December 26, 2025
Welcome to ISACA Denmark's comprehensive year-end review. As we close 2025 and look toward January 2026, we reflect on a year that tested Denmark's cyber resilience like never before while simultaneously celebrating the incredible community, innovation, and strategic foresight that positioned our nation as a global cybersecurity leader. From state-sponsored attacks on critical infrastructure to the next generation of cyber defenders, from regulatory transformation to the delicate balance between data access and protection—2025 has been nothing short of extraordinary.
The Julemøde 2025: Celebrating Community and Looking Forward
On December 3, 2025, ISACA Denmark gathered at Crowne Plaza Copenhagen Towers for our annual Julemøde—a celebration that embodied everything our cybersecurity community represents. The day brought together over 640 members, industry specialists, military cyber defense trainers, regulators, and the next generation of security professionals in what became a microcosm of Denmark's entire cybersecurity ecosystem.
Grassroots Hacker Talent: Building Denmark's Offensive and Defensive Edge
One of the most inspiring sessions showcased how grassroots Danish hacker talent is developing at an unprecedented pace. Presenters training both current Danish military personnel and retired soldiers on offensive and defensive cyber capabilities demonstrated that Denmark's cyber defense doesn't rest solely on commercial solutions or foreign expertise—we're cultivating homegrown talent that understands both the technical landscape and the unique challenges facing Danish critical infrastructure.
These programs represent a strategic investment in Denmark's long-term security posture. By training military personnel in advanced cyber techniques, Denmark builds dual-use capabilities that serve both national defense and civilian infrastructure protection. The retired military personnel bring operational experience and tactical thinking to cybersecurity challenges that purely civilian practitioners might miss.
Risk Management and Leadership Dialogue: The CISO's Evolving Role
A highlight of the Julemøde was the live podcast recording (episode 17 of OnsdagsTanker, available December 17) featuring Per Silberg Hansen, Camilla Treschow Schrøder, Jacob Flohr Kristiansen, and Henrik Skovfoged discussing the CISO's role and collaboration with executive leadership and boards.
The conversation centered on streamlined risk management and the critical importance of strong dialogue between CISOs and leadership to ensure security initiatives align with fundamental business purpose and value. This isn't merely about reporting incidents upward—it's about integrating cybersecurity into strategic decision-making at the highest organizational levels.
The session emphasized that effective CISOs must translate technical risk into business language that boards can act upon. With NIS2's board-level accountability requirements now in force, this skill has become non-negotiable for security leaders across Denmark's 6,000+ covered entities.
The Data Regulation Paradox: Precision Over Conflict
Digitaliseringsstyrelsen's presentation on the EU Data Act illuminated one of 2025's most critical regulatory challenges: balancing data accessibility with data protection. This isn't a paradox to be resolved but a discipline requiring what speakers termed "surgical precision."
The Data Act, part of the broader European digital regulatory framework encompassing GDPR, NIS2, DORA, the Digital Markets Act, and dozens of other instruments, creates a complex landscape where data must flow freely for innovation while remaining protected against misuse. Danish organizations must navigate rules for business-to-business data sharing, consumer data rights related to connected products (IoT), switching between data processing services, and obligations around data sharing with public authorities.
The presentation highlighted that Denmark's role in this landscape isn't merely compliance but thought leadership. Danish regulators, businesses, and civil society are actively shaping how these regulations evolve through practical implementation and feedback to European institutions.
Generation Z: The Future Workforce Arrives
Perhaps the most thought-provoking session came from Camilla Bruun's presentation on Generation Z in the workplace. The statistics are stark: by 2030, Generation Z will comprise 58% of the workforce. This isn't a distant future—it's five years away, and organizations must prepare now.
Generation Z brings fundamentally different expectations and approaches to work. As one Gen Z voice quoted in the presentation noted: "We've become a project that older generations need courses to work with." This isn't criticism but recognition of genuine generational differences in communication styles, feedback expectations, psychological safety needs, and relationship to authority.
The presentation emphasized that Gen Z seeks meaning, authenticity, and psychological safety. They expect continuous feedback rather than annual reviews, value empathetic colleagues and relational leadership over hierarchical authority, and have low tolerance for unclear culture or values. They're the most community-oriented generation yet often feel lonely, thriving in collaborative environments with flat hierarchies and authentic relationships.
For cybersecurity organizations facing a 7,000+ role deficit, understanding how to attract, retain, and engage Generation Z isn't optional—it's existential. The technical skills shortage won't be solved if we can't create work environments that appeal to the generation entering the workforce.
December's Wake-Up Call: Russia Targets Danish Democracy and Infrastructure
As ISACA Denmark celebrated community and looked forward at the Julemøde, December brought sobering reminders of why our work matters. The Danish Defence Intelligence Service (DDIS) publicly attributed two major cyberattacks to pro-Russian hacktivist groups, marking a significant escalation in state-sponsored aggression against Danish targets.
The Water Utility Attack: Cyber-Physical Consequences
The first attack targeted a Danish water utility in 2024, causing physical damage including burst pipes and temporary water outages. DDIS attributed this destructive operation to the pro-Russian group Z-Pentest, explicitly framing it as part of Russia's broader hybrid warfare campaign against Western states supporting Ukraine.
This wasn't a data breach or service disruption—it was a kinetic attack delivered through digital means. The burst pipes and water outages demonstrate that cyber operations can produce tangible physical harm to citizens. When water systems fail, hospitals lose capacity, fire suppression capabilities diminish, and basic sanitation becomes compromised. The attack tested Denmark's resilience not just digitally but physically, socially, and psychologically.
The water sector remains a critical vulnerability. As noted in earlier ISACA Denmark communications, the Centre for Cyber Security classifies ransomware risk to water infrastructure as "very high," with many water utilities operating legacy operational technology (OT) systems with minimal security monitoring.
Election Interference: DDoS Against Democracy
The second attributed attack came during Denmark's November 2025 municipal and regional elections, when the pro-Russian group NoName057(16) conducted DDoS campaigns against Danish websites. The goal wasn't to alter vote counts but to disrupt access to information and undermine trust in democratic processes.
Election security has become a frontline in hybrid warfare. By overwhelming Danish websites with traffic during critical electoral periods, adversaries seek to create confusion, frustration, and doubt about the integrity of democratic institutions. Even if votes themselves remain secure, citizens' inability to access information erodes confidence in the system.
These attacks underscore that Denmark, as a visible supporter of Ukraine and NATO member, has become a deliberate target for Russian hybrid warfare operations. DDIS's public attribution sends a clear message: Denmark sees these operations, understands their strategic intent, and will not remain silent about state-sponsored aggression.
NIS2: From Registration to Reality
As December closed, Danish organizations moved from NIS2 compliance paperwork to operational reality. The directive's July 1, 2025 implementation and October 1 registration deadline have passed. Now comes the moment of truth: audits begin in January 2026.
The Enforcement Phase Begins
Denmark's NIS2 law (L 141 plus sector-specific bills) expanded coverage from roughly 1,000 to approximately 6,000 organizations. Essential Entities (VE) face fines up to €10 million or 2% of global turnover, while Important Entities (VI) face up to €7 million or 1.4% of turnover. Both categories face possible daily penalties and public naming for serious violations.
These aren't theoretical consequences. Supervisory authorities—CFCS and sector-specific regulators—possess powers to conduct on-site inspections, ad hoc audits, security scans, and other checks. They can order corrective measures or even suspend services for serious non-compliance.
Danish commentary in late November emphasized that organizations must demonstrate "operational reality" in risk management, incident response, and governance. Having policies in paper isn't sufficient—organizations must show these policies work in practice, that staff are trained, that response playbooks have been tested, and that boards actively engage with cyber risk.
What January Audits Will Scrutinize
Organizations should expect scrutiny of several key areas:
Governance and Board Accountability: NIS2 mandates board-level responsibility for cybersecurity. Auditors will examine whether boards receive regular briefings, understand organizational cyber risk, approve security investments, and hold management accountable for implementation.
Risk Assessments: Organizations must demonstrate systematic, documented risk assessments that identify critical assets, evaluate threats and vulnerabilities, and prioritize mitigation efforts proportionate to actual risk.
Supplier Security: Supply chain security clauses are now mandatory. Auditors will examine vendor contracts, third-party risk assessments, and mechanisms for monitoring supplier security posture.
OT/IT Segmentation: For critical infrastructure operators, proper segmentation between operational technology and information technology networks is essential. Legacy systems can't simply be air-gapped and forgotten—they must be actively managed and monitored.
Incident Response Capabilities: Organizations must demonstrate tested incident response plans, including 24-hour initial alert capabilities, 72-hour detailed update capabilities, and 30-day final reporting capabilities to authorities.
M&A Due Diligence Implications
An emerging trend in late 2025 is NIS2 compliance becoming a key due diligence item in Danish tech and critical infrastructure transactions. Acquirers increasingly demand evidence of NIS2 readiness, security scans, and compliance documentation before closing deals. Non-compliance represents not just regulatory risk but potential service suspension by authorities, fundamentally altering deal valuations.
Looking Ahead: January 2026 Copenhagen Cyber Events
As enforcement begins, January 2026 brings several significant Copenhagen-based conferences that provide timely learning opportunities:
International Conference on Mobile Application Security (ICMAPS) - January 9: This conference addresses secure mobile development and app security trends—critical given mobile devices' role as both business tools and attack surfaces. With hybrid work models and BYOD policies standard across Danish organizations, mobile security has never been more important.
International Conference on Software Engineering in Cybersecurity Compliance (ICSECC) - January 12: Perfect timing as NIS2 audits begin, this conference focuses on secure-by-design principles and building compliance into software development processes rather than bolting it on afterward. The conference aligns with both NIS2 requirements and broader European pushes toward cyber-resilient products under the Cyber Resilience Act.
International Conference on AI in Data Science for Cybersecurity (ICIADSC-26) - January 19-20: As AI tools like XBOW demonstrate unprecedented capability in vulnerability discovery (as covered in ISACA Denmark's October roundup), this conference explores AI's dual role as both security tool and potential threat vector. Topics span AI-powered threat detection, adversarial machine learning, and ethical considerations around autonomous security systems.
2025: A Year of Transformation and Resilience
As we reflect on 2025, several transformative themes emerge:
State-Sponsored Threats Became Kinetic: The Russian-attributed water utility attack demonstrated that cyber operations produce real physical consequences. Denmark must treat cybersecurity as national security, with all the resources, coordination, and political will that entails.
Regulatory Transformation: NIS2's implementation represents the most significant expansion of cybersecurity regulation in Danish history. Success requires not just compliance but cultural change in how organizations approach security.
Generational Transition: Generation Z's arrival in the workforce requires Danish cybersecurity leaders to rethink recruitment, retention, management, and culture. Technical skills matter, but so do authenticity, psychological safety, and meaning.
Data Governance Complexity: The European digital regulatory framework creates unprecedented complexity. Danish organizations must navigate overlapping requirements while maintaining both data accessibility for innovation and data protection against misuse.
Grassroots Innovation: From military cyber training programs to AI-powered penetration testing, Denmark demonstrates that leadership comes not just from government investment but from community-driven innovation and knowledge sharing.
Global Recognition: Denmark's #1 ranking in the FM Resilience Index validates our approach while creating responsibility to lead globally and share what we've learned.
The ISACA Denmark Community: Our Greatest Strength
Throughout 2025, ISACA Denmark members have been at the forefront of every development discussed in this review. Whether implementing NIS2 compliance, responding to state-sponsored attacks, training the next generation, or navigating data regulation complexity, our community has demonstrated the expertise, dedication, and collaborative spirit that makes Denmark a global cybersecurity leader.
The Julemøde 2025 showcased this perfectly—regulators, military trainers, CISOs, consultants, academics, and students gathering not in silos but in genuine dialogue about shared challenges. This cross-pollination of perspectives, this willingness to learn from each other regardless of sector or seniority, represents Denmark's true strategic advantage.
As we enter 2026 with NIS2 audits beginning, state-sponsored threats continuing, and generational workforce changes accelerating, our community's strength will be tested. But if 2025 taught us anything, it's that Danish cybersecurity professionals rise to meet challenges with innovation, resilience, and commitment to collective defense.
Forward Together
The story of 2025 is ultimately about transition—from preparation to enforcement, from theoretical threats to kinetic attacks, from one generation to the next, from isolated defenses to coordinated resilience. None of these transitions are complete. The work continues in 2026 and beyond.
For ISACA Denmark members, this means continued professional development, active community engagement, and leadership in our organizations and sectors. The challenges ahead are significant, but so are our capabilities.
As we close this incredible year, we thank every member who contributed to making 2025 a success. Your expertise, your dedication, and your willingness to share knowledge strengthens not just our community but Denmark's entire cybersecurity posture.
Here's to an even stronger 2026.