIS2 frameworks.
Meanwhile, the mistakes keep piling up. Earlier this year, Nets accidentally charged 2,000 people twice. Now the system is going offline again. Each incident erodes trust in digital payments. For expats like me who came from countries with more cash backup options, it is jarring to see how reliant Denmark has become on a single digital ecosystem.
Lessons From Energy Sector Attacks
Denmark learned a hard lesson in 2023 when 22 energy companies were hit by a coordinated cyberattack. Hackers exploited vulnerabilities in firewall systems. Some attackers gained access to industrial control systems. Several companies had to isolate parts of the grid to prevent wider damage. Authorities later said the attack showed signs of state involvement.
That incident prompted serious debate about how vulnerable critical infrastructure really is. It led to calls for better coordination, stronger oversight, and sector specific response teams. The payment sector has had no equivalent wake up call yet, even though the consequences of failure are just as immediate for ordinary people.
The Transparency Problem
Another frustration is the lack of clear information. When Nets goes down, the company rarely explains exactly what went wrong or how many transactions were affected. There is no public database tracking downtime or financial losses. Experts who spoke to DR and other outlets say they cannot properly evaluate the risks because the data is not shared.
This will change under NIS2, which requires companies to report major incidents to regulators and possibly to the public. But until that becomes law in Denmark, Nets and similar operators can keep their cards close. It leaves the rest of us guessing whether these are freak accidents or symptoms of deeper systemic weakness.
What Needs to Change
Several experts told Danish media that payment systems should be treated the same way as electricity or water. That means mandatory redundancy, regular testing, clear uptime targets, and penalties for failures. It also means public oversight and transparent reporting when things go wrong.
Some warn that overregulation could stifle competition and innovation. Payment technology moves fast, and heavy handed rules might lock in outdated systems. But the counterargument is simple. If a system is so central that its failure disrupts the entire economy, it cannot be left to sort itself out. Preparing for outages should not be the responsibility of individual consumers alone.
I find it telling that Denmark, a country proud of its digital government and cashless society, has been so slow to enforce robustness in the one system that makes it all possible. The political will exists to digitize everything. But the willingness to regulate and secure that digitization has lagged behind.
A Reckoning Is Coming
When Denmark finally passes CER and NIS2 into law, Nets and other payment operators will face tougher requirements. They will have to prove they can handle failures, cyberattacks, and peak loads without crashing. Regulators will have the power to demand answers and impose fines. The public will get more transparency.
Until then, we can expect more of
