If the first half of this edition turned our attention inward — to the ideas and arguments that filled the room at ISACA Denmark's annual meeting — the second half looks outward, at what May has told us about the state of Danish cybersecurity and what June and the summer months are about to demand of us.
The picture that emerges from May is not one defined by a single dramatic breach or headline incident. Instead, it is a month that might best be described as a resilience and governance reckoning — a point at which the regulatory obligations Denmark has been building toward for the past two years are colliding with the operational reality of organisations that are still catching up. The conversation in the Danish market has quietly but perceptibly shifted. We are talking less about whether we will be attacked and more about whether we are genuinely ready to absorb, respond to, and recover from whatever comes.
The NIS2 Gap Between Paper and Practice
Denmark's main NIS2 legislation entered into force on 1 July 2025, with registration obligations due by 1 October. The framework is no longer a future concern — it is current law, and supervisory activity is under way across the sector-based oversight model Denmark has chosen. Yet the signals coming out of May suggest that many organisations remain in a state of partial preparedness: they have done self-assessments, begun mapping suppliers, and put skeleton incident-reporting processes in place, but they have not yet proved that those processes will hold under pressure.
The gap that matters most is not technical. It is governance. NIS2 is explicit that cyber risk must be managed at executive and board level, not delegated to IT and left there. The board is legally responsible for approving security measures, overseeing their implementation, and ensuring that leadership members complete documented cybersecurity training. These are not soft expectations. Non-compliance carries personal liability implications for those at the top of the organisation.
The pattern that continues to emerge from advisory conversations and sector assessments is this: larger, more regulated organisations — telecoms, energy companies, major financial institutions — are increasingly prepared. Mid-market companies, municipal-adjacent organisations, and entities that sit in the second and third rings of supply chain dependency are still catching up. That unevenness is itself a risk, because NIS2's third-party risk provisions mean that a poorly governed supplier is a liability for every organisation that depends on it. Denmark has passed the law. Many boards have not yet passed the real test: demonstrating that they can manage cyber risk as an operational and strategic issue, not a compliance checkbox.
The four gaps that recur most frequently in current assessments are worth naming plainly. First, the absence of clear board ownership of cyber risk and recovery — not a CISO who reports upward, but a governing body that has genuinely engaged with what the risk means for the organisation's continuity and liability. Second, incomplete supplier and concentration-risk mapping, particularly for critical services where a single vendor failure could cascade. Third, untested incident reporting and escalation paths — most organisations can describe the 24-hour, 72-hour, and one-month NIS2 reporting obligations in principle, but far fewer have actually rehearsed the internal decision chain that would need to fire if a real incident hit. Fourth, the absence of cross-functional crisis exercises involving legal, operations, finance, and communications teams alongside the security function. A cybersecurity incident is not just an IT event. The organisations that handle them well have practised treating them as business events.
V2 Security 2026: Regulation as the New Driver
V2 Security Copenhagen, held on 6 and 7 May, brought together more than 5,500 participants for Denmark's largest annual gathering of cybersecurity and information security professionals. With over a hundred presentations and a hundred exhibitors, the conference offered a broad cross-section of where Danish and Nordic cybersecurity priorities are heading in 2026.
What struck observers about this year's programme was the degree to which regulation — rather than technology or threat intelligence — had become the organising theme. The conversations at V2 Security were less about which new attack vector to worry about and more about how compliance, procurement standards, and operational risk management are reshaping what cybersecurity functions actually do day to day. That shift reflects a maturation in the market. When a community of 5,500 professionals gathers and the dominant frame is governance rather than incident response, it signals that the field has moved from reactive to structural thinking. Cybersecurity is no longer primarily something you do after something goes wrong. It is something you build into how your organisation operates, procures, and reports.
That framing connects directly to the supply chain sovereignty conversation that DNV Cyber's Denmark resilience report set in motion earlier in the spring — covered in our previous edition — and which has continued to shape May's policy and commercial discussions. The question of which vendors Danish organisations can genuinely trust, and how to demonstrate that trust to regulators and partners, is not going away.
June and the Summer: The Softest Point in Denmark's Cyber Posture
There is a risk pattern that repeats every year in Denmark, and every year it catches some organisations off guard. June into July is when Danish organisations become structurally more vulnerable. Teams are smaller. Approvals are slower. Senior decision-makers are away. The combination of reduced staffing, higher volumes of remote access, and the general assumption that "nothing big happens in summer" creates conditions that attackers know how to exploit.
The threat categories that tend to spike during the holiday period are not exotic. They are precisely the ones that exploit human and process gaps rather than technical sophistication. Phishing and spear-phishing succeed because the experienced person who would normally catch them is on leave and their inbox is being monitored by someone less familiar with the normal pattern. Invoice fraud and business email compromise work because the colleague who would normally confirm an unusual payment request is unreachable. Account takeovers escalate because password resets and access recoveries take longer when the people who authorise them are not available. Ransomware recovery delays extend from hours to days because the backup administrator is in a different time zone and the recovery runbook has never actually been tested in a live scenario.
The practical preparation required before the summer break is not complex, but it requires deliberate action rather than assumption. Multifactor authentication needs to cover not just primary email but admin consoles, finance systems, remote access tools, and any SaaS platform with access to sensitive data or payment approval. Non-essential privilege changes should be frozen before vacations begin, with out-of-office approval rules enforced and named individuals explicitly responsible for approving payments, vendor changes, and password resets during the holiday period. Backup and recovery procedures need to be tested before July — not assumed to be functional, and not discovered to be broken after an incident. Employees travelling need clear guidance on avoiding open Wi-Fi, and organisations should make mobile hotspots or VPN access the default for remote work rather than an option.
The deeper preparation is cultural rather than technical. Summer vulnerability is partly a technology gap and partly a decision-making gap. Who has the authority to invoke an incident response process if the CISO is unavailable? Who approves an emergency vendor engagement if the usual procurement lead is on holiday? Who communicates with regulators under NIS2's 24-hour notification obligation if the legal team is operating at reduced capacity? These questions have answers, but the answers need to exist before the incident, not during it.
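One way to answer those questions before the holidays start, shown as an added example that is not part of the original newsletter: a short Python check that takes the named holders of each decision role with their planned leave and reports the date ranges on which too few of them are available. The role names, job titles and dates are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed roster: decision role -> named holders -> leave periods
# (inclusive). Roles, titles and dates are illustrative assumptions.
ROSTER = {
    "invoke_incident_response": {
        "CISO": [(date(2026, 7, 6), date(2026, 7, 24))],
        "Head of IT Ops": [(date(2026, 7, 20), date(2026, 8, 7))],
    },
    "approve_payment_change": {
        "CFO": [(date(2026, 7, 13), date(2026, 7, 31))],
        "Finance Controller": [(date(2026, 6, 29), date(2026, 7, 10))],
    },
    "notify_regulator_24h": {
        "General Counsel": [(date(2026, 7, 6), date(2026, 7, 31))],
    },
}

def on_leave(leave_periods, day):
    """True if the day falls inside any of the holder's leave periods."""
    return any(start <= day <= end for start, end in leave_periods)

def coverage_gaps(roster, first_day, last_day, min_available=1):
    """Return {role: [(gap_start, gap_end), ...]} for each run of days on
    which fewer than min_available named holders of the role are at work."""
    gaps = {}
    for role, holders in roster.items():
        runs, run_start = [], None
        day = first_day
        while day <= last_day:
            available = sum(not on_leave(p, day) for p in holders.values())
            if available < min_available and run_start is None:
                run_start = day                      # a gap opens
            elif available >= min_available and run_start is not None:
                runs.append((run_start, day - timedelta(days=1)))
                run_start = None                     # the gap closes
            day += timedelta(days=1)
        if run_start is not None:                    # gap runs to window end
            runs.append((run_start, last_day))
        if runs:
            gaps[role] = runs
    return gaps

if __name__ == "__main__":
    window = (date(2026, 6, 29), date(2026, 8, 9))
    for role, runs in coverage_gaps(ROSTER, *window).items():
        for start, end in runs:
            print(f"{role}: nobody available {start} to {end}")
```

Running it with `min_available=2` also surfaces the periods in which a role rests on a single person, which is where an unreachable approver turns into a delayed response.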
What to Take Into the Summer
The ISACA Denmark annual meeting, V2 Security, and the broader May governance conversation have together produced a reasonably clear picture of where Danish cybersecurity stands as we move into the summer. The regulatory framework is in place. The threat environment is elevated and geopolitically driven. The tools for building resilient organisations — NIS2 implementation models, CIS 18 controls, IEC 62443 for operational technology, AI-enabled GRC platforms — are available and increasingly well understood.
What remains uneven is the will and the capacity to operationalise all of that. The organisations that will come through the summer well are not necessarily the most technically sophisticated. They are the ones that have named who is responsible for what when things go wrong, tested their assumptions before the stress hits, and treated cybersecurity as a board-level operational matter rather than an IT department concern.
That is, in essence, the same argument that every presenter at the annual meeting made from a different angle. From geopolitical threat intelligence to risk quantification to NIS2 governance to OT auditing to the future of GRC — the thread running through all of it is the same. Knowing is not enough. Decision-making structures, tested processes, and board ownership are what turn knowledge into resilience.
We wish all ISACA Denmark members a safe and well-protected summer. Take the preparations seriously, enjoy the rest, and we will see you on the other side.