CRA Compliance in Denmark
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Denmark manufacturers.
Denmark's Centre for Cyber Security (CFCS — Center for Cybersikkerhed) has been designated as the national competent authority for the CRA, combining its intelligence and operational cybersecurity functions in a single agency. Danish manufacturers in the maritime, pharmaceutical, and energy sectors are well-represented in the CRA's scope. The Danish Business Authority (Erhvervsstyrelsen) coordinates on market surveillance for consumer-facing products, while CFCS leads technical enforcement.
National Competent Authority (CRA)
CFCS
Center for Cybersikkerhed
CFCS is Denmark's national cybersecurity authority under the Defence Intelligence Service (Forsvarets Efterretningstjeneste). It serves as the designated NCA for the CRA and provides threat intelligence and guidance to Danish manufacturers.
https://www.cfcs.dk →National CSIRT (Article 14 Reports)
CFCS
Center for Cybersikkerhed
https://www.cfcs.dk/da/kontakt/
https://www.cfcs.dk →CRA Enforcement in Denmark
CFCS serves as Denmark's national competent authority for the CRA, with the Danish Business Authority (Erhvervsstyrelsen) handling market surveillance coordination for consumer products. Denmark is a major exporter of medical devices, maritime equipment, and industrial automation systems — all product categories within the CRA's scope. CFCS operates with a mandate rooted in national security, and its CRA enforcement is expected to focus especially on products with potential for systemic or critical infrastructure risk. The Danish Safety Technology Authority (Sikkerhedsstyrelsen) retains competence for electrical safety and coordinates on product market surveillance.
Article 14 Incident Reporting for Danish Manufacturers
Danish manufacturers submit Article 14 early warnings and notifications to CFCS, which serves as Denmark's national CSIRT for the CRA. CFCS operates a secure reporting portal and maintains operational contacts for urgent cybersecurity notifications. The Article 14 obligation requires an early warning within 24 hours and a full notification within 72 hours of discovering active exploitation of a product vulnerability. CFCS participates in the EU CSIRTs network and relays relevant notifications to ENISA. Manufacturers should establish a documented Article 14 notification procedure naming CFCS as the competent recipient before any incident arises.
Market Surveillance & Penalties
Market surveillance for CRA compliance in Denmark is coordinated between CFCS and the Danish Business Authority. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Denmark's regulatory enforcement tradition is characterised by constructive dialogue and graduated escalation, but persistent non-compliance results in formal enforcement action. Manufacturers should be aware that the Danish Consumer Ombudsman (Forbrugerombudsmanden) may also be involved for consumer-facing connected products, adding an additional oversight dimension.
Support for Danish Manufacturers
CFCS publishes cybersecurity guidance for Danish businesses and coordinates with the Danish Industry Foundation on SME cybersecurity programmes. The Erhvervsstyrelsen provides regulatory guidance on product compliance through its Virk.dk business portal. The Danish Standards organisation (DS) develops and publishes national standards aligned with ETSI EN 303 645 and IEC 62443, providing a reference framework for CRA Annex I compliance. Danish manufacturers can also access EU-level support through ENISA's published CRA guidance and the SME-focused resources from Digital Europe.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for CFCS, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact CFCS as a manufacturer with a CRA compliance question?+
CFCS can be contacted through its official website at cfcs.dk. For industry engagement on CRA implementation, the Danish Business Authority (Erhvervsstyrelsen) at erhvervsstyrelsen.dk provides a business-facing entry point for product compliance queries. CFCS publishes guidance documents in Danish and English and engages industry through the National Centre for Cyber Security's annual conference.
Does Denmark have national-level CRA implementing legislation?+
Denmark is expected to implement the CRA through amendments to the Lov om net- og informationssikkerhed (NIS Act), which already transposes NIS2, and through product safety regulations administered by the Danish Business Authority. National implementing measures are expected ahead of the CRA's December 2027 application date. The Danish government has consulted industry through the Danish Industry (DI) association on the implementation approach.
How does the CRA interact with Denmark's NIS2 implementation and existing cybersecurity obligations?+
Danish manufacturers that are also NIS2 essential or important entities face overlapping incident reporting obligations. CFCS is expected to provide consolidated guidance allowing Article 14 and NIS2 incident notifications to be submitted through a single channel where the incident qualifies under both frameworks. Danish manufacturers in energy, transport, and maritime sectors — where NIS2 applicability is broad — should conduct a combined NIS2 and CRA compliance assessment.
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.