BifrostConnect Blog
How Danish Water Utilities Can Use the Energy Sector’s BEK 260 to Strengthen Cyber Resilience and Meet NIS2 Today
NIS2 in OT for water and energy:
NIS2 is the European directive defining cybersecurity duties for critical infrastructure. In Denmark, NIS2 is implemented in two different ways:
- The NIS2 Act (NIS2-loven) – a general legal framework that applies to most sectors, including the most critical entities in the water sector.
- Sector-specific regulation – where certain sectors are covered by dedicated rules. The energy sector is the example: the Act on Strengthened Resilience in the Energy Sector (Lov om styrket beredskab i energisektoren), with BEK 260 (Bekendtgørelse 260/2025) as the operational executive order for that sector.
This difference matters.
The Danish Energy Sector:
In March 2025, the Danish Energy Agency introduced BEK 260, which regulates cyber-security and operational resilience for the energy sector.
BEK 260 is concrete and measurable. It describes exactly what must be controlled in practice. It is technology-neutral: it describes required capabilities, not brands, products, or architectures.
This is why energy operators have significantly more regulatory clarity. They operate within a defined, enforceable controls framework.
The Danish Water Sector:
Water operators are within the scope of the NIS2 Act. However, there is no sector-specific executive order (bekendtgørelse) or guidance (vejledning) for the water sector that translates NIS2 into concrete operational requirements, and no such order or guidance has been announced.
Water operators therefore have an obligation to comply with the NIS2 Act, but do not have sector-specific control requirements. The NIS2 Act is principle-based and outcome-oriented; the ten areas in Section 6 of the Act are headings for risk management rather than a prescriptive control checklist.
Operators must consider state-of-the-art controls and cybersecurity standards and then use their own judgment to select appropriate and proportional measures to manage security risks in the utility. (The concepts of state-of-the-art and proportionality can be found in the NIS2 Directive (Article 21(1)) and in the preparatory work of the NIS2 Act but, surprisingly, not in the text of the Act.)
That means that water utilities must define a state-of-the-art baseline, justify deviations from it, and explain why the selected controls are appropriate and proportional for each asset and supplier.
Consequence:
BEK 260 is one of the most operational and comprehensive executive orders issued in Europe for OT cybersecurity control design.
Therefore, the rational and defensible approach for water operators today is:
- Use BEK 260 as a state-of-the-art baseline
- Consider whether the principles of proportionality and appropriateness result in deviations
- Document your considerations and choices
If water operators do not anchor their proportionality decisions against an existing and recognised benchmark, their documentation will be weaker. If they anchor against BEK 260, their control justification becomes defensible and traceable.
BEK 260 covers areas such as:
- Identity and access management
- Remote access
- Supplier access
- Logging and monitoring
- Incident handling
- Endpoint protection
Although targeted at energy, the structure of BEK 260 is easily transferable to other critical OT contexts such as water. It provides a credible template for control selection.
This is why the logic for water is straightforward: BEK 260 is already accepted by the Danish state as a valid model for sector-specific OT control requirements. By referencing BEK 260, water operators create a traceable, documented justification for their chosen level of control strength under the NIS2 Act.
How BifrostConnect supports specific areas of BEK 260:
| Area | Clause Reference | Theme of Requirement | How BifrostConnect supports |
|---|---|---|---|
| Foundational network protection | §§48–49 | Secure configuration and segmentation | • Supports isolated access path without public internet exposure |
| Remote access | §§51–56 | Policy, attribution, multi-factor authentication, credential handling, time limitation, operator device protection | • Named identities • Multi-factor authentication • Time-limited connections only • Controlled operator device configuration |
| External supplier access | §§61–63 | Governance and documented segmentation | • Supplier identity mapping • Isolated path without internet exposure • Evidence of ingress |
| Incident handling | §§65–68 + §§72–74 | Log policy, retention, alternative communication channels | • Central collection of access evidence • Operator supervision under degraded network • Alternative communication channels possible if defined |
About the Author:
Anders Lavesen is Chairman of the Board and Legal Advisor at BifrostConnect.
He advises on the legal and regulatory aspects of cybersecurity in critical infrastructure, including frameworks such as NIS2 and BEK 260.
Final Thought on NIS2 compliance for OT:
At the Industrial Security Conference (ISC) on November 10, 2025, the Danish Minister of Resilience & Preparedness, Torsten Schack Pedersen, was asked: “Energy has a concrete rule-set in BEK 260, but what should the 2600 Danish Water Supply Facilities rely on?” He confirmed that the Ministry for the Environment has “something on its way for the Danish water sector”. But it is unclear when this rule-set will appear, and what are the water facilities supposed to do in the meantime?
They may not be allowed to just sit around and wait, so we suggest that they find support in the Danish Energy Agency's BEK 260, which most likely will be more than enough for them to also comply with future rule-sets.
Author: Anders Lavesen
Date: November 10, 2025



