Supervision (NIS2)

NIS2 introduces a two-tier supervisory regime based on entity classification. Essential entities are subject to proactive supervision that authorities can initiate without prior cause, whilst important entities are subject to reactive supervision that is typically triggered after an incident or complaint.

    The two supervisory regimes

    NIS2 draws a clear distinction between the supervision of its two categories of organisations:

    **Proactive supervision (essential entities):** Authorities may carry out inspections, audits and on-site checks of essential entities without a prior incident or complaint. This is equivalent to ongoing compliance monitoring.

    **Reactive supervision (important entities):** Authorities typically only initiate supervision of important entities where there are indications of non-compliance, an incident has been reported, or a complaint has been received from a relevant party.

    Supervisory authorities in Denmark

    NIS2 requires each EU Member State to designate one or more competent authorities. In Denmark, supervision is distributed across sectors:

    • Centre for Cyber Security (CFCS): Overall coordination and national CSIRT function.
    • Danish Financial Supervisory Authority: The financial sector (banks, insurance, investment funds).
    • Danish Energy Agency: The energy sector.
    • Danish Business Authority: Digital infrastructure and digital services.
    • Danish Health Authority: The healthcare sector.
    • Danish Transport, Construction and Housing Authority: The transport sector.

    Supervisory powers

    Supervisory authorities under NIS2 have a broad range of powers, including:

    • The right to require documentation and information from organisations
    • The right to carry out on-site inspections
    • The right to require security audits performed by independent third parties
    • The right to issue warnings and orders
    • The right to impose administrative fines
    • In serious cases: the right to suspend an individual's right to exercise management functions


    Prepare for supervision:
    Regardless of whether your organisation is an essential or important entity, you should ensure that your NIS2 documentation is up to date and readily accessible. Missing documentation is a red flag during supervisory visits.

    Frequently Asked Questions about Supervision (NIS2)

    What is the difference between proactive and reactive supervision under NIS2?

    Proactive supervision applies to essential entities and means authorities can carry out inspections without prior cause. Reactive supervision applies to important entities and is typically only triggered by indications of non-compliance or after an incident.

    Who supervises NIS2 compliance in Denmark?

    Supervision is distributed across sector-specific authorities, including the Centre for Cyber Security (CFCS), the Danish Financial Supervisory Authority, the Danish Energy Agency and the Danish Business Authority. CFCS coordinates the overall national picture.

    What powers do NIS2 supervisory authorities have?

    Authorities can require documentation, carry out on-site inspections, require independent security audits, issue warnings and orders, impose administrative fines, and in serious cases suspend individuals from management functions.

    Can important entities face proactive supervision?

    Important entities are generally subject to reactive supervision. However, if there are concrete indications of non-compliance, authorities can initiate supervisory measures even without a reported incident.

    How should organisations prepare for NIS2 supervision?

    Organisations should ensure their NIS2 documentation is complete, up to date and readily accessible. This includes risk assessments, security policies, incident response procedures and evidence of implemented security measures.
