First came the GDPR rules in 2016, dramatically increasing the focus on how companies protect personal data. In 2022 came the NIS2 directive, with comprehensive new rules for cybersecurity. But companies are far better equipped today to ensure compliance than they were seven years ago. And customers also expect this from them.

In 2016, one of the most far-reaching sets of rules ever seen in the EU was adopted: the General Data Protection Regulation or GDPR. We have now had seven years to get familiar with GDPR, leading to much greater digital maturity in Danish companies, according to Maria Pilh Arendsdorf Bengtsen. Maria is an attorney at Horten, where she advises on data protection. The new security requirements in the NIS2 directive are therefore unlikely to be as disruptive as GDPR was.

“The mindset has changed. When the GDPR rules came on the scene in 2016, management had to get busy because there were no clear answers as to what companies needed to do to meet the requirements. There is a different awareness of data protection today. We are more used to incorporating compliance into business processes, and all the hard work companies have done in this area has really made a difference. So even though the NIS2 directive may bring back memories of the implementation of GDPR, most companies will be better prepared and ready to incorporate the new requirements,” says Maria Pilh Arendsdorf Bengtsen.

While the GDPR focused on protecting personal data, the NIS2 Directive – adopted by the European Parliament in 2022 – sets requirements for companies’ cybersecurity.

“The new rules also create opportunities. Digital compliance has become a competition parameter, and is now under the spotlight. Working to identify risks, improve security measures and create operational policies in the area has direct value in itself to companies. It could have a big impact on their business.”

Management responsibility

GDPR and NIS2 are not just central legal frameworks in the area of data. The new rules also demand organisational and business-critical insight, which company management must take responsibility for. Under NIS2, which will enter into force by October 2024, the management of any companies that do not comply with the directive requirements can be liable and subject to sanctions.

“Digital regulation is growing in the EU, and the future will see regular new requirements in areas such as data protection, AI and cybersecurity. Compliance takes time and resources, so it may be tempting to focus elsewhere, but it is essential for management to be at the forefront and aware of their responsibility,” says Maria Pilh Arendsdorf Bengtsen.

But it is not enough for management to be aware of their responsibility – because it is as individual employees process data that security breaches occur.
“It is crucial that data security is anchored in management, but it also places demands on employees. They have to handle the new requirements in practice and raise the alarm if they encounter problems. It is important that management sets clear guidelines matched to the reality in the organisation. You have to understand your flow of data and your organisation,” notes Maria Pilh Arendsdorf Bengtsen.

Data ethics can offer competitive advantages

Cybersecurity is not the only thing that needs to be anchored in management. The same is true for data ethics, which class C and D companies have had to cover in their annual report since 2021. According to attorney Emilie Loiborg, data ethics and data protection go hand in hand. She specialises in digital management and has worked extensively with data ethics issues.

“Data ethics is essentially about responsible practices when a company collects, uses and shares data. It also influences trust in the company and its brand externally. Data ethics, GDPR and the new cybersecurity rules in the NIS2 directive have given rise to a new agenda, where investors, partners and customers pay close attention to how companies handle data. Companies face whole new demands, from all sides, compared to just a few years ago.”
And these demands mean that it can be a competitive advantage have compliance in order.

“Companies risk having to pay fines for breaking the rules or ransoms to hackers, or losing customer trust and thus revenue. For some companies, having data protection, cyber security and data ethics in order may even mean they can increase their business, as it can help them differentiate themselves in a market focussing increasingly on the use of data,” believes Emilie Loiborg.


Maria Pilh Arendsdorf Bengtsen

Attorney (L)

Emilie Loiborg