Be aware of FAKE EMAILS pretending to be from us. Read more here.

Implementation of NIS2

The NIS2 directive has been implemented in Danish legislation and has entered into force. The NIS2 Act, which implements the European NIS2 Directive, entered into force on 1 July 2025. Here you can read about what this means to you as a registrar and find answers to questions you may have.

Updated January 14th, 2026

What does the legislation say?

The Danish NIS2 law has entered into force on 1 July 2025. The Danish NIS2 Executive Order, which implements part of section 11 of the NIS2 Act (Article 28 of the Directive), enters into force on 1 January 2026. There is no further legislation on NIS2 on the way.

Please note that the NIS2 Act and Executive Order not only impose requirements for .dk domain names, but also for other domain names.

Find an overview of the most important requirements in the NIS2 (danish only) executive order. Please note that this is not a complete list of requirements.

What should registrars do in relation to the verification of information?

In collaboration with a number of registrars, Punktum dk has agreed on a model on how the registrars and Punktum dk can cooperate on some of the obligations in NIS2. See the result of the working group here, which has been sent out for consultation to all registrars.

In the model, it has been agreed that the registrars can choose whether it is the registrar or Punktum dk who carries out checks of the registrants' identity and contact information. The requirements for the verification have also been agreed.

Data and ID checks at the registrar

The requirements for registrars verification of registrant identity and contact information are described in the registrar Identity and Contact Information Verification Procedure. The procedure includes the exact description of when the registrar must check the registrant's information, what documentation can be used and what Punktum dk can demand in the event of an audit.

If the registrar chooses to carry out a check, the registrar must do this for all its registrants. 

However, the registrar can always choose to check a contact's identity and contact information before the contact is created in Punktum dk's systems. This applies even if the registrar has chosen not to carry out checks on its registrants. 

Punktum dk can conduct audits of controls carried out within the last 30 days at any time and can in this connection require the specific documentation to be handed over. 

The registrar may have the verification carried out by a third party, including a reseller. However, it is still the registrar who is obligated to Punktum dk and must, among other things, be able to document that an inspection complies with the agreed requirements. 

If the registrar performs the verification of the registrant's information, the registrar must verify the registrant's name, address, and email address. 

Whether the registrar chooses to carry out the check or not, the registrant's information – name, address, telephone number and email address – must still be correct.

What should registrars do in relation to companies' email addresses?

Starting November 1st 2025, companies' email addresses are shown in Punktum dk's public WHOIS database. E-mail addresses for companies, organizations, associations and authorities are published in WHOIS by Punktum dk and may not contain personal information. 

In connection with the requirement to publish companies' email addresses in WHOIS, Punktum dk has made it possible for registrants to use a secondary email address as a supplement to the primary one

We always publish the secondary email address in WHOIS. If there is no secondary email, the primary one will be published.

The difference between the two addresses:

  • Primary email: The legally required, primary contact address. This MUST always be checked to ensure the domain's function.
  • Secondary email (optional): An additional email address that registrants can choose to add.

Furthermore, Punktum dk has introduced an option for employees of a company to consent to his or her e-mail address being published. If this happens, the company does not need to provide an email address without personal data. Remember that only the natural person whose email address is published can give the consent. 

E-mail addresses for registrants who are private individuals and sole proprietorships are not published by Punktum dk.

Useful information and frequently asked questions

  • We have compiled questions and answers regarding NIS2. You can find them here.
  • Guide to selecting a verification method in the registrar portal here.
  • You can also find registrar newsletters with more info about NIS2 and other related topics here.
  • Technical updates with extended EPP documentation in GitHub:
  • Extended documentation – a more detailed description of the NIS2-related changes, including additional context and implementation details here.
  • EPP documentation – available in our GitHub alongside the rest of our technical documentation here.

The result of the working group's work
Working group appendix 1 
Working group appendix 2
NIS2 Directive
NIS2 law
NIS2 executive order
NIS2 Overview of requirements in the executive order
NIS2 recommendations
Registrar contract
Addendum to Registrar Contract