
CRA Compliance in Denmark

National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Danish manufacturers.

Denmark's national cybersecurity authority, Styrelsen for Samfundssikkerhed (SAMSIK — the Danish Agency for Societal Security), is expected to serve as the national competent authority for the CRA. SAMSIK was formed from a reorganisation of the former Centre for Cyber Security (CFCS) and has absorbed its cybersecurity mandate. Danish manufacturers in the maritime, pharmaceutical, and energy sectors are well-represented in the CRA's scope. The Danish Business Authority (Erhvervsstyrelsen) coordinates on market surveillance for consumer-facing products, while SAMSIK leads technical enforcement.

National Competent Authority (CRA)

SAMSIK

Styrelsen for Samfundssikkerhed

SAMSIK (Danish Agency for Societal Security) was established as the successor to CFCS (Center for Cybersikkerhed) and is Denmark's national cybersecurity authority under the Defence Intelligence Service. It is expected to serve as the designated NCA for the CRA and provides threat intelligence and guidance to Danish manufacturers. The cfcs.dk domain now redirects to samsik.dk.

https://samsik.dk

National CSIRT (Article 14 Reports)

SAMSIK

Styrelsen for Samfundssikkerhed

https://samsik.dk/kontakt/

https://samsik.dk

CRA Enforcement in Denmark

SAMSIK (formerly CFCS) is expected to serve as Denmark's national competent authority for the CRA, with the Danish Business Authority (Erhvervsstyrelsen) handling market surveillance coordination for consumer products. Denmark is a major exporter of medical devices, maritime equipment, and industrial automation systems — all product categories within the CRA's scope. SAMSIK operates with a mandate rooted in national security, and its CRA enforcement is expected to focus especially on products with potential for systemic or critical infrastructure risk. The Danish Safety Technology Authority (Sikkerhedsstyrelsen) retains competence for electrical safety and coordinates on product market surveillance.

CRA reference: Article 41, Article 43

Article 14 Incident Reporting for Danish Manufacturers

Danish manufacturers submit Article 14 early warnings and notifications to SAMSIK, which serves as Denmark's national CSIRT for the CRA. The Article 14 obligation requires an early warning within 24 hours and a full notification within 72 hours of discovering active exploitation of a product vulnerability. SAMSIK participates in the EU CSIRTs network and relays relevant notifications to ENISA. Manufacturers should establish a documented Article 14 notification procedure naming SAMSIK as the competent recipient before any incident arises.

CRA reference: Article 14

Market Surveillance & Penalties

Market surveillance for CRA compliance in Denmark is coordinated between SAMSIK and the Danish Business Authority. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Denmark's regulatory enforcement tradition is characterised by constructive dialogue and graduated escalation, but persistent non-compliance results in formal enforcement action. Manufacturers should be aware that the Danish Consumer Ombudsman (Forbrugerombudsmanden) may also be involved for consumer-facing connected products, adding a further layer of oversight.

CRA reference: Article 54, Article 52

Support for Danish Manufacturers

SAMSIK publishes cybersecurity guidance for Danish businesses and coordinates with the Danish Industry Foundation on SME cybersecurity programmes. Erhvervsstyrelsen provides regulatory guidance on product compliance through its Virk.dk business portal. The Danish Standards organisation (DS) develops and publishes national standards aligned with ETSI EN 303 645 and IEC 62443, providing a reference framework for CRA Annex I compliance. Danish manufacturers can also access EU-level support through ENISA's published CRA guidance and the SME-focused resources from Digital Europe.

CRA reference: Annex I, Article 13


Frequently asked

How do I contact SAMSIK as a manufacturer with a CRA compliance question?

SAMSIK can be contacted through its official website at samsik.dk. For industry engagement on CRA implementation, the Danish Business Authority (Erhvervsstyrelsen) at erhvervsstyrelsen.dk provides a business-facing entry point for product compliance queries. SAMSIK publishes guidance documents in Danish and English and engages industry through annual cybersecurity conferences.

Does Denmark have national-level CRA implementing legislation?

Denmark is expected to implement the CRA through amendments to the Lov om net- og informationssikkerhed (NIS Act), which already transposes NIS2, and through product safety regulations administered by the Danish Business Authority. National implementing measures are expected ahead of the CRA's December 2027 application date. The Danish government has consulted industry through the Danish Industry (DI) association on the implementation approach.

How does the CRA interact with Denmark's NIS2 implementation and existing cybersecurity obligations?

Danish manufacturers that are also NIS2 essential or important entities face overlapping incident reporting obligations. SAMSIK is expected to provide consolidated guidance allowing Article 14 and NIS2 incident notifications to be submitted through a single channel where the incident qualifies under both frameworks. Danish manufacturers in energy, transport, and maritime sectors — where NIS2 applicability is broad — should conduct a combined NIS2 and CRA compliance assessment.
