Welcome to ISACA Denmark Members
Welcome to our April edition as we close out the first quarter of 2026 and look ahead to May. April has been a pivotal month for Danish cybersecurity, marked not by dramatic breaches but by a fundamental shift in how we must think about cyber risk. The conversation is evolving from "can we stop attacks?" to "can we trust and control the digital ecosystem we depend on?"
This month brought us DNV Cyber's groundbreaking Denmark resilience report revealing that 54% of critical infrastructure executives rely on suppliers from geopolitically tense countries. We witnessed V2 Security 2026 in Copenhagen gathering over 5,500 participants to discuss emerging threats. ISACA Denmark held its annual general assembly on April 20th, reinforcing our community's focus on governance and resilience. On April 23rd, Connect4Cyber Episode 3 convened in Stockholm, opening pathways for Danish organizations to access Horizon Europe cybersecurity funding. And throughout, the Baltic Sea continued to remind us that critical infrastructure vulnerabilities extend beneath the waves.
As we enter May, these developments converge into a clear message: supply chain cybersecurity is now Denmark's defining cyber challenge. This article examines what we learned in April and what ISACA members must prepare for in the months ahead.
The DNV Cyber Wake-Up Call: Digital Sovereignty Meets Procurement Reality
On April 9, 2026, DNV Cyber published research that should fundamentally change how Danish organizations think about cybersecurity risk. Their report "How Cyber Resilient is Denmark?" surveyed 200 executives within Danish critical infrastructure organizations and 500 members of the public, revealing uncomfortable truths about Denmark's digital dependencies.
The headline findings are stark. Fifty-four percent of Danish critical infrastructure executives acknowledge they rely on third-party suppliers from countries where geopolitical tensions are rising. More significantly, 52% would support moving their digital supply chain to allied nations—a remarkable statement of willingness to prioritize sovereignty over cost or convenience.
These numbers represent more than survey data. They reflect a strategic awakening among Danish infrastructure leaders that supplier relationships are no longer purely technical or commercial decisions. They are geopolitical risk decisions with national security implications.
The research, developed in partnership with FT Longitude and conducted between November 2025 and January 2026, included in-depth interviews with leaders from Danish Industry (Dansk Industri), Ørsted, the Danish Health Data Authority (Sundhedsdatastyrelsen), AL Sydbank, Green Power Denmark, and DNV Cyber itself. Their collective message is consistent: Denmark's cyber resilience depends not just on what we build, but on who we trust to build it with us.
Why Supply Chains Matter More Than Ever
Supply chains are attractive attack targets because they provide potential single-entry points to multiple organizations and systems, including critical infrastructure. As DNV Cyber's research highlights, supplier-related cyber incidents can affect organizations far beyond the original target. This is not theoretical speculation. We saw it play out in Sweden's CGI breach (covered in our March newsletter), where a contractor compromise exposed architectural intelligence about systems serving 8.6 million citizens.
For Denmark, with its highly digitalized economy and concentrated vendor ecosystem, supply chain risk multiplies rapidly. When energy, transportation, water, healthcare, and financial services all depend on a relatively small number of major IT contractors and service providers, a single vendor compromise can cascade across multiple critical sectors simultaneously.
The concentration that enables Denmark's efficient digital government also creates systemic vulnerabilities that sophisticated adversaries—both state-sponsored and criminal—are actively exploiting.
From Trust to Verify
The DNV report's key recommendation is as simple as it is challenging to implement: "You can't secure what you don't know." Organizations need better understanding of vulnerabilities in their supply chains, employing approaches that provide greater oversight of suppliers.
This translates to practical imperatives for Danish organizations:
Better address cybersecurity requirements in procurement and supplier contracts before selection, not as afterthoughts. Security must be a primary procurement criterion alongside cost and functionality.
Increase focus on security in the design of processes and assets from the beginning. Retrofitting security onto systems built without it is exponentially more expensive and less effective than security-by-design.
Involve cyber teams earlier in projects, particularly in vendor selection and integration planning. Security expertise must inform procurement decisions, not just audit them afterward.
Implement ongoing testing and detect-and-response capabilities that specifically target supply chain attack vectors. Assume compromise and build detection systems accordingly.
What This Means for ISACA Members
For cybersecurity governance professionals, the DNV findings create both challenge and opportunity. The challenge is that supply chain risk management requires capabilities most organizations have not yet built: comprehensive vendor inventories, continuous monitoring of supplier security postures, contractual mechanisms that actually enforce security requirements, and incident response plans that account for vendor-originated compromises.
The opportunity is that executive awareness of supply chain risk is now high. When 52% of critical infrastructure leaders would support moving to allied-nation suppliers, they are signaling willingness to invest in security even at the cost of operational disruption. This creates political capital for governance initiatives that would have seemed too expensive or disruptive just months ago.
ISACA Denmark members should use this moment to push for supply chain security programs that include: formal supplier cybersecurity risk assessment processes, security requirements embedded in all procurement workflows, continuous monitoring of critical supplier environments (not just periodic audits), and tabletop exercises that specifically test vendor-compromise scenarios.
The DNV report gives us the data to make the business case. The question is whether we will act while we have executive attention, or wait for Denmark's own CGI-style incident to force the conversation.
V2 Security 2026: Denmark's Cyber Community Convenes
V2 Security 2026, held in Copenhagen on May 6-7, brought together over 5,500 participants for Denmark's largest annual gathering of cyber and information security professionals. With more than 100 presentations, seminars, and 100 exhibitors, the conference provided a comprehensive view of where Danish cybersecurity priorities are heading.
The program, developed in collaboration with the V2 editorial team and an advisory board of leading experts, covered the full spectrum from traditional cybersecurity and IoT/OT security to compliance frameworks and the transformative impact of AI on both threats and defenses.
Several themes emerged consistently across sessions. The convergence of IT and OT security dominated many discussions, reflecting Denmark's significant industrial and energy infrastructure. Speakers emphasized that operational technology can no longer be treated as isolated from enterprise networks, and that traditional air-gapping provides false security in interconnected industrial environments.
AI security occupied substantial program time, with sessions exploring both defensive applications (AI-powered threat detection, automated incident response) and offensive concerns (AI-generated phishing, automated vulnerability exploitation, the "Know Your Agents" governance challenge we introduced in February's newsletter).
Compliance complexity was another recurring topic, particularly the convergence of GDPR, NIS2, and Denmark's new AI Act implementation. Multiple sessions addressed how organizations can build integrated compliance programs rather than managing each framework in isolation.
For ISACA members who attended, V2 Security reinforced that Danish cybersecurity maturity is advancing beyond technical controls toward integrated risk management that accounts for business context, regulatory complexity, and geopolitical factors. The conversations at V2 Security were less about specific tools and more about governance frameworks, board-level reporting, and organizational cyber resilience.
ISACA Denmark Årsmøde: Strengthening Our Community
On April 20, 2026, ISACA Denmark held its annual general assembly at the Copenhagen Marriott Hotel. The årsmøde provided members with professional presentations, insights into ISACA's work and plans for 2026/2027, and valuable networking opportunities with fellow governance, risk, and compliance professionals.
The timing was particularly significant. As our newsletter series has documented, Denmark faces converging cyber challenges: shrinking privacy budgets amid increasing regulatory demands (January), geopolitical cyber warfare through OpDenmark and the emergence of AI agents (February), centralized identity system vulnerabilities exposed by Sweden's BankID breach (March), and now supply chain sovereignty concerns (April).
ISACA Denmark's role as a knowledge-sharing platform and community hub becomes more critical as these challenges intensify. Individual organizations may struggle to navigate AI Act compliance, NIS2 implementation, supply chain risk management, and digital identity governance simultaneously. But collectively, through organizations like ISACA Denmark, we can share best practices, learn from each other's experiences, and advocate for regulatory clarity and industry standards.
The årsmøde also highlighted ISACA's global recognition of governance and privacy leadership. ISACA's 2026 Global Achievement Awards honor professionals who have made significant contributions to IT governance, privacy, risk, and cybersecurity. While these awards recognize individual achievement, they also signal where the profession is heading: toward treating cybersecurity not just as technical defense but as organizational capability building, board-level governance, and strategic risk management.
For Danish members, this framing is particularly relevant. The challenges we face—from AI governance to supply chain resilience to digital identity security—cannot be solved through technology alone. They require governance frameworks, executive leadership, cross-functional collaboration, and precisely the kind of professional expertise ISACA members bring.
Connect4Cyber Episode 3: Opening Horizon Europe Pathways
On April 23, 2026, Connect4Cyber Episode 3 convened in Stockholm, co-organized by the Swedish Civil Defence and Resilience Agency (NCC-SE), the Finnish Transport and Communications Agency (NCC-FI), and the Estonian Information System Authority (NCC-EE). This third edition of the matchmaking event brought together cybersecurity stakeholders from across Europe with a specific goal: building consortia for Horizon Europe Cluster 3 cybersecurity funding calls.
Why This Matters for Denmark
Horizon Europe represents substantial funding opportunities for cybersecurity research and innovation. The 2026 cybersecurity calls under Cluster 3 include topics on secure AI systems, advanced cryptography, and security in software and hardware development—precisely the areas where Denmark needs capability development given our supply chain dependencies and critical infrastructure vulnerabilities.
Connect4Cyber specifically targets universities, research institutes, industry actors, and SMEs interested in applying to calls that close September 15, 2026. The event's pitching sessions allow organizations to present project ideas in 3-5 minutes to potential partners and coordinators, facilitating consortium formation.
For Danish organizations, particularly those linked to Denmark's National Cybersecurity Coordination Center (NCCC), this represents a realistic path to EU funding that can support capability development Denmark urgently needs. The event format—focused matchmaking rather than generic networking—is designed to produce actionable consortium formations, not just introductions.
Denmark's EU Funding Infrastructure
Denmark already has support structures to facilitate Horizon Europe participation. EuroCenter provides guidance on Horizon Europe generally, while EUopSTART offers proposal preparation support for both Horizon Europe and the European Defence Fund. Denmark has historically performed well in securing Horizon Europe funding, which makes the case for Danish-led or Danish-participating cyber consortia even stronger.
The Connect4Cyber model—Nordic collaboration with broader European participation—aligns well with Denmark's strategic positioning. Our supply chain concerns overlap significantly with Swedish, Finnish, and Estonian challenges. A Nordic-anchored consortium addressing supply chain cybersecurity, AI security governance, or critical infrastructure resilience would have both political support and practical applicability across the region.
The Action Item for ISACA Members
For Danish cybersecurity professionals, particularly those in organizations with research capabilities or innovation capacity, the September 15 deadline for these Horizon Europe calls is approaching. Organizations should:
Map existing capabilities against the call topics (secure AI systems, advanced cryptography, software/hardware security) to identify realistic application areas.
Identify consortium themes where Danish expertise adds value. Denmark's strengths in digital government, renewable energy infrastructure security, and maritime cybersecurity are all relevant to multiple call topics.
Prepare concise capability pitches (3-5 minutes maximum) that clearly articulate what you bring to a consortium and what partnerships you need.
Engage with Nordic counterparts who attended Connect4Cyber to explore consortium participation even if you didn't attend the Stockholm event.
The Horizon Europe opportunity is significant—funding ranges from €1 million to €8 million per project depending on the call, usually covering up to 100% of costs. For Danish organizations struggling to fund capability development through normal budgets (recall January's newsletter on shrinking privacy budgets), EU funding provides a viable alternative if we act strategically.
Baltic Sea Cable Security: The Infrastructure Beneath the Waves
Throughout April and into May, the Baltic Sea has continued to remind us that cybersecurity and physical infrastructure security are increasingly inseparable. While no new major cable incidents occurred in April, investigations into previous incidents continued, and NATO's presence in the region intensified.
The pattern of undersea cable and pipeline damage since Russia's 2022 invasion of Ukraine has fundamentally changed how Baltic nations view infrastructure security. From the Nord Stream explosions through multiple telecommunications cable severances to the Estlink 2 power cable damage, the Baltic Sea has become a theater where hybrid warfare tactics target the physical layer that digital communications depend on.
For Denmark, with critical connectivity to Sweden, Germany, and other Baltic nations, these undersea vulnerabilities have direct implications. When Finland and Estonia lose power transmission capacity through cable damage, or when Sweden and Lithuania lose telecommunications links, Denmark's regional integration and digital connectivity face indirect but real consequences.
The Digital-Physical Convergence
What makes Baltic cable incidents relevant to ISACA members is not the physical security aspect per se, but the demonstration that comprehensive cyber resilience requires protecting the entire stack—from physical cables to network protocols to application layers. Organizations with sophisticated endpoint security and network monitoring can still face catastrophic failures if physical infrastructure beneath their digital operations is compromised.
This convergence becomes particularly important as Denmark implements NIS2 requirements. The directive explicitly addresses both cyber and physical security of critical infrastructure, recognizing that modern threats target both simultaneously. Danish organizations subject to NIS2 must therefore assess risks across this full spectrum, not treating cyber and physical security as separate domains.
The Baltic cable incidents also demonstrate the geopolitical dimension of infrastructure security that the DNV report emphasizes. When cables are damaged by vessels from countries with geopolitical tensions, whether accidentally or deliberately, the result is the same: critical services disrupted, recovery costs incurred, and trust in infrastructure reliability undermined.
NATO's response—establishing Combined Task Force Baltic and enhancing maritime patrols—shows that infrastructure protection now requires military-civil coordination at levels unprecedented in peacetime. For critical infrastructure operators, this means engaging with national security authorities in ways that may feel unfamiliar but are increasingly necessary.
Looking Ahead to May: What ISACA Members Should Prepare For
As we move into May 2026, several developments warrant attention:
NIS2 Implementation Acceleration
Denmark's NIS2 implementation enters a more intensive phase in May, with sector-specific guidance expected for critical infrastructure operators. Organizations should be finalizing gap assessments against NIS2 requirements and developing remediation plans. The supply chain security provisions in NIS2 align directly with the DNV report findings—expect regulatory pressure to formalize vendor risk management.
AI Act Compliance Deadlines Approaching
With transparency obligations for AI-generated content and chatbot disclosure becoming enforceable in August 2026, organizations have less than three months to implement compliance mechanisms. For identity and access management systems using AI for fraud detection or risk assessment, high-risk AI Act requirements become fully applicable. May is the month to finalize AI system inventories and classifications.
Horizon Europe Proposal Development
For organizations interested in the September 15 Horizon Europe cybersecurity calls, May is when consortium formation must solidify and proposal development begins in earnest. The window for opportunistic participation is closing; serious applications require sustained effort through summer.
Datatilsynet's Thematic Supervision
Datatilsynet's 2026 supervision priorities—AI and new technologies, personal data security, transparency, and pan-European processing—will manifest as actual inspections in coming months. Organizations should conduct self-assessments now against these four themes rather than waiting for regulatory contact.
Conclusion: Trust Becomes the Critical Control
April 2026 taught Danish cybersecurity professionals a fundamental lesson: in highly digitalized societies with concentrated vendor ecosystems, trust is not just a nice-to-have organizational value. It is a technical control that must be actively managed, continuously monitored, and formally governed.
When 54% of critical infrastructure leaders acknowledge dependence on suppliers from geopolitically tense countries, they are admitting that trust relationships have become single points of failure as critical as any technical system. When 52% would support relocating to allied-nation suppliers, they are signaling that preserving trustworthy supply chains justifies operational disruption.
For ISACA Denmark members, this creates both urgency and opportunity. The urgency comes from recognizing that supply chain compromises are not hypothetical future threats but present realities that have affected Nordic neighbors and will eventually affect Denmark. The opportunity comes from executive awareness that enables governance investments previously considered too expensive or complex.
The question for May and beyond is whether we will act proactively—building supply chain governance, implementing vendor risk management, developing resilience architectures—or reactively, after Denmark experiences its own wake-up incident. The DNV report, V2 Security conversations, ISACA årsmøde discussions, Connect4Cyber opportunities, and Baltic infrastructure lessons all point toward the same conclusion: the time to act is now, while we still have the advantage of learning from others' experiences rather than our own disasters.
ISACA Denmark remains your platform for navigating these challenges collectively. Join our upcoming events, share your supply chain security experiences, and help shape Denmark's approach to trustworthy digital infrastructure. Together, we can ensure Denmark builds the resilient, well-governed, and strategically sound cybersecurity posture our digital society requires.
Key Dates for May:
- Ongoing: NIS2 gap assessments and remediation planning
- By end of May: AI system inventory and classification completion
- May-June: Horizon Europe consortium formation for September 15 deadline
- Throughout May: Self-assessment against Datatilsynet's 2026 supervision themes
Resources:
- DNV Cyber: "How Cyber Resilient is Denmark?" report
- Connect4Cyber: Nordic cybersecurity consortium building
- ISACA Global: 2026 Achievement Awards and governance frameworks
- Horizon Europe: Cluster 3 cybersecurity calls information
Get Involved: ISACA Denmark continues to provide essential forums for addressing supply chain security, AI governance, and digital infrastructure resilience. Participate in our events, contribute your expertise, and help build Denmark's cyber resilience through collective action rather than isolated efforts.