NIS2, CER, and background checks: what the EU legislation actually requires

Both the NIS2 Directive and the CER Directive entered into force in Denmark on 1 July 2025, and both establish explicit requirements for background checks on personnel with access to critical systems, facilities, and sensitive information. Together they create a shared baseline — but the way they apply differs by sector, and three sectors (energy, finance, and telecom) are governed by dedicated sector-specific legislation rather than the main NIS2 act.


The NIS2 Directive

The NIS2 Directive requires organisations in scope to implement security procedures for employees who handle sensitive or important data, including data access policies. This covers both essential and important entities across sectors such as transport, health, digital infrastructure, water, food, and public administration. Among the specific requirements are background checks, access rights management, and training. Importantly, if your organisation is designated as a critical entity under CER, it is automatically subject to NIS2 requirements as well.

The CER Directive

The CER Directive goes further on personnel security, requiring organisations to identify categories of staff who perform critical functions, determine access rights to premises and sensitive information, and establish formal procedures for background checks — including designating which categories of personnel must undergo them. Authorities are also empowered to request assistance in conducting checks on staff in certain roles. The directive applies to critical infrastructure operators and their suppliers across a broad range of sectors.

Both directives take a risk-based approach: the scope and depth of background checks depend on the individual's role and their level of access to critical systems or information.

Sector-specific frameworks to be aware of:

Energy

The energy sector operates under Lov om styrket beredskab i energisektoren and associated bekendtgørelser, including a dedicated Bekendtgørelse om sikkerhedsgodkendelse i energisektoren. The rules cover electricity, gas, oil, district heating, cooling, and hydrogen. A key requirement is that background checks must be conducted before security clearance is granted to personnel — making them a formal prerequisite, not an optional measure.


Telecom

The telecom sector is governed by Lov nr. 435 af 6. maj 2025 om sikkerhed og beredskab i telesektoren, along with Bekendtgørelse nr. 963 om sikkerhedsgodkendelse af personer, som har funktioner inden for telesektoren. Background checks are required for key personnel in specifically defined roles. Sector registration with the competent authority is required, and SAMSIK (Styrelsen for Samfundssikkerhed) coordinates oversight.


Finance

The financial sector is subject to DORA (the Digital Operational Resilience Act) and regulated through Finanstilsynet, with sector-specific rules that operate independently of the main NIS2 act.


Key implementation dates

Companies must register with the relevant competent authority by 1 October 2025. The national CER strategy and risk assessment must be in place by 17 January 2026. Competent authorities must designate critical entities by 17 July 2026, after which designated entities have nine months to complete a risk assessment and ten months to meet all CER requirements.

A consistent theme across all frameworks is the need for a holistic approach — background checks sit at the intersection of HR, physical security, and IT security, and siloed implementation risks leaving gaps that regulators, and adversaries, will notice.
