Abstract
In 2014, Denmark launched its first national strategy for cyber resilience of critical infrastructure (CI). The ‘National Cyber and Information Security Strategy’ and its two successors from 2018 and 2022 follow the Sector Responsibility Principle (SRP). According to the principle, the state distributes the task of achieving and maintaining societal resilience to individual sectors, for example, health, energy supply, or finance, while maintaining central oversight and responsibility for implementation. Denmark is not alone in taking this approach: in fact, all the Nordic countries have applied some version of SRP. Over the last decade, Danish governments have taken significant steps to implement and facilitate societal cyber resilience through the development of institutions, strategies, legal measures, and public-private partnerships (PPP). That said, Danish governments have gone less far than, for example, Finland’s in taking measures to achieve efficacy, and significant weaknesses are still left to be addressed. The article outlines the principles behind SRP and, using mainly Danish examples, demonstrates why implementation of SRP is legally, organisationally, and technically difficult as well as politically ‘unpleasant’. Resilience is desirable but also a tedious chore. An inherent risk with SRP, at both the strategic, political level and the level of the individual private or public entity, is the incentive to strive for legal compliance rather than operational efficacy, and to act more according to a ‘sector responsibility avoidance principle’. In that light, the article outlines how the SRP has been implemented in Denmark so far, along with examples of both what drives the effort and the challenges to successful SRP implementation.
Publisher
NASK National Research Institute