Denmark (DK)

Current status: National Cyber Security Strategy

The Danish Government published its NCSS in February 2015 after a formal presentation in December 2014. The NCSS sets out 27 government initiatives for 2015-2016 as part of a coordinated and long-term strategy.

Overriding objectives for a strong and cohesive security strategy:

Obj. 1 - Maintain trust of citizens and businesses in cyber and information security measures of government institutions and providers of IT systems and infrastructure upon which society relies for providing important functions. Provide measures to strengthen cyber and information security that permit user-friendly and effective use of new technologies.

Obj. 2 - Strengthen the protection of important functions in society and national security against cyber-attacks.

The NCSS establishes 6 strategic focus areas with specific initiatives to raise cyber and information security levels in Denmark.

Strategic Focus Area 1 - Professionalised and reinforced ICT oversight: Ministries must manage information security systematically and professionally and initiate strong ICT oversight of subordinate authorities.

Strategic Focus Area 2 - Clear guidelines for suppliers: Government institutions must set clear requirements regarding cyber and information security for providers of IT services and infrastructure, perform regular risk assessments and follow up regularly on providers’ ICT security measures.

Strategic Focus Area 3 - Strengthened cyber security and more knowledge: Public sector cyber security levels must be raised and government institutions and business must have access to threat assessments and to advanced knowledge about how to reduce vulnerabilities.

Strategic Focus Area 4 - Robust infrastructure in the energy and telecommunications sectors: There must be a high level of cyber and information security within the energy and telecommunications sectors.

Strategic Focus Area 5 - Denmark as a strong international partner: Danish authorities must work with international partners to strengthen cyber and information security through active participation in relevant forums.

Strategic Focus Area 6 - Strong investigation and high level of information: Cyber-crime investigations must be strong and competent, and citizens and businesses must be given a better basis for adequately assuming responsibility for security in relation to their own equipment and online conduct.

Appropriate definition of critical infrastructure protection (CIP)? Yes, the Danish Security and Intelligence Service (PET) provides an appropriate definition. The NCSS gives priority to the energy and telecommunications sectors, where the aim is to increase security levels, underpinned by several new legal measures in 2016 (Danish: https://www.pet.dk/default.aspx; English: https://www.pet.dk/English.aspx).

Denmark has also published official guidelines stating that compliance with international security standards will be required for government procurement relating to critical infrastructure and other ICT services: Cloud computing and the legal framework (offering guidance on legislative requirements and the contractual environment related to cloud computing), published by the Agency for Digitisation in August 2012, at a time when government and local government agencies were early adopters of cloud services. English: http://digitaliser.dk/resource/2368677

 

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

Year of adoption

February 2015: The Danish Cyber and Information Security Strategy (English version: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/nc...).

Updates and revisions

This is the first cybersecurity strategy for Denmark.

Implementation and monitoring

The Danish Government has a Centre for Cyber Security (Danish: https://fe-ddis.dk/Pages/default.aspx; English: https://fe-ddis.dk/eng/Pages/English.aspx).

The Centre is part of the Defence Intelligence Service (FE), an agency under the Ministry of Defence, and is responsible for detecting, analysing and helping to address advanced cyber attacks against authorities and companies providing important IT functions, such as the finance sector, government, telecommunications network and water supply. The Centre serves as Denmark’s national IT security authority, informing and advising Danish authorities and companies on IT security, and is also the national centre of competence in cyber security. It is also the national authority for information security and preparedness in telecommunications, advising on emergency response telecommunications resources.

The 27 initiatives for 2015-2016 apply to each of the 6 strategic focus areas.

Professionalised and reinforced ICT oversight (6 initiatives)

  1. Increased information security effort in government institutions.
  2. Mandatory security risk assessment of public IT projects.
  3. Increased coordination of information security efforts between national and local authorities.
  4. Co-operation between education and research institutions regarding cyber and information security.
  5. Intensified dialogue between private and public employers and education and research institutions regarding competence needs.
  6. Sufficient capacity in the Agency for Governmental IT Services to handle cyber attacks.

Clear guidelines for suppliers (2 initiatives)

  1. Introduction of security requirements in IT tenders and contracts.
  2. Continuous security oversight of suppliers.

Strengthened cyber security and more knowledge (7 initiatives)

  1. Mandatory inclusion of cyber threats in government institutions’ risk management.
  2. Formation of a cyberthreat assessment unit.
  3. Study regarding the possible concentration of government Internet connections.
  4. Study regarding the development of secure communication among state institutions.
  5. Formation of a unit to investigate major cyber security incidents.
  6. Formation of a SCADA knowledge centre.
  7. Setting up a business advisory board on ICT security.

Robust infrastructure in the energy and telecommunications sectors (2 initiatives)

  1. Strengthening of network and information security in telecommunications.
  2. Stronger requirements regarding cyber and information security in the energy sector.

Denmark as a strong international partner (3 initiatives)

  1. Strengthening of Danish cyber diplomacy.
  2. Promotion of Denmark’s stance in international cyber and information security cooperation forums.
  3. Nordic co-operation on research and education in cyber and information security.

Strong investigation and high level of information (7 initiatives)

  1. Raised security awareness among citizens and businesses.
  2. Security self-check service for businesses.
  3. Expansion of the National Cyber Crime Center (NC3).
  4. Increased capacity of the police regarding information security guidance.
  5. Strengthening the cyber capacity and capability of the Danish Security and Intelligence Service (PET).
  6. Establishment of an online platform for reporting cyber crime.
  7. Study regarding a service providing information on stolen identity documents.

The Centre for Cyber Security has already implemented several initiatives, e.g. a Self-Service for companies to assess their cyber security (detect, analyse and help address security incidents) and published a Guide on DDoS attacks. In July 2016 it launched a new notification system for companies and authorities for undisclosed incident reporting to overcome barriers to reporting (fe-ddis.dk/cfcs/nyheder/arkiv/2016/Pages/Nyunderretningsordningforvirksomhederogmyndighederitilfældeafcyberangreb.aspx)

Other initiatives include vulnerability testing and awareness campaigns, as well as a set of legal measures described below.

Operational capacity building

Denmark has two national response teams and three known privately held teams. Government-run CERTs:

Both operate under the national Centre for Cyber Security.

Commercial/ISP customer based CERTs:

  • TDC Security Operations Centre
  • CSIRT.DK
  • CSIS.DK

Denmark is also part of the Nordic co-operation on research and education in cyber and information security: Funet CERT (Finland); NORDUnet CERT (Norden); RHNet CERT (Iceland); Sunet CERT (Sweden); UNINETT CERT (Norway).

Legal conditions

Coverage based on the BSA CyberSecurity Dashboard:

  • Law on the Center for Cyber Security: Act no. 713 of 25 June 2014 Center for Cyber Security.
  • Guidelines on the treatment of data: DoD guidelines of 30 June 2014 concerning the processing of data in and from the Center for Cyber Security network security service.
  • Law on electronic communications networks and services (Telecommunications Act): Order no. 128 of 7 February 2014 of the Law on electronic communications networks and services.

Other relevant coverage:

  • Legislation/policy requiring an inventory of “systems” and the classification of data.

Coverage since the publication of the CyberSecurity Dashboard:

  • Order on connection to network security service: Order no. 1546 of 11 December 2015 on connecting to the Center for Cyber Security network security service.
  • Act on network and information security: Act no. 1567 of 15 December 2015 on network and information security.
  • Order on information security and emergency networks and services: Order no. 567 of 1 June 2016 on information security and emergency networks and services.
  • Order on information and notification duties relating to network and information security: Order no. 566 of 1 June 2016 on information and notification duties relating to network and information security.
  • Order on security of employees on network and information security, which enters into force on 1 January 2017: Order no. 565 of 1 June 2016 on the security clearance of employees on network and information security.
  • Order on emergency operators' access to electronic communications in emergency situations, etc.: Order no. 564 of 1 June 2016 on emergency operators' access to electronic communications in emergency situations, etc.

 Other updates since the BSA Dashboard include:

  • Legislation/policy requiring the establishment of a written information security plan: now guided by a single plan.
  • Legislation/policy requiring security practices to be mapped to risk levels: risk management for IT providers of public services and continuous monitoring under strategic focus area 2.
  • Legislation/policy requiring (at least) an annual cyber security audit.
  • Legislation/policy requiring a public report on cyber security capacity for the government.
  • Legislation/policy requiring mandatory reporting of cyber security incidents.

Business and Public Private partnership

The strategy calls for:

  • Intensified dialogue between private and public employers and education and research institutions regarding competence needs. However, there is no indication if government funding will support such a dialogue.
  • Public sector cyber security levels must be raised and government institutions and business must have access to threat assessments and to advanced knowledge about how to reduce vulnerabilities.
  • Setting up a business advisory board on ICT security.
  • Setting up a self-service for businesses.

Industry organised (i.e. business or industry cybersecurity councils):

  • The Council for Digital Security is a security and privacy advocacy group comprised of 20 private sector and academic organisations: www.digitalsikkerhed.dk.
  • Dansk IT is a representative body for information technology professionals in Denmark, cyber security being one of the areas covered: dit.dk

Cross-country co-operation of cyber security clusters

  • Denmark is among the countries that joined the Dutch security cluster, The Hague Security Delta, in June 2016 as part of an effort to encourage co-operation with other European regions, bringing together public and private parties, academia and R&D organisations to stimulate innovation and economic growth. In Denmark, Karup and CenSec are the participating clusters, joining others from the Netherlands, France, Finland, and Germany.

BrainsBusiness is a platform for ICT innovation in North Denmark through the interaction of industry and university and the link to public authorities. Its activities include ICT trust, cyber security & network security, Open data & sharing of public sector information, Warehousing & support activities for transportation: www.brainsbusiness.dk/.

Other measures

Finance and IT cluster in Denmark

Fintech and ICT-intensive financial services is an important sector in Denmark. The Danish vision is to form a strong finance IT cluster and develop financial IT infrastructure that will drive innovation and growth. Combining this dense finance ICT cluster with the advanced levels of education in financing and banking, Copenhagen is a hot spot for development and implementation of modern finance IT. Source: Copenhagen Fintech Innovation and Research (www.cfir.dk/en-gb/aboutcfir/pages/financeitindenmark.aspx)

The Danish NCSS places emphasis on building business capacity not only around cyber security but also risk management, including rules for the providers of government services.

Overall assessment/best practices

In 2017, the Centre for Cyber Security released a report that addresses the threat from cyber activities against Danish authorities and private companies: fe-ddis.dk/cfcs/CFCSDocuments/The%20cyber%20threat%20against%20Denmark%202017.pdf

Among the reported recommendations, public authorities and private companies should make targeted efforts to improve processes, technology and behaviour. Processes include preparing regular risk analyses and identifying which data requires protection and what the consequences of a potential breach would be. Technology could involve improving knowledge of in-house IT infrastructure and processes and regular identification and patching of system vulnerabilities. Behaviour involves initiatives aimed at raising user awareness of the cyber threat and establishing staff training programmes that teach employees safe cyberspace behaviour. In addition, companies and public authorities should implement cyber attack contingency plans.

Date of last WISER analysis July 2017

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

Center for Cyber Security

DKCERT

TDC Security Operations Center

CSIS.DK

CSIRT.DK

Guidance and updates  
Languages Danish. Only the NCSS is in English. @Danish_GovCERT