Denmark (DK)

February 2015: The Danish Cyber and Information Security Strategy (English version: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/nc...).

The strategy calls for:

• Intensified dialogue between private and public employers and education and research institutions regarding competence needs. However, there is no indication if government funding will support such a dialogue.
• Public sector cyber security levels must be raised and government institutions and business must have access to threat assessments and to advanced knowledge about how to reduce vulnerabilities.
• Setting up a business advisory board on ICT security.
• Setting up a self-service for businesses.

Industry organised (i.e. business or industry cybersecurity councils):

• The Council for Digital Security is a security and privacy advocacy group comprised of 20 private sector and academic organisations: www.digitalsikkerhed.dk.
• Dansk IT is a representative body for information technology professionals in Denmark, cyber security being one of the areas covered: dit.dk

Cross-country co-operation of cyber security clusters

• Denmark is among the countries that joined the Dutch security cluster: The Hague Security Delta in June 2016 as part of an effort to encourage co-operation with other European regions bringing together public and private parties, academia and R&D organisations to stimulate innovation and economic growth. In Denmark, Karup and CenSec are the participating clusters joining others from the Netherlands, France, Finland, and Germany.

BrainsBusiness is a platform for ICT innovation in North Denmark through the interaction of industry and university and the link to public authorities. Its activities include ICT trust, cyber security & network security, Open data & sharing of public sector information, Warehousing & support activities for transportation: www.brainsbusiness.dk/.

Finance and IT cluster in Denmark

Fintech and ICT-intensive financial services is an important sector in Denmark. The Danish vision is to form a strong finance IT cluster and develop financial IT infrastructure that will drive innovation and growth. Combining this dense finance ICT cluster with the advanced levels of education in financing and banking, Copenhagen is a hot spot for development and implementation of modern finance IT. Source: Copenhagen Fintech Innovation and Research (www.cfir.dk/en-gb/aboutcfir/pages/financeitindenmark.aspx)

The Danish NCSS places emphasis on building business capacity not only around cyber security but also risk management, including rules for the providers of government services.

Danish Government has a Centre for Cyber Security (Danish: https://fe-ddis.dk/Pages/default.aspx; English: https://fe-ddis.dk/eng/Pages/English.aspx).

It is part of the Defence Intelligence Service (FE), which is an agency under the Ministry of Defence, is responsible for detecting, analysing and helping to address advanced cyber attacks against authorities and companies providing important IT functions, such as the finance sector, government, telecommunications network, water supply. The Centre serves as Denmark’s National IT security authority, informing and advising Danish authorities and companies on IT security and is also the national centre of competence in cyber security. It is also the national authority for information security and preparedness in telecommunications, advising on emergency response telecommunications resources.

The 27 initiatives for 2015-2016 apply to each of the 6 stratgic focus areas.

Professionalised and reinforced ICT oversight (6 initiatives)

1. Increased information security effort in government institutions.
2. Mandatory security risk assessment of public IT projects.
3. Increased coordination of information security efforts between national and local authorities.
4. Co-operation between education and research institutions regarding cyber and information security
5. Intensified dialogue between private and public employers and education and research institutions regarding competence needs.
6. Sufficient capacity in the Agency for Governmental IT Services to handle cyber attacks.

Clear guidelines for suppliers (2 initiatives)

1. Introduction of security requirements in IT tenders and contracts.
2. Continuous security oversight of suppliers.

Strengthened cyber security and more knowledge (7 initiatives)

1. Mandatory inclusion of cyber threats in government institutions’ risk management.
2. Formation of a cyberthreat assessment unit.
3. Study regarding the possible concentration of government Internet connections.
4. Study regarding the development of secure communication among state institutions.
5. Formation of a unit to investigate major cyber security incidents
6. Formation of a SCADA knowledge centre.
7. Setting up a business advisory board on ICT security.

Robust infrastructure in the energy and telecommunications sectors (2 initiatives)

1. Strengthening of network and information security in telecommunications.
2. Stronger requirements regarding cyber and information security in the energy sector.

Denmark as a strong international partner (3 initiatives)

1. Strengthening of Danish cyber diplomacy.
2. Promotion of Denmark’s stance in international cyber and information security cooperation forums.
3. Nordic co-operation on research and education in cyber and information security.

Strong investigation and high level of information (7 initiatives)

1. Raised security awareness among citizens and businesses.
2. Security self-check service for businesses.
3. Expansion of the National Cyber Crime Center (NC3).
4. Increased capacity of the police regarding information security guidance.
5. Strengthening the cyber capacity and capability of the Danish Security and Intelligence Service (PET).
6. Establishment of an online platform for reporting cyber crime.
7. Study regarding a service providing information on stolen identity documents.

The Centre for Cyber Security has already implemented several initiatives, e.g. a Self-Service for companies to assess their cyber security (detect, analyse and help address security incidents) and published a Guide on DDoS attacks. In July 2016 it launched a new notification system for companies and authorities for undisclosed incident reporting to overcome barriers to reporting (fe-ddis.dk/cfcs/nyheder/arkiv/2016/Pages/Nyunderretningsordningforvirksomhederogmyndighederitilfældeafcyberangreb.aspx)

Other initiatives include vulnerability testing and awareness campaigns, as well as a set of legal measures described below.

In 2017, the Centre for Cyber Security has released a report that addresses the threat from cyber activities against Danish authorities and private companies: fe-ddis.dk/cfcs/CFCSDocuments/The%20cyber%20threat%20against%20Denmark%202017.pdf

Among the reported reccomendations, public authorities and private companies should make targeted efforts to improve processes, technology and behaviour. Processes include preparing regular risk analyses and identify which data requires protection and what the consequenses of a potential breach would be. Technology could involve improving knowledge of in-house IT infrastructure and processes and regular identification and patching of system vulnerabilities. Behaviour involves initiatives aimed at raising user awareness of the cyber threat and establishing staff training programmes that teach employees safe cyberspace behaviour. In addition, companies and public authorities should implement cyber attack contingency plans.