A new report reveals that 57 percent of all Danish public institutions have been hit by cyberattacks in the past year that directly impacted their daily operations. Despite new EU requirements to strengthen cybersecurity, only 5 percent of public organizations fully comply with the NIS 2 directive standards.
Cyberattacks Disrupt Daily Operations
More than half of Denmark’s public institutions experienced cyberattacks within the last year that significantly affected their ability to perform basic functions. The alarming figure comes from a new report by Rambøll and Danish IT that examined the state of cybersecurity across public sector organizations.
According to Troels Johansen, chief consultant at IT-Branchen responsible for cybersecurity, the lack of security represents a massive problem for Denmark’s public infrastructure. When hackers gain access to local networks, they can disrupt operations, steal sensitive data, and potentially use these entry points as backdoors into the State IT’s central network containing confidential information about citizens, businesses, and the government itself.
Historic Threat Levels Drive New Requirements
The report follows several analyses showing that cyberattacks currently pose a historically high threat to Denmark. In response to escalating dangers, the European Union implemented the NIS 2 directive last year to improve cybersecurity in critical infrastructure and IT-supported functions across member states.
The NIS 2 directive, which took effect on July 1, 2025, builds upon and replaces the original NIS directive. Its purpose is to further strengthen and standardize cybersecurity and resilience against cyber threats across the EU for companies in numerous sectors and for public authorities considered critical to the economy and society.
What NIS 2 Requires
The directive introduces several new requirements for covered companies and authorities. Organizations must implement specific cybersecurity measures, report incidents promptly, and comply with strengthened supervisory and enforcement powers. These regulations aim to create a unified approach to protecting digital infrastructure across Europe.
Massive Compliance Gap Revealed
Despite the urgent need for better protection, Danish public institutions are falling dramatically short of meeting the new standards. The Rambøll and Danish IT report found that only 5 percent of the country’s public organizations fully comply with NIS 2 requirements. While 41 percent expect to achieve compliance soon, a concerning 46 percent are not meeting the standards at all.
Johansen emphasized the danger of inadequate cybersecurity in the public sector, particularly since the threat is not hypothetical. Real attacks have already struck numerous government agencies with noticeable consequences for their operations and service delivery to citizens.
Resources Fall Short of Threats
The research uncovered another troubling finding. An overwhelming 98 percent of municipal IT chiefs assessed that the cyber threat facing their communities far exceeds available resources to address it. This resource gap leaves local governments especially vulnerable to attacks that could compromise citizen services and sensitive personal information.
Municipal administrations handle everything from social services to building permits, making them attractive targets for cybercriminals seeking valuable data or looking to disrupt essential public functions. Without adequate funding and staffing for cybersecurity, these institutions remain exposed to increasingly sophisticated attacks.
Broader Implications for Society
The widespread vulnerability of public institutions creates risks that extend throughout Danish society. Government agencies store massive amounts of personal data, process financial transactions, coordinate emergency services, and maintain critical infrastructure. Successful attacks can lead to identity theft, financial fraud, service disruptions, and compromised national security.
Furthermore, when public institutions fall victim to ransomware attacks, taxpayer money often must be used either to pay ransoms or to rebuild systems from scratch. Recent incidents across Europe have shown how cyberattacks can paralyze hospital operations, shut down municipal services, and leak confidential citizen information.
Path Forward Requires Investment
Addressing Denmark’s cybersecurity gap will require substantial investment in both technology and personnel. Organizations need modern security systems, regular vulnerability assessments, employee training programs, and incident response capabilities. As it turns out, meeting these needs demands budget allocations that many municipalities and agencies currently lack.
In fact, experts argue that cybersecurity should be viewed as essential infrastructure rather than an optional expense. Just as governments invest in physical security for buildings and equipment, digital security requires ongoing commitment and resources proportional to the threats faced.
The report serves as a wake-up call for Danish authorities. With more than half of public institutions already experiencing damaging attacks and compliance rates remaining critically low, immediate action is necessary to protect government operations and citizen data from escalating cyber threats.
Sources and References
The Danish Dream: Denmark Under Siege: Cyberattacks Hit Hospitals, Cities
The Danish Dream: Best IT Security Services in Denmark for Foreigners
TV2: Over halvdelen af offentlige instanser ramt af cyberangreb inden for et år
