Cybersecurity in Municipalities

Municipalities operate in some of society’s most sensitive sectors—which is precisely why they are covered by NIS2 and the AI Act.
Nesp.ONE helps you identify vulnerabilities and ensure compliance with the law.

How we help municipalities with NIS2

Step 1

Mapping and analysis

To ensure compliance, we map your current security level and review systems, processes, and policies.

Together, we identify which NIS2 requirements apply to you and what you are missing.

Step 2

Action plan and strategy

Our goal is to develop a concrete plan for how you can achieve your NIS2 objectives.

We advise on the necessary measures and help prioritize tasks so that they are manageable and tailored to your business.

Step 3

Implementation

We help you put the necessary security solutions in place, such as access control, backup, contingency plans, and awareness training for employees.

Step 4

Full compliance

You are now fully compliant with NIS2 and ready to independently maintain your company's security going forward, thereby avoiding potential sanctions.

Subject to the NIS2 Act

We help municipalities achieve and maintain IT compliance, such as AI Act and NIS2.

  • Wastewater
  • Water supply
  • District heating / energy
  • Emergency preparedness
  • Traffic & roads
  • Ports
  • Health
  • Waste & recycling
  • IT & digitization
  • Central municipal administration

The NIS2 Act imposes stricter requirements for security and operational stability in all these areas, because they directly affect citizens' welfare and safety.

AI in municipalities

EU legislation:
No. 1
The AI Act is the world’s first law regulating the use of artificial intelligence. It applies to all municipalities, including when AI is used for administrative tasks.

The law has come into force:
No. 2
Most rules will apply from August 2, 2026, but the law has already entered into force. The AI Act will be enforced with significant fines from supervisory authorities, depending on the severity and type of violation.

Communication:
No. 3
The AI Regulation introduces new requirements for how AI must be designed, used, and monitored. Municipalities must be able to document risk management, data governance, transparency, and oversight.

AI ethics:
No. 4
AI compliance is about more than documentation. It is about a responsible and ethical AI foundation. A strong ethical foundation makes compliance both easier and more meaningful.

Nesp.ONE helps municipalities navigate the entire path to AI compliance, from identifying requirements and conducting risk assessments to implementation, training, and documentation.

Whether your AI is fully operational or just getting started, we are ready to ensure that you work responsibly, safely, and in full compliance with the law.

Frequently asked questions

The NIS 2 Act is the Danish implementation of the EU’s NIS 2 Directive and aims to strengthen and harmonize cybersecurity across the EU. The Act applies to both private and public entities, including municipalities, that provide critical infrastructure services. 

Municipalities are covered because they provide services in sectors such as health and transportation, as listed in Annexes I and II of the NIS 2 Act. 

It is advantageous to seek advice on NIS 2, as implementing or updating security measures in the municipality can be a complex task. Nesp.ONE are experts in NIS 2 implementation in municipalities.  

Yes. Municipalities are subject to NIS 2 on the same basis as other entities when they provide services within the covered sectors. Even though only some of the municipality's functions are listed in the annexes, all of the municipality's network and information systems will be covered.

However, this does not mean that the level of security must be the same everywhere – implementation must be based on a risk-based approach. Nesp.ONE is ready to provide advice tailored to the needs of each individual municipality. 

The municipality must implement technical, operational, and organizational measures that ensure an appropriate level of security in relation to the risks associated with the services provided by the municipality.

This means that critical systems (e.g., systems supporting healthcare services) may require a higher level of security than less critical systems, provided that they are sufficiently separated. 

Nesp.ONE offers assistance in implementing effective security measures that can quickly help municipalities achieve NIS 2 compliance. 

Municipal companies, § 60 associations, and other entities with their own CVR number are considered independent entities under the NIS 2 Act. 

If they provide services within a covered sector and meet the size criteria (e.g., at least 50 full-time employees or more than EUR 10 million in turnover and balance sheet total), they will be independently covered and responsible for complying with the law. Ownership by the municipality does not change this responsibility. 

Achieving NIS 2 compliance in municipalities can be a complex task, which is why Nesp.ONE has specialized consultants dedicated to this purpose.

No. Each entity is responsible for complying with NIS 2. 

However, the municipality must ensure supply chain security as part of its own compliance. This means that the municipality must consider the risks associated with suppliers and assess whether special requirements should be imposed on them.

Nesp.ONE's NIS 2 experts are ready to advise on all aspects of the legislation that must be taken into account to ensure NIS 2 compliance.

For municipalities, the supervisory authority is the Danish Agency for Civil Security.

Municipal companies with their own CVR number may be subject to a different sectoral authority depending on the sector in which they provide services (e.g., health or transport). 

Failure to comply may result in enforcement measures such as:

  • Fines.
  • Warnings.
  • Binding instructions.
  • Orders.

However, certain sanctions do not apply to municipalities in the same way as they do to private companies. 

The directive calls for active prevention of these situations by maintaining ongoing control of security. Nesp.ONE's cybersecurity experts are ready to ensure that your municipality complies with the NIS 2 law, so you can avoid sanctions.

Yes. The municipality is responsible for notifying the competent authority and CSIRT of significant incidents. 

The reporting itself may be carried out by a supplier or business partner, but the responsibility cannot be delegated. 

At Nesp.ONE, we are experts in designing and implementing contingency plans that comply with the requirements of NIS 2.

Yes. Municipalities can collaborate on, for example: 

  • Joint risk assessments. 
  • Joint supplier management. 
  • Shared IT solutions. 

However, responsibility for compliance always lies with the individual municipality.  

Combining security measures with accurate, functional documentation and keeping both maintained can quickly become technical and complicated. This is where security experts such as Nesp.ONE can assist in the effective implementation of security measures and in making them work in tandem with the municipality's day-to-day operations.

No. If the municipality provides public Wi-Fi for non-commercial purposes (e.g., in libraries or citizen service centers), it is not considered a provider of electronic communications services within the meaning of NIS 2.

Nesp.ONE is ready to provide advice tailored to the needs of each individual municipality.

Yes. The AI Act applies to public authorities, including municipalities, when they use or procure AI systems. Municipalities may have obligations both as users (deployers) and, in certain cases, as providers, depending on how the system is developed and used. 

If there is uncertainty about your role in relation to specific systems, Nesp.ONE can help with a concrete assessment, so that the allocation of responsibility is clarified legally and organizationally.

The AI Act uses a broad definition. Systems that use machine learning, logic-based models, or statistical methods to generate recommendations, classifications, or decision support may be covered. This also applies to solutions that are part of larger specialist systems. 

Nesp.ONE's experts can conduct a structured review of existing solutions and help identify which systems are covered by the regulation.

A system can be classified as high risk if it is used in areas that affect citizens' rights or access to essential services, e.g. in employment, social administration, education or recruitment. The classification depends on both the purpose and the context of use. 

Nesp.ONE helps municipalities conduct the necessary risk assessments and documentation so that the classification is based on a solid foundation.

As a user, the municipality must ensure, among other things, correct use, monitoring, human control, and documentation. There must be clarity about how the system affects decisions and how risks are managed in practice. 

Nesp.ONE helps translate these requirements into concrete workflows and governance processes that suit the municipality's organization.

Yes. Although the supplier has responsibilities as a provider, the municipality has independent obligations as a user. This applies in particular to correct use, supervision, and integration into the municipality's decision-making processes. Contracts and procurement should therefore be assessed in light of the AI Act.

Nesp.ONE advises on the division of responsibilities and can assist in reviewing the contractual basis and procurement processes with a view to strengthening compliance.

The AI Act and GDPR regulate different matters, but overlap in practice. GDPR focuses on the processing of personal data, while the AI Act focuses on risks associated with the AI system itself and its use.

Nesp.ONE works with an integrated approach, where the AI Act and data protection are viewed in context, so that the municipality avoids parallel and fragmented processes.

The AI Act contains requirements for registration and documentation for certain types of systems, especially high-risk AI. Regardless of the registration requirement, it is advisable to have an internal inventory of AI applications to provide an overview and control. 

Nesp.ONE facilitates structured mapping that forms the basis for both registration and future governance.

The AI Act is being implemented gradually. Some provisions enter into force earlier than others, while requirements for high-risk systems follow later. Preparation should begin in good time, as building governance and documentation requires coordination across of the

Nesp.ONE can help with organizing a realistic compliance plan that takes account of both deadlines and the municipality's resources.

The first step is to create an overview of existing and planned AI applications. This is followed by a risk assessment and an assessment of the gap between current practice and the requirements of the regulation. 

Nesp.ONE conducts gap analyses that provide a clear basis for decision-making and prioritise efforts so that the work becomes manageable and targeted.

A lack of preparation can lead to legal sanctions, political criticism, and a loss of trust. For municipalities, the consequences can also affect legal certainty if automated decisions cannot be adequately explained or documented. 

Nesp.ONE can help municipalities work proactively and responsibly, so that compliance strengthens both governance and legitimacy. 

Farnaz Aref, AI Ethics & Governance Expert.

Martin Schulze, Partner – CISO, Security Expert, Advisor.

Karsten Dahl Vandrup, Partner – Cybersecurity expert, Associate Professor, Advisor.
